Received: by 2002:a05:6a10:6d10:0:0:0:0 with SMTP id gq16csp987116pxb; Fri, 15 Apr 2022 17:30:14 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzleuC4nWucwTtUBn5ItkLRVh0Lk8m7KGAm+JBpAOp8xIVj8udt3BLblyDIGKJ2yxn/Oj8a X-Received: by 2002:a63:f005:0:b0:3a3:ef7c:c8dd with SMTP id k5-20020a63f005000000b003a3ef7cc8ddmr815766pgh.37.1650069011552; Fri, 15 Apr 2022 17:30:11 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1650069011; cv=none; d=google.com; s=arc-20160816; b=obq9tLKwFVlaaqpA1STKVKIq7l6ALd2NM9Il8nCis0enlmchXm+zSAYVrLS2g8APdk eKSa9Dk4d7NdB58bm/eJ1HUVE/oMsUcsJf3D8sbugYGTlTmvLiRbR5egl5tUmsR30SdZ PsAwkOCmQ4DY7xqak5m4P2/k4Ru1FKUF4FsoXTSjEcWpR4tSZTrn33xBEyFAbiMEiNGl Hi5iiI8ipxa9GATujpiMBNZ6fBlL/N81YIoCMnFHI7ORTSGQXalDKOm0PJf6TVDg84RT nxmLsZp57cbgTEAFLohnBQlTDBGp7IhUXk9CeCilGoHA6xe5fv6h2W0K/K0tJtT/+iyt LNjA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=3VJ6drxV7v8cy0e3EmrY0f1OiWSC5vBe0nWMsh9nu5A=; b=RrfYVPSPA/jBjomOaLrBX8If+CGZXonJbpqiY1hOcRYEoj7jbqWeJXwkduAu9PIbxN rzCQBFxr8RgvA5nvRZTMednoxazAH6rkthyQVpYiP/ZuuJt1+w1Ka4jkybJlZve4W47F LvkKQs7FayCc0LpeKN55to1ZDqqpJEcj6NgUAC4+RsvCPjbMIWTtM8etszlMlUuSuKA8 1EYtz42FjuqZIYb1yCLR6xNnpfb1jirR1ueGNHAAK1AKk4npHP6fIlNEAbmgnYIvQ7tz sxsMNW3ltzXQkT5tVc51ucPmMhu0lph/9ROGEV/VoBIHitEjB9cE2hMfL85soVV1KLVs CCxQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@yahoo.com header.s=s2048 header.b=I5DNNc16; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19]) by mx.google.com with ESMTPS id v22-20020a636116000000b003a3ef7cc8d4si614381pgb.829.2022.04.15.17.30.11 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 15 Apr 2022 17:30:11 -0700 (PDT) Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19; Authentication-Results: mx.google.com; dkim=pass header.i=@yahoo.com header.s=s2048 header.b=I5DNNc16; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 1B344F1AD9; Fri, 15 Apr 2022 17:27:29 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1354983AbiDOV1l (ORCPT + 99 others); Fri, 15 Apr 2022 17:27:41 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46060 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345333AbiDOV0u (ORCPT ); Fri, 15 Apr 2022 17:26:50 -0400 Received: from sonic311-30.consmr.mail.ne1.yahoo.com (sonic311-30.consmr.mail.ne1.yahoo.com [66.163.188.211]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E210AE4397 for ; Fri, 15 Apr 2022 14:23:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1650057791; bh=3VJ6drxV7v8cy0e3EmrY0f1OiWSC5vBe0nWMsh9nu5A=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=I5DNNc160wlbPDRoUppqbEWS2d/N3j9JfdS6ddVqObzNHnR0qAopl4HT5apX/AppU81bksciPa3lp2ahQaF0RwbRzDjZNR9IAtkJglkDl25oLXCdQxsN42TkZTZG6z+BYEVvhAeARKL7/yVN3O296zSyJJZzfoPCGMLgiu7vju/lKOqB01+GAi3rgWEeE2BbhXfj268ReKfMDt5qnQnaa4A4dSZtRuEXRflopX/WuW7JmB5iAb5kM3kaAIKqzBkuGiQzA64k5kAPxofIr8zwemvHByt/FM61qJIfTpc3niETCMHKYhFUyPSncNPckmTdYbn9K5LnK49L3B1D6QMmgA== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1650057791; bh=0/tLYVcaw9cBsh6+2RMUm9tqnYiwPHeXc+UNP0lVriW=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=dH/HNCHk2qs5lwS/Q0CLheATr8B7OOogTiE1TGT0IXiGyNe16skeEo90Ryx39dsFm3AaPQPuCGGr07hbluPCPYWFT/SsEu05CTrcrLKRsLJ6kyqPkFi2006FRWWD4fYsHxYAB8IIOUE/qYIO5kOzP1WJY3aCJQptvcUoaRpGEqr3sQzbavAQlZ6n+oSzy8byLV93D460h80Bb2oFvMGtPpsiWd1v2Hf1/oQM0r86XSK8jzyAANZNDV9TzwySdOjbFBPjH2CpBV/e58e/orp5S14KoSJ4bcM2zAmIUHFywyNwrSHwWjlNjkhzq3/L2JrkGxgzKezJlRwMtVPrcNOtww== X-YMail-OSG: Drz2N34VM1lPc6LxkAzxwvkkfGk4rVQ3Kz1Ds30CCdmWG.8TLq3iMIvWJhSPFN7 VFM1UWGV69mlBpDX6BXfjESjFILOqyZJOcEaIndgjTvr5rDD0.goODdNXAwEYlyYXaaVT4yI.mtI 9apcW_w171ff47fsHrZATDFjiKKNE9keEDs0rcDLc.4O3QOK1Z1HzPDL8R0dN2qZ3upp.2skYxCg