[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CABdmKX3HN8MFM3LRe-Og+umTMAfrNximN9GmBtQCKGLxFsfogA@mail.gmail.com>
Date: Wed, 11 Jan 2023 16:21:02 -0800
From: "T.J. Mercier" <tjmercier@...gle.com>
To: Casey Schaufler <casey@...aufler-ca.com>
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Arve Hjønnevåg <arve@...roid.com>,
Todd Kjos <tkjos@...roid.com>,
Martijn Coenen <maco@...roid.com>,
Joel Fernandes <joel@...lfernandes.org>,
Christian Brauner <brauner@...nel.org>,
Carlos Llamas <cmllamas@...gle.com>,
Suren Baghdasaryan <surenb@...gle.com>,
Paul Moore <paul@...l-moore.com>,
James Morris <jmorris@...ei.org>,
"Serge E. Hallyn" <serge@...lyn.com>,
Stephen Smalley <stephen.smalley.work@...il.com>,
Eric Paris <eparis@...isplace.org>, hannes@...xchg.org,
daniel.vetter@...ll.ch, android-mm@...gle.com, jstultz@...gle.com,
linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org, selinux@...r.kernel.org,
Jeffrey Vander Stoep <jeffv@...gle.com>
Subject: Re: [PATCH 4/4] security: binder: Add transfer_charge SElinux hook
On Tue, Jan 10, 2023 at 11:39 AM Casey Schaufler <casey@...aufler-ca.com> wrote:
>
> On 1/9/2023 4:30 PM, T.J. Mercier wrote:
> > On Mon, Jan 9, 2023 at 2:28 PM Casey Schaufler <casey@...aufler-ca.com> wrote:
> >> On 1/9/2023 1:38 PM, T.J. Mercier wrote:
> >>> Any process can cause a memory charge transfer to occur to any other
> >>> process when transmitting a file descriptor through binder. This should
> >>> only be possible for central allocator processes,
> >> How is a "central allocator process" identified?
> > Any process with the transfer_charge permission. On Android this is
> > the graphics allocator HAL which would have this added to its policy.
>
> OK. You're putting SELinux policy directly into the name of the LSM hook.
>
> >
> >> If I have a LSM that
> >> is not SELinux (e.g. AppArmor, Smack) or no LSM at all, how can/should this
> >> be enforced?
> > Sorry, why would you be expecting enforcement with no LSM?
>
> Because the LSM is supposed to be a set of *additional* restrictions.
> If there are no restrictions when there's no LSM, you can't add to
> existing restrictions. If binder works correctly without any restrictions
> that's fine. It seems odd that you'd add SELinux restrictions if there
> are no basic restrictions. If, on the other hand, binder doesn't have
> native restrictions because it always assumes SELinux, it ought to have
> a CONFIG dependency on SELinux.
>
> None of which is really important.
>
> > Are you
> > suggesting that this check should be different than the ones that
> > already exist for Binder here?
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/linux/lsm_hook_defs.h#n29
>
> This one seems just a little bit more like an implementation of
> SELinux policy in the hook than some of the others. If there is no way
> to identify the special process without SELinux policy it's going to
> be really difficult for a different LSM to utilize the hook.
>
I think I see what you're saying... there is potentially no way to
have an equivalent attribute with other LSMs?
> >
> >> Why isn't binder enforcing this restriction itself?
> > Binder has no direct knowledge of which process has been designated as
> > an allocator / charge transferrer. That is defined externally by
> > whoever configures the system.
>
> So the attribute isn't a binder attribute, it's an SELinux attribute?
> That isn't appropriate in the LSM interface, at least not explicitly.
>
The transfer feature is something offered by binder, but mapped to a
process only in the SELinux policy.
> >
> >>> so a new SELinux
> >>> permission is added to restrict which processes are allowed to initiate
> >>> these charge transfers.
> >> Which is all perfectly reasonable if you have SELinux.
> >>
> >>> Signed-off-by: T.J. Mercier <tjmercier@...gle.com>
> >>> ---
> >>> drivers/android/binder.c | 5 +++++
> >>> include/linux/lsm_hook_defs.h | 2 ++
> >>> include/linux/lsm_hooks.h | 6 ++++++
> >>> include/linux/security.h | 2 ++
> >>> security/security.c | 6 ++++++
> >>> security/selinux/hooks.c | 9 +++++++++
> >>> security/selinux/include/classmap.h | 2 +-
> >>> 7 files changed, 31 insertions(+), 1 deletion(-)
> >>>
> >>> diff --git a/drivers/android/binder.c b/drivers/android/binder.c
> >>> index 9830848c8d25..9063db04826d 100644
> >>> --- a/drivers/android/binder.c
> >>> +++ b/drivers/android/binder.c
> >>> @@ -2279,6 +2279,11 @@ static int binder_translate_fd(u32 fd, binder_size_t fd_offset, __u32 flags,
> >>> if (IS_ENABLED(CONFIG_MEMCG) && (flags & BINDER_FD_FLAG_XFER_CHARGE)) {
> >>> struct dma_buf *dmabuf;
> >>>
> >>> + if (security_binder_transfer_charge(proc->cred, target_proc->cred)) {
> >>> + ret = -EPERM;
> >>> + goto err_security;
> >>> + }
> >>> +
> >>> if (unlikely(!is_dma_buf_file(file))) {
> >>> binder_user_error(
> >>> "%d:%d got transaction with XFER_CHARGE for non-dmabuf fd, %d\n",
> >>> diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
> >>> index ed6cb2ac55fa..8db2a958557e 100644
> >>> --- a/include/linux/lsm_hook_defs.h
> >>> +++ b/include/linux/lsm_hook_defs.h
> >>> @@ -33,6 +33,8 @@ LSM_HOOK(int, 0, binder_transfer_binder, const struct cred *from,
> >>> const struct cred *to)
> >>> LSM_HOOK(int, 0, binder_transfer_file, const struct cred *from,
> >>> const struct cred *to, struct file *file)
> >>> +LSM_HOOK(int, 0, binder_transfer_charge, const struct cred *from,
> >>> + const struct cred *to)
> >>> LSM_HOOK(int, 0, ptrace_access_check, struct task_struct *child,
> >>> unsigned int mode)
> >>> LSM_HOOK(int, 0, ptrace_traceme, struct task_struct *parent)
> >>> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> >>> index 0a5ba81f7367..39c40c7bf519 100644
> >>> --- a/include/linux/lsm_hooks.h
> >>> +++ b/include/linux/lsm_hooks.h
> >>> @@ -1385,6 +1385,12 @@
> >>> * @file contains the struct file being transferred.
