--- v4
+++ v28
@@ -1,165 +1,275 @@
-Change the data used in UDS SO_PEERSEC processing from a
-secid to a more general struct lsmblob. Update the
-security_socket_getpeersec_dgram() interface to use the
-lsmblob. There is a small amount of scaffolding code
-that will come out when the security_secid_to_secctx()
-code is brought in line with the lsmblob.
-
+Change the security_secctx_to_secid interface to use a lsmblob
+structure in place of the single u32 secid in support of
+module stacking. Change its callers to do the same.
+
+The security module hook is unchanged, still passing back a secid.
+The infrastructure passes the correct entry from the lsmblob.
+
+Acked-by: Paul Moore <paul@paul-moore.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+Cc: netdev@vger.kernel.org
+Cc: netfilter-devel@vger.kernel.org
+To: Pablo Neira Ayuso <pablo@netfilter.org>
---
- include/linux/security.h | 7 +++++--
- include/net/af_unix.h | 2 +-
- include/net/scm.h | 8 +++++---
- net/ipv4/ip_sockglue.c | 8 +++++---
- net/unix/af_unix.c | 6 +++---
- security/security.c | 18 +++++++++++++++---
- 6 files changed, 34 insertions(+), 15 deletions(-)
+ include/linux/security.h | 26 ++++++++++++++++++--
+ kernel/cred.c | 4 +---
+ net/netfilter/nft_meta.c | 10 ++++----
+ net/netfilter/xt_SECMARK.c | 7 +++++-
+ net/netlabel/netlabel_unlabeled.c | 23 +++++++++++-------
+ security/security.c | 40 ++++++++++++++++++++++++++-----
+ 6 files changed, 85 insertions(+), 25 deletions(-)
diff --git a/include/linux/security.h b/include/linux/security.h
-index 313e45a3cac3..dcf20da87d1b 100644
+index 332df8a1cd4d..986a8f4bcd54 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
-@@ -1280,7 +1280,8 @@ int security_socket_shutdown(struct socket *sock, int how);
- int security_sock_rcv_skb(struct sock *sk, struct sk_buff *skb);
- int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
- int __user *optlen, unsigned len);
--int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid);
-+int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb,
-+ struct lsmblob *blob);
- int security_sk_alloc(struct sock *sk, int family, gfp_t priority);
- void security_sk_free(struct sock *sk);
- void security_sk_clone(const struct sock *sk, struct sock *newsk);
-@@ -1418,7 +1419,9 @@ static inline int security_socket_getpeersec_stream(struct socket *sock, char __
- return -ENOPROTOOPT;
- }
-
--static inline int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
-+static inline int security_socket_getpeersec_dgram(struct socket *sock,
-+ struct sk_buff *skb,
-+ struct lsmblob *blob)
- {
- return -ENOPROTOOPT;
- }
-diff --git a/include/net/af_unix.h b/include/net/af_unix.h
-index 3426d6dacc45..933492c08b8c 100644
---- a/include/net/af_unix.h
-+++ b/include/net/af_unix.h
-@@ -36,7 +36,7 @@ struct unix_skb_parms {
- kgid_t gid;
- struct scm_fp_list *fp; /* Passed files */
- #ifdef CONFIG_SECURITY_NETWORK
-- u32 secid; /* Security ID */
-+ struct lsmblob lsmblob; /* Security LSM data */
- #endif
- u32 consumed;
- } __randomize_layout;
-diff --git a/include/net/scm.h b/include/net/scm.h
-index 1ce365f4c256..e2e71c4bf9d0 100644
---- a/include/net/scm.h
-+++ b/include/net/scm.h
-@@ -33,7 +33,7 @@ struct scm_cookie {
- struct scm_fp_list *fp; /* Passed files */
- struct scm_creds creds; /* Skb credentials */
- #ifdef CONFIG_SECURITY_NETWORK
-- u32 secid; /* Passed security ID */
-+ struct lsmblob lsmblob; /* Passed LSM data */
- #endif
- };
-
-@@ -46,7 +46,7 @@ struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl);
- #ifdef CONFIG_SECURITY_NETWORK
- static __inline__ void unix_get_peersec_dgram(struct socket *sock, struct scm_cookie *scm)
- {
-- security_socket_getpeersec_dgram(sock, NULL, &scm->secid);
-+ security_socket_getpeersec_dgram(sock, NULL, &scm->lsmblob);
- }
- #else
- static __inline__ void unix_get_peersec_dgram(struct socket *sock, struct scm_cookie *scm)
-@@ -97,7 +97,9 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc
+@@ -196,6 +196,27 @@ static inline bool lsmblob_equal(struct lsmblob *bloba, struct lsmblob *blobb)
+ extern int lsm_name_to_slot(char *name);
+ extern const char *lsm_slot_to_name(int slot);
+
++/**
++ * lsmblob_value - find the first non-zero value in an lsmblob structure.
