Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S964972AbbGHK1Z (ORCPT ); Wed, 8 Jul 2015 06:27:25 -0400 Received: from mailout3.w1.samsung.com ([210.118.77.13]:47992 "EHLO mailout3.w1.samsung.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S934680AbbGHKZ3 (ORCPT ); Wed, 8 Jul 2015 06:25:29 -0400 X-AuditID: cbfec7f4-f79c56d0000012ee-cf-559cfa98d71b From: Paul Osmialowski To: Paul Moore , James Morris , Casey Schaufler , "Serge E. Hallyn" , Kees Cook , Tetsuo Handa , Stephen Smalley , Neil Brown , Mark Rustad , Greg Kroah-Hartman , Daniel Mack , David Herrmann , Djalal Harouni , Shuah Khan , Al Viro , linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org Cc: Karol Lewandowski , Paul Osmialowski , Lukasz Skalski Subject: [RFC 3/8] lsm: kdbus security hooks Date: Wed, 08 Jul 2015 12:25:05 +0200 Message-id: <1436351110-5902-4-git-send-email-p.osmialowsk@samsung.com> X-Mailer: git-send-email 1.9.1 In-reply-to: <1436351110-5902-1-git-send-email-p.osmialowsk@samsung.com> References: <1436351110-5902-1-git-send-email-p.osmialowsk@samsung.com> X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFuplkeLIzCtJLcpLzFFi42I5/e/4Vd0Zv+aEGlzayGNxb9svNoumv69Y LBZfFrNoXryezaLvcZBF46e5zBZnunMt5pxrZLLY/L2DzeLyrjlsFh96HrFZzHn7ls1i7/wG FosJbw4wW8xuecdq8fnaL3aLw7sXM1ucv3CO3WLqlw8sFit/b2ezOP/3OKuDqMfshossHk8n TGb3uLY70mPn2lVMHov3vGTy2D93DbvHil9H2D0+Pr3F4rGl/y67x/t9V9k8+rasYvQ4un8R m8fm09UeW6f/Z/X4vEnOY9OTt0wBglFcNimpOZllqUX6dglcGX13vrAWNMdWTF15gr2Bsde/ i5GTQ0LAROJC/1w2CFtM4sK99UA2F4eQwFJGiTWrFjBDOI1MEvOeLwSrYhMwlLj5/zAjiC0i sItV4s2OOJAiZoFORok5XeeYQBLCAjoSWx59ZAaxWQRUJSbNPcYCYvMKuEv8eX2aHWKdnMTJ Y5NZQWxOAQ+JhS+/gtULAdVsXP2PbQIj7wJGhlWMoqmlyQXFSem5hnrFibnFpXnpesn5uZsY IZH0ZQfj4mNWhxgFOBiVeHg9YuaECrEmlhVX5h5ilOBgVhLh3XUBKMSbklhZlVqUH19UmpNa fIhRmoNFSZx37q73IUIC6YklqdmpqQWpRTBZJg5OqQZGu6dO5wN+ZHEX+k+f7tTykK27TGKm 1wyhpGfqf4xOVLi/3dIn0l15/b7Fkw3fLqxTuR9UP5E7ZlJXYefdRaESj4VflrvPXv9f5dIj ieq2c5mTollUtthkq53xvOxudunamxl/ltz8t+HKzwR/ponTJ9f+sPCYnf7mp9eRN9U6V77K FK/PbjonpsRSnJFoqMVcVJwIAMKGq9OgAgAA Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 11778 Lines: 379 This is combination of the work by Karol Lewandowski and Paul Moore on LSM hooks for kdbus. Originates from: git://git.infradead.org/users/pcmoore/selinux (branch: working-kdbus) commit: 7050f206a79564886938d0edc4e1e9da5972c72d https://github.com/lmctl/linux.git (branch: kdbus-lsm-v4.for-systemd-v212) commit: a9fe4c33b6e5ab25a243e0590df406aabb6add12 Signed-off-by: Karol Lewandowski Signed-off-by: Paul Moore Signed-off-by: Paul Osmialowski --- include/linux/lsm_hooks.h | 67 ++++++++++++++++++++++++++ include/linux/security.h | 99 +++++++++++++++++++++++++++++++++++++++ security/security.c | 117 ++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 283 insertions(+) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 9429f05..2a8d8fc 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -1297,6 +1297,36 @@ * @inode we wish to get the security context of. * @ctx is a pointer in which to place the allocated security context. * @ctxlen points to the place to put the length of @ctx. + * + * @kdbus_domain_alloc: + * Allocate kdbus domain. + * @kdbus_domain_free: + * Deallocate kdbus domain. + * @kdbus_bus_alloc: + * Allocate kdbus bus. + * @kdbus_bus_free: + * Deallocate kdbus bus. + * @kdbus_send: + * Send message. + * @kdbus_recv: + * Receive message. + * @kdbus_name_acquire: + * Request a well-known bus name to associate with the connection. + * @kdbus_name_list: + * Retrieve the list of all currently registered well-known and unique + * names. + * @kdbus_ep_create: + * Endpoint create + * @kdbus_connect: + * Connect + * @kdbus_conn_free: + * Deallocate connection + * @kdbus_conn_info: + * Retrieve credentials and properties of the initial creator of the + * connection. + * @kdbus_talk: + * Talk to a given peer. + * * This is the main security structure. */ @@ -1520,6 +1550,29 @@ union security_list_options { int (*inode_setsecctx)(struct dentry *dentry, void *ctx, u32 ctxlen); int (*inode_getsecctx)(struct inode *inode, void **ctx, u32 *ctxlen); + int (*kdbus_domain_alloc)(struct kdbus_domain *domain); + void (*kdbus_domain_free)(struct kdbus_domain *domain); + + int (*kdbus_bus_alloc)(struct kdbus_bus *bus); + void (*kdbus_bus_free)(struct kdbus_bus *bus); + int (*kdbus_send)(const struct kdbus_conn *conn, + const struct kdbus_bus *bus); + int (*kdbus_recv)(const struct kdbus_conn *conn, + const struct kdbus_bus *bus); + int (*kdbus_name_acquire)(const struct kdbus_conn *conn, + const char *name); + int (*kdbus_name_list)(const struct kdbus_bus *bus); + + int (*kdbus_ep_create)(const struct kdbus_bus *bus); + int (*kdbus_ep_setpolicy)(const struct kdbus_bus *bus); + + int (*kdbus_connect)(struct kdbus_conn *conn, + const char *secctx, u32 seclen); + void (*kdbus_conn_free)(struct kdbus_conn *conn); + int (*kdbus_conn_info)(const struct kdbus_conn *conn); + int (*kdbus_talk)(const struct kdbus_conn *src, + const struct kdbus_conn *dst); + #ifdef CONFIG_SECURITY_NETWORK int (*unix_stream_connect)(struct sock *sock, struct sock *other, struct sock *newsk); @@ -1760,6 +1813,20 @@ struct security_hook_heads { struct list_head inode_notifysecctx; struct list_head inode_setsecctx; struct list_head inode_getsecctx; + struct list_head kdbus_domain_alloc; + struct list_head kdbus_domain_free; + struct list_head kdbus_bus_alloc; + struct list_head kdbus_bus_free; + struct list_head kdbus_send; + struct list_head kdbus_recv; + struct list_head kdbus_name_acquire; + struct list_head kdbus_name_list; + struct list_head kdbus_ep_create; + struct list_head kdbus_ep_setpolicy; + struct list_head kdbus_connect; + struct list_head kdbus_conn_free; + struct list_head kdbus_conn_info; + struct list_head kdbus_talk; #ifdef CONFIG_SECURITY_NETWORK struct list_head unix_stream_connect; struct list_head unix_may_send; diff --git a/include/linux/security.h b/include/linux/security.h index 79d85dd..5f257b9 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -53,6 +53,10 @@ struct msg_queue; struct xattr; struct xfrm_sec_ctx; struct mm_struct; +struct kdbus_ep; +struct kdbus_bus; +struct kdbus_conn; +struct kdbus_domain; /* If capable should audit the security request */ #define SECURITY_CAP_NOAUDIT 0 @@ -356,6 +360,28 @@ void security_release_secctx(char *secdata, u32 seclen); int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen); int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen); + +int security_kdbus_domain_alloc(struct kdbus_domain *domain); +void security_kdbus_domain_free(struct kdbus_domain *domain); + +int security_kdbus_bus_alloc(struct