> >>> * @to contains the struct cred for the receiving process.
> >>> * Return 0 if permission is granted.
> >>> + * @binder_transfer_charge:
> >>> + * Check whether @from is allowed to transfer the memory charge for a
> >>> + * buffer out of its cgroup to @to.
> >>> + * @from contains the struct cred for the sending process.
> >>> + * @to contains the struct cred for the receiving process.
> >>> + * Return 0 if permission is granted.
> >>> *
> >>> * @ptrace_access_check:
> >>> * Check permission before allowing the current process to trace the
> >>> diff --git a/include/linux/security.h b/include/linux/security.h
> >>> index 5b67f208f7de..3b7472308430 100644
> >>> --- a/include/linux/security.h
> >>> +++ b/include/linux/security.h
> >>> @@ -270,6 +270,8 @@ int security_binder_transfer_binder(const struct cred *from,
> >>> const struct cred *to);
> >>> int security_binder_transfer_file(const struct cred *from,
> >>> const struct cred *to, struct file *file);
> >>> +int security_binder_transfer_charge(const struct cred *from,
> >>> + const struct cred *to);
> >>> int security_ptrace_access_check(struct task_struct *child, unsigned int mode);
> >>> int security_ptrace_traceme(struct task_struct *parent);
> >>> int security_capget(struct task_struct *target,
> >>> diff --git a/security/security.c b/security/security.c
> >>> index d1571900a8c7..97e1e74d1ff2 100644
> >>> --- a/security/security.c
> >>> +++ b/security/security.c
> >>> @@ -801,6 +801,12 @@ int security_binder_transfer_file(const struct cred *from,
> >>> return call_int_hook(binder_transfer_file, 0, from, to, file);
> >>> }
> >>>
> >>> +int security_binder_transfer_charge(const struct cred *from,
> >>> + const struct cred *to)
> >>> +{
> >>> + return call_int_hook(binder_transfer_charge, 0, from, to);
> >>> +}
> >>> +
> >>> int security_ptrace_access_check(struct task_struct *child, unsigned int mode)
> >>> {
> >>> return call_int_hook(ptrace_access_check, 0, child, mode);
> >>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> >>> index 3c5be76a9199..823ef14924bd 100644
> >>> --- a/security/selinux/hooks.c
> >>> +++ b/security/selinux/hooks.c
> >>> @@ -2066,6 +2066,14 @@ static int selinux_binder_transfer_file(const struct cred *from,
> >>> &ad);
> >>> }
> >>>
> >>> +static int selinux_binder_transfer_charge(const struct cred *from, const struct cred *to)
> >>> +{
> >>> + return avc_has_perm(&selinux_state,
> >>> + cred_sid(from), cred_sid(to),
> >>> + SECCLASS_BINDER, BINDER__TRANSFER_CHARGE,
> >>> + NULL);
> >>> +}
> >>> +
> >>> static int selinux_ptrace_access_check(struct task_struct *child,
> >>> unsigned int mode)
> >>> {
> >>> @@ -7052,6 +7060,7 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
> >>> LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
> >>> LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
> >>> LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
> >>> + LSM_HOOK_INIT(binder_transfer_charge, selinux_binder_transfer_charge),
> >>>
> >>> LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
> >>> LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
> >>> diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
> >>> index a3c380775d41..2eef180d10d7 100644
> >>> --- a/security/selinux/include/classmap.h
> >>> +++ b/security/selinux/include/classmap.h
> >>> @@ -172,7 +172,7 @@ const struct security_class_mapping secclass_map[] = {
> >>> { "tun_socket",
> >>> { COMMON_SOCK_PERMS, "attach_queue", NULL } },
> >>> { "binder", { "impersonate", "call", "set_context_mgr", "transfer",
> >>> - NULL } },
> >>> + "transfer_charge", NULL } },
> >>> { "cap_userns",
> >>> { COMMON_CAP_PERMS, NULL } },
> >>> { "cap2_userns",
Powered by blists - more mailing lists