++ * @blob: Pointer to the data
++ *
++ * This needs to be used with extreme caution, as the cases where
++ * it is appropriate are rare.
++ *
++ * Return the first secid value set in the lsmblob.
++ * There should only be one.
++ */
++static inline u32 lsmblob_value(const struct lsmblob *blob)
++{
++ int i;
++
++ for (i = 0; i < LSMBLOB_ENTRIES; i++)
++ if (blob->secid[i])
++ return blob->secid[i];
++
++ return 0;
++}
++
+ /* These functions are in security/commoncap.c */
+ extern int cap_capable(const struct cred *cred, struct user_namespace *ns,
+ int cap, unsigned int opts);
+@@ -527,7 +548,8 @@ int security_setprocattr(const char *lsm, const char *name, void *value,
+ int security_netlink_send(struct sock *sk, struct sk_buff *skb);
+ int security_ismaclabel(const char *name);
+ int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
+-int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
++int security_secctx_to_secid(const char *secdata, u32 seclen,
++ struct lsmblob *blob);
+ void security_release_secctx(char *secdata, u32 seclen);
+ void security_inode_invalidate_secctx(struct inode *inode);
+ int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
+@@ -1382,7 +1404,7 @@ static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *secle
+
+ static inline int security_secctx_to_secid(const char *secdata,
+ u32 seclen,
+- u32 *secid)
++ struct lsmblob *blob)
+ {
+ return -EOPNOTSUPP;
+ }
+diff --git a/kernel/cred.c b/kernel/cred.c
+index ea36ec6e1ad8..38b00a1390f4 100644
+--- a/kernel/cred.c
++++ b/kernel/cred.c
+@@ -798,14 +798,12 @@ EXPORT_SYMBOL(set_security_override);
+ int set_security_override_from_ctx(struct cred *new, const char *secctx)
+ {
+ struct lsmblob blob;
+- u32 secid;
+ int ret;
+
+- ret = security_secctx_to_secid(secctx, strlen(secctx), &secid);
++ ret = security_secctx_to_secid(secctx, strlen(secctx), &blob);
+ if (ret < 0)
+ return ret;
+
+- lsmblob_init(&blob, secid);
+ return set_security_override(new, &blob);
+ }
+ EXPORT_SYMBOL(set_security_override_from_ctx);
+diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
+index a7e01e9952f1..f9448e81798e 100644
+--- a/net/netfilter/nft_meta.c
++++ b/net/netfilter/nft_meta.c
+@@ -809,21 +809,21 @@ static const struct nla_policy nft_secmark_policy[NFTA_SECMARK_MAX + 1] = {
+
+ static int nft_secmark_compute_secid(struct nft_secmark *priv)
+ {
+- u32 tmp_secid = 0;
++ struct lsmblob blob;
int err;
- if (test_bit(SOCK_PASSSEC, &sock->flags)) {
-- err = security_secid_to_secctx(scm->secid, &secdata, &seclen);
-+ /* Scaffolding - it has to be element 0 for now */
-+ err = security_secid_to_secctx(scm->lsmblob.secid[0],
-+ &secdata, &seclen);
-
- if (!err) {
- put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata);
-diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
-index 82f341e84fae..2a5c868ce135 100644
---- a/net/ipv4/ip_sockglue.c
-+++ b/net/ipv4/ip_sockglue.c
-@@ -130,15 +130,17 @@ static void ip_cmsg_recv_checksum(struct msghdr *msg, struct sk_buff *skb,
-
- static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb)
- {
-+ struct lsmblob lb;
- char *secdata;
-- u32 seclen, secid;
-+ u32 seclen;
+- err = security_secctx_to_secid(priv->ctx, strlen(priv->ctx), &tmp_secid);
++ err = security_secctx_to_secid(priv->ctx, strlen(priv->ctx), &blob);
+ if (err)
+ return err;
+
+- if (!tmp_secid)
