From: Michael Weiß
To: Alexander Mikhalitsyn, Christian Brauner, Alexei Starovoitov, Paul Moore
Cc: Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Quentin Monnet, Alexander Viro, Miklos Szeredi, Amir Goldstein, "Serge E. Hallyn", bpf@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, gyroidos@aisec.fraunhofer.de, Michael Weiß
Subject: [RFC PATCH v2 09/14] lsm: Add security_inode_mknod_nscap() hook
Date: Wed, 18 Oct 2023 12:50:28 +0200
Message-Id: <20231018105033.13669-10-michael.weiss@aisec.fraunhofer.de>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20231018105033.13669-1-michael.weiss@aisec.fraunhofer.de>
References: <20231018105033.13669-1-michael.weiss@aisec.fraunhofer.de>
X-Mailing-List: linux-kernel@vger.kernel.org

Provide a new lsm hook which may be used to allow mknod in non-initial userns. If access to the device is guarded by this hook, access to mknod may be granted by checking cap mknod for unprivileged user namespaces. By default this will return -EPERM if no lsm implements the hook. A first lsm to use this will be the lately converted cgroup_device module.

Signed-off-by: Michael Weiß
---
 include/linux/lsm_hook_defs.h |  2 ++
 include/linux/security.h      |  8 ++++++++
 security/security.c           | 31 +++++++++++++++++++++++++++++++
 3 files changed, 41 insertions(+)

diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index a868982725a9..f4fa01182910 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -276,6 +276,8 @@ LSM_HOOK(int, 0, inode_setsecctx, struct dentry *dentry, void *ctx, u32 ctxlen) LSM_HOOK(int, 0, inode_getsecctx, struct inode *inode, void **ctx, u32 *ctxlen) LSM_HOOK(int, 0, dev_permission, umode_t mode, dev_t dev, int mask) +LSM_HOOK(int, -EPERM, inode_mknod_nscap, struct inode *dir, struct dentry *dentry, + umode_t mode, dev_t dev) #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE) LSM_HOOK(int, 0, post_notification, const struct cred *w_cred, 
diff --git a/include/linux/security.h b/include/linux/security.h index 8bc6ac8816c6..bad6992877f4 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -485,6 +485,8 @@ int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen); int security_locked_down(enum lockdown_reason what); int security_dev_permission(umode_t mode, dev_t dev, int mask); +int security_inode_mknod_nscap(struct inode *dir, struct dentry *dentry, + umode_t mode, dev_t dev); #else /* CONFIG_SECURITY */ static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data) @@ -1400,6 +1402,12 @@ static inline int security_dev_permission(umode_t mode, dev_t dev, int mask) { return 0; } +static inline int security_inode_mknod_nscap(struct inode *dir, + struct dentry *dentry, + umode_t mode, dev_t dev); +{ + return -EPERM; +} #endif /* CONFIG_SECURITY */ #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE) diff --git a/security/security.c b/security/security.c index 40f6787df3b1..7708374b6d7e 100644 --- a/security/security.c +++ b/security/security.c 
@@ -4034,6 +4034,37 @@ int security_dev_permission(umode_t mode, dev_t dev, int mask) } EXPORT_SYMBOL(security_dev_permission); +/** + * security_inode_mknod_nscap() - Check if device is guarded + * @dir: parent directory + * @dentry: new file + * @mode: new file mode + * @dev: device number + * + * If access to the device is guarded by this hook, access to mknod may be granted by + * checking cap mknod for unprivileged user namespaces. + * + * Return: Returns 0 on success, error on failure. + */ +int security_inode_mknod_nscap(struct inode *dir, struct dentry *dentry, + umode_t mode, dev_t dev) +{ + int thisrc; + int rc = LSM_RET_DEFAULT(inode_mknod_nscap); + struct security_hook_list *hp; + + hlist_for_each_entry(hp, &security_hook_heads.inode_mknod_nscap, list) { + thisrc = hp->hook.inode_mknod_nscap(dir, dentry, mode, dev); + if (thisrc != LSM_RET_DEFAULT(inode_mknod_nscap)) { + rc = thisrc; + if (thisrc != 0) + break; + } + } + return rc; +} +EXPORT_SYMBOL(security_inode_mknod_nscap); + #ifdef CONFIG_WATCH_QUEUE /** * security_post_notification() - Check if a watch notification can be posted -- 2.30.2
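Review bot: the new LSM_HOOK entry in lsm_hook_defs.h defaults to -EPERM while its neighbour dev_permission defaults to 0, and nothing in the header says why. Because that default is exactly what every caller gets when no LSM registers the hook, the deny-by-default choice deserves a short comment above `LSM_HOOK(int, -EPERM, inode_mknod_nscap, ...)` (or a sentence in the security.c kernel-doc) stating that a kernel without an implementing LSM must keep refusing mknod in a non-initial user namespace.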
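Review bot: the !CONFIG_SECURITY stub in security.h has a stray semicolon after its parameter list: `umode_t mode, dev_t dev);` is immediately followed by `{ return -EPERM; }`, which leaves a function declaration and then a bare block at file scope, so a build with CONFIG_SECURITY disabled will not compile. Drop the semicolon so the line reads `umode_t mode, dev_t dev)` directly before the opening brace, matching the `security_dev_permission` stub just above it in the same hunk.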
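Review bot: the kernel-doc for security_inode_mknod_nscap() in security.c does not describe the semantics the loop actually implements, and an LSM author needs them to use the hook correctly: an LSM that does not want to decide must return LSM_RET_DEFAULT(inode_mknod_nscap), i.e. -EPERM, since a 0 is taken as a grant; after one LSM grants, iteration continues and any later non-zero, non-default error overrides the grant and stops the loop; and with no LSM registered the result is -EPERM. Put that in the Return: section instead of the generic "Returns 0 on success, error on failure", and replace the summary line "Check if device is guarded" with what is being decided (whether mknod of @dev may proceed in a non-initial user namespace). Separately, the comment line "If access to the device is guarded by this hook, access to mknod may be granted by" runs past 80 columns and should be rewrapped.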