From e52c1764f18a62776a0f2bc6752fb76b6e345827 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 29 Apr 2008 20:52:51 +0100 Subject: [PATCH 1/3] Security: Make secctx_to_secid() take const secdata Make secctx_to_secid() take constant secdata. Signed-off-by: David Howells Acked-by: Casey Schaufler Signed-off-by: James Morris --- include/linux/security.h | 6 +++--- security/dummy.c | 2 +- security/security.c | 2 +- security/selinux/hooks.c | 2 +- security/selinux/include/security.h | 2 +- security/selinux/ss/services.c | 4 ++-- security/smack/smack_lsm.c | 2 +- 7 files changed, 10 insertions(+), 10 deletions(-) diff --git a/include/linux/security.h b/include/linux/security.h index adb09d893ae0..50737c70e78e 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -1481,7 +1481,7 @@ struct security_operations { int (*getprocattr) (struct task_struct *p, char *name, char **value); int (*setprocattr) (struct task_struct *p, char *name, void *value, size_t size); int (*secid_to_secctx) (u32 secid, char **secdata, u32 *seclen); - int (*secctx_to_secid) (char *secdata, u32 seclen, u32 *secid); + int (*secctx_to_secid) (const char *secdata, u32 seclen, u32 *secid); void (*release_secctx) (char *secdata, u32 seclen); #ifdef CONFIG_SECURITY_NETWORK @@ -1730,7 +1730,7 @@ int security_setprocattr(struct task_struct *p, char *name, void *value, size_t int security_netlink_send(struct sock *sk, struct sk_buff *skb); int security_netlink_recv(struct sk_buff *skb, int cap); int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen); -int security_secctx_to_secid(char *secdata, u32 seclen, u32 *secid); +int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid); void security_release_secctx(char *secdata, u32 seclen); #else /* CONFIG_SECURITY */ @@ -2449,7 +2449,7 @@ static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *secle return -EOPNOTSUPP; } -static inline int security_secctx_to_secid(char *secdata, +static inline int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) { diff --git a/security/dummy.c b/security/dummy.c index 48cf30226e16..f50c6c3c32c9 100644 --- a/security/dummy.c +++ b/security/dummy.c @@ -968,7 +968,7 @@ static int dummy_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) return -EOPNOTSUPP; } -static int dummy_secctx_to_secid(char *secdata, u32 seclen, u32 *secid) +static int dummy_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) { return -EOPNOTSUPP; } diff --git a/security/security.c b/security/security.c index 8e64a29dc55d..59838a99b80e 100644 --- a/security/security.c +++ b/security/security.c @@ -886,7 +886,7 @@ int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) } EXPORT_SYMBOL(security_secid_to_secctx); -int security_secctx_to_secid(char *secdata, u32 seclen, u32 *secid) +int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) { return security_ops->secctx_to_secid(secdata, seclen, secid); } diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 4e4de98941ae..85a220465a8f 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -5238,7 +5238,7 @@ static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) return security_sid_to_context(secid, secdata, seclen); } -static int selinux_secctx_to_secid(char *secdata, u32 seclen, u32 *secid) +static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) { return security_context_to_sid(secdata, seclen, secid); } diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index cdb14add27d2..ad30ac4273d6 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -96,7 +96,7 @@ int security_sid_to_context(u32 sid, char **scontext, int security_context_to_sid(const char *scontext, u32 scontext_len, u32 *out_sid); -int security_context_to_sid_default(char *scontext, u32 scontext_len, +int security_context_to_sid_default(const char *scontext, u32 scontext_len, u32 *out_sid, u32 def_sid, gfp_t gfp_flags); int security_get_user_sids(u32 callsid, char *username, diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 25cac5a2aa8e..dcc2e1c4fd83 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -858,8 +858,8 @@ int security_context_to_sid(const char *scontext, u32 scontext_len, u32 *sid) * Returns -%EINVAL if the context is invalid, -%ENOMEM if insufficient * memory is available, or 0 on success. */ -int security_context_to_sid_default(char *scontext, u32 scontext_len, u32 *sid, - u32 def_sid, gfp_t gfp_flags) +int security_context_to_sid_default(const char *scontext, u32 scontext_len, + u32 *sid, u32 def_sid, gfp_t gfp_flags) { return security_context_to_sid_core(scontext, scontext_len, sid, def_sid, gfp_flags); diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 5d2ec5650e61..92baee53a7dc 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -2406,7 +2406,7 @@ static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) * * Exists for audit and networking code. */ -static int smack_secctx_to_secid(char *secdata, u32 seclen, u32 *secid) +static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) { *secid = smack_to_secid(secdata); return 0; From 780db6c104de48104501f5943361f2371564b85d Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 29 Apr 2008 20:54:28 +0100 Subject: [PATCH 2/3] Security: Typecast CAP_*_SET macros Cast the CAP_*_SET macros to be of kernel_cap_t type to avoid compiler warnings. Signed-off-by: David Howells Signed-off-by: James Morris --- include/linux/capability.h | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/include/linux/capability.h b/include/linux/capability.h index eaab759b1460..f4ea0dd9a618 100644 --- a/include/linux/capability.h +++ b/include/linux/capability.h @@ -365,12 +365,12 @@ typedef struct kernel_cap_struct { # error Fix up hand-coded capability macro initializers #else /* HAND-CODED capability initializers */ -# define CAP_EMPTY_SET {{ 0, 0 }} -# define CAP_FULL_SET {{ ~0, ~0 }} -# define CAP_INIT_EFF_SET {{ ~CAP_TO_MASK(CAP_SETPCAP), ~0 }} -# define CAP_FS_SET {{ CAP_FS_MASK_B0, CAP_FS_MASK_B1 } } -# define CAP_NFSD_SET {{ CAP_FS_MASK_B0|CAP_TO_MASK(CAP_SYS_RESOURCE), \ - CAP_FS_MASK_B1 } } +# define CAP_EMPTY_SET ((kernel_cap_t){{ 0, 0 }}) +# define CAP_FULL_SET ((kernel_cap_t){{ ~0, ~0 }}) +# define CAP_INIT_EFF_SET ((kernel_cap_t){{ ~CAP_TO_MASK(CAP_SETPCAP), ~0 }}) +# define CAP_FS_SET ((kernel_cap_t){{ CAP_FS_MASK_B0, CAP_FS_MASK_B1 } }) +# define CAP_NFSD_SET ((kernel_cap_t){{ CAP_FS_MASK_B0|CAP_TO_MASK(CAP_SYS_RESOURCE), \ + CAP_FS_MASK_B1 } }) #endif /* _LINUX_CAPABILITY_U32S != 2 */ From d20bdda6d45a4035e48ca7ae467a0d955c1ffc60 Mon Sep 17 00:00:00 2001 From: "Ahmed S. Darwish" Date: Wed, 30 Apr 2008 08:34:10 +1000 Subject: [PATCH 3/3] Smack: Integrate Smack with Audit Setup the new Audit hooks for Smack. SELinux Audit rule fields are recycled to avoid `auditd' userspace modifications. Currently only equality testing is supported on labels acting as a subject (AUDIT_SUBJ_USER) or as an object (AUDIT_OBJ_USER). Signed-off-by: Ahmed S. Darwish Acked-by: Casey Schaufler --- security/smack/smack_lsm.c | 155 +++++++++++++++++++++++++++++++++++++ 1 file changed, 155 insertions(+) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 92baee53a7dc..fe0ae1bf1650 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -26,6 +26,7 @@ #include #include #include +#include #include "smack.h" @@ -752,6 +753,18 @@ static int smack_inode_listsecurity(struct inode *inode, char *buffer, return -EINVAL; } +/** + * smack_inode_getsecid - Extract inode's security id + * @inode: inode to extract the info from + * @secid: where result will be saved + */ +static void smack_inode_getsecid(const struct inode *inode, u32 *secid) +{ + struct inode_smack *isp = inode->i_security; + + *secid = smack_to_secid(isp->smk_inode); +} + /* * File Hooks */ @@ -1805,6 +1818,18 @@ static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) return smk_curacc(isp, may); } +/** + * smack_ipc_getsecid - Extract smack security id + * @ipcp: the object permissions + * @secid: where result will be saved + */ +static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid) +{ + char *smack = ipp->security; + + *secid = smack_to_secid(smack); +} + /* module stacking operations */ /** @@ -2381,6 +2406,124 @@ static int smack_key_permission(key_ref_t key_ref, } #endif /* CONFIG_KEYS */ +/* + * Smack Audit hooks + * + * Audit requires a unique representation of each Smack specific + * rule. This unique representation is used to distinguish the + * object to be audited from remaining kernel objects and also + * works as a glue between the audit hooks. + * + * Since repository entries are added but never deleted, we'll use + * the smack_known label address related to the given audit rule as + * the needed unique representation. This also better fits the smack + * model where nearly everything is a label. + */ +#ifdef CONFIG_AUDIT + +/** + * smack_audit_rule_init - Initialize a smack audit rule + * @field: audit rule fields given from user-space (audit.h) + * @op: required testing operator (=, !