Commit b0654ca4 authored by Casey Schaufler's avatar Casey Schaufler Committed by Paul Moore

lsm: create new security_cred_getlsmprop LSM hook



Create a new LSM hook security_cred_getlsmprop() which, like
security_cred_getsecid(), fetches LSM-specific attributes from the
cred structure.  The associated data elements in the audit sub-system
are changed from a secid to an lsm_prop to accommodate multiple possible
LSM audit users.

Cc: linux-integrity@vger.kernel.org
Cc: audit@vger.kernel.org
Cc: selinux@vger.kernel.org
Signed-off-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
[PM: subj line tweak]
Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
parent e0a8dcbd
+2 −0
@@ -218,6 +218,8 @@ LSM_HOOK(int, 0, cred_prepare, struct cred *new, const struct cred *old,
LSM_HOOK(void, LSM_RET_VOID, cred_transfer, struct cred *new,
	 const struct cred *old)
LSM_HOOK(void, LSM_RET_VOID, cred_getsecid, const struct cred *c, u32 *secid)
LSM_HOOK(void, LSM_RET_VOID, cred_getlsmprop, const struct cred *c,
	 struct lsm_prop *prop)
LSM_HOOK(int, 0, kernel_act_as, struct cred *new, u32 secid)
LSM_HOOK(int, 0, kernel_create_files_as, struct cred *new, struct inode *inode)
LSM_HOOK(int, 0, kernel_module_request, char *kmod_name)
+5 −0
@@ -488,6 +488,7 @@ void security_cred_free(struct cred *cred);
int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp);
void security_transfer_creds(struct cred *new, const struct cred *old);
void security_cred_getsecid(const struct cred *c, u32 *secid);
void security_cred_getlsmprop(const struct cred *c, struct lsm_prop *prop);
int security_kernel_act_as(struct cred *new, u32 secid);
int security_kernel_create_files_as(struct cred *new, struct inode *inode);
int security_kernel_module_request(char *kmod_name);
@@ -1229,6 +1230,10 @@ static inline void security_cred_getsecid(const struct cred *c, u32 *secid)
	*secid = 0;
}

static inline void security_cred_getlsmprop(const struct cred *c,
					    struct lsm_prop *prop)
{ }

static inline int security_kernel_act_as(struct cred *cred, u32 secid)
{
	return 0;
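Review bot: The !CONFIG_SECURITY stub for security_cred_getlsmprop() in the second hunk has an empty body, so *prop is left exactly as the caller passed it, whereas the neighbouring security_cred_getsecid() stub writes `*secid = 0` and the real implementation in security.c clears the struct before running the hooks. A caller that hands in an uninitialised struct lsm_prop (the IMA hunk in this commit drops its `= { }` initialiser) would therefore consume stack garbage in a CONFIG_SECURITY=n build; IMA itself may not be buildable in that configuration, but future callers will copy the pattern from whichever helper they read first. Make the stub match the real implementation: `{ lsmprop_init(prop); }`, or `memset(prop, 0, sizeof(*prop));` if lsmprop_init() is not in scope in this part of the header. The security_kernel_act_as() stub that follows continues past the hunk.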
+2 −5
@@ -541,8 +541,7 @@ static int ima_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
static int ima_bprm_check(struct linux_binprm *bprm)
{
	int ret;
	u32 secid;
	struct lsm_prop prop = { };
	struct lsm_prop prop;

	security_current_getlsmprop_subj(&prop);
	ret = process_measurement(bprm->file, current_cred(),
@@ -550,9 +549,7 @@ static int ima_bprm_check(struct linux_binprm *bprm)
	if (ret)
		return ret;

	security_cred_getsecid(bprm->cred, &secid);
	/* scaffolding */
	prop.scaffold.secid = secid;
	security_cred_getlsmprop(bprm->cred, &prop);
	return process_measurement(bprm->file, bprm->cred, &prop, NULL, 0,
				   MAY_EXEC, CREDS_CHECK);
}
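Review bot: `struct lsm_prop prop;` in the first hunk is now uninitialised, so the CREDS_CHECK measurement is only sound because security_cred_getlsmprop() (security.c in this commit) calls lsmprop_init() before invoking the hooks, and the earlier BPRM_CHECK call is only sound if security_current_getlsmprop_subj() does the same; that helper is outside this page. Nothing at the call sites records that dependency, and the one variable is reused for two different labels (the current task's, then bprm->cred's). I would add above the declaration `/* filled by the two get*lsmprop() helpers below; each is expected to reinitialise it */`, and keep the `= { }` initialiser if security_current_getlsmprop_subj() turns out not to clear the struct. The first process_measurement() call continues beyond the first hunk.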
+15 −0
@@ -3272,6 +3272,21 @@ void security_cred_getsecid(const struct cred *c, u32 *secid)
}
EXPORT_SYMBOL(security_cred_getsecid);

/**
 * security_cred_getlsmprop() - Get the LSM data from a set of credentials
 * @c: credentials
 * @prop: destination for the LSM data
 *
 * Retrieve the security data of the cred structure @c.  In case of
 * failure, @prop will be cleared.
 */
void security_cred_getlsmprop(const struct cred *c, struct lsm_prop *prop)
{
	lsmprop_init(prop);
	call_void_hook(cred_getlsmprop, c, prop);
}
EXPORT_SYMBOL(security_cred_getlsmprop);

/**
 * security_kernel_act_as() - Set the kernel credentials to act as secid
 * @new: credentials
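Review bot: The kernel-doc for security_cred_getlsmprop() says "In case of failure, @prop will be cleared", but the function has no failure path: lsmprop_init() clears @prop unconditionally and call_void_hook() reports nothing back, so the clearing is the precondition the hooks rely on, not an error outcome. The phrasing appears to be carried over from the secid-returning variants and will send readers looking for an error return that does not exist. I would write the last paragraph as `Retrieve the security data of the cred structure @c.  @prop is cleared first, so the slot of any LSM that does not implement the hook reads as zero.` The kernel-doc for security_kernel_act_as() continues past the hunk.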
+8 −0
@@ -4037,6 +4037,13 @@ static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
	*secid = cred_sid(c);
}

static void selinux_cred_getlsmprop(const struct cred *c, struct lsm_prop *prop)
{
	prop->selinux.secid = cred_sid(c);
	/* scaffolding */
	prop->scaffold.secid = prop->selinux.secid;
}

/*
 * set the security data for a kernel service
 * - all the creation contexts are set to unlabelled
@@ -7203,6 +7210,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = {
	LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
	LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
	LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
	LSM_HOOK_INIT(cred_getlsmprop, selinux_cred_getlsmprop),
	LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
	LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
	LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
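Review bot: selinux_cred_getlsmprop() writes only prop->selinux.secid plus the scaffold copy and relies on the caller having zeroed the rest of *prop, but neither that contract nor what `/* scaffolding */` stands for is stated, so the duplicate store reads like a mistake to anyone who has not followed the lsm_prop conversion. The removed IMA lines in this commit (`prop.scaffold.secid = secid;`) suggest scaffold.secid is the bridge that keeps secid-based consumers working until they are converted, but that is inferred rather than documented here. I would expand the comment to `/* scaffolding: keep the legacy secid slot populated until all consumers read prop->selinux */` and add a one-line note above the function that *prop is pre-zeroed by security_cred_getlsmprop() and only the SELinux slot is touched.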