Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp1275927imm;
        Fri, 17 Aug 2018 15:18:46 -0700 (PDT)
X-Google-Smtp-Source: AA+uWPwxEf3fUoaGibWx38Hr6X+UIVPmZr+On6ePImwGuNp0/KNjqvnS0XDjU+wl7M5VtwPCNfLq
X-Received: by 2002:a62:e30c:: with SMTP id g12-v6mr38442927pfh.25.1534544326683;
        Fri, 17 Aug 2018 15:18:46 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1534544326; cv=none;
        d=google.com; s=arc-20160816;
        b=ZTbVld7cZPYgr2n/Fi7txIKyQDQOpbUgsKMetCvuOB67N6Pb0xsJgbyuwMqMS1aCbS
         0YB4wzYyh5+0xVVuwt4P/1OjQeeWHhSSFb88sbf5R5TbplfLqBUUnnTiCTsyZV63LN6p
         gQvUTmnYcqFsTB1C+IWggGexcOUgJ6MbkYihKnBXXjgiM01nj3i2i2NumOpXmnUBbnAv
         DGvkAkrMe+XSsYGBBi25ZNzVoqVhXj0HkvTM4mFu0CaWO3O4iaA2zp4i8CisR/IwoS/x
         grYs+IqFQV0JLZQ10Igk1PoSG5HGLwfpzc8/pUagVAAX3ZMAh2P852mx+6betkAq9R4C
         pZuw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:references:in-reply-to:message-id:date
         :subject:to:from:arc-authentication-results;
        bh=1e7CMp9ZCan+JXKby3CG+VzGkNtqjw4+mdSX25Uhy3A=;
        b=UKxsbglPVwGYX0E9gVwLMKEHMW4o+z6Cpaj3L40bf98IPL1/PkahwgOB2tgvI4awhb
         P3ud2Tl//u3slrBWEYP1s5/1wOG/KpuJxKX9UBWaNmIiWwwchOzsd+uzu5n7I2OqJjGt
         vekYfLFI/loYPwVlvMkbW+70rSI1mTAQSPN/zSFJ9svB80z+eI6FodacVNRefgbKPuAm
         NWwa0gYM43Mq0dDbNbUGsunLvtdA/uR+FaqCIQvdDuRe+35FwFONicXU58uUyMCUnSu1
         3YSsf5OB8jdf6sYU8+DK3OYqgLLVrHK+RrmdZVTo57PiOOv1tub21nD+2oWwndpt+TqS
         WFNg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id x4-v6si2947006pgr.167.2018.08.17.15.18.28;
        Fri, 17 Aug 2018 15:18:46 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727828AbeHRBVe (ORCPT <rfc822;chaneybenjamini@gmail.com>
        + 99 others); Fri, 17 Aug 2018 21:21:34 -0400
Received: from mga11.intel.com ([192.55.52.93]:58247 "EHLO mga11.intel.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1727285AbeHRBVd (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 17 Aug 2018 21:21:33 -0400
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga006.jf.intel.com ([10.7.209.51])
  by fmsmga102.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 17 Aug 2018 15:16:25 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.53,253,1531810800"; 
   d="scan'208";a="67079613"
Received: from cschaufl-mobl.amr.corp.intel.com ([10.254.9.75])
  by orsmga006.jf.intel.com with ESMTP; 17 Aug 2018 15:16:25 -0700
From:   Casey Schaufler <casey.schaufler@intel.com>
To:     kernel-hardening@lists.openwall.com, linux-kernel@vger.kernel.org,
        linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov,
        casey.schaufler@intel.com, dave.hansen@intel.com,
        deneen.t.dock@intel.com, kristen@linux.intel.com,
        arjan@linux.intel.com
Subject: [PATCH RFC v2 1/5] LSM: Introduce a hook for side-channel danger
Date:   Fri, 17 Aug 2018 15:16:20 -0700
Message-Id: <20180817221624.10232-2-casey.schaufler@intel.com>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180817221624.10232-1-casey.schaufler@intel.com>
References: <20180817221624.10232-1-casey.schaufler@intel.com>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Casey Schaufler <cschaufler@localhost.localdomain>

There may be cases where the data maintained for
security controls is more sensitive than general
process information and that may be subjected to
side-channel attacks. An LSM hook is provided so
that this can be check for where the system would
take action should the current task have potential
access to the passed task.

Signed-off-by: Casey Schaufler <casey.schaufler@intel.com>
---
 include/linux/lsm_hooks.h | 7 +++++++
 include/linux/security.h  | 1 +
 security/security.c       | 5 +++++
 3 files changed, 13 insertions(+)

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index a08bc2587b96..fd2a7e6beb01 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -698,6 +698,11 @@
  *	security attributes, e.g. for /proc/pid inodes.
  *	@p contains the task_struct for the task.
  *	@inode contains the inode structure for the inode.
+ * @task_safe_sidechannel:
+ *	Check if a side channel attack is harmless for the current task and @p.
+ *	The caller may have determined that no attack is possible, in which
+ *	case this hook won't get called.
+ *	@p contains the task_struct for the task.
  *
  * Security hooks for Netlink messaging.
  *
@@ -1611,6 +1616,7 @@ union security_list_options {
 	int (*task_prctl)(int option, unsigned long arg2, unsigned long arg3,
 				unsigned long arg4, unsigned long arg5);
 	void (*task_to_inode)(struct task_struct *p, struct inode *inode);
+	int (*task_safe_sidechannel)(struct task_struct *p);
 
 	int (*ipc_permission)(struct kern_ipc_perm *ipcp, short flag);
 	void (*ipc_getsecid)(struct kern_ipc_perm *ipcp, u32 *secid);
@@ -1897,6 +1903,7 @@ struct security_hook_heads {
 	struct hlist_head task_kill;
 	struct hlist_head task_prctl;
 	struct hlist_head task_to_inode;
+	struct hlist_head task_safe_sidechannel;
 	struct hlist_head ipc_permission;
 	struct hlist_head ipc_getsecid;
 	struct hlist_head msg_msg_alloc_security;
diff --git a/include/linux/security.h b/include/linux/security.h
index 3410acfe139c..69a5526f789f 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -366,6 +366,7 @@ int security_task_kill(struct task_struct *p, struct siginfo *info,
 int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,
 			unsigned long arg4, unsigned long arg5);
 void security_task_to_inode(struct task_struct *p, struct inode *inode);
+int security_task_safe_sidechannel(struct task_struct *p);
 int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag);
 void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid);
 int security_msg_msg_alloc(struct msg_msg *msg);
diff --git a/security/security.c b/security/security.c
index 4927e7cc7d96..353b711e635a 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1165,6 +1165,11 @@ void security_task_to_inode(struct task_struct *p, struct inode *inode)
 	call_void_hook(task_to_inode, p, inode);
 }
 
+int security_task_safe_sidechannel(struct task_struct *p)
+{
+	return call_int_hook(task_safe_sidechannel, 0, p);
+}
+
 int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
 {
 	return call_int_hook(ipc_permission, 0, ipcp, flag);
-- 
2.17.1