=, >, <, ...) + * @rulestr: smack label to be audited + * @vrule: pointer to save our own audit rule representation + * + * Prepare to audit cases where (@field @op @rulestr) is true. + * The label to be audited is created if necessay. + */ +static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) +{ + char **rule = (char **)vrule; + *rule = NULL; + + if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) + return -EINVAL; + + if (op != AUDIT_EQUAL && op != AUDIT_NOT_EQUAL) + return -EINVAL; + + *rule = smk_import(rulestr, 0); + + return 0; +} + +/** + * smack_audit_rule_known - Distinguish Smack audit rules + * @krule: rule of interest, in Audit kernel representation format + * + * This is used to filter Smack rules from remaining Audit ones. + * If it's proved that this rule belongs to us, the + * audit_rule_match hook will be called to do the final judgement. + */ +static int smack_audit_rule_known(struct audit_krule *krule) +{ + struct audit_field *f; + int i; + + for (i = 0; i < krule->field_count; i++) { + f = &krule->fields[i]; + + if (f->type == AUDIT_SUBJ_USER || f->type == AUDIT_OBJ_USER) + return 1; + } + + return 0; +} + +/** + * smack_audit_rule_match - Audit given object ? + * @secid: security id for identifying the object to test + * @field: audit rule flags given from user-space + * @op: required testing operator + * @vrule: smack internal rule presentation + * @actx: audit context associated with the check + * + * The core Audit hook. It's used to take the decision of + * whether to audit or not to audit a given object. + */ +static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule, + struct audit_context *actx) +{ + char *smack; + char *rule = vrule; + + if (!rule) { + audit_log(actx, GFP_KERNEL, AUDIT_SELINUX_ERR, + "Smack: missing rule\n"); + return -ENOENT; + } + + if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) + return 0; + + smack = smack_from_secid(secid); + + /* + * No need to do string comparisons. If a match occurs, + * both pointers will point to the same smack_known + * label. + */ + if (op == AUDIT_EQUAL) + return (rule == smack); + if (op == AUDIT_NOT_EQUAL) + return (rule != smack); + + return 0; +} + +/** + * smack_audit_rule_free - free smack rule representation + * @vrule: rule to be freed. + * + * No memory was allocated. + */ +static void smack_audit_rule_free(void *vrule) +{ + /* No-op */ +} + +#endif /* CONFIG_AUDIT */ + /* * smack_secid_to_secctx - return the smack label for a secid * @secid: incoming integer @@ -2467,6 +2610,7 @@ struct security_operations smack_ops = { .inode_getsecurity = smack_inode_getsecurity, .inode_setsecurity = smack_inode_setsecurity, .inode_listsecurity = smack_inode_listsecurity, + .inode_getsecid = smack_inode_getsecid, .file_permission = smack_file_permission, .file_alloc_security = smack_file_alloc_security, @@ -2498,6 +2642,7 @@ struct security_operations smack_ops = { .task_prctl = cap_task_prctl, .ipc_permission = smack_ipc_permission, + .ipc_getsecid = smack_ipc_getsecid, .msg_msg_alloc_security = smack_msg_msg_alloc_security, .msg_msg_free_security = smack_msg_msg_free_security, @@ -2542,12 +2687,22 @@ struct security_operations smack_ops = { .sk_free_security = smack_sk_free_security, .sock_graft = smack_sock_graft, .inet_conn_request = smack_inet_conn_request, + /* key management security hooks */ #ifdef CONFIG_KEYS .key_alloc = smack_key_alloc, .key_free = smack_key_free, .key_permission = smack_key_permission, #endif /* CONFIG_KEYS */ + + /* Audit hooks */ +#ifdef CONFIG_AUDIT + .audit_rule_init = smack_audit_rule_init, + .audit_rule_known = smack_audit_rule_known, + .audit_rule_match = smack_audit_rule_match, + .audit_rule_free = smack_audit_rule_free, +#endif /* CONFIG_AUDIT */ + .secid_to_secctx = smack_secid_to_secctx, .secctx_to_secid = smack_secctx_to_secid, .release_secctx = smack_release_secctx,