Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp1473574imm; Wed, 15 Aug 2018 19:08:36 -0700 (PDT) X-Google-Smtp-Source: AA+uWPyjZDMy4eaarXhJYgq5utNlBHmEBA7TCVgkynSyPopvFa8LJPFeiW7Es/ySuwiIGsuAys/C X-Received: by 2002:a17:902:ba85:: with SMTP id k5-v6mr26449632pls.258.1534385316927; Wed, 15 Aug 2018 19:08:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1534385316; cv=none; d=google.com; s=arc-20160816; b=kmDh2ol194ZkY1RTG53MXukkdI/l195Ti4Gw1ZvzlDoa5l2wUx3CZy12jpFkES4r6y 6a+RrOGbBmHSK4xrb/ASuCgSVF7Nnb6LM606KHWm0eKNA0CJiCxV0KvtK4YzkCo9WNop 3pvjOMtmpTVDKDoYTc4zVMBh48eQsoGcniw7y1K2v1Yx8RRxMIF0lnC4b23I3qE4vl3+ UYqH5aAeGUOkqjY0Tqz+Rv4XocYDhy45FJiOEpC2Hx2ZHP74Ha/AFyOUZm6DVWo8+MIJ JIY/7gRR1HWMMXefJeTJnvqGp3O5bLbrvGza8QCYBfAtet+fAMNtN1UoZAx/1xbgOd0o jDbA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:to:from:arc-authentication-results; bh=zbuVUajdZkZvKy5NtGbQX06KE6q7Bo6InZ0vwp7WXuQ=; b=R14zs8Cn+sbjXkBw8QOQfWBDioNpyU8C0okTp+oO/MVTb8FWv1l2eDwdyTNpzh6ipl mCqbSFK1QV+kS3eK5YyVk6AxACzIsFnm6WbRR+7A+33nliFLEaT6UiWEiy4H5dEC6J94 LKQlUz7hlGuSSmMHenFmY/hG7XheTw6EiAe2bqEhhd6WdZVuHpfNQlaoO16Ef6O3xvTO fM6Sm9vWBsa/miwquUVnhQE0kMVB/S6fDYXNAprFrwJ6ySsTylf4Wlowir7D0hMKHQP0 jlV5HCjflJG1OG2KdZ+QbzKu142dQetBSJv0FH3d8Zj6NhMOpibq91+JRW7iG9PLXnh7 j4/g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f21-v6si23954647pgl.235.2018.08.15.19.08.20; Wed, 15 Aug 2018 19:08:36 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731236AbeHPCsa (ORCPT + 99 others); Wed, 15 Aug 2018 22:48:30 -0400 Received: from mga09.intel.com ([134.134.136.24]:61123 "EHLO mga09.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728014AbeHPCsa (ORCPT ); Wed, 15 Aug 2018 22:48:30 -0400 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga003.jf.intel.com ([10.7.209.27]) by orsmga102.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 15 Aug 2018 16:53:59 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.53,245,1531810800"; d="scan'208";a="75694074" Received: from cschaufl-mobl.amr.corp.intel.com ([10.252.130.105]) by orsmga003.jf.intel.com with ESMTP; 15 Aug 2018 16:53:59 -0700 From: Casey Schaufler To: kernel-hardening@lists.openwall.com, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov, SMACK-discuss@lists.01.org, casey.schaufler@intel.com, dave.hansen@intel.com, deneen.t.dock@intel.com, kristen@linux.intel.com, arjan@linux.intel.com Subject: [PATCH RFC 5/5] SELinux: Support SELinux determination of side-channel vulnerability Date: Wed, 15 Aug 2018 16:53:55 -0700 Message-Id: <20180815235355.14908-6-casey.schaufler@intel.com> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180815235355.14908-1-casey.schaufler@intel.com> References: <20180815235355.14908-1-casey.schaufler@intel.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org SELinux considers tasks to be side-channel safe if they have PROCESS_SHARE access. Signed-off-by: Casey Schaufler --- security/selinux/hooks.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index a8bf324130f5..7fbd7d7ac1cb 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -4219,6 +4219,14 @@ static void selinux_task_to_inode(struct task_struct *p, spin_unlock(&isec->lock); } +static int selinux_task_safe_sidechannel(struct task_struct *p) +{ + struct av_decision avd; + + return avc_has_perm_noaudit(&selinux_state, current_sid(), task_sid(p), + SECCLASS_PROCESS, PROCESS__SHARE, 0, &avd); +} + /* Returns error only if unable to parse addresses */ static int selinux_parse_skb_ipv4(struct sk_buff *skb, struct common_audit_data *ad, u8 *proto) @@ -7002,6 +7010,7 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(task_movememory, selinux_task_movememory), LSM_HOOK_INIT(task_kill, selinux_task_kill), LSM_HOOK_INIT(task_to_inode, selinux_task_to_inode), + LSM_HOOK_INIT(task_safe_sidechannel, selinux_task_safe_sidechannel), LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission), LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid), -- 2.17.1