Received: by 10.192.165.148 with SMTP id m20csp3431236imm; Mon, 23 Apr 2018 06:32:19 -0700 (PDT) X-Google-Smtp-Source: AIpwx4+YiX12JdB6FmmpEDwCNlBzayI+23x3+msLJ5SxdplwtIdwXzvh6Ay9JMj12kgKnz6k4Qqm X-Received: by 10.99.141.202 with SMTP id z193mr17006637pgd.418.1524490339810; Mon, 23 Apr 2018 06:32:19 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1524490339; cv=none; d=google.com; s=arc-20160816; b=OiU41iutN7cZjGrwT1sX4G6Xnb/U9rjIq0UnUyT389u0DuEnXAUsiUvsI38/D5Pywi 9wTUabzmJQ6/3vrZ1flY9DzgiWFCwvkQV/SXFGYbI8iGIEL7vAEAYprUGR5TcB6Jb+mv eonPV+wl7pxuPwYfxrx/T+fnc8zhTIEbqjGZDGXqT/v3H78464nP+dCi8sX3N1jFi+f+ QVU5Udx04oj+CEGlRQ0wAVjho3PDVDxueoZcryehYQ/uxAYGF7/l4m6Hkb4TyiOlf0NE KMIXwWaptfIflu0KiqwNM6yvMgSYf6/tjeLZ9yJJN5XHIGo/Nw5eeGkIHMv6Cm/6S2JC 77+w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from :dkim-signature:arc-authentication-results; bh=0jm+UPNZZmcxIQq/S0n6b0IlycmSOwu2sMtU1e2fC08=; b=wsvrty8Dt4FK68/FfZaiS+q1hcOaDcLAfhcTOQJj4OY2J1KXb2cTKTW09ahUY2ip5l BKXTyfNdsblWYsm2HR2wXtmNbaUHVd4Lfl5pzn33322S6uoI3ADpnBV80z0Yy55KkmFb fmrFK2Yd7Y0j4xcu2LEcsXsqy9B5DfhXHS16mPhEn/jrOw2hhqJ9asfWQzpVU2GFqULy ObDt7I3muZAJsRF92TJcD/owBof67pBlAB89wnkz8xPzg2Q5MTuyks5kBeklTicO/cfW Hm4miJZ4gI1J8AKEEwqBsxYgPlNbgG125EzNoTor6ppPnzo3XL/L6TB1jtdh5PMil7Eb POJg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=PgCYL6Cg; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v2-v6si11767660plo.138.2018.04.23.06.32.05; Mon, 23 Apr 2018 06:32:19 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=PgCYL6Cg; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755277AbeDWNa6 (ORCPT + 99 others); Mon, 23 Apr 2018 09:30:58 -0400 Received: from mail-wr0-f196.google.com ([209.85.128.196]:44828 "EHLO mail-wr0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755059AbeDWNa4 (ORCPT ); Mon, 23 Apr 2018 09:30:56 -0400 Received: by mail-wr0-f196.google.com with SMTP id o15-v6so41307632wro.11; Mon, 23 Apr 2018 06:30:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id; bh=0jm+UPNZZmcxIQq/S0n6b0IlycmSOwu2sMtU1e2fC08=; b=PgCYL6CgznOzYXmmiAnZ+rtVi6JuJ/ZSF8Mh8aSC4SSWQHA2WTs7MrcU4m+ndeCait Rpbuk6o1Ck2a05h2OSi6gceO1Z74F+4HuDjJFHXYXBN3270vhu+4kxkht2hxoc2deD/6 f7LJSJ6+aGweeqOp1ZB8c2XROjRWD/4qgz7sKpfejMxx1lmb+NKrdu9p2l36ojh4a/rI jus4FVsqkD69TzGfOJLMN8j4fl/bSnCUTgI7bhyhWhaUjPkqm2xcA2Ocy1BrliI0gHvu 0haHwVfzVjacFpUNTP/x4KHpl/12ADkC/4J3hdBYWK127wsv1oGQZSnhsDPGuEB4FmHI jnVA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=0jm+UPNZZmcxIQq/S0n6b0IlycmSOwu2sMtU1e2fC08=; b=ev2URmkUHYC1GZ8JI4471QRx+N+28OurpAIkbDP0By4LmFeOzghSlEyH6hTsyLyane eq55dKZKyiiCPz1OWkZzTORhbEKmRiYqHq8QdVCxq+c1D+sm0oG/zlwdJVOlqLtPQdDZ 2lM+532YJMexivR1Qbbk+UZRgwK9wNjoaZ8i86apelHUxk3q6MfOlhN1J0nEhNJlQ7LJ wpusTAJFr2f3y1H/y4MMlgUrYvN+vw3GB4JmZ/xI7UFDRc64Rnzsf71FiRB7/EbuWFBp grwkBgIAIEN0R4uJiYRlB6wJwOJXHQLVuUQKd0vZ+4uHmVdQ2z0IidiywwgtuWUvLWio 5+8g== X-Gm-Message-State: ALQs6tCxrdPAXdbuFwqzHDpHrYJDQmTUO1spvsOKiixSI71f4iHQpesr SWuH7leQI+V18JSYFxkYWovDDw== X-Received: by 10.28.190.15 with SMTP id o15mr6380164wmf.104.1524490254801; Mon, 23 Apr 2018 06:30:54 -0700 (PDT) Received: from david-x1.fritz.box (p200300C2A3FE3000ECB787D771B96788.dip0.t-ipconnect.de. [2003:c2:a3fe:3000:ecb7:87d7:71b9:6788]) by smtp.gmail.com with ESMTPSA id 78sm10262548wmm.19.2018.04.23.06.30.53 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 23 Apr 2018 06:30:54 -0700 (PDT) From: David