[PATCH 4/9] LSM: Manage task security blobs
Casey Schaufler
casey at schaufler-ca.com
Fri Oct 27 21:45:16 UTC 2017
Subject: [PATCH 4/9] LSM: Manage task security blobs
Move management of task security blobs into the security
infrastructure. Modules are required to identify the space
they require. At this time there are no modules that use
task blobs.
Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
---
include/linux/lsm_hooks.h | 1 +
security/security.c | 32 ++++++++++++++++++++++++++++++++
2 files changed, 33 insertions(+)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index e5d0f1e01b81..44f8619d93d6 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1920,6 +1920,7 @@ struct security_hook_list {
struct lsm_blob_sizes {
int lbs_cred;
int lbs_file;
+ int lbs_task;
};
/*
diff --git a/security/security.c b/security/security.c
index 4d8e702fa22f..70740b902e16 100644
--- a/security/security.c
+++ b/security/security.c
@@ -101,6 +101,7 @@ int __init security_init(void)
#ifdef CONFIG_SECURITY_LSM_DEBUG
pr_info("LSM: cred blob size = %d\n", blob_sizes.lbs_cred);
pr_info("LSM: file blob size = %d\n", blob_sizes.lbs_file);
+ pr_info("LSM: task blob size = %d\n", blob_sizes.lbs_task);
#endif
return 0;
@@ -278,6 +279,7 @@ void __init security_add_blobs(struct lsm_blob_sizes *needed)
{
lsm_set_size(&needed->lbs_cred, &blob_sizes.lbs_cred);
lsm_set_size(&needed->lbs_file, &blob_sizes.lbs_file);
+ lsm_set_size(&needed->lbs_task, &blob_sizes.lbs_task);
}
/**
@@ -299,6 +301,29 @@ int lsm_file_alloc(struct file *file)
return 0;
}
+/**
+ * lsm_task_alloc - allocate a composite task blob
+ * @task: the task that needs a blob
+ *
+ * Allocate the task blob for all the modules
+ *
+ * Returns 0, or -ENOMEM if memory can't be allocated.
+ */
+int lsm_task_alloc(struct task_struct *task)
+{
+#ifdef CONFIG_SECURITY_LSM_DEBUG
+ if (task->security)
+ pr_info("%s: Inbound task blob is not NULL.\n", __func__);
+#endif
+ if (blob_sizes.lbs_task == 0)
+ return 0;
+
+ task->security = kzalloc(blob_sizes.lbs_task, GFP_KERNEL);
+ if (task->security == NULL)
+ return -ENOMEM;
+ return 0;
+}
+
/*
* Hook list operation macros.
*
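Review bot: lsm_task_alloc never clears task->security: the `blob_sizes.lbs_task == 0` branch returns with whatever pointer the field already holds, and the allocating branch overwrites it, while the CONFIG_SECURITY_LSM_DEBUG block at the top only reports an inbound non-NULL value rather than handling it. If a new task_struct can arrive with a stale pointer (the debug check suggests the author expects that), the zero-size path leaves two tasks referencing one blob and a later security_task_free would kfree it for both, and the non-zero path loses the old value. Consider `task->security = NULL;` before the size check, or clearing the field at the allocation site in the caller, and state in the kernel-doc that the function takes ownership of task->security and replaces any previous value.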
@@ -1102,12 +1127,19 @@ int security_file_open(struct file *file, const struct cred *cred)
int security_task_alloc(struct task_struct *task, unsigned long clone_flags)
{
+ int rc = lsm_task_alloc(task);
+
+ if (rc)
+ return rc;
return call_int_hook(task_alloc, 0, task, clone_flags);
}
void security_task_free(struct task_struct *task)
{
call_void_hook(task_free, task);
+
+ kfree(task->security);
+ task->security = NULL;
}
int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)
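Review bot: security_task_alloc leaks the blob from lsm_task_alloc when `call_int_hook(task_alloc, 0, task, clone_flags)` fails, because the hook's result is returned directly and task->security is only released in security_task_free; unless the caller invokes security_task_free on that error path, the allocation is lost. Capture the hook result and undo the allocation on failure: `rc = call_int_hook(task_alloc, 0, task, clone_flags); if (rc) { kfree(task->security); task->security = NULL; } return rc;`. The ordering in security_task_free (hooks first, then kfree) is correct, since modules may still read the blob from their task_free hook.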
--
2.13.0
--