kdbus_bus *bus); +void security_kdbus_bus_free(struct kdbus_bus *bus); +int security_kdbus_send(const struct kdbus_conn *conn, + const struct kdbus_bus *bus); +int security_kdbus_recv(const struct kdbus_conn *conn, + const struct kdbus_bus *bus); +int security_kdbus_name_acquire(const struct kdbus_conn *conn, + const char *name); +int security_kdbus_name_list(const struct kdbus_bus *bus); +int security_kdbus_ep_create(struct kdbus_bus *bus); +int security_kdbus_ep_setpolicy(struct kdbus_bus *bus); +int security_kdbus_connect(struct kdbus_conn *conn, + const char *secctx, u32 seclen); +void security_kdbus_conn_free(struct kdbus_conn *conn); +int security_kdbus_conn_info(const struct kdbus_conn *conn); +int security_kdbus_talk(const struct kdbus_conn *src, + const struct kdbus_conn *dst); + #else /* CONFIG_SECURITY */ struct security_mnt_opts { }; @@ -1105,6 +1131,79 @@ static inline int security_inode_getsecctx(struct inode *inode, void **ctx, u32 { return -EOPNOTSUPP; } + +static inline int security_kdbus_domain_alloc(struct kdbus_domain *domain) +{ + return 0; +} + +static inline void security_kdbus_domain_free(struct kdbus_domain *domain) +{ +} + +static inline int security_kdbus_bus_alloc(struct kdbus_bus *bus) +{ + return 0; +} + +static inline void security_kdbus_bus_free(struct kdbus_bus *bus) +{ +} + +static inline int security_kdbus_send(const struct kdbus_conn *conn, + const struct kdbus_bus *bus) +{ + return 0; +} + +static inline int security_kdbus_recv(const struct kdbus_conn *conn, + const struct kdbus_bus *bus) +{ + return 0; +} + +static inline int security_kdbus_name_acquire(const struct kdbus_conn *conn, + const char *name) +{ + return 0; +} + +static inline int security_kdbus_name_list(const struct kdbus_bus *bus) +{ + return 0; +} + +static inline int security_kdbus_ep_create(const struct kdbus_bus *bus) +{ + return 0; +} + +static inline int security_kdbus_ep_setpolicy(const struct kdbus_bus *bus) +{ + return 0; +} + +static inline int security_kdbus_connect(struct kdbus_conn *conn, + const char *secctx, u32 seclen) +{ + return 0; +} + +static inline void security_kdbus_conn_free(struct kdbus_conn *conn) +{ +} + +static inline int security_kdbus_conn_info(const struct kdbus_conn *conn) +{ + return 0; +} + +static inline int security_kdbus_talk(const struct kdbus_conn *src, + const struct kdbus_conn *dst) +{ + return 0; +} + #endif /* CONFIG_SECURITY */ #ifdef CONFIG_SECURITY_NETWORK diff --git a/security/security.c b/security/security.c index b1e935b..7fb46d1 100644 --- a/security/security.c +++ b/security/security.c @@ -1185,6 +1185,95 @@ int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) } EXPORT_SYMBOL(security_inode_getsecctx); +int security_kdbus_domain_alloc(struct kdbus_domain *domain) +{ + return call_int_hook(kdbus_domain_alloc, 0, domain); +} +EXPORT_SYMBOL(security_kdbus_domain_alloc); + +void security_kdbus_domain_free(struct kdbus_domain *domain) +{ + call_void_hook(kdbus_domain_free, domain); +} +EXPORT_SYMBOL(security_kdbus_domain_free); + +int security_kdbus_bus_alloc(struct kdbus_bus *bus) +{ + return call_int_hook(kdbus_bus_alloc, 0, bus); +} +EXPORT_SYMBOL(security_kdbus_bus_alloc); + +void security_kdbus_bus_free(struct kdbus_bus *bus) +{ + call_void_hook(kdbus_bus_free, bus); +} +EXPORT_SYMBOL(security_kdbus_bus_free); + +int