lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <1223326333.31539.116.camel@moss-terrapins.epoch.ncsc.mil>
Date:	Mon, 06 Oct 2008 16:52:13 -0400
From:	"David P. Quigley" <dpquigl@...ho.nsa.gov>
To:	"Serge E. Hallyn" <serue@...ibm.com>
Cc:	hch@...radead.org, viro@...iv.linux.org.uk, casey@...aufler-ca.com,
	sds@...ho.nsa.gov, matthew.dodd@...rta.com,
	trond.myklebust@....uio.no, bfields@...ldses.org,
	linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org,
	linux-security-module@...r.kernel.org, selinux@...ho.nsa.gov,
	labeled-nfs@...ux-nfs.org
Subject: Re: [PATCH 02/14] LSM/SELinux: inode_{get,set,notify}secctx hooks
	to access LSM security context information.

Fixed

On Tue, 2008-09-30 at 15:22 -0500, Serge E. Hallyn wrote:
> Quoting David P. Quigley (dpquigl@...ho.nsa.gov):
> > This patch introduces three new hooks. The inode_getsecctx hook is used to get
> > all relevant information from an LSM about an inode. The inode_setsecctx is
> > used to set both the in-core and on-disk state for the inode based on a context
> > derived from inode_getsecctx.The final hook inode_notifysecctx will notify the
> > LSM of a change for the in-core state of the inode in question. These hooks are
> > for use in the labeled NFS code and addresses concerns of how to set security
> > on an inode in a multi-xattr LSM. For historical reasons Stephen Smalley's
> > explanation of the reason for these hooks is pasted below.
> > 
> > Quote Stephen Smalley
> > 
> > inode_setsecctx:  Change the security context of an inode.  Updates the
> > in core security context managed by the security module and invokes the
> > fs code as needed (via __vfs_setxattr_noperm) to update any backing
> > xattrs that represent the context.  Example usage:  NFS server invokes
> > this hook to change the security context in its incore inode and on the
> > backing file system to a value provided by the client on a SETATTR
> > operation.
> > 
> > inode_notifysecctx:  Notify the security module of what the security
> > context of an inode should be.  Initializes the incore security context
> > managed by the security module for this inode.  Example usage:  NFS
> > client invokes this hook to initialize the security context in its
> > incore inode to the value provided by the server for the file when the
> > server returned the file's attributes to the client.
> > 
> > Signed-off-by: Matthew N. Dodd <Matthew.Dodd@...rta.com>
> > Signed-off-by: David P. Quigley <dpquigl@...ho.nsa.gov>
> 
> Hmm, sorry, for all of these new hooks which you introduce, you do not
> define empty cap_* versions and assign them when need in
> security_fixup_ops().  But you unconditionally call them if
> CONFIG_SECURITY=y.  So if you compile a kernel with CONFIG_SECURITY=y
> but CONFIG_SECURITY_SELINUX=n, don't you hose your box?
> 
> > ---
> >  include/linux/security.h |   50 ++++++++++++++++++++++++++++++++++++++++++++++
> >  security/security.c      |   18 ++++++++++++++++
> >  security/selinux/hooks.c |   25 +++++++++++++++++++++++
> >  3 files changed, 93 insertions(+), 0 deletions(-)
> > 
> > diff --git a/include/linux/security.h b/include/linux/security.h
> > index 80c4d00..8b5b041 100644
> > --- a/include/linux/security.h
> > +++ b/include/linux/security.h
> > @@ -1289,6 +1289,36 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
> >   *	audit_rule_init.
> >   *	@rule contains the allocated rule
> >   *
> > + * @inode_notifysecctx:
> > + *	Notify the security module of what the security context of an inode
> > + *	should be.  Initializes the incore security context managed by the
> > + *	security module for this inode.  Example usage:  NFS client invokes
> > + *	this hook to initialize the security context in its incore inode to the
> > + *	value provided by the server for the file when the server returned the
> > + *	file's attributes to the client.
> > + *
> > + * 	@inode we wish to set the security context of.
> > + * 	@ctx contains the string which we wish to set in the inode.
> > + * 	@ctxlen contains the length of @ctx.
> > + *
> > + * @inode_setsecctx:
> > + * 	Change the security context of an inode.  Updates the
> > + * 	incore security context managed by the security module and invokes the
> > + * 	fs code as needed (via __vfs_setxattr_noperm) to update any backing
> > + * 	xattrs that represent the context.  Example usage:  NFS server invokes
> > + * 	this hook to change the security context in its incore inode and on the
> > + * 	backing filesystem to a value provided by the client on a SETATTR
> > + * 	operation.
> > + *
> > + * 	@dentry contains the inode we wish to set the security context of.
> > + * 	@ctx contains the string which we wish to set in the inode.
> > + * 	@ctxlen contains the length of @ctx.
> > + *
> > + * @inode_getsecctx:
> > + * 	Returns a string containing all relavent security context information
> > + * 	@inode we wish to set the security context of.