sgebMTP6GSlW6Lo0PP80Z48IeBm5n6Q5kaxdJlO7j5KflZanNswFmI4No0.0GmvUHytIWusK.02N dK6emeqJ2sTV3TxZ1D2YMUzszh5bCQZOdIl0tajFShnuHGmEjGGqFV_eVkUbnYFL2hHQTikzAjUZ nAWE0LFXAR5WrikRL._QN6sMh0O1Uu655kDewKYTrKtIBWPEHJGJnmH1nhteSu1ZvGe7_IRMNdj1 QxfQdmNT3qiS4LgYccD9ttIwJOijSVjrMiym4tTMEmbDo8UhiWJ8uUY8I8Ts_ZCaIr7bDqs9rKQ1 Fv7tZmsErQy7PHDlFuRtpVttqUYEmzQOVX47mKdMPpQDisPrX351C5_p8GqDn44jA12DFvkoKN5B 0mQu2aNFr_bun20v4i90CwVuqkW8XjYQhMfoAR_WGtGEKrsF.nIwzyFcfQFg27.rkfN2yLfCWQkU RVnCDNmQDfQn_8P2ZDoKO2Y.EgxRk9RhdOOt3kfE4bgugbAXpMqVC6Hz3SjnWVHn6PHwc2gNnDCF NW.X57umHxRIbFqIVbEti3Au9.8blCzlcv7emqRutZ5.HQ8r7MX1LwEOZ5s8eU9UCB9X7M1RfcVU x_44oer8OXXDdtsK1uaqGf5HBbWAEnePCuVVsNMrsxN3HjdRjANlCuKnddwNK.qIEQYS2AHrkU4r HZsp6UpHgKVutw05Am60TWSV8Um4fVDOpCyfub87K4k0B3iGdGoIbdsGI0Gakor4X.ENg3sTLhf5 hbspfhI2QVUdBTojd5PPsPC9Svc2F3j49vhh6vT._eyO.IQgr5T4fAtJTWxs9WA8D5.txMXEn7EI FEqgjLhLXwNCI38F2yHFdB.TEGEWi8_z5mgO3Ef502ZCBwmyxPPOCKgrWB6d44QbxbVSq3UAfCqq Tlt9VLRY.exd1JcNIrTDf.5aBGOvYFCBo1_K0kL6OGigrp64s44sXDFWIAlxftRB9Zy54YtzQqZy PeN52sZgG1AM_LawBx80sLpCCEx5bS49x3kP8QX497L_jimK2N5Tcojg8xQM.lOgKtZQzko1hJPe LuNcUuZcpjfPC1JCqLO.CTCFechMENe_ZzRBwolmlrss3vb1Bb1C3FWCW4ILcYKDxdKp.kEb0a7O sDie.cwe4nP6eQhNPHAb9ssMTLt1iIo59kGYKWO0_bj4Y2XaTdVsOHefPmQfuLUswIsoZjbxDOqy eoRB_nsQ5JiRFiYUu8Cxa643E6BmrAr5ytkCgjnqqZ6pNs43XEyD_SlLZKioTCKlTSQTRR4Jh5W. 757pUrvwAfprBVHKGD1.x4ftYn9STyGzhmvBwp8dCK8yLqTQ3YvCj_MS55ngIwRXaUaYxQ4to9Y. yJShHFYw2nRI0J1eR2duAanvmT8bY3dQAISrC0b5V1yIH1pHEd0IQFRaGhT8RH43p8tNkfxsUCtM xftNcZWN5YeLUwJ5.vz88h9d.7e_kYoOzAOiaZvkI5VGJHTT1h6ejHhHEFVbGWkFZjzr5byTnLsW .l39ubL8NaeggNklYlJDDnYIGK1S3sBDpDBIotugGyWgNQcXt45Iug3vY3JhVQDRX0jehvFteO45 A8f9a6raJ7EvYH702TTyCcAwBlRqQMKQhYmyqzPQjKnS5cxC.e2zj1t_yd8ZWKNkxsXY3WgfB6am PYKv73Qh1L3VcTW2nXtTEHglgNt9YARDbc2Qm_vI0lddkFRqxhLtScXUTVIuKUmSVu2JrALhQ6S5 A6CseMhRBRPy_TuaJcE2sGt5S2uk595j3yZjfeMaD28HjmM0YYlWT1vrfeWgrot_9DwJ7eeGQbmP fRUmUHkI7evgVIjpl_KVqodNezr2sVrhWhY5u5AGjZwKLioLpe4rbM4h_ov6JTw0IwKKqEf2mdxc 3JC7cStZZJqrbysF_OVboATjtdHLMzI86RnJqx3J5y6JJUe6VfR_HfFKADKL_1Uy19NwqI40Fx_6 kNQcZYDRyykkb1TbyQc7bqWlQK2Huic0a0gXdC_PFdaZun8aXNhFasL7PnyF._ImspOVJtgsUj49 59HpEVPQU7S53Gxh1Ai451MiXMZh35IiBypIOGk4XhpSKzOq8APD9.YABxmGi1uf8_hHyZhvaXmV w1w2L6UmQkeYn2jDx8wEfDFhb X-Sonic-MF: Received: from sonic.gate.mail.ne1.yahoo.com by sonic311.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Apr 2022 21:23:11 +0000 Received: by hermes--canary-production-ne1-c7c4f6977-9gvrn (VZM Hermes SMTP Server) with ESMTPA ID 0aa251bda2fc204a3bc01b852774ce09; Fri, 15 Apr 2022 21:23:07 +0000 (UTC) From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org Subject: [PATCH v34 09/29] LSM: Use lsmblob in security_secid_to_secctx Date: Fri, 15 Apr 2022 14:17:41 -0700 Message-Id: <20220415211801.12667-10-casey@schaufler-ca.com> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220415211801.12667-1-casey@schaufler-ca.com> References: <20220415211801.12667-1-casey@schaufler-ca.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RDNS_NONE, SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Change security_secid_to_secctx() to take a lsmblob as input instead of a u32 secid. It will then call the LSM hooks using the lsmblob element allocated for that module. The callers have been updated as well. This allows for the possibility that more than one module may be called upon to translate a secid to a string, as can occur in the audit code. Acked-by: Paul Moore Reviewed-by: Kees Cook Signed-off-by: Casey Schaufler Cc: netdev@vger.kernel.org Cc: linux-audit@redhat.com Cc: netfilter-devel@vger.kernel.org To: Pablo Neira Ayuso --- drivers/android/binder.c | 12 +++++++++- include/linux/security.h | 5 +++-- include/net/scm.h | 7 +++++- kernel/audit.c | 21 +++++++++++++++-- kernel/auditsc.c | 27 ++++++++++++++++++---- net/ipv4/ip_sockglue.c | 4 +++- net/netfilter/nf_conntrack_netlink.c | 14 ++++++++++-- net/netfilter/nf_conntrack_standalone.c | 4 +++- net/netfilter/nfnetlink_queue.c | 11 +++++++-- net/netlabel/netlabel_unlabeled.c | 30 +++++++++++++++++++++---- net/netlabel/netlabel_user.c | 6 ++--- security/security.c | 11 +++++---- 12 files changed, 123 insertions(+), 29 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 8351c5638880..381a4fddd4a5 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -2981,10 +2981,20 @@ static void binder_transaction(struct binder_proc *proc, if (target_node && target_node->txn_security_ctx) { u32 secid; + struct lsmblob blob; size_t added_size; security_cred_getsecid(proc->cred, &secid); - ret = security_secid_to_secctx(secid, &secctx, &secctx_sz); + /* + * Later in this patch set security_task_getsecid() will + * provide a lsmblob instead of a secid. lsmblob_init + * is used to ensure that all the secids in the lsmblob + * get the value returned from security_task_getsecid(), + * which means that the one expected by + * security_secid_to_secctx() will be set. + */ + lsmblob_init(&blob, secid); + ret = security_secid_to_secctx(&blob, &secctx, &secctx_sz); if (ret) { return_error = BR_FAILED_REPLY; return_error_param = ret; diff --git a/include/linux/security.h b/include/linux/security.h index 310edbdaa14f..4f940ef06e51 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -549,7 +549,7 @@ int security_setprocattr(const char *lsm, const char *name, void *value, size_t size); int security_netlink_send(struct sock *sk, struct sk_buff *skb); int security_ismaclabel(const char *name); -int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen); +int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen); int security_secctx_to_secid(const char *secdata, u32 seclen, struct lsmblob *blob); void security_release_secctx(char *secdata, u32 seclen); @@ -1399,7 +1399,8 @@ static inline int security_ismaclabel(const char *name) return 0; } -static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) +static inline int security_secid_to_secctx(struct lsmblob *blob, + char **secdata, u32 *seclen) { return -EOPNOTSUPP; } diff --git a/include/net/scm.h b/include/net/scm.h index 1ce365f4c256..23a35ff1b3f2 100644 --- a/include/net/scm.h +++ b/include/net/scm.h @@ -92,12 +92,17 @@ static __inline__ int scm_send(struct socket *sock, struct msghdr *msg, #ifdef CONFIG_SECURITY_NETWORK static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm) { + struct lsmblob lb; char *secdata; u32 seclen; int err; if (test_bit(SOCK_PASSSEC, &sock->flags)) { - err = security_secid_to_secctx(scm->secid, &secdata, &seclen); + /* There can only be one security module using the secid, + * and the infrastructure will know which it is. + */ + lsmblob_init(&lb, scm->secid); + err = security_secid_to_secctx(&lb, &secdata, &seclen); if (!err) { put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata); diff --git a/kernel/audit.c b/kernel/audit.c index 7690c29d4ee4..2acf95cf9895 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1464,7 +1464,16 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) case AUDIT_SIGNAL_INFO: len = 0; if (audit_sig_sid) { - err = security_secid_to_secctx(audit_sig_sid, &ctx, &len); + struct lsmblob blob; + + /* + * lsmblob_init sets all values in the lsmblob + * to audit_sig_sid. This is temporary until + * audit_sig_sid