Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S932168AbdDZRr7 (ORCPT <rfc822;w@1wt.eu>);
        Wed, 26 Apr 2017 13:47:59 -0400
Received: from nm29-vm3.bullet.mail.ne1.yahoo.com ([98.138.91.159]:41025 "EHLO
        nm29-vm3.bullet.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1753664AbdDZRrw (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 26 Apr 2017 13:47:52 -0400
X-Yahoo-Newman-Id: 255180.67003.bm@smtp215.mail.ne1.yahoo.com
X-Yahoo-Newman-Property: ymail-3
X-YMail-OSG: RxEcwLcVM1kNOUvYPIjZ7ABQ9yyvWql4.Jm88jfh8tUDArD
 .cFPSPvjiZ5LpfFoL0uYXJ0QH6mAhjRjeYYlkoM5ULrreKKRvx4g7MwyZR6s
 dpOt7714fNYLv7q4m_oEvlXPMrvAcK0be9UqGwf2FXh02OMJjHO61E_3cNJ1
 qQ.mSrT9zwok2cvdnFnpuPvLkAULYGIytZOm03poEtJMvtKcFmE1nAbTp410
 DOZ7MNJc5NmHIicXvWr5NY8RKTaeQ4f3kgK4TyjJpVPpsWkuZZmmaqknyAAp
 qxEUmUFyhX0hVWjj2KtX9byY_aUrP_vEG0XRAK6inE6tZ4PLepeXJ9zXSQq0
 eoIv35ZyD6l2D1eANChctosZfeOvoh3IrJLBeg.jihZdaUUm6xP2Z1rLGQIE
 oBOeQTFC2MeEqFb4D3esRdDTKNTaQ_brlZp_EEmrdPZLw.jfAKU3gy6VWBkm
 _Es7j4hGgwJEpB15.eHXp41MbW2hwalWAMlSaEVX0LfKFZ4UtekwDir7VdxW
 2ZoAuRB9FpTEPy19MxitaNlLJ4IbHTediyyrilPeyghvbBu0dYotT7Z9D0_D
 bSw--
X-Yahoo-SMTP: OIJXglSswBDfgLtXluJ6wiAYv6_cnw--
Subject: Re: [PATCH 1/3] selinux: Implement LSM notification system
To: Stephen Smalley <sds@tycho.nsa.gov>,
        Sebastien Buisson <sbuisson.ddn@gmail.com>,
        linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org,
        selinux@tycho.nsa.gov
References: <1493218936-18522-1-git-send-email-sbuisson@ddn.com>
 <8d4c5ab6-8c15-312a-398b-c3ee9d7e8cb6@schaufler-ca.com>
 <1493228201.32540.8.camel@tycho.nsa.gov>
Cc: Sebastien Buisson <sbuisson@ddn.com>, james.l.morris@oracle.com
From: Casey Schaufler <casey@schaufler-ca.com>
Message-ID: <fcdc41a2-68ab-b4df-a344-7763bda7cc8a@schaufler-ca.com>
Date: Wed, 26 Apr 2017 10:47:46 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101
 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <1493228201.32540.8.camel@tycho.nsa.gov>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 5435
Lines: 173

On 4/26/2017 10:36 AM, Stephen Smalley wrote:
> On Wed, 2017-04-26 at 08:38 -0700, Casey Schaufler wrote:
>> On 4/26/2017 8:02 AM, Sebastien Buisson wrote:
>>> From: Daniel Jurgens <danielj@mellanox.com>
>>>
>>> Add a generic notification mechanism in the LSM. Interested
>>> consumers
>>> can register a callback with the LSM and security modules can
>>> produce
>>> events.
>> Why is this a generic mechanism? Do you ever see anyone
>> other than SELinux using it?
> I do - any security module that wants to support access control over
> Lustre filesystems or Infiniband. Seems ironic for you to be arguing
> for a SELinux-specific interface rather than a LSM interface.

I lost the connection between this mechanism and
Lustre and Infiniband, neither of which are mentioned
in the patchset. And I *did* pose it as a question.
I am all in favor of general mechanisms where they
are generally useful. I am also adverse to special
purpose clutter.

