Commit 3612605a authored by Linus Torvalds's avatar Linus Torvalds

Merge branch 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull general security layer updates from James Morris:

 - Convert security hooks from list to hlist, a nice cleanup, saving
   about 50% of space, from Sargun Dhillon.

 - Only pass the cred, not the secid, to kill_pid_info_as_cred and
   security_task_kill (as the secid can be determined from the cred),
   from Stephen Smalley.

 - Close a potential race in kernel_read_file(), by making the file
   unwritable before calling the LSM check (vs after), from Kees Cook.

* 'next-general' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  security: convert security hooks to use hlist
  exec: Set file unwritable before LSM check
  usb, signal, security: only pass the cred, not the secid, to kill_pid_info_as_cred and security_task_kill
parents 62f8e6c5 df0ce173
...@@ -65,7 +65,6 @@ struct usb_dev_state { ...@@ -65,7 +65,6 @@ struct usb_dev_state {
const struct cred *cred; const struct cred *cred;
void __user *disccontext; void __user *disccontext;
unsigned long ifclaimed; unsigned long ifclaimed;
u32 secid;
u32 disabled_bulk_eps; u32 disabled_bulk_eps;
bool privileges_dropped; bool privileges_dropped;
unsigned long interface_allowed_mask; unsigned long interface_allowed_mask;
...@@ -95,7 +94,6 @@ struct async { ...@@ -95,7 +94,6 @@ struct async {
struct usb_memory *usbm; struct usb_memory *usbm;
unsigned int mem_usage; unsigned int mem_usage;
int status; int status;
u32 secid;
u8 bulk_addr; u8 bulk_addr;
u8 bulk_status; u8 bulk_status;
}; };
...@@ -586,7 +584,6 @@ static void async_completed(struct urb *urb) ...@@ -586,7 +584,6 @@ static void async_completed(struct urb *urb)
struct usb_dev_state *ps = as->ps; struct usb_dev_state *ps = as->ps;
struct siginfo sinfo; struct siginfo sinfo;
struct pid *pid = NULL; struct pid *pid = NULL;
u32 secid = 0;
const struct cred *cred = NULL; const struct cred *cred = NULL;
int signr; int signr;
...@@ -602,7 +599,6 @@ static void async_completed(struct urb *urb) ...@@ -602,7 +599,6 @@ static void async_completed(struct urb *urb)
sinfo.si_addr = as->userurb; sinfo.si_addr = as->userurb;
pid = get_pid(as->pid); pid = get_pid(as->pid);
cred = get_cred(as->cred); cred = get_cred(as->cred);
secid = as->secid;
} }
snoop(&urb->dev->dev, "urb complete\n"); snoop(&urb->dev->dev, "urb complete\n");
snoop_urb(urb->dev, as->userurb, urb->pipe, urb->actual_length, snoop_urb(urb->dev, as->userurb, urb->pipe, urb->actual_length,
...@@ -618,7 +614,7 @@ static void async_completed(struct urb *urb) ...@@ -618,7 +614,7 @@ static void async_completed(struct urb *urb)
spin_unlock(&ps->lock); spin_unlock(&ps->lock);
if (signr) { if (signr) {
kill_pid_info_as_cred(sinfo.si_signo, &sinfo, pid, cred, secid); kill_pid_info_as_cred(sinfo.si_signo, &sinfo, pid, cred);
put_pid(pid); put_pid(pid);
put_cred(cred); put_cred(cred);
} }
...@@ -1013,7 +1009,6 @@ static int usbdev_open(struct inode *inode, struct file *file) ...@@ -1013,7 +1009,6 @@ static int usbdev_open(struct inode *inode, struct file *file)
init_waitqueue_head(&ps->wait); init_waitqueue_head(&ps->wait);
ps->disc_pid = get_pid(task_pid(current)); ps->disc_pid = get_pid(task_pid(current));
ps->cred = get_current_cred(); ps->cred = get_current_cred();
security_task_getsecid(current, &ps->secid);
smp_wmb(); smp_wmb();
list_add_tail(&ps->list, &dev->filelist); list_add_tail(&ps->list, &dev->filelist);
file->private_data = ps; file->private_data = ps;
...@@ -1727,7 +1722,6 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb ...@@ -1727,7 +1722,6 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb
as->ifnum = ifnum; as->ifnum = ifnum;
as->pid = get_pid(task_pid(current)); as->pid = get_pid(task_pid(current));
as->cred = get_current_cred(); as->cred = get_current_cred();
security_task_getsecid(current, &as->secid);
snoop_urb(ps->dev, as->userurb, as->urb->pipe, snoop_urb(ps->dev, as->userurb, as->urb->pipe,
as->urb->transfer_buffer_length, 0, SUBMIT, as->urb->transfer_buffer_length, 0, SUBMIT,
NULL, 0); NULL, 0);
...@@ -2617,7 +2611,7 @@ static void usbdev_remove(struct usb_device *udev) ...@@ -2617,7 +2611,7 @@ static void usbdev_remove(struct usb_device *udev)
sinfo.si_code = SI_ASYNCIO; sinfo.si_code = SI_ASYNCIO;
