Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp620265imu; Mon, 26 Nov 2018 15:55:44 -0800 (PST) X-Google-Smtp-Source: AFSGD/XqYa5ypSo62gAkkrGx/XYsfil+x3vjlAwsNr7MsXFl5zJDz70Q7NW0hBd3M+vZdOVzvJoo X-Received: by 2002:a17:902:1745:: with SMTP id i63mr27064536pli.145.1543276544882; Mon, 26 Nov 2018 15:55:44 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1543276544; cv=none; d=google.com; s=arc-20160816; b=vdDm9WEPetFS9EaRXphzxK32q4fhSgxka+OV+jkvI/ef4HynfhD8yZgabY3k+umU88 krgSoWURGA2nhZyvYShW/YZzGF/Hg8/6bxMlLlf230DV4It8stYg5H1lPsU0WxFRXjJb ichN6wAYBXwqBtCBZ64yxyAqLfExnX006Dls6LByr8IDwfX8MMZy3X0rVYeblkcs6fcl PRE8CRbsFCQcX8bR0xnn4esNQs2FbExJHNrUvCVQ++WbwWgia+1UOlT8Q7IyapV7Asvd hczqR9V095P+FQvIs436o5/baDbTwFJuEuT7LOopmzX1ZUnl6+jBaMhHSXr2W2v4VdHk t9bQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-language :content-transfer-encoding:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature; bh=rtgbAY8v8bf2tMWocN4/v1BHGqtzr15pWf8snPHIIn8=; b=wyhZze+DvCT4SjH+W0N+K0OOZ5Nuxx66BEwLzjR6iGVnWrHCg9KgnByG8drLg1h7Pi 9qoUGuPJ+uuHmOWIZhgonx/1kaaoWGFb6SGyrqyCk7rxft/bMB+6otUT76yqhqwFVNdb BELSPBLG/A5RDCO9dl6CIHqDVVWALkJ22BhXi4D1ACJwt7USeIQ4uucb4KxnRHrlXFkB QLQYwewVlI+3bDRzB3ePw/NoVkTCu/wdnwNEWxkCd7NN+opEADjo+grTNTcnix7BExKo 5ocTi/OtDwj53qk29EtH25xx6tT3eAto5QcHQgf8f8kdBFOax2YvMrFF3eYdnhjlCHMM Vfvg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@yahoo.com header.s=s2048 header.b=hiL8M9pp; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a32si2101525pla.168.2018.11.26.15.55.21; Mon, 26 Nov 2018 15:55:44 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@yahoo.com header.s=s2048 header.b=hiL8M9pp; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727844AbeK0Ktu (ORCPT + 99 others); Tue, 27 Nov 2018 05:49:50 -0500 Received: from sonic315-27.consmr.mail.ne1.yahoo.com ([66.163.190.153]:40548 "EHLO sonic315-27.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727615AbeK0Ktu (ORCPT ); Tue, 27 Nov 2018 05:49:50 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1543276437; bh=rtgbAY8v8bf2tMWocN4/v1BHGqtzr15pWf8snPHIIn8=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From:Subject; b=hiL8M9pp7QGkNkzmk1PczUQsGzwTkMSO7mAJE54hVfkbFz8rzg0czoE7nDqV7fhOVxTfqX5MUYkfqtKDctnSMIZsi3PiET0GEROo0AcBS/b1JkhvVUQR2GeHkO4UlEPTegwzWuKZXmJwCcWsUZFfVXkFbPAP5hdy47ZmHzN6J0Q9l3ypuiQEuUqdXY6l2dYK4k/7cjRbqqpeeUM0zll+joOzYQl6X2begBidsI0paI0y1/7X0UmI4fF4h+dlWETOdpwbK1h2NYnSuXT85rAojM1h94ArKUUnrpzrBFUaa9TL/JOZYu9sBiDQ0H7wLclozM4af+ceMMM0kAirBtOamw== X-YMail-OSG: cpimlAgVM1kM37etYfkTzuwjiLrGfwo1pTY0AeY5tQTZDvTBTDAJFtqXUNQ68W4 NXjIPq2i_dQ9xPw7kucBInWGOm66bf2V18zUylwQ_Hmkz0PGth7OjuUwU6yasKeJl1v5zr0DW3Qq bRuPE6PAdureogjFY5_zSM285ifPv.oHnz.8h5rmL1XVUiwKRT2e9BXQweoDwNUqc0TQ7d9tLbjV jPZT5Q2Bsz0R86spJkM9LizQ_irsSqWR0sAJY1IcZBuYIqBycTU8sCp.7Tb4v0PRhKxp1Q_qSjDY HqsvDXcLyRYf29Q8qGwQ7zngbcS0NCUhSt5pzc2L6A95XlK6Gsb7xrKeyGepgQzj73Qlgj8Y2Bvh agdO_NGnBVuOC_dtNHyGE_DlB08PFfykOGp3Wwc9IZO8.jhQzzmnjTQE3QwFw7LF_emmpkkdtjA8 AeD5jcxk.10mE2kzwcKlIlmlfBCFNvLUTbx7BhMkgylKnUI4mkvejOfhDEwBQLNOWDr70_8SEs9I cgVLmhHuB5JscooTfEXLLfvvOdsKxsAup6B4f9RSVb5WDMBUK8ql7uHzuVyTN92TSMAxZA50yvd1 40LE5VjtEVP6K0PDukNkZ_FK0qsecuOkjTx50fChfewHRWN6W21lOlP3LBpjiWwjbieUL_wONfdf Uuq1muHMVqYdKYhVVydZ4aTdVvAqwAEBha42IJqTn6kPSAHetdJT6u4hR2EonyfaqAMqFiPnoPmL t3m5R5FeCa.Jy8EcdO3Mc4AE3UShVoLFcjp2_hZZbdBuxE6UPSflBCs_tGkiyu_UgiL8PiFDJFPe PL3BUeDMMy3yzfQ22aW0HuEaZAdxnu0l0AMPR7H310w4Y7dnT3Vsk2wC6CXokHsUstTHgIqVyhnq OY.3x_1FjR8lwLPWRSGqf2tA9.5xN.1XtFFG7fPCH6EKCl_2ypIpLMvrxKoRcYD0QcO9BAlR.fcx b49NBZm43UXx1whNiM3aH8R5G7LVsyvFqz.eWofGrirSMJ0XofFoJteAXbA5LNJooo9Er9fHrENV OQAPPRmQpK1h7_MKRFT03UA8.O1_mf74mS.NwhUJq_BY8oJ_7tMLYVFg0JFIvgwKnJ3WiO6TaC42 