Herrmann To: linux-kernel@vger.kernel.org Cc: James Morris , Paul Moore , teg@jklm.no, Stephen Smalley , selinux@tycho.nsa.gov, linux-security-module@vger.kernel.org, Eric Paris , serge@hallyn.com, davem@davemloft.net, netdev@vger.kernel.org, David Herrmann Subject: [PATCH 0/3] Introduce LSM-hook for socketpair(2) Date: Mon, 23 Apr 2018 15:30:12 +0200 Message-Id: <20180423133015.5455-1-dh.herrmann@gmail.com> X-Mailer: git-send-email 2.17.0 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi This series adds a new LSM hook for the socketpair(2) syscall. The idea is to allow SO_PEERSEC to be called on AF_UNIX sockets created via socketpair(2), and return the same information as if you emulated socketpair(2) via a temporary listener socket. Right now SO_PEERSEC will return the unlabeled credentials for a socketpair, rather than the actual credentials of the creating process. A simple call to: socketpair(AF_UNIX, SOCK_STREAM, 0, out); can be emulated via a temporary listener socket bound to a unique, random name in the abstract namespace. By connecting to this listener socket, accept(2) will return the second part of the pair. If SO_PEERSEC is queried on these, the correct credentials of the creating process are returned. A simple comparison between the behavior of SO_PEERSEC on socketpair(2) and an emulated socketpair is included in the dbus-broker test-suite [1]. This patch series tries to close this gap and makes both behave the same. A new LSM-hook is added which allows LSMs to cache the correct peer information on newly created socket-pairs. Apart from fixing this behavioral difference, the dbus-broker project actually needs to query the credentials of socketpairs, and currently must resort to racy procfs(2) queries to get the LSM credentials of its controller socket. Several parts of the dbus-broker project allow you to pass in a socket during execve(2), which will be used by the child process to accept control-commands from its parent. One natural way to create this communication channel is to use socketpair(2). However, right now SO_PEERSEC does not return any useful information, hence, the child-process would need other means to retrieve this information. By avoiding socketpair(2) and using the hacky-emulated version, this is not an issue. There was a previous discussion on this matter [2] roughly a year ago. Back then there was the suspicion that proper SO_PEERSEC would confuse applications. However, we could not find any evidence backing this suspicion. Furthermore, we now actually see the contrary. Lack of SO_PEERSEC makes it a hassle to use socketpairs with LSM credentials. Hence, we propose to implement full SO_PEERSEC for socketpairs. This series only adds SELinux backends, since that is what we need for RHEL. I will gladly extend the other LSMs if needed. Thanks David [1] https://github.com/bus1/dbus-broker/blob/master/src/util/test-peersec.c [2] https://www.spinics.net/lists/selinux/msg22674.html David Herrmann (3): security: add hook for socketpair(AF_UNIX, ...) net/unix: hook unix_socketpair() into LSM selinux: provide unix_stream_socketpair callback include/linux/lsm_hooks.h | 8 ++++++++ include/linux/security.h | 7 +++++++ net/unix/af_unix.c | 5 +++++ security/security.c | 6 ++++++ security/selinux/hooks.c | 14 ++++++++++++++ 5 files changed, 40 insertions(+) -- 2.17.0