>
>>> Add a call to the notification mechanism from SELinux when the AVC
>>> cache changes.
>> This seems like a whole lot of mechanism for
>> something you could accomplish with a log message.
>> What am I missing?
> It's a notification to a kernel subsystem that policy has changed so
> that the subsystem can update any cached state.
>
>>> Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
>>> Signed-off-by: Sebastien Buisson <sbuisson@ddn.com>
>>> ---
>>>  include/linux/security.h | 23 +++++++++++++++++++++++
>>>  security/security.c      | 20 ++++++++++++++++++++
>>>  security/selinux/hooks.c | 12 ++++++++++++
>>>  3 files changed, 55 insertions(+)
>>>
>>> diff --git a/include/linux/security.h b/include/linux/security.h
>>> index af675b5..73a9c93 100644
>>> --- a/include/linux/security.h
>>> +++ b/include/linux/security.h
>>> @@ -68,6 +68,10 @@
>>>  struct user_namespace;
>>>  struct timezone;
>>>  
>>> +enum lsm_event {
>>> +	LSM_POLICY_CHANGE,
>>> +};
>>> +
>>>  /* These functions are in security/commoncap.c */
>>>  extern int cap_capable(const struct cred *cred, struct
>>> user_namespace *ns,
>>>  		       int cap, int audit);
>>> @@ -163,6 +167,10 @@ struct security_mnt_opts {
>>>  	int num_mnt_opts;
>>>  };
>>>  
>>> +int call_lsm_notifier(enum lsm_event event, void *data);
>>> +int register_lsm_notifier(struct notifier_block *nb);
>>> +int unregister_lsm_notifier(struct notifier_block *nb);
>>> +
>>>  static inline void security_init_mnt_opts(struct security_mnt_opts
>>> *opts)
>>>  {
>>>  	opts->mnt_opts = NULL;
>>> @@ -381,6 +389,21 @@ int security_sem_semop(struct sem_array *sma,
>>> struct sembuf *sops,
>>>  struct security_mnt_opts {
>>>  };
>>>  
>>> +static inline int call_lsm_notifier(enum lsm_event event, void
>>> *data)
>>> +{
>>> +	return 0;
>>> +}
>>> +
>>> +static inline int register_lsm_notifier(struct notifier_block *nb)
>>> +{
>>> +	return 0;
>>> +}
>>> +
>>> +static inline  int unregister_lsm_notifier(struct notifier_block
>>> *nb)
>>> +{
>>> +	return 0;
>>> +}
>>> +
>>>  static inline void security_init_mnt_opts(struct security_mnt_opts
>>> *opts)
>>>  {
>>>  }
>>> diff --git a/security/security.c b/security/security.c
>>> index b9fea39..ef9d9e1 100644
>>> --- a/security/security.c
>>> +++ b/security/security.c
>>> @@ -32,6 +32,8 @@
>>>  /* Maximum number of letters for an LSM name string */
>>>  #define SECURITY_NAME_MAX	10
>>>  
>>> +static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain);
>>> +
>>>  struct security_hook_heads security_hook_heads
>>> __lsm_ro_after_init;
>>>  char *lsm_names;
>>>  /* Boot-time LSM user choice */
>>> @@ -146,6 +148,24 @@ void __init security_add_hooks(struct
>>> security_hook_list *hooks, int count,
>>>  		panic("%s - Cannot get early memory.\n",
>>> __func__);
>>>  }
>>>  
>>> +int call_lsm_notifier(enum lsm_event event, void *data)
>>> +{
>>> +	return atomic_notifier_call_chain(&lsm_notifier_chain,
>>> event, data);
>>> +}
>>> +EXPORT_SYMBOL(call_lsm_notifier);
>>> +
>>> +int register_lsm_notifier(struct notifier_block *nb)
>>> +{
>>> +	return atomic_notifier_chain_register(&lsm_notifier_chain,
>>> nb);
>>> +}
>>> +EXPORT_SYMBOL(register_lsm_notifier);
>>> +
>>> +int unregister_lsm_notifier(struct notifier_block *nb)
>>> +{
>>> +	return
>>> atomic_notifier_chain_unregister(&lsm_notifier_chain, nb);
>>> +}
>>> +EXPORT_SYMBOL(unregister_lsm_notifier);
>>> +
>>>  /*
>>>   * Hook list operation macros.
>>>   *
>>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>>> index e67a526..a4d36f8 100644
>>> --- a/security/selinux/hooks.c
>>> +++ b/security/selinux/hooks.c
>>> @@ -171,6 +171,14 @@ static int selinux_netcache_avc_callback(u32
>>> event)
>>>  	return 0;
>>>  }
>>>  
>>> +static int selinux_lsm_notifier_avc_callback(u32 event)
>>> +{
>>> +	if (event == AVC_CALLBACK_RESET)
>>> +		call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
>>> +
>>> +	return 0;
>>> +}
>>> +
>>>  /*
>>>   * initialise the security for the init task
>>>   */
>>> @@ -6379,6 +6387,10 @@ static __init int selinux_init(void)
>>>  	if (avc_add_callback(selinux_netcache_avc_callback,
>>> AVC_CALLBACK_RESET))
>>>  		panic("SELinux: Unable to register AVC netcache
>>> callback\n");
>>>  
>>> +	if (avc_add_callback(selinux_lsm_notifier_avc_callback,
>>> +			     AVC_CALLBACK_RESET))
>>> +		panic("SELinux: Unable to register AVC LSM
>>> notifier callback\n");
>>> +
>>>  	if (selinux_enforcing)
>>>  		printk(KERN_DEBUG "SELinux:  Starting in enforcing
>>> mode\n");
>>>  	else