Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp2953279imm; Thu, 24 May 2018 19:47:56 -0700 (PDT) X-Google-Smtp-Source: AB8JxZovZqeV2f3PTOt1QfNQ51xe73Gjv+CWqJZ6DWuc2fHu7ThMR8aOCiCQb0vHSseU7vNZSaAh X-Received: by 2002:a63:803:: with SMTP id 3-v6mr496728pgi.406.1527216476553; Thu, 24 May 2018 19:47:56 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1527216476; cv=none; d=google.com; s=arc-20160816; b=0ivLpo4JTiDMDQhm6ra1BT7xIBEy4t8g35/77gBZX8EslItVfqTNhxJT1n7acYDNMs MASXfDirJWFuCUh/KvVoDDx0pI+21fWwweOtJEesN940m0Nh+ro+1yD5/k/UY9amWzmV Q9qil7mFdZjJUcwOMPNPDrf7qpmBk4ebOotbvaN/1H/k+LGFa7FDU3T6MVfyC/jNGHgv 4yroCNvBEyNo18Zl7XpxoODjaA8Ra4AxOP0MAlEZT+84TrJyQyTQ9h8n1hZw5+kllm/a dLrJZpihaNRGKibqQ9FNcBoldJW2pw/ZXpL+BWkxkTpZRxKDR8V2PQNW2TwpFM/L0DpY tYnQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:cc:to:from :subject:organization:arc-authentication-results; bh=IwCq+bRI4q2gS+8ooQgxdmLV5M9j+l0QCg8sYxZVeWo=; b=tnhgaVojIsgSnBf9HwpdLZ4Ue+8qGRimZekS7XMy1oIK9/eobWLW0MrpBKZnnNrg9r mo17ksvhllymPyRVS4NgfCSZ0LlXBxwoiSKPmEJUb90Mu4ZHKt77YVgUcigwSg5E6i1H NTAi2OibWtvRDd3/59p0eTOIYzkMQJbMaHIN1/BcXR2/f3KP2a4HBJUV8YHq+Zw826aW wbl9OB2TfSUZciaICjeZf+1KG8E/mrYZKzhlvsdec7C+uZnaPVSWE4BwlgLnAVUDJEtx /QwCoh91d3k0cPOCsN5wg27ci3ZN6zz10zW1lVgFgHTgW11Lmi9fL6Ru/TWvqmXNteGI u7rA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k10-v6si17230408pgc.299.2018.05.24.19.47.42; Thu, 24 May 2018 19:47:56 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S971807AbeEYAGV (ORCPT + 99 others); Thu, 24 May 2018 20:06:21 -0400 Received: from mx3-rdu2.redhat.com ([66.187.233.73]:35528 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S971779AbeEYAGR (ORCPT ); Thu, 24 May 2018 20:06:17 -0400 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 2360D401EF24; Fri, 25 May 2018 00:06:17 +0000 (UTC) Received: from warthog.procyon.org.uk (ovpn-120-255.rdu2.redhat.com [10.10.120.255]) by smtp.corp.redhat.com (Postfix) with ESMTP id 5CA651006EBB; Fri, 25 May 2018 00:06:16 +0000 (UTC) Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903 Subject: [PATCH 08/32] tomoyo: Implement security hooks for the new mount API [ver #8] From: David Howells To: viro@zeniv.linux.org.uk Cc: dhowells@redhat.com, linux-fsdevel@vger.kernel.org, linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org Date: Fri, 25 May 2018 01:06:15 +0100 Message-ID: <152720677585.9073.5943512079914332768.stgit@warthog.procyon.org.uk> In-Reply-To: <152720672288.9073.9868393448836301272.stgit@warthog.procyon.org.uk> References: <152720672288.9073.9868393448836301272.stgit@warthog.procyon.org.uk> User-Agent: StGit/0.17.1-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit X-Scanned-By: MIMEDefang 2.78 on 10.11.54.3 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.5]); Fri, 25 May 2018 00:06:17 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.5]); Fri, 25 May 2018 00:06:17 +0000 (UTC) for IP:'10.11.54.3' DOMAIN:'int-mx03.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'dhowells@redhat.com' RCPT:'' Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Implement the security hook to check the creation of a new mountpoint for Tomoyo. As far as I can tell, Tomoyo doesn't make use of the mount data or parse any mount options, so I haven't implemented any of the fs_context hooks for it. Signed-off-by: David Howells cc: Tetsuo Handa cc: tomoyo-dev-en@lists.sourceforge.jp cc: linux-security-module@vger.kernel.org --- security/tomoyo/common.h | 3 +++ security/tomoyo/mount.c | 45 +++++++++++++++++++++++++++++++++++++++++++++ security/tomoyo/tomoyo.c | 15 +++++++++++++++ 3 files changed, 63 insertions(+) diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h index 539bcdd30bb8..e637ce73f7f9 