[PATCH v12 20/25] LSM: Verify LSM display sanity in binder
Stephen Smalley
sds at tycho.nsa.gov
Wed Dec 18 17:43:34 UTC 2019
On 12/16/19 5:36 PM, Casey Schaufler wrote:
> Verify that the tasks on the ends of a binder transaction
> use the same "display" security module. This prevents confusion
> of security "contexts".
>
> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
Acked-by: Stephen Smalley <sds at tycho.nsa.gov>
> ---
> security/security.c | 29 +++++++++++++++++++++++++++++
> 1 file changed, 29 insertions(+)
>
> diff --git a/security/security.c b/security/security.c
> index 963641acf9dc..bca092dd4f00 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -738,9 +738,38 @@ int security_binder_set_context_mgr(struct task_struct *mgr)
> return call_int_hook(binder_set_context_mgr, 0, mgr);
> }
>
> +/**
> + * security_binder_transaction - Binder driver transaction check
> + * @from: source of the transaction
> + * @to: destination of the transaction
> + *
> + * Verify that the tasks have the same LSM "display", then
> + * call the security module hooks.
> + *
> + * Returns -EINVAL if the displays don't match, or the
> + * result of the security module checks.
> + */
> int security_binder_transaction(struct task_struct *from,
> struct task_struct *to)
> {
> + int from_display = lsm_task_display(from);
> + int to_display = lsm_task_display(to);
> +
> + /*
> + * If the display is LSMBLOB_INVALID the first module that has
> + * an entry is used. This will be in the 0 slot.
> + *
> + * This is currently only required if the server has requested
> + * peer contexts, but it would be unwieldly to have too much of
> + * the binder driver detail here.
> + */
> + if (from_display == LSMBLOB_INVALID)
> + from_display = 0;
> + if (to_display == LSMBLOB_INVALID)
> + to_display = 0;
> + if (from_display != to_display)
> + return -EINVAL;
> +
> return call_int_hook(binder_transaction, 0, from, to);
> }
>
>
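Review bot: The mismatch test `if (from_display != to_display) return -EINVAL;` runs on every binder transaction, while the comment just above it says the check is currently only required when the server has requested peer contexts. The kernel-doc should say explicitly that tasks with different displays cannot transact at all, even when no context is exchanged, so the broader behaviour is a documented decision rather than a side effect. Returning -EINVAL also makes this refusal look like a malformed-argument error to the caller, and a line in the kernel-doc explaining that choice would help anyone debugging a failed transaction. Two smaller points: the mapping of LSMBLOB_INVALID to slot 0 is repeated for `from_display` and `to_display` and could live in one small helper, and "unwieldly" in the comment should be "unwieldy".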