Received: by 2002:a05:7412:8d10:b0:f3:1519:9f41 with SMTP id bj16csp4630728rdb; Tue, 12 Dec 2023 05:18:19 -0800 (PST) X-Google-Smtp-Source: AGHT+IH32oDyWloow3ISpA8UuSN9IDrs6MVdrladPdee148M0SiYPVbkP0RyK+sQCaeEb6TN4sE6 X-Received: by 2002:a05:6a21:300d:b0:18b:558e:9e2a with SMTP id yd13-20020a056a21300d00b0018b558e9e2amr6677571pzb.12.1702387099542; Tue, 12 Dec 2023 05:18:19 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1702387099; cv=none; d=google.com; s=arc-20160816; b=Ka77C1lNUMI5nY6wjaNxc7MD3qO4O9lv28exuTM9xUJRBvzUhuFQqSGrCJjcE9lrb7 ZrXg4gJ5Vvv2R4E0Rndd96CIwxblR2JbRNZCpW74+Q3cVx4HPDr3xoZNJjZTIm4tVQ0y Ffr1DEaCQPyN37hBkqGPfrytP6qjRAVTq2eSym4LDWyHlR6dKyrgS6lBZA3bptyjaN80 QtBLWGWjWZa1GokYaO4lug60NinrBI2cMD8h2m4SwOENKUZTBEQd/PtQXCTx7rLQIhdr WzQaSbOQUjXUp3piPtxeZVnuCy8mFjXtnr5+/b5ihoD+H884vnJDRI5vWKaQ1kncc6ie Csyg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=I+u1S2AY/jEGnaBOw0WBoMATED3t5u4RyQxPWcyrfwg=; fh=LxmBIMHLWtCjcf7wsP7T1D32SQqzEfF7erhVR43RAg4=; b=bGx/prUW2AWfA7XEfm9oXTf4qzVf9noBoEZcS7Tr4kpYISK7GJdHv2aDa/QkaWQvyK OfEisjFdD5H01uhGDb1tFWzf9bVSNn70MZMGtHtE+X3nE7mBQimFQzjY7jHWNOZkrqxg 5YJnbxIuyJdJq8RhrjLq1X3X9oclVdsK8bVDwezkyAwZoLXo8gjtcPV7WlHuZss77/Wy sapsJVhy4oIyu8cDe6gcqvNBnb41eK0gNR82+qCzLhYsEy76oWI5c+GHfAvLHnq1mWw6 9w14nNAe3AVYPX8Ltw3JjTDTOYEJ2JG59puGXfgBvBs2XPK1pG1l7WrEMJ0FOFG8lKPX Qc0Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=ExqaaPmK; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:8 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from fry.vger.email (fry.vger.email. [2620:137:e000::3:8]) by mx.google.com with ESMTPS id 13-20020a63124d000000b005c6e820b5e5si7587470pgs.781.2023.12.12.05.18.19 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 12 Dec 2023 05:18:19 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:8 as permitted sender) client-ip=2620:137:e000::3:8; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=ExqaaPmK; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:8 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by fry.vger.email (Postfix) with ESMTP id 8037B80972B7; Tue, 12 Dec 2023 05:18:16 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at fry.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1376654AbjLLNSA (ORCPT + 99 others); Tue, 12 Dec 2023 08:18:00 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47636 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1376674AbjLLNRm (ORCPT ); Tue, 12 Dec 2023 08:17:42 -0500 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B33F1197 for ; Tue, 12 Dec 2023 05:17:38 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1702387057; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=I+u1S2AY/jEGnaBOw0WBoMATED3t5u4RyQxPWcyrfwg=; b=ExqaaPmKwFJ8zDuyYBjpmRwzekFmNLNvXNqA69XKUlKZLVTGRqq7gLWBUhT0wX0QqDLK4B 4wJlnBiuDJjV7O0QA5QyRpyzCaD0Xd4F3XYNO/gurZeXcy9WkQ2xy4eoG5+d/xRhD3ffb8 h733sqmxe6YmWNy4EY0PXEhjYODafw4= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-673-4GXjYFpzO-GvKEOSKHlLSA-1; Tue, 12 Dec 2023 08:17:34 -0500 X-MC-Unique: 4GXjYFpzO-GvKEOSKHlLSA-1 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 576E984A298; Tue, 12 Dec 2023 13:17:33 +0000 (UTC) Received: from max-p1.redhat.com (unknown [10.39.208.4]) by smtp.corp.redhat.com (Postfix) with ESMTP id 39C001121312; Tue, 12 Dec 2023 13:17:30 +0000 (UTC) From: Maxime Coquelin To: mst@redhat.com, jasowang@redhat.com, xuanzhuo@linux.alibaba.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, stephen.smalley.work@gmail.com, eparis@parisplace.org, xieyongji@bytedance.com, virtualization@lists.linux-foundation.