[PATCH 11/97] LSM: Use lsm_export in the kernel_ask_as hooks

Edwin Zimmerman edwin at 211mainstreet.net
Fri Mar 1 14:59:14 UTC 2019 

On Thursday, 2/28/2019 at 5:18 PM, Casey Schaufler <casey at schaufler-ca.com> wrote:
> Convert the kernel_ask_as hooks to use the lsm_export
Should be act_as, not? ^^
> structure instead of a u32 secid. There is some scaffolding
> involved that will be removed when security_kernel_ask_as()
> is updated.
> 
> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
> ---
>  include/linux/lsm_hooks.h  |  4 ++--
>  security/security.c        | 15 ++++++++++++++-
>  security/selinux/hooks.c   | 17 ++++++++++++++---
>  security/smack/smack_lsm.c | 12 +++++++++++-
>  4 files changed, 41 insertions(+), 7 deletions(-)
> 
> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> index 44597189fea4..796eb441be95 100644
> --- a/include/linux/lsm_hooks.h
> +++ b/include/linux/lsm_hooks.h
> @@ -562,7 +562,7 @@
>   * @kernel_act_as:
>   *	Set the credentials for a kernel service to act as (subjective context).
>   *	@new points to the credentials to be modified.
> - *	@secid specifies the security ID to be set
> + *	@l specifies the security data to be set
>   *	The current task must be the one that nominated @secid.
>   *	Return 0 if successful.
>   * @kernel_create_files_as:
> @@ -1588,7 +1588,7 @@ union security_list_options {
>  				gfp_t gfp);
>  	void (*cred_transfer)(struct cred *new, const struct cred *old);
>  	void (*cred_getsecid)(const struct cred *c, struct lsm_export *l);
> -	int (*kernel_act_as)(struct cred *new, u32 secid);
> +	int (*kernel_act_as)(struct cred *new, struct lsm_export *l);
>  	int (*kernel_create_files_as)(struct cred *new, struct inode *inode);
>  	int (*kernel_module_request)(char *kmod_name);
>  	int (*kernel_load_data)(enum kernel_load_data_id id);
> diff --git a/security/security.c b/security/security.c
> index 909b6b8d1a50..1a29fe08a5d9 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -738,6 +738,15 @@ static inline void lsm_export_secid(struct lsm_export *data, u32 *secid)
>  	}
>  }
> 
> +static inline void lsm_export_to_all(struct lsm_export *data, u32 secid)
> +{
> +	data->selinux = secid;
> +	data->smack = secid;
> +	data->apparmor = secid;
> +	data->flags = LSM_EXPORT_SELINUX | LSM_EXPORT_SMACK |
> +		      LSM_EXPORT_APPARMOR;
> +}
> +
>  /* Security operations */
> 
>  int security_binder_set_context_mgr(struct task_struct *mgr)
> @@ -1633,7 +1642,11 @@ EXPORT_SYMBOL(security_cred_getsecid);
> 
>  int security_kernel_act_as(struct cred *new, u32 secid)
>  {
> -	return call_int_hook(kernel_act_as, 0, new, secid);
> +	struct lsm_export data = { .flags = LSM_EXPORT_NONE };
> +
> +	lsm_export_to_all(&data, secid);
> +
> +	return call_int_hook(kernel_act_as, 0, new, &data);
>  }
> 
>  int security_kernel_create_files_as(struct cred *new, struct inode *inode)
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 6f61a894f7c5..efcd905bdabf 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -220,6 +220,14 @@ static inline void selinux_export_secid(struct lsm_export *l, u32 secid)
>  	l->flags |= LSM_EXPORT_SELINUX;
>  }
> 
> +static inline void selinux_import_secid(struct lsm_export *l, u32 *secid)
> +{
> +	if (l->flags | LSM_EXPORT_SELINUX)
> +		*secid = l->selinux;
> +	else
> +		*secid = SECSID_NULL;
> +}
> +
>  /*
>   * get the security ID of a set of credentials
>   */
> @@ -3669,19 +3677,22 @@ static void selinux_cred_getsecid(const struct cred *c, struct lsm_export *l)
>   * set the security data for a kernel service
>   * - all the creation contexts are set to unlabelled
>   */
> -static int selinux_kernel_act_as(struct cred *new, u32 secid)
> +static int selinux_kernel_act_as(struct cred *new, struct lsm_export *l)
>  {
>  	struct task_security_struct *tsec = selinux_cred(new);
> +	u32 nsid;
>  	u32 sid = current_sid();
>  	int ret;
> 
> +	selinux_import_secid(l, &nsid);
> +
>  	ret = avc_has_perm(&selinux_state,
> -			   sid, secid,
> +			   sid, nsid,
>  			   SECCLASS_KERNEL_SERVICE,
>  			   KERNEL_SERVICE__USE_AS_OVERRIDE,
>  			   NULL);
>  	if (ret == 0) {
> -		tsec->sid = secid;
> +		tsec->sid = nsid;
>  		tsec->create_sid = 0;
>  		tsec->keycreate_sid = 0;
>  		tsec->sockcreate_sid = 0;
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index d5ff34a5803b..0e1f6ef25eb2 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -473,6 +473,14 @@ static inline void smack_export_secid(struct lsm_export *l, u32 secid)
>  	l->flags |= LSM_EXPORT_SMACK;
>  }
> 
> +static inline void smack_import_secid(struct lsm_export *l, u32 *secid)
> +{
> +	if (l->flags | LSM_EXPORT_SMACK)
> +		*secid = l->smack;
> +	else
> +		*secid = 0;
> +}
> +
>  /*
>   * LSM hooks.
>   * We he, that is fun!
> @@ -1910,10 +1918,12 @@ static void smack_cred_getsecid(const struct cred *cred, struct lsm_export *l)
>   *
>   * Set the security data for a kernel service.
>   */
> -static int smack_kernel_act_as(struct cred *new, u32 secid)
> +static int smack_kernel_act_as(struct cred *new, struct lsm_export *l)
>  {
> +	u32 secid;
>  	struct task_smack *new_tsp = smack_cred(new);
> 
> +	smack_import_secid(l, &secid);
>  	new_tsp->smk_task = smack_from_secid(secid);
>  	return 0;
>  }
> --
> 2.17.0

More information about the Linux-security-module-archive mailing list