[PATCH v13 03/25] LSM: Use lsmblob in security_audit_rule_match

Casey Schaufler casey at schaufler-ca.com
Thu Jan 2 23:36:33 UTC 2020


On 12/31/2019 5:13 AM, Mimi Zohar wrote:
> [Cc'ing Janne Karhunen based on his recent work updating IMA policy
> rules LSM id's - commit b16942455193 ("ima: use the lsm policy update
> notifier")]
>
> On Tue, 2019-12-24 at 15:59 -0800, Casey Schaufler wrote:
>> diff --git a/security/security.c b/security/security.c
>> index 87fc70f77660..12e1e6223233 100644
>> --- a/security/security.c
>> +++ b/security/security.c
>> @@ -439,7 +439,7 @@ static int lsm_append(const char *new, char **result)
>>  /*
>>   * Current index to use while initializing the lsmblob secid list.
>>   */
>> -static int lsm_slot __initdata;
>> +static int lsm_slot __lsm_ro_after_init;
>>
>>  /**
>>   * security_add_hooks - Add a modules hooks to the hook lists.
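Review bot: the comment above `lsm_slot` ("Current index to use while initializing the lsmblob secid list") no longer covers its role once the variable becomes `__lsm_ro_after_init`: the second hunk reads it after boot as the upper bound for valid `hp->lsmid->slot` values in `security_audit_rule_match()`. Suggest extending the comment to say that after initialization it holds the number of slots in use, so the reason for dropping `__initdata` is visible at the definition rather than only in the caller.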
>> @@ -2412,9 +2412,21 @@ void security_audit_rule_free(void *lsmrule)
>>  	call_void_hook(audit_rule_free, lsmrule);
>>  }
>>
>> -int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule)
>> +int security_audit_rule_match(struct lsmblob *blob, u32 field, u32 op,
>> +			      void *lsmrule)
>>  {
>> -	return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule);
>> +	struct security_hook_list *hp;
>> +	int rc;
>> +
>> +	hlist_for_each_entry(hp, &security_hook_heads.audit_rule_match, list) {
>> +		if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot))
>> +			continue;
>> +		rc = hp->hook.audit_rule_match(blob->secid[hp->lsmid->slot],
>> +					       field, op, lsmrule);
> IMA's policy rules may be written in terms of LSM labels.  On IMA
> policy initialization and, subsequently, when the LSM policy is
> updated, IMA correlates LSM labels with LSM ids.  Doesn't
> security_audit_rule_init() also need to be updated to walk the LSMs?

Yes. I've got a change in test.

>
> The basic assumption with security_audit_rule_match() is that there
> isn't any naming overlap.  Is that guaranteed?

No. A valid SELinux label is also a valid Smack label. If someone
asks to see subj_user=whatever_t both modules will look for it.

>   With this change, do
> the IMA policy rules now need to be LSM qualified?

I have a change for that in test, too.

>
> Mimi
>
>> +		if (rc != 0)
>> +			return rc;
>> +	}
>> +	return 0;
>>  }
>>  #endif /* CONFIG_AUDIT */
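Review bot: the loop returns on the first non-zero `rc`, so a match (positive) or an error (negative) from one LSM ends the walk and later LSMs are never consulted for that rule; since the same `lsmrule` is handed to every registered `audit_rule_match` hook while only the secid is selected per slot, a rule that more than one module accepts is decided by whichever module was registered first. That ties directly to the naming-overlap question raised above, and deserves a comment on the loop stating that first non-zero result wins. The `WARN_ON(...)` / `continue` path also skips a mis-registered module after a single warning, which is reasonable but is worth a one-line comment so the silent skip is not mistaken for a bug later.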