++ if (!lsmblob_is_set(&blob))
+ return -ENOENT;
+
+- err = security_secmark_relabel_packet(tmp_secid);
++ err = security_secmark_relabel_packet(lsmblob_value(&blob));
+ if (err)
+ return err;
+
+- priv->secid = tmp_secid;
++ priv->secid = lsmblob_value(&blob);
+ return 0;
+ }
+
+diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
+index 498a0bf6f044..87ca3a537d1c 100644
+--- a/net/netfilter/xt_SECMARK.c
++++ b/net/netfilter/xt_SECMARK.c
+@@ -42,13 +42,14 @@ secmark_tg(struct sk_buff *skb, const struct xt_secmark_target_info_v1 *info)
+
+ static int checkentry_lsm(struct xt_secmark_target_info_v1 *info)
+ {
++ struct lsmblob blob;
int err;
-- err = security_socket_getpeersec_dgram(NULL, skb, &secid);
-+ err = security_socket_getpeersec_dgram(NULL, skb, &lb);
- if (err)
- return;
-
-- err = security_secid_to_secctx(secid, &secdata, &seclen);
-+ /* Scaffolding - it has to be element 0 */
-+ err = security_secid_to_secctx(lb.secid[0], &secdata, &seclen);
- if (err)
- return;
-
-diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
-index ddb838a1b74c..c50a004a1389 100644
---- a/net/unix/af_unix.c
-+++ b/net/unix/af_unix.c
-@@ -143,17 +143,17 @@ static struct hlist_head *unix_sockets_unbound(void *addr)
- #ifdef CONFIG_SECURITY_NETWORK
- static void unix_get_secdata(struct scm_cookie *scm, struct sk_buff *skb)
- {
-- UNIXCB(skb).secid = scm->secid;
-+ UNIXCB(skb).lsmblob = scm->lsmblob;
- }
-
- static inline void unix_set_secdata(struct scm_cookie *scm, struct sk_buff *skb)
- {
-- scm->secid = UNIXCB(skb).secid;
-+ scm->lsmblob = UNIXCB(skb).lsmblob;
- }
-
- static inline bool unix_secdata_eq(struct scm_cookie *scm, struct sk_buff *skb)
- {
-- return (scm->secid == UNIXCB(skb).secid);
-+ return lsmblob_equal(&scm->lsmblob, &(UNIXCB(skb).lsmblob));
- }
- #else
- static inline void unix_get_secdata(struct scm_cookie *scm, struct sk_buff *skb)
+ info->secctx[SECMARK_SECCTX_MAX - 1] = '\0';
+ info->secid = 0;
+
+ err = security_secctx_to_secid(info->secctx, strlen(info->secctx),
+- &info->secid);
++ &blob);
+ if (err) {
+ if (err == -EINVAL)
+ pr_info_ratelimited("invalid security context \'%s\'\n",
+@@ -56,6 +57,10 @@ static int checkentry_lsm(struct xt_secmark_target_info_v1 *info)
+ return err;
+ }
+
++ /* xt_secmark_target_info can't be changed to use lsmblobs because
++ * it is exposed as an API. Use lsmblob_value() to get the one
++ * value that got set by security_secctx_to_secid(). */
++ info->secid = lsmblob_value(&blob);
+ if (!info->secid) {
+ pr_info_ratelimited("unable to map security context \'%s\'\n",
+ info->secctx);
+diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
+index 2483df0bbd7c..c29a8d7a7070 100644
+--- a/net/netlabel/netlabel_unlabeled.c
++++ b/net/netlabel/netlabel_unlabeled.c
+@@ -882,7 +882,7 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb,
+ void *addr;
+ void *mask;
+ u32 addr_len;
+- u32 secid;
++ struct lsmblob blob;
+ struct netlbl_audit audit_info;
+
+ /* Don't allow users to add both IPv4 and IPv6 addresses for a
+@@ -906,13 +906,18 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb,
+ ret_val = security_secctx_to_secid(
+ nla_data(info->attrs[NLBL_UNLABEL_A_SECCTX]),
+ nla_len(info->attrs[NLBL_UNLABEL_A_SECCTX]),
+- &secid);
++ &blob);
+ if (ret_val != 0)
+ return ret_val;
+
++ /* netlbl_unlhsh_add will be changed to pass a struct lsmblob *