> > + *	@ctx is a pointer to place the allocated security context should be placed.
> > + *	@ctxlen points to the place to put the length of @ctx.
> >   * This is the main security structure.
> >   */
> >  struct security_operations {
> > @@ -1479,6 +1509,10 @@ struct security_operations {
> >  	int (*secctx_to_secid) (const char *secdata, u32 seclen, u32 *secid);
> >  	void (*release_secctx) (char *secdata, u32 seclen);
> > 
> > +	int (*inode_notifysecctx)(struct inode *inode, void *ctx, u32 ctxlen);
> > +	int (*inode_setsecctx)(struct dentry *dentry, void *ctx, u32 ctxlen);
> > +	int (*inode_getsecctx)(struct inode *inode, void **ctx, u32 *ctxlen);
> > +
> >  #ifdef CONFIG_SECURITY_NETWORK
> >  	int (*unix_stream_connect) (struct socket *sock,
> >  				    struct socket *other, struct sock *newsk);
> > @@ -1727,6 +1761,9 @@ int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
> >  int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
> >  void security_release_secctx(char *secdata, u32 seclen);
> > 
> > +int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
> > +int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
> > +int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
> >  #else /* CONFIG_SECURITY */
> >  struct security_mnt_opts {
> >  };
> > @@ -2458,6 +2495,19 @@ static inline int security_secctx_to_secid(const char *secdata,
> >  static inline void security_release_secctx(char *secdata, u32 seclen)
> >  {
> >  }
> > +
> > +static inline int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
> > +{
> > +	return -EOPNOTSUPP;
> > +}
> > +static inline int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
> > +{
> > +	return -EOPNOTSUPP;
> > +}
> > +static inline int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
> > +{
> > +	return -EOPNOTSUPP;
> > +}
> >  #endif	/* CONFIG_SECURITY */
> > 
> >  #ifdef CONFIG_SECURITY_NETWORK
> > diff --git a/security/security.c b/security/security.c
> > index 3a4b4f5..d0fd42a 100644
> > --- a/security/security.c
> > +++ b/security/security.c
> > @@ -869,6 +869,24 @@ void security_release_secctx(char *secdata, u32 seclen)
> >  }
> >  EXPORT_SYMBOL(security_release_secctx);
> > 
> > +int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
> > +{
> > +	return security_ops->inode_notifysecctx(inode, ctx, ctxlen);
> > +}
> > +EXPORT_SYMBOL(security_inode_notifysecctx);
> > +
> > +int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
> > +{
> > +	return security_ops->inode_setsecctx(dentry, ctx, ctxlen);
> > +}
> > +EXPORT_SYMBOL(security_inode_setsecctx);
> > +
> > +int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
> > +{
> > +	return security_ops->inode_getsecctx(inode, ctx, ctxlen);
> > +}
> > +EXPORT_SYMBOL(security_inode_getsecctx);
> > +
> >  #ifdef CONFIG_SECURITY_NETWORK
> > 
> >  int security_unix_stream_connect(struct socket *sock, struct socket *other,
> > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> > index 03fc6a8..b07871b 100644
> > --- a/security/selinux/hooks.c
> > +++ b/security/selinux/hooks.c
> > @@ -5285,6 +5285,28 @@ static void selinux_release_secctx(char *secdata, u32 seclen)
> >  	kfree(secdata);
> >  }
> > 
> > +/*
> > + *	This hook requires that the inode i_mutex be locked
> > + */
> > +static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
> > +{
> > +	return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
> > +}
> > +
> > +/*
> > + *	This hook requires that the inode i_mutex be locked
> > + */
> > +static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
> > +{
> > +	return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
> > +}
> > +
> > +static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
> > +{
> > +	*ctxlen = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
> > +						ctx, true);
> > +	return *ctxlen;
> > +}
> >  #ifdef CONFIG_KEYS
> > 
> >  static int selinux_key_alloc(struct key *k, struct task_struct *tsk,
> > @@ -5491,6 +5513,9 @@ static struct security_operations selinux_ops = {
> >  	.secid_to_secctx =		selinux_secid_to_secctx,
> >  	.secctx_to_secid =		selinux_secctx_to_secid,
> >  	.release_secctx =		selinux_release_secctx,
> > +	.inode_notifysecctx =		selinux_inode_notifysecctx,
> > +	.inode_setsecctx =		selinux_inode_setsecctx,
> > +	.inode_getsecctx =		selinux_inode_getsecctx,
> > 
> >  	.unix_stream_connect =		selinux_socket_unix_stream_connect,
> >  	.unix_may_send =		selinux_socket_unix_may_send,
> > -- 
> > 1.5.5.1
> > 
> > 
> > --
> > This message was distributed to subscribers of the selinux mailing list.
> > If you no longer wish to subscribe, send mail to majordomo@...ho.nsa.gov with
> > the words "unsubscribe selinux" without quotes as the message.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