Inter-revision diff: patch 27

Comparing v8 (message) to v38 (message)

--- v8
+++ v38
@@ -1,71 +1,66 @@
-Add an entry /proc/.../attr/context which displays the full
-process security "context" in compound format:'
-        lsm1\0value\0lsm2\0value\0...
-This entry is not writable.
+Send an identifier for the security module interface_lsm
+along with the security context. This allows the receiver
+to verify that the receiver and the sender agree on which
+security module's context is being used. If they don't
+agree the message is rejected.
 
 Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
 ---
- fs/proc/base.c      |  1 +
- security/security.c | 27 +++++++++++++++++++++++++++
- 2 files changed, 28 insertions(+)
+ drivers/android/binder.c          | 21 +++++++++++++++++++++
+ drivers/android/binder_internal.h |  1 +
+ 2 files changed, 22 insertions(+)
 
-diff --git a/fs/proc/base.c b/fs/proc/base.c
-index 7bf70e041315..79600df5f7a2 100644
---- a/fs/proc/base.c
-+++ b/fs/proc/base.c
-@@ -2619,6 +2619,7 @@ static const struct pid_entry attr_dir_stuff[] = {
- 	ATTR(NULL, "keycreate",		0666),
- 	ATTR(NULL, "sockcreate",	0666),
- 	ATTR(NULL, "display",		0666),
-+	ATTR(NULL, "context",		0666),
- #ifdef CONFIG_SECURITY_SMACK
- 	DIR("smack",			0555,
- 	    proc_smack_attr_dir_inode_ops, proc_smack_attr_dir_ops),
-diff --git a/security/security.c b/security/security.c
-index 8cb91f33c166..d151ac4a398b 100644
---- a/security/security.c
-+++ b/security/security.c
-@@ -2082,6 +2082,10 @@ int security_getprocattr(struct task_struct *p, const char *lsm, char *name,
- 				char **value)
- {
- 	struct security_hook_list *hp;
-+	char *final = NULL;
-+	char *cp;
-+	int rc = 0;
-+	int finallen = 0;
- 	int display = lsm_task_display(current);
- 	int slot = 0;
+diff --git a/drivers/android/binder.c b/drivers/android/binder.c
+index 5cfdaec0f9b5..ff8f35b9bd1b 100644
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -3222,6 +3222,7 @@ static void binder_transaction(struct binder_proc *proc,
+ 				    ALIGN(extra_buffers_size, sizeof(void *)) -
+ 				    ALIGN(lsmctx.len, sizeof(u64));
  
-@@ -2099,6 +2103,29 @@ int security_getprocattr(struct task_struct *p, const char *lsm, char *name,
- 		return -ENOMEM;
- 	}
++		t->security_interface = lsm_task_ilsm(current);
+ 		t->security_ctx = (uintptr_t)t->buffer->user_data + buf_offset;
+ 		err = binder_alloc_copy_to_buffer(&target_proc->alloc,
+ 						  t->buffer, buf_offset,
+@@ -4667,6 +4668,26 @@ static int binder_thread_read(struct binder_proc *proc,
  
-+	if (!strcmp(name, "context")) {
-+		hlist_for_each_entry(hp, &security_hook_heads.getprocattr,
-+				     list) {
-+			rc = hp->hook.getprocattr(p, "current", &cp);
-+			if (rc == -EINVAL || rc == -ENOPROTOOPT)
-+				continue;
-+			if (rc < 0) {
-+				kfree(final);
-+				return rc;
+ 		tr.secctx = t->security_ctx;
+ 		if (t->security_ctx) {
++			int to_ilsm = lsm_task_ilsm(current);
++			int from_ilsm = t->security_interface;
++
++			if (to_ilsm == LSMBLOB_INVALID)
++				to_ilsm = 0;
++			if (from_ilsm == LSMBLOB_INVALID)
++				from_ilsm = 0;
++			/*
++			 * The sender provided a security context from
++			 * a different security module than the one this
++			 * process wants to report if these don't match.
++			 */
++			if (from_ilsm != to_ilsm) {
++				if (t_from)
++					binder_thread_dec_tmpref(t_from);
++
++				binder_cleanup_transaction(t, "security context mismatch",
++							   BR_FAILED_REPLY);
++				return -EINVAL;
 +			}
-+			rc = append_ctx(&final, &finallen, hp->lsmid->lsm,
-+					cp, rc);
-+			if (rc < 0) {
-+				kfree(final);
-+				return rc;
-+			}
-+		}
-+		if (final == NULL)
-+			return -EINVAL;
-+		*value = final;
-+		return finallen;
-+	}
-+
- 	hlist_for_each_entry(hp, &security_hook_heads.getprocattr, list) {
- 		if (lsm != NULL && strcmp(lsm, hp->lsmid->lsm))
- 			continue;
+ 			cmd = BR_TRANSACTION_SEC_CTX;
+ 			trsize = sizeof(tr);
+ 		}
+diff --git a/drivers/android/binder_internal.h b/drivers/android/binder_internal.h
+index abe19d88c6ec..152d0b55e050 100644
+--- a/drivers/android/binder_internal.h
++++ b/drivers/android/binder_internal.h
+@@ -528,6 +528,7 @@ struct binder_transaction {
+ 	long    saved_priority;
+ 	kuid_t  sender_euid;
+ 	struct list_head fd_fixups;
++	int	security_interface;
+ 	binder_uintptr_t security_ctx;
+ 	/**
+ 	 * @lock:  protects @from, @to_proc, and @to_thread
 -- 
-2.20.1
+2.37.3
 
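Review bot: On a mismatch in binder_thread_read() the new branch ends with `return -EINVAL;`, so the receiving thread's read call fails because of a value the sender recorded in `t->security_interface`. Nothing visible in the hunk releases `t->buffer` before that return. The rest of binder_thread_read() is outside the hunk, so this is inferred, but it is worth checking whether the branch should fail only the transaction, release the buffer in the receiver's allocator, and end with `continue;` so the loop moves on to the next work item. Separately, folding `LSMBLOB_INVALID` to `0` makes "no interface LSM set" compare equal to slot 0. If that is the intent, a comment such as `/* LSMBLOB_INVALID: no interface LSM chosen, treated as slot 0 */` above the two normalisation checks would make the rule reviewable.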