lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 08 Jul 2015 12:25:05 +0200
From:	Paul Osmialowski <p.osmialowsk@...sung.com>
To:	Paul Moore <pmoore@...hat.com>,
	James Morris <james.l.morris@...cle.com>,
	Casey Schaufler <casey@...aufler-ca.com>,
	"Serge E. Hallyn" <serge@...lyn.com>,
	Kees Cook <keescook@...omium.org>,
	Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>,
	Stephen Smalley <sds@...ho.nsa.gov>,
	Neil Brown <neilb@...e.de>,
	Mark Rustad <mark.d.rustad@...el.com>,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	Daniel Mack <daniel@...que.org>,
	David Herrmann <dh.herrmann@...glemail.com>,
	Djalal Harouni <tixxdz@...ndz.org>,
	Shuah Khan <shuahkh@....samsung.com>,
	Al Viro <viro@...iv.linux.org.uk>,
	linux-security-module@...r.kernel.org,
	linux-kernel@...r.kernel.org, linux-api@...r.kernel.org
Cc:	Karol Lewandowski <k.lewandowsk@...sung.com>,
	Paul Osmialowski <p.osmialowsk@...sung.com>,
	Lukasz Skalski <l.skalski@...sung.com>
Subject: [RFC 3/8] lsm: kdbus security hooks

This is combination of the work by Karol Lewandowski and Paul Moore
on LSM hooks for kdbus.

Originates from:

git://git.infradead.org/users/pcmoore/selinux (branch: working-kdbus)
commit: 7050f206a79564886938d0edc4e1e9da5972c72d

https://github.com/lmctl/linux.git (branch: kdbus-lsm-v4.for-systemd-v212)
commit: a9fe4c33b6e5ab25a243e0590df406aabb6add12

Signed-off-by: Karol Lewandowski <k.lewandowsk@...sung.com>
Signed-off-by: Paul Moore <pmoore@...hat.com>
Signed-off-by: Paul Osmialowski <p.osmialowsk@...sung.com>
---
 include/linux/lsm_hooks.h |  67 ++++++++++++++++++++++++++
 include/linux/security.h  |  99 +++++++++++++++++++++++++++++++++++++++
 security/security.c       | 117 ++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 283 insertions(+)

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 9429f05..2a8d8fc 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1297,6 +1297,36 @@
  *	@inode we wish to get the security context of.
  *	@ctx is a pointer in which to place the allocated security context.
  *	@ctxlen points to the place to put the length of @ctx.
+ *
+ * @kdbus_domain_alloc:
+ *	Allocate kdbus domain.
+ * @kdbus_domain_free:
+ *	Deallocate kdbus domain.
+ * @kdbus_bus_alloc:
+ *	Allocate kdbus bus.
+ * @kdbus_bus_free:
+ *	Deallocate kdbus bus.
+ * @kdbus_send:
+ *	Send message.
+ * @kdbus_recv:
+ *	Receive message.
+ * @kdbus_name_acquire:
+ *	Request a well-known bus name to associate with the connection.
+ * @kdbus_name_list:
+ *	Retrieve the list of all currently registered well-known and unique
+ *	names.
+ * @kdbus_ep_create:
+ *	Endpoint create
+ * @kdbus_connect:
+ *	Connect
+ * @kdbus_conn_free:
+ *	Deallocate connection
+ * @kdbus_conn_info:
+ *	Retrieve credentials and properties of the initial creator of the
+ *	connection.
+ * @kdbus_talk:
+ *	Talk to a given peer.
+ *
  * This is the main security structure.
  */
 
@@ -1520,6 +1550,29 @@ union security_list_options {
 	int (*inode_setsecctx)(struct dentry *dentry, void *ctx, u32 ctxlen);
 	int (*inode_getsecctx)(struct inode *inode, void **ctx, u32 *ctxlen);
 