++ * instead of a u32 later in this patch set. security_secctx_to_secid()
++ * will only be setting one entry in the lsmblob struct, so it is
++ * safe to use lsmblob_value() to get that one value. */
++
+ return netlbl_unlhsh_add(&init_net,
+- dev_name, addr, mask, addr_len, secid,
+- &audit_info);
++ dev_name, addr, mask, addr_len,
++ lsmblob_value(&blob), &audit_info);
+ }
+
+ /**
+@@ -933,7 +938,7 @@ static int netlbl_unlabel_staticadddef(struct sk_buff *skb,
+ void *addr;
+ void *mask;
+ u32 addr_len;
+- u32 secid;
++ struct lsmblob blob;
+ struct netlbl_audit audit_info;
+
+ /* Don't allow users to add both IPv4 and IPv6 addresses for a
+@@ -955,13 +960,15 @@ static int netlbl_unlabel_staticadddef(struct sk_buff *skb,
+ ret_val = security_secctx_to_secid(
+ nla_data(info->attrs[NLBL_UNLABEL_A_SECCTX]),
+ nla_len(info->attrs[NLBL_UNLABEL_A_SECCTX]),
+- &secid);
++ &blob);
+ if (ret_val != 0)
+ return ret_val;
+
++ /* security_secctx_to_secid() will only put one secid into the lsmblob
++ * so it's safe to use lsmblob_value() to get the secid. */
+ return netlbl_unlhsh_add(&init_net,
+- NULL, addr, mask, addr_len, secid,
+- &audit_info);
++ NULL, addr, mask, addr_len,
++ lsmblob_value(&blob), &audit_info);
+ }
+
+ /**
diff --git a/security/security.c b/security/security.c
-index f9c8e1926a0b..4e1eb2a54064 100644
+index 69474918be8b..1621a28bf9c4 100644
--- a/security/security.c
+++ b/security/security.c
-@@ -2120,10 +2120,22 @@ int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
+@@ -2193,10 +2193,22 @@ int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
+ }
+ EXPORT_SYMBOL(security_secid_to_secctx);
+
+-int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
++int security_secctx_to_secid(const char *secdata, u32 seclen,
++ struct lsmblob *blob)
+ {
+- *secid = 0;
+- return call_int_hook(secctx_to_secid, 0, secdata, seclen, secid);
++ struct security_hook_list *hp;
++ int rc;
++
++ lsmblob_init(blob, 0);
++ hlist_for_each_entry(hp, &security_hook_heads.secctx_to_secid, list) {
++ if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot))
++ continue;
++ rc = hp->hook.secctx_to_secid(secdata, seclen,
++ &blob->secid[hp->lsmid->slot]);
++ if (rc != 0)
++ return rc;
++ }
++ return 0;
+ }
+ EXPORT_SYMBOL(security_secctx_to_secid);
+
+@@ -2347,10 +2359,26 @@ int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
optval, optlen, len);
}
-int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
+int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb,
-+ struct lsmblob *blob)
++ u32 *secid)
{
- return call_int_hook(socket_getpeersec_dgram, -ENOPROTOOPT, sock,
- skb, secid);
+ struct security_hook_list *hp;
+ int rc = -ENOPROTOOPT;
+
++ /*
++ * Only one security module should provide a real hook for
++ * this. A stub or bypass like is used in BPF should either
++ * (somehow) leave rc unaltered or return -ENOPROTOOPT.
++ */
+ hlist_for_each_entry(hp, &security_hook_heads.socket_getpeersec_dgram,
+ list) {
+ if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot))
+ continue;
-+ rc = hp->hook.socket_getpeersec_dgram(sock, skb,
-+ &blob->secid[hp->lsmid->slot]);
-+ if (rc != 0)
++ rc = hp->hook.socket_getpeersec_dgram(sock, skb, secid);
++ if (rc != -ENOPROTOOPT)
+ break;
+ }
+ return rc;
@@ -167,5 +277,5 @@
EXPORT_SYMBOL(security_socket_getpeersec_dgram);
--
-2.20.1
-
+2.31.1
+