Received: by 2002:a05:6358:16cc:b0:ea:6187:17c9 with SMTP id r12csp7050789rwl; Mon, 9 Jan 2023 17:15:23 -0800 (PST) X-Google-Smtp-Source: AMrXdXvAeIBz0pgsaSUfSWjyFXRT9+E46J80WKykg5oDma651FK3tfdLVoQBisv01sHXXypL16+V X-Received: by 2002:a17:90a:fb4b:b0:225:e99e:e37d with SMTP id iq11-20020a17090afb4b00b00225e99ee37dmr54715671pjb.40.1673313323374; Mon, 09 Jan 2023 17:15:23 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1673313323; cv=none; d=google.com; s=arc-20160816; b=biNgSlF3yaUWG0t1P/Kd4Bpcs40m0An11kTROxXKnWD5k0HCikFzGPuAUKXX8hq9ai bUXWDxqzi7YCpaeROZHWjeYpw4vErvM1EzG9hn/jrFaqysjqNznSFG6pjIOZZQ5Cd/S3 j3sssFguJFjzFGyIijWKyGE4ISXYdpOOZg9P+xsDzsM52TABYQBbHvAXnRuw1IBSz+fM 4GtTS7kzdKB9XlpE+gr4zFtI3i3XkG+irzqiRaA0wevBxD9noJ0L0lEZN1EvpCBCPU8y 9O3EP5nVHmVJFdmv261qPwp6ntQA3AEh9GbOF8O0sc9ya0X4dpl3d+S2vZIzpCcMRqZC o3xQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=n0APB/zykDxbiH2tuTIX9EMGYkGcv+YfvyuAJpMFuhY=; b=wgsFc6p6QGL4+g6tziy0sp/7WJ3jKA1hHU0a6GiohgKLdkqCpyrfdpevotCAApp+9V EJ+onYpMWscu2yJI5UX+8QAQ+/X6djB/dWP4JvM2hexQvp/3gJLzHHR3Sp+UUwpmpua0 VHATvwhn5jWlyMoCpNbUx93YTWbhZ33u5/dQfmn3+9vOWj6J2i0v5eVds1hLfcQQhqqn L/daG2v18uWi6kQzAjjwo2K32RZg0pRdUdEDbWyIS0SzyGSac1ngIc1utzZK9w1KVPEI +EBSyEdeYhUEqRPPZHlkaDvRdRUp3l4QNHnlx3SDAZ2nBsNpVHWNRTX5T/5BRDu4q21X 1IwA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=WVc0BDUp; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id mv11-20020a17090b198b00b00219f068d241si10055517pjb.130.2023.01.09.17.15.17; Mon, 09 Jan 2023 17:15:23 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=WVc0BDUp; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235424AbjAJAcJ (ORCPT + 53 others); Mon, 9 Jan 2023 19:32:09 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60044 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238122AbjAJAbC (ORCPT ); Mon, 9 Jan 2023 19:31:02 -0500 Received: from mail-yw1-x112f.google.com (mail-yw1-x112f.google.com [IPv6:2607:f8b0:4864:20::112f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6753D1102 for ; Mon, 9 Jan 2023 16:30:58 -0800 (PST) Received: by mail-yw1-x112f.google.com with SMTP id 00721157ae682-4b6255ce5baso134700117b3.11 for ; Mon, 09 Jan 2023 16:30:58 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=n0APB/zykDxbiH2tuTIX9EMGYkGcv+YfvyuAJpMFuhY=; b=WVc0BDUp9SVjJ6q3wUC++WI7N/Tni/g/aXwHGXr1MeeP1qPk+en2yOArUr266ynZlE mUxsVueCV5uMPXe6uFIOwA+TS/oyDRyjo5ZnsAT1iyfnHo24A3u2q9vW5T4cjdkER9Zt jGxqEbCN4ejClYW8kPalGpueAsZNsSV0UzGqgSh2TkcP2Ty2IF1dAZ0W92oRCMq1lYag X5a/nCVa7ADbfMhkqWMdrq5ws9wES8sTC7spB9bA2oGMMCBMG6qGivxlYkglqjo1G6Hv CJLIVbFNkJTj+P4NM4JqfjV68njgS8HNAHab1qES/we2jiazHOZfjSJUjmRYWWGQUBgN Ikcw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=n0APB/zykDxbiH2tuTIX9EMGYkGcv+YfvyuAJpMFuhY=; b=zUI+ct+nnqbu0C3wLOKPei/6W0GMdm607Ezxvcfm6i7qqKUhrhb8+WbKARw/b0gLs/ 5oeglDM8YmZoRzeHAPYYSu71HQdVSDxg0UZNYNrZCkN5FdCciW8mROPbFYQ8KLIEAwmv hh2ozk/7DJFfsuA2+HepfArWnFesrH3lBm8JzdOqGLB7MpQBqwAuJj1S5BU1VwOokPi3 JzvAIBfCI0/PVKszEzWPwp6Bwz9m/icUF/K62Iqvu/eeQtqonv+Q1RWFH9DPq6dL45rw 7L6MKbRUmB6PGMtu0ylowRf9PfEnR6s9OxidLA+vvuiqgDoR0tX+LoimwiX6djbEB6Rc 2hsQ== X-Gm-Message-State: AFqh2kr9tCpTxvMtlGzMN8rtZV/TxxnqurKiDn1PLPnqAOsvcRw27DBF rv+8KHMOU/SBzEync8p0eEf7logbUCi2X7upThZ7wQ== X-Received: by 2002:a05:690c:688:b0:4ab:cd28:a5e2 with SMTP id bp8-20020a05690c068800b004abcd28a5e2mr3509792ywb.234.1673310657407; Mon, 09 Jan 2023 16:30:57 -0800 (PST) MIME-Version: 1.0 References: <20230109213809.418135-1-tjmercier@google.com> <20230109213809.418135-5-tjmercier@google.com> <7e1610e7-c131-e162-be47-8983be7d9aec@schaufler-ca.com> In-Reply-To: <7e1610e7-c131-e162-be47-8983be7d9aec@schaufler-ca.com> From: "T.J. Mercier" Date: Mon, 9 Jan 2023 16:30:46 -0800 Message-ID: Subject: Re: [PATCH 4/4] security: binder: Add transfer_charge SElinux hook To: Casey Schaufler Cc: Greg Kroah-Hartman , =?UTF-8?B?QXJ2ZSBIasO4bm5ldsOlZw==?