+	int (*kdbus_domain_alloc)(struct kdbus_domain *domain);
+	void (*kdbus_domain_free)(struct kdbus_domain *domain);
+
+	int (*kdbus_bus_alloc)(struct kdbus_bus *bus);
+	void (*kdbus_bus_free)(struct kdbus_bus *bus);
+	int (*kdbus_send)(const struct kdbus_conn *conn,
+			  const struct kdbus_bus *bus);
+	int (*kdbus_recv)(const struct kdbus_conn *conn,
+			  const struct kdbus_bus *bus);
+	int (*kdbus_name_acquire)(const struct kdbus_conn *conn,
+			  const char *name);
+	int (*kdbus_name_list)(const struct kdbus_bus *bus);
+
+	int (*kdbus_ep_create)(const struct kdbus_bus *bus);
+	int (*kdbus_ep_setpolicy)(const struct kdbus_bus *bus);
+
+	int (*kdbus_connect)(struct kdbus_conn *conn,
+			     const char *secctx, u32 seclen);
+	void (*kdbus_conn_free)(struct kdbus_conn *conn);
+	int (*kdbus_conn_info)(const struct kdbus_conn *conn);
+	int (*kdbus_talk)(const struct kdbus_conn *src,
+			  const struct kdbus_conn *dst);
+
 #ifdef CONFIG_SECURITY_NETWORK
 	int (*unix_stream_connect)(struct sock *sock, struct sock *other,
 					struct sock *newsk);
@@ -1760,6 +1813,20 @@ struct security_hook_heads {
 	struct list_head inode_notifysecctx;
 	struct list_head inode_setsecctx;
 	struct list_head inode_getsecctx;
+	struct list_head kdbus_domain_alloc;
+	struct list_head kdbus_domain_free;
+	struct list_head kdbus_bus_alloc;
+	struct list_head kdbus_bus_free;
+	struct list_head kdbus_send;
+	struct list_head kdbus_recv;
+	struct list_head kdbus_name_acquire;
+	struct list_head kdbus_name_list;
+	struct list_head kdbus_ep_create;
+	struct list_head kdbus_ep_setpolicy;
+	struct list_head kdbus_connect;
+	struct list_head kdbus_conn_free;
+	struct list_head kdbus_conn_info;
+	struct list_head kdbus_talk;
 #ifdef CONFIG_SECURITY_NETWORK
 	struct list_head unix_stream_connect;
 	struct list_head unix_may_send;
diff --git a/include/linux/security.h b/include/linux/security.h
index 79d85dd..5f257b9 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -53,6 +53,10 @@ struct msg_queue;
 struct xattr;
 struct xfrm_sec_ctx;
 struct mm_struct;
+struct kdbus_ep;
+struct kdbus_bus;
+struct kdbus_conn;
+struct kdbus_domain;
 