is converted to a lsmblob, which + * happens later in this patch set. + */ + lsmblob_init(&blob, audit_sig_sid); + err = security_secid_to_secctx(&blob, &ctx, &len); if (err) return err; } @@ -2170,12 +2179,20 @@ int audit_log_task_context(struct audit_buffer *ab) unsigned len; int error; u32 sid; + struct lsmblob blob; security_current_getsecid_subj(&sid); if (!sid) return 0; - error = security_secid_to_secctx(sid, &ctx, &len); + /* + * lsmblob_init sets all values in the lsmblob to sid. + * This is temporary until security_task_getsecid is converted + * to use a lsmblob, which happens later in this patch set. + */ + lsmblob_init(&blob, sid); + error = security_secid_to_secctx(&blob, &ctx, &len); + if (error) { if (error != -EINVAL) goto error_path; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index a9d5bfa37cb3..10b9dc253555 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -679,6 +679,13 @@ static int audit_filter_rules(struct task_struct *tsk, security_current_getsecid_subj(&sid); need_sid = 0; } + /* + * lsmblob_init sets all values in the lsmblob + * to sid. This is temporary until + * security_task_getsecid() is converted to + * provide a lsmblob, which happens later in + * this patch set. + */ lsmblob_init(&blob, sid); result = security_audit_rule_match(&blob, f->type, f->op, @@ -695,6 +702,13 @@ static int audit_filter_rules(struct task_struct *tsk, if (f->lsm_str) { /* Find files that match */ if (name) { + /* + * lsmblob_init sets all values in the + * lsmblob to sid. This is temporary + * until name->osid is converted to a + * lsmblob, which happens later in + * this patch set. + */ lsmblob_init(&blob, name->osid); result = security_audit_rule_match( &blob, @@ -1118,6 +1132,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, char *ctx = NULL; u32 len; int rc = 0; + struct lsmblob blob; ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); if (!ab) @@ -1127,7 +1142,8 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, from_kuid(&init_user_ns, auid), from_kuid(&init_user_ns, uid), sessionid); if (sid) { - if (security_secid_to_secctx(sid, &ctx, &len)) { + lsmblob_init(&blob, sid); + if (security_secid_to_secctx(&blob, &ctx, &len)) { audit_log_format(ab, " obj=(none)"); rc = 1; } else { @@ -1418,8 +1434,10 @@ static void show_special(struct audit_context *context, int *call_panic) if (osid) { char *ctx = NULL; u32 len; + struct lsmblob blob; - if (security_secid_to_secctx(osid, &ctx, &len)) { + lsmblob_init(&blob, osid); + if (security_secid_to_secctx(&blob, &ctx, &len)) { audit_log_format(ab, " osid=%u", osid); *call_panic = 1; } else { @@ -1585,9 +1603,10 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, if (n->osid != 0) { char *ctx = NULL; u32 len; + struct lsmblob blob; - if (security_secid_to_secctx( - n->osid, &ctx, &len)) { + lsmblob_init(&blob, n->osid); + if (security_secid_to_secctx(&blob, &ctx, &len)) { audit_log_format(ab, " osid=%u", n->osid); if (call_panic) *call_panic = 2; diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index 445a9ecaefa1..933a8f94f93a 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c @@ -130,6 +130,7 @@ static void ip_cmsg_recv_checksum(struct msghdr *msg, struct sk_buff *skb, static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) { + struct lsmblob lb; char *secdata; u32 seclen, secid; int err; @@ -138,7 +139,8 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) if (err) return; - err = security_secid_to_secctx(secid, &secdata, &seclen); + lsmblob_init(&lb, secid); + err = security_secid_to_secctx(&lb, &secdata, &seclen); if (err) return; diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 1ea2ad732d57..a28e275981d4 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -347,8 +347,13 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) struct nlattr *nest_secctx; int len, ret; char *secctx; + struct lsmblob blob; - ret = security_secid_to_secctx(ct->secmark, &secctx, &len); + /* lsmblob_init() puts ct->secmark into all of the secids in blob. + * security_secid_to_secctx() will know which security module + * to use to create the secctx. */ + lsmblob_init(&blob, ct->secmark); + ret = security_secid_to_secctx(&blob, &secctx, &len); if (ret) return 0; @@ -656,8 +661,13 @@ static inline int ctnetlink_secctx_size(const struct nf_conn *ct) { #ifdef CONFIG_NF_CONNTRACK_SECMARK int len, ret; + struct lsmblob blob; - ret = security_secid_to_secctx(ct->secmark, NULL, &len); + /* lsmblob_init() puts ct->secmark into all of the secids in blob. + * security_secid_to_secctx() will know which security module + * to use to create the secctx. */ + lsmblob_init(&blob, ct->secmark); + ret = security_secid_to_secctx(&blob, NULL, &len); if (ret) return 0; diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index 3e1afd10a9b6..bba3a66f5636 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c @@ -178,8 +178,10 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) int ret; u32 len; char *secctx; + struct lsmblob blob; - ret = security_secid_to_secctx(ct->secmark, &secctx, &len); + lsmblob_init(&blob, ct->secmark); + ret = security_secid_to_secctx(&blob, &secctx, &len); if (ret) return; diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index a364f8e5e698..6269fe122345 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c @@ -305,13 +305,20 @@ static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata) { u32 seclen = 0; #if IS_ENABLED(CONFIG_NETWORK_SECMARK) + struct lsmblob blob; + if (!skb || !sk_fullsock(skb->sk)) return 0; read_lock_bh(&skb->sk->sk_callback_lock); - if (skb->secmark) - security_secid_to_secctx(skb->secmark, secdata, &seclen); + if (skb->secmark) { + /* lsmblob_init() puts ct->secmark into all of the secids in + * blob. security_secid_to_secctx() will know which security + * module to use to create the secctx. */ + lsmblob_init(&blob, skb->secmark); + security_secid_to_secctx(&blob, secdata, &seclen); + } read_unlock_bh(&skb->sk->sk_callback_lock); #endif diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index f3e2cde76919..0a99663e6edb 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -376,6 +376,7 @@ int netlbl_unlhsh_add(struct net *net, struct audit_buffer *audit_buf = NULL; char *secctx = NULL; u32 secctx_len; + struct lsmblob blob; if (addr_len != sizeof(struct in_addr) && addr_len != sizeof(struct in6_addr)) @@ -438,7 +439,11 @@ int netlbl_unlhsh_add(struct net *net, unlhsh_add_return: rcu_read_unlock(); if (audit_buf != NULL) { - if (security_secid_to_secctx(secid, + /* lsmblob_init() puts secid into all of the secids in blob. + * security_secid_to_secctx() will know which security module + * to use to create the secctx. */ + lsmblob_init(&blob, secid); + if (security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); @@ -475,6 +480,7 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, struct net_device *dev; char *secctx; u32 secctx_len; + struct lsmblob blob; spin_lock(&netlbl_unlhsh_lock); list_entry = netlbl_af4list_remove(addr->s_addr, mask->s_addr, @@ -493,8 +499,13 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, (dev != NULL ? dev->name : NULL), addr->s_addr, mask->s_addr); dev_put(dev); + /* lsmblob_init() puts