TsiKvKEbpE9pjxgO407eU8mmCZBL5JXc76yMTOrofhKw- Received: from sonic.gate.mail.ne1.yahoo.com by sonic315.consmr.mail.ne1.yahoo.com with HTTP; Mon, 26 Nov 2018 23:53:57 +0000 Received: from c-67-169-65-224.hsd1.ca.comcast.net (EHLO [192.168.0.105]) ([67.169.65.224]) by smtp418.mail.ne1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID ba0d3aeea1fafd7a99a705ec020acc4e; Mon, 26 Nov 2018 23:53:53 +0000 (UTC) Subject: [PATCH v5 34/38] LSM: Infrastructure management of the task security To: James Morris , LSM , LKLM , SE Linux Cc: John Johansen , Kees Cook , Tetsuo Handa , Paul Moore , "linux-fsdevel@vger.kernel.org" , Stephen Smalley , Alexey Dobriyan , =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= , Salvatore Mesoraca References: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com> From: Casey Schaufler Message-ID: Date: Mon, 26 Nov 2018 15:53:50 -0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Content-Language: en-US Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Move management of the task_struct->security blob out of the individual security modules and into the security infrastructure. Instead of allocating the blobs from within the modules the modules tell the infrastructure how much space is required, and the space is allocated there. The only user of this blob is AppArmor. The AppArmor use is abstracted to avoid future conflict. Signed-off-by: Casey Schaufler Reviewed-by: Kees Cook [kees: adjusted for ordered init series] Signed-off-by: Kees Cook --- include/linux/lsm_hooks.h | 2 ++ security/apparmor/include/task.h | 18 +++----------- security/apparmor/lsm.c | 15 +++-------- security/security.c | 54 +++++++++++++++++++++++++++++++++++++++- 4 files changed, 62 insertions(+), 27 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 65440005ec92..243c7c6e181d 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2031,6 +2031,7 @@ struct lsm_blob_sizes { int lbs_cred; int lbs_file; int lbs_inode; + int lbs_task; }; /* @@ -2106,6 +2107,7 @@ extern int lsm_inode_alloc(struct inode *inode); #ifdef CONFIG_SECURITY void __init lsm_early_cred(struct cred *cred); +void __init lsm_early_task(struct task_struct *task); #endif #endif /* ! __LINUX_LSM_HOOKS_H */ diff --git a/security/apparmor/include/task.h b/security/apparmor/include/task.h index 55edaa1d83f8..039c1e60887a 100644 --- a/security/apparmor/include/task.h +++ b/security/apparmor/include/task.h @@ -14,7 +14,10 @@ #ifndef __AA_TASK_H #define __AA_TASK_H -#define task_ctx(X) ((X)->security) +static inline struct aa_task_ctx *task_ctx(struct task_struct *task) +{ + return task->security; +} /* * struct aa_task_ctx - information for current task label change @@ -36,17 +39,6 @@ int aa_set_current_hat(struct aa_label *label, u64 token); int aa_restore_previous_label(u64 cookie); struct aa_label *aa_get_task_label(struct task_struct *task); -/** - * aa_alloc_task_ctx - allocate a new task_ctx - * @flags: gfp flags for allocation - * - * Returns: allocated buffer or NULL on failure - */ -static inline struct aa_task_ctx *aa_alloc_task_ctx(gfp_t flags) -{ - return kzalloc(sizeof(struct aa_task_ctx), flags); -} - /** * aa_free_task_ctx - free a task_ctx * @ctx: task_ctx to free (MAYBE NULL) @@ -57,8 +49,6 @@ static inline void aa_free_task_ctx(struct aa_task_ctx *ctx) aa_put_label(ctx->nnp); aa_put_label(ctx->previous); aa_put_label(ctx->onexec); - - kzfree(ctx); } } diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 3ae8c902d740..83dc23f33a29 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -93,19 +93,14 @@ static void apparmor_task_free(struct task_struct *task) { aa_free_task_ctx(task_ctx(task)); - task_ctx(task) = NULL; } static int apparmor_task_alloc(struct task_struct *task, unsigned long clone_flags) { - struct aa_task_ctx *new = aa_alloc_task_ctx(GFP_KERNEL); - - if (!new) - return -ENOMEM; + struct aa_task_ctx *new = task_ctx(task); aa_dup_task_ctx(new, task_ctx(current)); - task_ctx(task) = new; return 0; } @@ -1156,6 +1151,7 @@ static int apparmor_inet_conn_request(struct sock *sk, struct sk_buff *skb, struct lsm_blob_sizes apparmor_blob_sizes __lsm_ro_after_init = { .lbs_cred = sizeof(struct aa_task_ctx *), .lbs_file = sizeof(struct aa_file_ctx), + .lbs_task = sizeof(struct aa_task_ctx), }; static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { @@ -1486,15 +1482,10 @@ static int param_set_mode(const char *val, const struct kernel_param *kp) static int __init set_init_ctx(void) { struct cred *cred = (struct cred *)current->real_cred; - struct aa_task_ctx *ctx; - - ctx = aa_alloc_task_ctx(GFP_KERNEL); - if (!ctx) - return -ENOMEM; lsm_early_cred(cred); + lsm_early_task(current); set_cred_label(cred, aa_get_label(ns_unconfined(root_ns))); - task_ctx(current) = ctx; return 0; } diff --git a/security/security.c b/security/security.c index 0cc48072eb3b..d3d3963d7914 100644 --- a/security/security.c +++ b/security/security.c @@ -169,6 +169,7 @@ static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed) if (needed->lbs_inode && blob_sizes.lbs_inode == 0) blob_sizes.lbs_inode = sizeof(struct rcu_head); lsm_set_blob_size(&needed->lbs_inode, &blob_sizes.lbs_inode); + lsm_set_blob_size(&needed->lbs_task, &blob_sizes.lbs_task); } /* Prepare LSM for initialization. */ @@ -292,6 +293,7 @@ static void __init ordered_lsm_init(void) init_debug("cred blob size = %d\n", blob_sizes.lbs_cred); init_debug("file blob size = %d\n", blob_sizes.lbs_file); init_debug("inode blob size = %d\n", blob_sizes.lbs_inode); + init_debug("task blob size = %d\n", blob_sizes.lbs_task); /* * Create any kmem_caches needed for blobs @@ -515,6 +517,46 @@ int lsm_inode_alloc(struct inode *inode) return 0; } +/** + * lsm_task_alloc - allocate a composite task blob + * @task: the task that needs a blob + * + * Allocate the task blob for all the modules + * + * Returns 0, or -ENOMEM if memory can't be allocated. + */ +int lsm_task_alloc(struct task_struct *task) +{ + if (blob_sizes.lbs_task == 0) { + task->security = NULL; + return 0; + } + + task->security = kzalloc(blob_sizes.lbs_task, GFP_KERNEL); + if (task->security == NULL) + return -ENOMEM; + return 0; +} + +/** + * lsm_early_task - during initialization allocate a composite task blob + * @task: the task that needs a blob + * + * Allocate the task blob for all the modules if it's not already there + */ +void __init lsm_early_task(struct task_struct *task) +{ + int rc; + + if (task == NULL) + panic("%s: task cred.\n", __func__); + if (task->security != NULL) + return; + rc = lsm_task_alloc(task); + if (rc) + panic("%s: Early task alloc failed.\n", __func__); +} + /* * Hook list operation macros. * @@ -1346,12 +1388,22 @@ int security_file_open(struct file *file) int security_task_alloc(struct task_struct *task, unsigned long clone_flags) { - return call_int_hook(task_alloc, 0, task, clone_flags); + int rc = lsm_task_alloc(task); + + if (rc) + return rc; + rc = call_int_hook(task_alloc, 0, task, clone_flags); + if (unlikely(rc)) + security_task_free(task); + return rc; } void security_task_free(struct task_struct *task) { call_void_hook(task_free, task); + + kfree(task->security); + task->security = NULL; } int security_cred_alloc_blank(struct cred *cred, gfp_t gfp) -- 2.14.5