 /* If capable should audit the security request */
 #define SECURITY_CAP_NOAUDIT 0
@@ -356,6 +360,28 @@ void security_release_secctx(char *secdata, u32 seclen);
 int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
 int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
 int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
+
+int security_kdbus_domain_alloc(struct kdbus_domain *domain);
+void security_kdbus_domain_free(struct kdbus_domain *domain);
+
+int security_kdbus_bus_alloc(struct kdbus_bus *bus);
+void security_kdbus_bus_free(struct kdbus_bus *bus);
+int security_kdbus_send(const struct kdbus_conn *conn,
+			const struct kdbus_bus *bus);
+int security_kdbus_recv(const struct kdbus_conn *conn,
+			const struct kdbus_bus *bus);
+int security_kdbus_name_acquire(const struct kdbus_conn *conn,
+				const char *name);
+int security_kdbus_name_list(const struct kdbus_bus *bus);
+int security_kdbus_ep_create(struct kdbus_bus *bus);
+int security_kdbus_ep_setpolicy(struct kdbus_bus *bus);
+int security_kdbus_connect(struct kdbus_conn *conn,
+			   const char *secctx, u32 seclen);
+void security_kdbus_conn_free(struct kdbus_conn *conn);
+int security_kdbus_conn_info(const struct kdbus_conn *conn);
+int security_kdbus_talk(const struct kdbus_conn *src,
+			const struct kdbus_conn *dst);
+
 #else /* CONFIG_SECURITY */
 struct security_mnt_opts {
 };
@@ -1105,6 +1131,79 @@ static inline int security_inode_getsecctx(struct inode *inode, void **ctx, u32
 {
 	return -EOPNOTSUPP;
 }
+
+static inline int security_kdbus_domain_alloc(struct kdbus_domain *domain)
+{
+	return 0;
+}
+
+static inline void security_kdbus_domain_free(struct kdbus_domain *domain)
+{
+}
+
+static inline int security_kdbus_bus_alloc(struct kdbus_bus *bus)
+{
+	return 0;
+}
+
+static inline void security_kdbus_bus_free(struct kdbus_bus *bus)
+{
+}
+
+static inline int security_kdbus_send(const struct kdbus_conn *conn,
+				      const struct kdbus_bus *bus)
+{
+	return 0;
+}
+
+static inline int security_kdbus_recv(const struct kdbus_conn *conn,
+				      const struct kdbus_bus *bus)
+{
+	return 0;
+}
+
+static inline int security_kdbus_name_acquire(const struct kdbus_conn *conn,
+					      const char *name)
+{
+	return 0;
+}
+
+static inline int security_kdbus_name_list(const struct kdbus_bus *bus)
+{
+	return 0;
+}
+
+static inline int security_kdbus_ep_create(const struct kdbus_bus *bus)
+{
+	return 0;
+}
+
+static inline int security_kdbus_ep_setpolicy(const struct kdbus_bus *bus)
+{
+	return 0;
+}
+
+static inline int security_kdbus_connect(struct kdbus_conn *conn,
+					 const char *secctx, u32 seclen)
+{
+	return 0;
+}
+
+static inline void security_kdbus_conn_free(struct kdbus_conn *conn)
+{
+}
+
+static inline int security_kdbus_conn_info(const struct kdbus_conn *conn)
+{
+	return 0;
+}
+
+static inline int security_kdbus_talk(const struct kdbus_conn *src,
+				      const struct kdbus_conn *dst)
+{
+	return 0;
+}
+
 #endif	/* CONFIG_SECURITY */
 
 #ifdef CONFIG_SECURITY_NETWORK
diff --git a/security/security.c b/security/security.c
index b1e935b..7fb46d1 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1185,6 +1185,95 @@ int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
 }
 EXPORT_SYMBOL(security_inode_getsecctx);
 
