lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 15 Jan 2020 13:30:53 +0000 From: David Howells <dhowells@...hat.com> To: torvalds@...ux-foundation.org Cc: dhowells@...hat.com, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Casey Schaufler <casey@...aufler-ca.com>, Stephen Smalley <sds@...ho.nsa.gov>, nicolas.dichtel@...nd.com, raven@...maw.net, Christian Brauner <christian@...uner.io>, dhowells@...hat.com, keyrings@...r.kernel.org, linux-usb@...r.kernel.org, linux-block@...r.kernel.org, linux-security-module@...r.kernel.org, linux-fsdevel@...r.kernel.org, linux-api@...r.kernel.org, linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org Subject: [RFC PATCH 02/14] security: Add hooks to rule on setting a watch [ver #3] Add security hooks that will allow an LSM to rule on whether or not a watch may be set. More than one hook is required as the watches watch different types of object. Signed-off-by: David Howells <dhowells@...hat.com> cc: Casey Schaufler <casey@...aufler-ca.com> cc: Stephen Smalley <sds@...ho.nsa.gov> cc: linux-security-module@...r.kernel.org --- include/linux/lsm_hooks.h | 24 ++++++++++++++++++++++++ include/linux/security.h | 17 +++++++++++++++++ security/security.c | 14 ++++++++++++++ 3 files changed, 55 insertions(+) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 20d8cf194fb7..79d7c73676d7 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -1416,6 +1416,18 @@ * @ctx is a pointer in which to place the allocated security context. * @ctxlen points to the place to put the length of @ctx. * + * Security hooks for the general notification queue: + * + * @watch_key: + * Check to see if a process is allowed to watch for event notifications + * from a key or keyring. + * @key: The key to watch. + * + * @watch_devices: + * Check to see if a process is allowed to watch for event notifications + * from devices (as a global set). + * + * * Security hooks for using the eBPF maps and programs functionalities through * eBPF syscalls. * @@ -1698,6 +1710,12 @@ union security_list_options { int (*inode_notifysecctx)(struct inode *inode, void *ctx, u32 ctxlen); int (*inode_setsecctx)(struct dentry *dentry, void *ctx, u32 ctxlen); int (*inode_getsecctx)(struct inode *inode, void **ctx, u32 *ctxlen); +#ifdef CONFIG_KEY_NOTIFICATIONS + int (*watch_key)(struct key *key); +#endif +#ifdef CONFIG_DEVICE_NOTIFICATIONS + int (*watch_devices)(void); +#endif #ifdef CONFIG_SECURITY_NETWORK int (*unix_stream_connect)(struct sock *sock, struct sock *other, @@ -1985,6 +2003,12 @@ struct security_hook_heads { struct hlist_head inode_notifysecctx; struct hlist_head inode_setsecctx; struct hlist_head inode_getsecctx; +#ifdef CONFIG_KEY_NOTIFICATIONS + struct hlist_head watch_key; +#endif +#ifdef CONFIG_DEVICE_NOTIFICATIONS + struct hlist_head watch_devices; +#endif #ifdef CONFIG_SECURITY_NETWORK struct hlist_head unix_stream_connect; struct hlist_head unix_may_send; diff --git a/include/linux/security.h b/include/linux/security.h index 3e8d4bacd59d..8f2fa100d128 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -1274,6 +1274,23 @@ static inline int security_locked_down(enum lockdown_reason what) } #endif /* CONFIG_SECURITY */ +#if defined(CONFIG_SECURITY) && defined(CONFIG_KEY_NOTIFICATIONS) +int security_watch_key(struct key *key); +#else +static inline int security_watch_key(struct key *key) +{ + return 0; +} +#endif +#if defined(CONFIG_SECURITY) && defined(CONFIG_DEVICE_NOTIFICATIONS) +int security_watch_devices(void); +#else +static inline int security_watch_devices(void) +{ + return 0; +} +#endif + #ifdef CONFIG_SECURITY_NETWORK int security_unix_stream_connect(struct sock *sock, struct sock *other, struct sock *newsk); diff --git a/security/security.c b/security/security.c index cd2d18d2d279..578863f230a6 100644 --- a/security/security.c +++ b/security/security.c @@ -1956,6 +1956,20 @@ int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) } EXPORT_SYMBOL(security_inode_getsecctx); +#ifdef CONFIG_KEY_NOTIFICATIONS +int security_watch_key(struct key *key) +{ + return call_int_hook(watch_key, 0, key); +} +#endif + +#ifdef CONFIG_DEVICE_NOTIFICATIONS +int security_watch_devices(void) +{ + return call_int_hook(watch_devices, 0); +} +#endif + #ifdef CONFIG_SECURITY_NETWORK int security_unix_stream_connect(struct sock *sock, struct sock *other, struct sock *newsk)
Powered by blists - more mailing lists