100644 --- a/security/tomoyo/common.h +++ b/security/tomoyo/common.h @@ -971,6 +971,9 @@ int tomoyo_init_request_info(struct tomoyo_request_info *r, const u8 index); int tomoyo_mkdev_perm(const u8 operation, const struct path *path, const unsigned int mode, unsigned int dev); +int tomoyo_mount_permission_fc(struct fs_context *fc, + const struct path *mountpoint, + unsigned int mnt_flags); int tomoyo_mount_permission(const char *dev_name, const struct path *path, const char *type, unsigned long flags, void *data_page); diff --git a/security/tomoyo/mount.c b/security/tomoyo/mount.c index 7dc7f59b7dde..9ec84ab6f5e1 100644 --- a/security/tomoyo/mount.c +++ b/security/tomoyo/mount.c @@ -6,6 +6,7 @@ */ #include +#include #include #include "common.h" @@ -236,3 +237,47 @@ int tomoyo_mount_permission(const char *dev_name, const struct path *path, tomoyo_read_unlock(idx); return error; } + +/** + * tomoyo_mount_permission_fc - Check permission to create a new mount. + * @fc: Context describing the object to be mounted. + * @mountpoint: The target object to mount on. + * @mnt: The MNT_* flags to be set on the mountpoint. + * + * Check the permission to create a mount of the object described in @fc. Note + * that the source object may be a newly created superblock or may be an + * existing one picked from the filesystem (bind mount). + * + * Returns 0 on success, negative value otherwise. + */ +int tomoyo_mount_permission_fc(struct fs_context *fc, + const struct path *mountpoint, + unsigned int mnt_flags) +{ + struct tomoyo_request_info r; + unsigned int ms_flags = 0; + int error; + int idx; + + if (tomoyo_init_request_info(&r, NULL, TOMOYO_MAC_FILE_MOUNT) == + TOMOYO_CONFIG_DISABLED) + return 0; + + /* Convert MNT_* flags to MS_* equivalents. */ + if (mnt_flags & MNT_NOSUID) ms_flags |= MS_NOSUID; + if (mnt_flags & MNT_NODEV) ms_flags |= MS_NODEV; + if (mnt_flags & MNT_NOEXEC) ms_flags |= MS_NOEXEC; + if (mnt_flags & MNT_NOATIME) ms_flags |= MS_NOATIME; + if (mnt_flags & MNT_NODIRATIME) ms_flags |= MS_NODIRATIME; + if (mnt_flags & MNT_RELATIME) ms_flags |= MS_RELATIME; + if (mnt_flags & MNT_READONLY) ms_flags |= MS_RDONLY; + + idx = tomoyo_read_lock(); + /* TODO: There may be multiple sources; for the moment, just pick the + * first if there is one. + */ + error = tomoyo_mount_acl(&r, fc->source, mountpoint, fc->fs_type->name, + ms_flags); + tomoyo_read_unlock(idx); + return error; +} diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c index 213b8c593668..31fd6bd4f657 100644 --- a/security/tomoyo/tomoyo.c +++ b/security/tomoyo/tomoyo.c @@ -391,6 +391,20 @@ static int tomoyo_path_chroot(const struct path *path) return tomoyo_path_perm(TOMOYO_TYPE_CHROOT, path, NULL); } +/** + * tomoyo_sb_mount - Target for security_sb_mountpoint(). + * @fc: Context describing the object to be mounted. + * @mountpoint: The target object to mount on. + * @mnt_flags: Mountpoint specific options (as MNT_* flags). + * + * Returns 0 on success, negative value otherwise. + */ +static int tomoyo_sb_mountpoint(struct fs_context *fc, struct path *mountpoint, + unsigned int mnt_flags) +{ + return tomoyo_mount_permission_fc(fc, mountpoint, mnt_flags); +} + /** * tomoyo_sb_mount - Target for security_sb_mount(). * @@ -519,6 +533,7 @@ static struct security_hook_list tomoyo_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(path_chmod, tomoyo_path_chmod), LSM_HOOK_INIT(path_chown, tomoyo_path_chown), LSM_HOOK_INIT(path_chroot, tomoyo_path_chroot), + LSM_HOOK_INIT(sb_mountpoint, tomoyo_sb_mountpoint), LSM_HOOK_INIT(sb_mount, tomoyo_sb_mount), LSM_HOOK_INIT(sb_umount, tomoyo_sb_umount), LSM_HOOK_INIT(sb_pivotroot, tomoyo_sb_pivotroot),