+int security_kdbus_domain_alloc(struct kdbus_domain *domain)
+{
+	return call_int_hook(kdbus_domain_alloc, 0, domain);
+}
+EXPORT_SYMBOL(security_kdbus_domain_alloc);
+
+void security_kdbus_domain_free(struct kdbus_domain *domain)
+{
+	call_void_hook(kdbus_domain_free, domain);
+}
+EXPORT_SYMBOL(security_kdbus_domain_free);
+
+int security_kdbus_bus_alloc(struct kdbus_bus *bus)
+{
+	return call_int_hook(kdbus_bus_alloc, 0, bus);
+}
+EXPORT_SYMBOL(security_kdbus_bus_alloc);
+
+void security_kdbus_bus_free(struct kdbus_bus *bus)
+{
+	call_void_hook(kdbus_bus_free, bus);
+}
+EXPORT_SYMBOL(security_kdbus_bus_free);
+
+int security_kdbus_send(const struct kdbus_conn *conn,
+			const struct kdbus_bus *bus)
+{
+	return call_int_hook(kdbus_send, 0, conn, bus);
+}
+EXPORT_SYMBOL(security_kdbus_send);
+
+int security_kdbus_recv(const struct kdbus_conn *conn,
+			const struct kdbus_bus *bus)
+{
+	return call_int_hook(kdbus_recv, 0, conn, bus);
+}
+EXPORT_SYMBOL(security_kdbus_recv);
+
+int security_kdbus_name_acquire(const struct kdbus_conn *conn,
+				const char *name)
+{
+	return call_int_hook(kdbus_name_acquire, 0, conn, name);
+}
+EXPORT_SYMBOL(security_kdbus_name_acquire);
+
+int security_kdbus_name_list(const struct kdbus_bus *bus)
+{
+	return call_int_hook(kdbus_name_list, 0, bus);
+}
+EXPORT_SYMBOL(security_kdbus_name_list);
+
+int security_kdbus_ep_create(struct kdbus_bus *bus)
+{
+	return call_int_hook(kdbus_ep_create, 0, bus);
+}
+EXPORT_SYMBOL(security_kdbus_ep_create);
+
+int security_kdbus_ep_setpolicy(struct kdbus_bus *bus)
+{
+	return call_int_hook(kdbus_ep_setpolicy, 0, bus);
+}
+EXPORT_SYMBOL(security_kdbus_ep_setpolicy);
+
+int security_kdbus_connect(struct kdbus_conn *conn,
+			   const char *secctx, u32 seclen)
+{
+	return call_int_hook(kdbus_connect, 0, conn, secctx, seclen);
+}
+EXPORT_SYMBOL(security_kdbus_connect);
+
+void security_kdbus_conn_free(struct kdbus_conn *conn)
+{
+	call_void_hook(kdbus_conn_free, conn);
+}
+EXPORT_SYMBOL(security_kdbus_conn_free);
+
+int security_kdbus_conn_info(const struct kdbus_conn *conn)
+{
+	return call_int_hook(kdbus_conn_info, 0, conn);
+}
+EXPORT_SYMBOL(security_kdbus_conn_info);
+
+int security_kdbus_talk(const struct kdbus_conn *src,
+			const struct kdbus_conn *dst)
+{
+	return call_int_hook(kdbus_talk, 0, src, dst);
+}
+EXPORT_SYMBOL(security_kdbus_talk);
+
 #ifdef CONFIG_SECURITY_NETWORK
 
 int security_unix_stream_connect(struct sock *sock, struct sock *other, struct sock *newsk)
@@ -1774,6 +1863,34 @@ struct security_hook_heads security_hook_heads = {
 		LIST_HEAD_INIT(security_hook_heads.inode_setsecctx),
 	.inode_getsecctx =
 		LIST_HEAD_INIT(security_hook_heads.inode_getsecctx),
+	.kdbus_domain_alloc =
+		LIST_HEAD_INIT(security_hook_heads.kdbus_domain_alloc),
+	.kdbus_domain_free =
+		LIST_HEAD_INIT(security_hook_heads.kdbus_domain_free),
+	.kdbus_bus_alloc =
+		LIST_HEAD_INIT(security_hook_heads.kdbus_bus_alloc),
+	.kdbus_bus_free =
+		LIST_HEAD_INIT(security_hook_heads.kdbus_bus_free),
+	.kdbus_send =
+		LIST_HEAD_INIT(security_hook_heads.kdbus_send),
+	.kdbus_recv =
+		LIST_HEAD_INIT(security_hook_heads.kdbus_recv),
+	.kdbus_name_acquire =
+		LIST_HEAD_INIT(security_hook_heads.kdbus_name_acquire),
+	.kdbus_name_list =
+		LIST_HEAD_INIT(security_hook_heads.kdbus_name_list),
+	.kdbus_ep_create =
+		LIST_HEAD_INIT(security_hook_heads.kdbus_ep_create),
+	.kdbus_ep_setpolicy =
+		LIST_HEAD_INIT(security_hook_heads.kdbus_ep_setpolicy),
+	.kdbus_connect =
+		LIST_HEAD_INIT(security_hook_heads.kdbus_connect),
+	.kdbus_conn_free =
+		LIST_HEAD_INIT(security_hook_heads.kdbus_conn_free),
+	.kdbus_conn_info =
+		LIST_HEAD_INIT(security_hook_heads.kdbus_conn_info),
+	.kdbus_talk =
+		LIST_HEAD_INIT(security_hook_heads.kdbus_talk),
 #ifdef CONFIG_SECURITY_NETWORK
 	.unix_stream_connect =
 		LIST_HEAD_INIT(security_hook_heads.unix_stream_connect),
-- 
1.9.1

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