From: Kees Cook
Date: Tue, 5 Jun 2018 12:45:09 -0700
Subject: Re: [PATCH v4a 8/8] module: replace the existing LSM hook in init_module
To: Mimi Zohar
Cc: Paul Moore, linux-integrity, linux-security-module, LKML, David Howells, "Luis R . Rodriguez", Eric Biederman, Kexec Mailing List, Andres Rodriguez, Greg Kroah-Hartman, Ard Biesheuvel, Jeff Vander Stoep, Casey Schaufler

On Thu, May 31, 2018 at 8:23 AM, Mimi Zohar wrote:
> diff --git a/security/loadpin/loadpin.c b/security/loadpin/loadpin.c > index 5fa191252c8f..a9c07bfbc338 100644 > --- a/security/loadpin/loadpin.c > +++ b/security/loadpin/loadpin.c > @@ -173,9 +173,24 @@ static int loadpin_read_file(struct file *file, enum kernel_read_file_id id) > return 0; > } > > +static int loadpin_load_data(enum kernel_load_data_id id) > +{ > + int rc = 0; > + > + switch (id) { > + case LOADING_MODULE: > + rc = loadpin_read_file(NULL, READING_MODULE); > + default: > + break; > + } > + > + return rc; > +}

Is it worth keeping the same enum between the two hooks? That would simplify this a bit since it could just pass the id without remapping.

And if you must have a separate enum, please change this to fail closed instead of open (and mark the fall-through):

        int rc = -EPERM;
        switch (id) {
        case LOADING_MODULE:
                rc = loadpin_read_file(NULL, READING_MODULE);
                /* Fall-through */
        default:
                break;
        }

Thanks!

-Kees

> + > static struct security_hook_list loadpin_hooks[] __lsm_ro_after_init = { > LSM_HOOK_INIT(sb_free_security, loadpin_sb_free_security), > LSM_HOOK_INIT(kernel_read_file, loadpin_read_file), > + LSM_HOOK_INIT(kernel_load_data, loadpin_load_data), > }; > > void __init loadpin_add_hooks(void) > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 02ebd1585eaf..475aed9ee2c7 100644
> --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -4059,6 +4059,20 @@ static int selinux_kernel_read_file(struct file *file, > return rc; > } > > +static int selinux_kernel_load_data(enum kernel_load_data_id id) > +{ > + int rc = 0; > + > + switch (id) { > + case LOADING_MODULE: > + rc = selinux_kernel_module_from_file(NULL); > + default: > + break; > + } > + > + return rc; > +} > + > static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) > { > return avc_has_perm(&selinux_state, > @@ -6950,6 +6964,7 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { > LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), > LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), > LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), > + LSM_HOOK_INIT(kernel_load_data, selinux_kernel_load_data), > LSM_HOOK_INIT(kernel_read_file, selinux_kernel_read_file), > LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), > LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), > -- > 2.7.5 >

--
Kees Cook
Pixel Security
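
Review bot: in loadpin_load_data() (security/loadpin/loadpin.c, hunk @@ -173,9 +173,24 @@), the LOADING_MODULE case calls loadpin_read_file(NULL, READING_MODULE), but nothing in the hunk says what a NULL file means for the pinning decision. A short comment above the call stating the intended outcome for a load that has no backing file would let a reader check the behaviour against that intent without tracing into loadpin_read_file().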
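
Review bot: in selinux_kernel_load_data() (security/selinux/hooks.c, hunk @@ -4059,6 +4059,20 @@), rc starts at 0 and case LOADING_MODULE runs into default: with no break and no fall-through comment, the same pattern raised in the reply for loadpin. Any kernel_load_data_id other than LOADING_MODULE therefore returns 0 without a permission check. If that is intended, say so in a comment and mark the fall-through; otherwise initialise rc to an error value so that ids added later are denied until a case handles them.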