[Non-DoD Source] [PATCH 05/11] LSM: Infrastructure management of the remaining blobs

Stephen Smalley sds at tycho.nsa.gov
Thu Aug 31 16:09:17 UTC 2017


On Tue, 2017-08-29 at 13:59 -0700, Casey Schaufler wrote:
> Subject: [PATCH 05/11] LSM: Infrastructure management of the
> remaining blobs
> 
> Move management of the inode, ipc, key, msg_msg, sock and superblock
> security blobs from the security modules to the infrastructure.
> Use of the blob pointers is abstracted in the security modules.
> 
> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
> ---
>  include/linux/lsm_hooks.h         |   8 +
>  security/security.c               | 259 +++++++++++++++++++++++++++-
>  security/selinux/hooks.c          | 333 ++++++++++++--------------
> ----------
>  security/selinux/include/objsec.h |  65 +++++++-
>  security/selinux/netlabel.c       |  15 +-
>  security/selinux/selinuxfs.c      |   4 +-
>  security/selinux/ss/services.c    |   3 +-
>  security/smack/smack.h            |  61 ++++++-
>  security/smack/smack_lsm.c        | 343 +++++++++++-----------------
> ----------
>  security/smack/smack_netfilter.c  |   8 +-
>  10 files changed, 599 insertions(+), 500 deletions(-)
> 

<snip>
> @@ -319,6 +341,166 @@ int lsm_task_alloc(struct task_struct *task)
>  	return 0;
>  }
>  
> +/**
> + * lsm_inode_alloc - allocate a composite inode blob
> + * @inode: the inode that needs a blob
> + *
> + * Allocate the inode blob for all the modules
> + *
> + * Returns 0, or -ENOMEM if memory can't be allocated.
> + */
> +int lsm_inode_alloc(struct inode *inode)
> +{
> +#ifdef CONFIG_SECURITY_LSM_DEBUG
> +	if (inode->i_security)
> +		pr_info("%s: Inbound inode blob is not NULL.\n",
> __func__);
> +#endif
> +	if (blob_sizes.lbs_inode == 0)
> +		return 0;
> +
> +	inode->i_security = kzalloc(blob_sizes.lbs_inode,
> GFP_KERNEL);
> +	if (inode->i_security == NULL)
> +		return -ENOMEM;
> +	return 0;
> +}

NAK. See commit 7cae7e26f245151b9ccad868bf2edf8c8048d307 for why we
moved to using our own cache for inode security blobs in SELinux; we
don't want to regress here.  Also, you need to use GFP_NOFS here, see
commit a02fe13297af26c13d004b1d44f391c077094ea0.

<snip>
> @@ -570,14 +758,39 @@ EXPORT_SYMBOL(security_sb_parse_opts_str);
>  
>  int security_inode_alloc(struct inode *inode)
>  {
> -	inode->i_security = NULL;
> +	int rc = lsm_inode_alloc(inode);
> +
> +	if (rc)
> +		return rc;
>  	return call_int_hook(inode_alloc_security, 0, inode);
>  }
>  
> +static void inode_free_by_rcu(struct rcu_head *head)
> +{
> +	/*
> +	 * The rcu head is at the start of the inode blob
> +	 */
> +	kfree(head);
> +}
> +
>  void security_inode_free(struct inode *inode)
>  {
>  	integrity_inode_free(inode);
>  	call_void_hook(inode_free_security, inode);
> +	/*
> +	 * The inode may still be referenced in a path walk and
> +	 * a call to security_inode_permission() can be made
> +	 * after inode_free_security() is called. Ideally, the VFS
> +	 * wouldn't do this, but fixing that is a much harder
> +	 * job. For now, simply free the i_security via RCU, and
> +	 * leave the current inode->i_security pointer intact.
> +	 * The inode will be freed after the RCU grace period too.
> +	 */
> +	if (inode->i_security != NULL) {
> +		call_rcu((struct rcu_head *)inode->i_security,
> +				inode_free_by_rcu);
> +		inode->i_security = NULL;

You can't clear inode->i_security here; see the comment above that you
copied from the original SELinux code.
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html



More information about the Linux-security-module-archive mailing list