= , Todd Kjos , Martijn Coenen , Joel Fernandes , Christian Brauner , Carlos Llamas , Suren Baghdasaryan , Paul Moore , James Morris , "Serge E. Hallyn" , Stephen Smalley , Eric Paris , hannes@cmpxchg.org, daniel.vetter@ffwll.ch, android-mm@google.com, jstultz@google.com, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, Jeffrey Vander Stoep Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Jan 9, 2023 at 2:28 PM Casey Schaufler wrote: > > On 1/9/2023 1:38 PM, T.J. Mercier wrote: > > Any process can cause a memory charge transfer to occur to any other > > process when transmitting a file descriptor through binder. This should > > only be possible for central allocator processes, > > How is a "central allocator process" identified? Any process with the transfer_charge permission. On Android this is the graphics allocator HAL which would have this added to its policy. > If I have a LSM that > is not SELinux (e.g. AppArmor, Smack) or no LSM at all, how can/should this > be enforced? Sorry, why would you be expecting enforcement with no LSM? Are you suggesting that this check should be different than the ones that already exist for Binder here? https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/linux/lsm_hook_defs.h#n29 > Why isn't binder enforcing this restriction itself? Binder has no direct knowledge of which process has been designated as an allocator / charge transferrer. That is defined externally by whoever configures the system. > > so a new SELinux > > permission is added to restrict which processes are allowed to initiate > > these charge transfers. > > Which is all perfectly reasonable if you have SELinux. > > > > > Signed-off-by: T.J. Mercier > > --- > > drivers/android/binder.c | 5 +++++ > > include/linux/lsm_hook_defs.h | 2 ++ > > include/linux/lsm_hooks.h | 6 ++++++ > > include/linux/security.h | 2 ++ > > security/security.c | 6 ++++++ > > security/selinux/hooks.c | 9 +++++++++ > > security/selinux/include/classmap.h | 2 +- > > 7 files changed, 31 insertions(+), 1 deletion(-) > > > > diff --git a/drivers/android/binder.c b/drivers/android/binder.c > > index 9830848c8d25..9063db04826d 100644 > > --- a/drivers/android/binder.c > > +++ b/drivers/android/binder.c > > @@ -2279,6 +2279,11 @@ static int binder_translate_fd(u32 fd, binder_size_t fd_offset, __u32 flags, > > if (IS_ENABLED(CONFIG_MEMCG) && (flags & BINDER_FD_FLAG_XFER_CHARGE)) { > > struct dma_buf *dmabuf; > > > > + if (security_binder_transfer_charge(proc->cred, target_proc->cred)) { > > + ret = -EPERM; > > + goto err_security; > > + } > > + > > if (unlikely(!is_dma_buf_file(file))) { > > binder_user_error( > > "%d:%d got transaction with XFER_CHARGE for non-dmabuf fd, %d\n", > > diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h > > index ed6cb2ac55fa..8db2a958557e 100644 > > --- a/include/linux/lsm_hook_defs.h > > +++ b/include/linux/lsm_hook_defs.h > > @@ -33,6 +33,8 @@ LSM_HOOK(int, 0, binder_transfer_binder, const struct cred *from, > > const struct cred *to) > > LSM_HOOK(int, 0, binder_transfer_file, const struct cred *from, > > const struct cred *to, struct file *file) > > +LSM_HOOK(int, 0, binder_transfer_charge, const struct cred *from, > > + const struct cred *to) > > LSM_HOOK(int, 0, ptrace_access_check, struct task_struct *child, > > unsigned int mode) > > LSM_HOOK(int, 0, ptrace_traceme, struct task_struct *parent) > > diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h > > index 0a5ba81f7367..39c40c7bf519 100644 > > --- a/include/linux/lsm_hooks.h > > +++ b/include/linux/lsm_hooks.h > > @@ -1385,6 +1385,12 @@ > > * @file contains the struct file being transferred. > > * @to contains the struct cred for the receiving process. > > * Return 0 if permission is granted. > > + * @binder_transfer_charge: > > + * Check whether @from is allowed to transfer the memory charge for a > > + * buffer out of its cgroup to @to. > > + * @from contains the struct cred for the sending process. > > + * @to contains the struct cred for the receiving process. > > + * Return 0 if permission is granted. > > * > > * @ptrace_access_check: > > * Check permission before allowing the current process to trace the > > diff --git a/include/linux/security.h b/include/linux/security.h > > index 5b67f208f7de..3b7472308430 100644 > > --- a/include/linux/security.h > > +++ b/include/linux/security.h > > @@ -270,6 +270,8 @@ int security_binder_transfer_binder(const struct cred *from, > > const struct cred *to); > > int security_binder_transfer_file(const struct cred *from, > > const struct cred *to, struct file *file); > > +int security_binder_transfer_charge(const struct cred *from, > > + const struct cred *to); > > int security_ptrace_access_check(struct task_struct *child, unsigned int mode); > > int security_ptrace_traceme(struct task_struct *parent); > > int security_capget(struct task_struct *target, > > diff --git a/security/security.c b/security/security.c > > index d1571900a8c7..97e1e74d1ff2 100644 > > --- a/security/security.c > > +++ b/security/security.c > > @@ -801,6 +801,12 @@ int security_binder_transfer_file(const struct cred *from, > > return call_int_hook(binder_transfer_file, 0, from, to, file); > > } > > > > +int security_binder_transfer_charge(const struct cred *from, > > + const struct cred *to) > > +{ > > + return call_int_hook(binder_transfer_charge, 0, from, to); > > +} > > + > > int security_ptrace_access_check(struct task_struct *child, unsigned int mode) > > { > > return call_int_hook(ptrace_access_check, 0, child, mode); > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > > index 3c5be76a9199..823ef14924bd 100644 > > --- a/security/selinux/hooks.c > > +++ b/security/selinux/hooks.c > > @@ -2066,6 +2066,14 @@ static int selinux_binder_transfer_file(const struct cred *from, > > &ad); > > } > > > > +static int selinux_binder_transfer_charge(const struct cred *from, const struct cred *to) > > +{ > > + return avc_has_perm(&selinux_state, > > + cred_sid(from), cred_sid(to), > > + SECCLASS_BINDER, BINDER__TRANSFER_CHARGE, > > + NULL); > > +} > > + > > static int selinux_ptrace_access_check(struct task_struct *child, > > unsigned int mode) > > { > > @@ -7052,6 +7060,7 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { > > LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction), > > LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder), > > LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file), > > + LSM_HOOK_INIT(binder_transfer_charge, selinux_binder_transfer_charge), > > > > LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check), > > LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme), > > diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h > > index a3c380775d41..2eef180d10d7 100644 > > --- a/security/selinux/include/classmap.h > > +++ b/security/selinux/include/classmap.h > > @@ -172,7 +172,7 @@ const struct security_class_mapping secclass_map[] = { > > { "tun_socket", > > { COMMON_SOCK_PERMS, "attach_queue", NULL } }, > > { "binder", { "impersonate", "call", "set_context_mgr", "transfer", > > - NULL } }, > > + "transfer_charge", NULL } }, > > { "cap_userns", > > { COMMON_CAP_PERMS, NULL } }, > > { "cap2_userns",