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, david.marchand@redhat.com, lulu@redhat.com, casey@schaufler-ca.com Cc: Maxime Coquelin Subject: [PATCH v5 4/4] vduse: Add LSM hook to check Virtio device type Date: Tue, 12 Dec 2023 14:17:12 +0100 Message-ID: <20231212131712.1816324-5-maxime.coquelin@redhat.com> In-Reply-To: <20231212131712.1816324-1-maxime.coquelin@redhat.com> References: <20231212131712.1816324-1-maxime.coquelin@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.3 X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on fry.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (fry.vger.email [0.0.0.0]); Tue, 12 Dec 2023 05:18:16 -0800 (PST) This patch introduces a LSM hook for devices creation, destruction (ioctl()) and opening (open()) operations, checking the application is allowed to perform these operations for the Virtio device type. Signed-off-by: Maxime Coquelin --- MAINTAINERS | 1 + drivers/vdpa/vdpa_user/vduse_dev.c | 13 ++++++++++++ include/linux/lsm_hook_defs.h | 2 ++ include/linux/security.h | 6 ++++++ include/linux/vduse.h | 14 +++++++++++++ security/security.c | 15 ++++++++++++++ security/selinux/hooks.c | 32 +++++++++++++++++++++++++++++ security/selinux/include/classmap.h | 2 ++ 8 files changed, 85 insertions(+) create mode 100644 include/linux/vduse.h diff --git a/MAINTAINERS b/MAINTAINERS index a0fb0df07b43..4e83b14358d2 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -23040,6 +23040,7 @@ F: drivers/net/virtio_net.c F: drivers/vdpa/ F: drivers/virtio/ F: include/linux/vdpa.h +F: include/linux/vduse.h F: include/linux/virtio*.h F: include/linux/vringh.h F: include/uapi/linux/virtio_*.h diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c index fa62825be378..59ab7eb62e20 100644 --- a/drivers/vdpa/vdpa_user/vduse_dev.c +++ b/drivers/vdpa/vdpa_user/vduse_dev.c @@ -8,6 +8,7 @@ * */ +#include "linux/security.h" #include #include #include @@ -30,6 +31,7 @@ #include #include #include +#include #include "iova_domain.h" @@ -1442,6 +1444,10 @@ static int vduse_dev_open(struct inode *inode, struct file *file) if (dev->connected) goto unlock; + ret = -EPERM; + if (security_vduse_perm_check(VDUSE_PERM_OPEN, dev->device_id)) + goto unlock; + ret = 0; dev->connected = true; file->private_data = dev; @@ -1664,6 +1670,9 @@ static int vduse_destroy_dev(char *name) if (!dev) return -EINVAL; + if (security_vduse_perm_check(VDUSE_PERM_DESTROY, dev->device_id)) + return -EPERM; + mutex_lock(&dev->lock); if (dev->vdev || dev->connected) { mutex_unlock(&dev->lock); @@ -1828,6 +1837,10 @@ static int vduse_create_dev(struct vduse_dev_config *config, int ret; struct vduse_dev *dev; + ret = -EPERM; + if (security_vduse_perm_check(VDUSE_PERM_CREATE, config->device_id)) + goto err; + ret = -EEXIST; if (vduse_find_dev(config->name)) goto err; diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index ff217a5ce552..3930ab2ae974 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -419,3 +419,5 @@ LSM_HOOK(int, 0, uring_override_creds, const struct cred *new) LSM_HOOK(int, 0, uring_sqpoll, void) LSM_HOOK(int, 0, uring_cmd, struct io_uring_cmd *ioucmd) #endif /* CONFIG_IO_URING */ + +LSM_HOOK(int, 0, vduse_perm_check, enum vduse_op_perm op_perm, u32 device_id) diff --git a/include/linux/security.h b/include/linux/security.h index 1d1df326c881..2a2054172394 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -32,6 +32,7 @@ #include #include #include +#include struct linux_binprm; struct cred; @@ -484,6 +485,7 @@ int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen); int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen); int security_locked_down(enum lockdown_reason what); +int security_vduse_perm_check(enum vduse_op_perm