[PATCH v15 05/23] net: Prepare UDS for security module stacking
Casey Schaufler
casey at schaufler-ca.com
Tue Mar 10 00:13:23 UTC 2020
On 3/6/2020 2:14 PM, Paul Moore wrote:
> On Fri, Feb 14, 2020 at 6:42 PM Casey Schaufler <casey at schaufler-ca.com> wrote:
>> Change the data used in UDS SO_PEERSEC processing from a
>> secid to a more general struct lsmblob. Update the
>> security_socket_getpeersec_dgram() interface to use the
>> lsmblob. There is a small amount of scaffolding code
>> that will come out when the security_secid_to_secctx()
>> code is brought in line with the lsmblob.
>>
>> Reviewed-by: Kees Cook <keescook at chromium.org>
>> Reviewed-by: John Johansen <john.johansen at canonical.com>
>> Acked-by: Stephen Smalley <sds at tycho.nsa.gov>
>> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
>> cc: netdev at vger.kernel.org
>> ---
>> include/linux/security.h | 7 +++++--
>> include/net/af_unix.h | 2 +-
>> include/net/scm.h | 8 +++++---
>> net/ipv4/ip_sockglue.c | 8 +++++---
>> net/unix/af_unix.c | 6 +++---
>> security/security.c | 18 +++++++++++++++---
>> 6 files changed, 34 insertions(+), 15 deletions(-)
> ...
>
>> diff --git a/include/net/af_unix.h b/include/net/af_unix.h
>> index 17e10fba2152..59af08ca802f 100644
>> --- a/include/net/af_unix.h
>> +++ b/include/net/af_unix.h
>> @@ -36,7 +36,7 @@ struct unix_skb_parms {
>> kgid_t gid;
>> struct scm_fp_list *fp; /* Passed files */
>> #ifdef CONFIG_SECURITY_NETWORK
>> - u32 secid; /* Security ID */
>> + struct lsmblob lsmblob; /* Security LSM data */
>> #endif
>> u32 consumed;
>> } __randomize_layout;
> This might be a problem. As it currently stands, the sk_buff.cb field
> is 48 bytes; with CONFIG_SECURITY_NETWORK=n unix_skb_parms is 28 bytes
> on a 64-bit system. That leaves 20 bytes (room for 5 LSMs) assuming a
> tight packing *and* that netdev doesn't swoop in and drop another few
> fields in unix_skb_parms.
>
> This may work now, and you might manage to sneak this by the netdev
> crowd, but I predict problems in the future.
Do you think that making this a struct lsmblob * instead would make
the change more likely to be accepted? It would complicate the code
but remove the issue.
More information about the Linux-security-module-archive
mailing list