security_kdbus_send(const struct kdbus_conn *conn, + const struct kdbus_bus *bus) +{ + return call_int_hook(kdbus_send, 0, conn, bus); +} +EXPORT_SYMBOL(security_kdbus_send); + +int security_kdbus_recv(const struct kdbus_conn *conn, + const struct kdbus_bus *bus) +{ + return call_int_hook(kdbus_recv, 0, conn, bus); +} +EXPORT_SYMBOL(security_kdbus_recv); + +int security_kdbus_name_acquire(const struct kdbus_conn *conn, + const char *name) +{ + return call_int_hook(kdbus_name_acquire, 0, conn, name); +} +EXPORT_SYMBOL(security_kdbus_name_acquire); + +int security_kdbus_name_list(const struct kdbus_bus *bus) +{ + return call_int_hook(kdbus_name_list, 0, bus); +} +EXPORT_SYMBOL(security_kdbus_name_list); + +int security_kdbus_ep_create(struct kdbus_bus *bus) +{ + return call_int_hook(kdbus_ep_create, 0, bus); +} +EXPORT_SYMBOL(security_kdbus_ep_create); + +int security_kdbus_ep_setpolicy(struct kdbus_bus *bus) +{ + return call_int_hook(kdbus_ep_setpolicy, 0, bus); +} +EXPORT_SYMBOL(security_kdbus_ep_setpolicy); + +int security_kdbus_connect(struct kdbus_conn *conn, + const char *secctx, u32 seclen) +{ + return call_int_hook(kdbus_connect, 0, conn, secctx, seclen); +} +EXPORT_SYMBOL(security_kdbus_connect); + +void security_kdbus_conn_free(struct kdbus_conn *conn) +{ + call_void_hook(kdbus_conn_free, conn); +} +EXPORT_SYMBOL(security_kdbus_conn_free); + +int security_kdbus_conn_info(const struct kdbus_conn *conn) +{ + return call_int_hook(kdbus_conn_info, 0, conn); +} +EXPORT_SYMBOL(security_kdbus_conn_info); + +int security_kdbus_talk(const struct kdbus_conn *src, + const struct kdbus_conn *dst) +{ + return call_int_hook(kdbus_talk, 0, src, dst); +} +EXPORT_SYMBOL(security_kdbus_talk); + #ifdef CONFIG_SECURITY_NETWORK int security_unix_stream_connect(struct sock *sock, struct sock *other, struct sock *newsk) @@ -1774,6 +1863,34 @@ struct security_hook_heads security_hook_heads = { LIST_HEAD_INIT(security_hook_heads.inode_setsecctx), .inode_getsecctx = LIST_HEAD_INIT(security_hook_heads.inode_getsecctx), + .kdbus_domain_alloc = + LIST_HEAD_INIT(security_hook_heads.kdbus_domain_alloc), + .kdbus_domain_free = + LIST_HEAD_INIT(security_hook_heads.kdbus_domain_free), + .kdbus_bus_alloc = + LIST_HEAD_INIT(security_hook_heads.kdbus_bus_alloc), + .kdbus_bus_free = + LIST_HEAD_INIT(security_hook_heads.kdbus_bus_free), + .kdbus_send = + LIST_HEAD_INIT(security_hook_heads.kdbus_send), + .kdbus_recv = + LIST_HEAD_INIT(security_hook_heads.kdbus_recv), + .kdbus_name_acquire = + LIST_HEAD_INIT(security_hook_heads.kdbus_name_acquire), + .kdbus_name_list = + LIST_HEAD_INIT(security_hook_heads.kdbus_name_list), + .kdbus_ep_create = + LIST_HEAD_INIT(security_hook_heads.kdbus_ep_create), + .kdbus_ep_setpolicy = + LIST_HEAD_INIT(security_hook_heads.kdbus_ep_setpolicy), + .kdbus_connect = + LIST_HEAD_INIT(security_hook_heads.kdbus_connect), + .kdbus_conn_free = + LIST_HEAD_INIT(security_hook_heads.kdbus_conn_free), + .kdbus_conn_info = + LIST_HEAD_INIT(security_hook_heads.kdbus_conn_info), + .kdbus_talk = + LIST_HEAD_INIT(security_hook_heads.kdbus_talk), #ifdef CONFIG_SECURITY_NETWORK .unix_stream_connect = LIST_HEAD_INIT(security_hook_heads.unix_stream_connect), -- 1.9.1 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/