entry->secid into all of the secids + * in blob. security_secid_to_secctx() will know which + * security module to use to create the secctx. */ + if (entry != NULL) + lsmblob_init(&blob, entry->secid); if (entry != NULL && - security_secid_to_secctx(entry->secid, + security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); security_release_secctx(secctx, secctx_len); @@ -536,6 +547,7 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, struct net_device *dev; char *secctx; u32 secctx_len; + struct lsmblob blob; spin_lock(&netlbl_unlhsh_lock); list_entry = netlbl_af6list_remove(addr, mask, &iface->addr6_list); @@ -553,8 +565,13 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, (dev != NULL ? dev->name : NULL), addr, mask); dev_put(dev); + /* lsmblob_init() puts entry->secid into all of the secids + * in blob. security_secid_to_secctx() will know which + * security module to use to create the secctx. */ + if (entry != NULL) + lsmblob_init(&blob, entry->secid); if (entry != NULL && - security_secid_to_secctx(entry->secid, + security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); security_release_secctx(secctx, secctx_len); @@ -1080,6 +1097,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, u32 secid; char *secctx; u32 secctx_len; + struct lsmblob blob; data = genlmsg_put(cb_arg->skb, NETLINK_CB(cb_arg->nl_cb->skb).portid, cb_arg->seq, &netlbl_unlabel_gnl_family, @@ -1134,7 +1152,11 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, secid = addr6->secid; } - ret_val = security_secid_to_secctx(secid, &secctx, &secctx_len); + /* lsmblob_init() secid into all of the secids in blob. + * security_secid_to_secctx() will know which security module + * to use to create the secctx. */ + lsmblob_init(&blob, secid); + ret_val = security_secid_to_secctx(&blob, &secctx, &secctx_len); if (ret_val != 0) goto list_cb_failure; ret_val = nla_put(cb_arg->skb, diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index 3ed4fea2a2de..893301ae0131 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c @@ -86,6 +86,7 @@ struct audit_buffer *netlbl_audit_start_common(int type, struct audit_buffer *audit_buf; char *secctx; u32 secctx_len; + struct lsmblob blob; if (audit_enabled == AUDIT_OFF) return NULL; @@ -98,10 +99,9 @@ struct audit_buffer *netlbl_audit_start_common(int type, from_kuid(&init_user_ns, audit_info->loginuid), audit_info->sessionid); + lsmblob_init(&blob, audit_info->secid); if (audit_info->secid != 0 && - security_secid_to_secctx(audit_info->secid, - &secctx, - &secctx_len) == 0) { + security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " subj=%s", secctx); security_release_secctx(secctx, secctx_len); } diff --git a/security/security.c b/security/security.c index f814a41c5d9f..6e6e44213d80 100644 --- a/security/security.c +++ b/security/security.c @@ -2192,17 +2192,16 @@ int security_ismaclabel(const char *name) } EXPORT_SYMBOL(security_ismaclabel); -int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) +int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen) { struct security_hook_list *hp; int rc; - /* - * Currently, only one LSM can implement secid_to_secctx (i.e this - * LSM hook is not "stackable"). - */ hlist_for_each_entry(hp, &security_hook_heads.secid_to_secctx, list) { - rc = hp->hook.secid_to_secctx(secid, secdata, seclen); + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + continue; + rc = hp->hook.secid_to_secctx(blob->secid[hp->lsmid->slot], + secdata, seclen); if (rc != LSM_RET_DEFAULT(secid_to_secctx)) return rc; } -- 2.35.1