Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1758507AbbGHNiw (ORCPT ); Wed, 8 Jul 2015 09:38:52 -0400 Received: from emvm-gh1-uea09.nsa.gov ([63.239.67.10]:63350 "EHLO emvm-gh1-uea09.nsa.gov" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754871AbbGHNir (ORCPT ); Wed, 8 Jul 2015 09:38:47 -0400 X-TM-IMSS-Message-ID: <5aabca4d000ac02f@nsa.gov> Message-ID: <559D27AB.4010402@tycho.nsa.gov> Date: Wed, 08 Jul 2015 09:37:47 -0400 From: Stephen Smalley Organization: National Security Agency User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0 MIME-Version: 1.0 To: Paul Osmialowski , Paul Moore , James Morris , Casey Schaufler , "Serge E. Hallyn" , Kees Cook , Tetsuo Handa , Neil Brown , Mark Rustad , Greg Kroah-Hartman , Daniel Mack , David Herrmann , Djalal Harouni , Shuah Khan , Al Viro , linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org CC: Karol Lewandowski , Lukasz Skalski Subject: Re: [RFC 5/8] kdbus: use LSM hooks in kdbus code References: <1436351110-5902-1-git-send-email-p.osmialowsk@samsung.com> <1436351110-5902-6-git-send-email-p.osmialowsk@samsung.com> In-Reply-To: <1436351110-5902-6-git-send-email-p.osmialowsk@samsung.com> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 3863 Lines: 115 On 07/08/2015 06:25 AM, Paul Osmialowski wrote: > Originates from: > > https://github.com/lmctl/kdbus.git (branch: kdbus-lsm-v4.for-systemd-v212) > commit: aa0885489d19be92fa41c6f0a71df28763228a40 > > Signed-off-by: Karol Lewandowski > Signed-off-by: Paul Osmialowski > --- > ipc/kdbus/bus.c | 12 ++++++++++- > ipc/kdbus/bus.h | 3 +++ > ipc/kdbus/connection.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++ > ipc/kdbus/connection.h | 4 ++++ > ipc/kdbus/domain.c | 9 ++++++++- > ipc/kdbus/domain.h | 2 ++ > ipc/kdbus/endpoint.c | 11 ++++++++++ > ipc/kdbus/names.c | 11 ++++++++++ > ipc/kdbus/queue.c | 30 ++++++++++++++++++---------- > 9 files changed, 124 insertions(+), 12 deletions(-) > > > diff --git a/ipc/kdbus/connection.c b/ipc/kdbus/connection.c > index 9993753..b85cdc7 100644 > --- a/ipc/kdbus/connection.c > +++ b/ipc/kdbus/connection.c > @@ -31,6 +31,7 @@ > #include > #include > #include > +#include > > #include "bus.h" > #include "connection.h" > @@ -73,6 +74,8 @@ static struct kdbus_conn *kdbus_conn_new(struct kdbus_ep *ep, bool privileged, > bool is_activator; > bool is_monitor; > struct kvec kvec; > + u32 sid, len; > + char *label; > int ret; > > struct { > @@ -222,6 +225,14 @@ static struct kdbus_conn *kdbus_conn_new(struct kdbus_ep *ep, bool privileged, > } > } > > + security_task_getsecid(current, &sid); > + security_secid_to_secctx(sid, &label, &len); > + ret = security_kdbus_connect(conn, label, len); > + if (ret) { > + ret = -EPERM; > + goto exit_unref; > + } This seems convoluted and expensive. If you always want the label of the current task here, then why not just have security_kdbus_connect() internally extract the label of the current task? > @@ -1107,6 +1119,12 @@ static int kdbus_conn_reply(struct kdbus_conn *src, struct kdbus_kmsg *kmsg) > if (ret < 0) > goto exit; > > + ret = security_kdbus_talk(src, dst); > + if (ret) { > + ret = -EPERM; > + goto exit; > + } Where does kdbus apply its uid-based or other restrictions on connections? Why do we need to insert separate hooks into each of these functions? Is there no central chokepoint already for permission checking that we can hook? > diff --git a/ipc/kdbus/connection.h b/ipc/kdbus/connection.h > index d1ffe90..1f91d39 100644 > --- a/ipc/kdbus/connection.h > +++ b/ipc/kdbus/connection.h > @@ -19,6 +19,7 @@ > #include > #include > #include > +#include > > #include "limits.h" > #include "metadata.h" > @@ -73,6 +74,7 @@ struct kdbus_kmsg; > * @names_queue_list: Well-known names this connection waits for > * @privileged: Whether this connection is privileged on the bus > * @faked_meta: Whether the metadata was faked on HELLO > + * @security: LSM security blob > */ > struct kdbus_conn { > struct kref kref; > @@ -113,6 +115,8 @@ struct kdbus_conn { > > bool privileged:1; > bool faked_meta:1; > + > + void *security; > }; Unless I missed it, you may have missed the most important thing of all: controlling kdbus's notion of "privileged". kdbus sets privileged to true if the process has CAP_IPC_OWNER or the process euid matches the uid of the bus creator, and then it allows those processes to do many dangerous things, including monitoring all traffic, impersonating credentials, pids, or seclabel, etc. I don't believe we should ever permit impersonating seclabel information. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/