op_perm, u32 device_id); #else /* CONFIG_SECURITY */ static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data) @@ -1395,6 +1397,10 @@ static inline int security_locked_down(enum lockdown_reason what) { return 0; } +static inline int security_vduse_perm_check(enum vduse_op_perm op_perm, u32 device_id) +{ + return 0; +} #endif /* CONFIG_SECURITY */ #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE) diff --git a/include/linux/vduse.h b/include/linux/vduse.h new file mode 100644 index 000000000000..7a20dcc43997 --- /dev/null +++ b/include/linux/vduse.h @@ -0,0 +1,14 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#ifndef _LINUX_VDUSE_H +#define _LINUX_VDUSE_H + +/* + * The permission required for a VDUSE device operation. + */ +enum vduse_op_perm { + VDUSE_PERM_CREATE, + VDUSE_PERM_DESTROY, + VDUSE_PERM_OPEN, +}; + +#endif /* _LINUX_VDUSE_H */ diff --git a/security/security.c b/security/security.c index dcb3e7014f9b..150abf85f97d 100644 --- a/security/security.c +++ b/security/security.c @@ -5337,3 +5337,18 @@ int security_uring_cmd(struct io_uring_cmd *ioucmd) return call_int_hook(uring_cmd, 0, ioucmd); } #endif /* CONFIG_IO_URING */ + +/** + * security_vduse_perm_check() - Check if a VDUSE device type operation is allowed + * @op_perm: the operation type + * @device_id: the Virtio device ID + * + * Check whether the Virtio device creation is allowed + * + * Return: Returns 0 if permission is granted. + */ +int security_vduse_perm_check(enum vduse_op_perm op_perm, u32 device_id) +{ + return call_int_hook(vduse_perm_check, 0, op_perm, device_id); +} +EXPORT_SYMBOL(security_vduse_perm_check); diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index feda711c6b7b..18845e4f682f 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -21,6 +21,8 @@ * Copyright (C) 2016 Mellanox Technologies */ +#include "av_permissions.h" +#include "linux/vduse.h" #include #include #include @@ -92,6 +94,7 @@ #include #include #include +#include #include "avc.h" #include "objsec.h" @@ -6950,6 +6953,34 @@ static int selinux_uring_cmd(struct io_uring_cmd *ioucmd) } #endif /* CONFIG_IO_URING */ +static int selinux_vduse_perm_check(enum vduse_op_perm op_perm, u32 device_id) +{ + u32 requested_op, requested_type, sid = current_sid(); + int ret; + + if (op_perm == VDUSE_PERM_CREATE) + requested_op = VDUSE__CREATE; + else if (op_perm == VDUSE__DESTROY) + requested_op = VDUSE__DESTROY; + else if (op_perm == VDUSE_PERM_OPEN) + requested_op = VDUSE__OPEN; + else + return -EINVAL; + + ret = avc_has_perm(sid, sid, SECCLASS_VDUSE, requested_op, NULL); + if (ret) + return ret; + + if (device_id == VIRTIO_ID_NET) + requested_type = VDUSE__NET; + else if (device_id == VIRTIO_ID_BLOCK) + requested_type = VDUSE__BLOCK; + else + return -EINVAL; + + return avc_has_perm(sid, sid, SECCLASS_VDUSE, requested_type, NULL); +} + /* * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order: * 1. any hooks that don't belong to (2.) or (3.) below, @@ -7243,6 +7274,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = { #ifdef CONFIG_PERF_EVENTS LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc), #endif + LSM_HOOK_INIT(vduse_perm_check, selinux_vduse_perm_check), }; static __init int selinux_init(void) diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h index a3c380775d41..b0a358cbac1c 100644 --- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h @@ -256,6 +256,8 @@ const struct security_class_mapping secclass_map[] = { { "override_creds", "sqpoll", "cmd", NULL } }, { "user_namespace", { "create", NULL } }, + { "vduse", + { "create", "destroy", "open", "net", "block", NULL} }, { NULL } }; -- 2.43.0