sinfo.si_addr = ps->disccontext; sinfo.si_addr = ps->disccontext;
kill_pid_info_as_cred(ps->discsignr, &sinfo, kill_pid_info_as_cred(ps->discsignr, &sinfo,
ps->disc_pid, ps->cred, ps->secid); ps->disc_pid, ps->cred);
} }
} }
} }
......
...@@ -895,13 +895,13 @@ int kernel_read_file(struct file *file, void **buf, loff_t *size, ...@@ -895,13 +895,13 @@ int kernel_read_file(struct file *file, void **buf, loff_t *size,
if (!S_ISREG(file_inode(file)->i_mode) || max_size < 0) if (!S_ISREG(file_inode(file)->i_mode) || max_size < 0)
return -EINVAL; return -EINVAL;
ret = security_kernel_read_file(file, id); ret = deny_write_access(file);
if (ret) if (ret)
return ret; return ret;
ret = deny_write_access(file); ret = security_kernel_read_file(file, id);
if (ret) if (ret)
return ret; goto out;
i_size = i_size_read(file_inode(file)); i_size = i_size_read(file_inode(file));
if (max_size > 0 && i_size > max_size) { if (max_size > 0 && i_size > max_size) {
......
This diff is collapsed.
...@@ -319,7 +319,7 @@ extern int force_sig_info(int, struct siginfo *, struct task_struct *); ...@@ -319,7 +319,7 @@ extern int force_sig_info(int, struct siginfo *, struct task_struct *);
extern int __kill_pgrp_info(int sig, struct siginfo *info, struct pid *pgrp); extern int __kill_pgrp_info(int sig, struct siginfo *info, struct pid *pgrp);
extern int kill_pid_info(int sig, struct siginfo *info, struct pid *pid); extern int kill_pid_info(int sig, struct siginfo *info, struct pid *pid);
extern int kill_pid_info_as_cred(int, struct siginfo *, struct pid *, extern int kill_pid_info_as_cred(int, struct siginfo *, struct pid *,
const struct cred *, u32); const struct cred *);
extern int kill_pgrp(struct pid *pid, int sig, int priv); extern int kill_pgrp(struct pid *pid, int sig, int priv);
extern int kill_pid(struct pid *pid, int sig, int priv); extern int kill_pid(struct pid *pid, int sig, int priv);
extern __must_check bool do_notify_parent(struct task_struct *, int); extern __must_check bool do_notify_parent(struct task_struct *, int);
......
...@@ -345,7 +345,7 @@ int security_task_setscheduler(struct task_struct *p); ...@@ -345,7 +345,7 @@ int security_task_setscheduler(struct task_struct *p);
int security_task_getscheduler(struct task_struct *p); int security_task_getscheduler(struct task_struct *p);
int security_task_movememory(struct task_struct *p); int security_task_movememory(struct task_struct *p);
int security_task_kill(struct task_struct *p, struct siginfo *info, int security_task_kill(struct task_struct *p, struct siginfo *info,
int sig, u32 secid); int sig, const struct cred *cred);
int security_task_prctl(int option, unsigned long arg2, unsigned long arg3, int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,
unsigned long arg4, unsigned long arg5); unsigned long arg4, unsigned long arg5);
void security_task_to_inode(struct task_struct *p, struct inode *inode); void security_task_to_inode(struct task_struct *p, struct inode *inode);
...@@ -1008,7 +1008,7 @@ static inline int security_task_movememory(struct task_struct *p) ...@@ -1008,7 +1008,7 @@ static inline int security_task_movememory(struct task_struct *p)
static inline int security_task_kill(struct task_struct *p, static inline int security_task_kill(struct task_struct *p,
struct siginfo *info, int sig, struct siginfo *info, int sig,
u32 secid) const struct cred *cred)
{ {
return 0; return 0;
} }
......
...@@ -770,7 +770,7 @@ static int check_kill_permission(int sig, struct siginfo *info, ...@@ -770,7 +770,7 @@ static int check_kill_permission(int sig, struct siginfo *info,
} }
} }
return security_task_kill(t, info, sig, 0); return security_task_kill(t, info, sig, NULL);
} }
/** /**
...@@ -1361,7 +1361,7 @@ static int kill_as_cred_perm(const struct cred *cred, ...@@ -1361,7 +1361,7 @@ static int kill_as_cred_perm(const struct cred *cred,
/* like kill_pid_info(), but doesn't use uid/euid of "current" */ /* like kill_pid_info(), but doesn't use uid/euid of "current" */
int kill_pid_info_as_cred(int sig, struct siginfo *info, struct pid *pid, int kill_pid_info_as_cred(int sig, struct siginfo *info, struct pid *pid,
const struct cred *cred, u32 secid) const struct cred *cred)
{ {
int ret = -EINVAL; int ret = -EINVAL;
struct task_struct *p; struct task_struct *p;
...@@ -1380,7 +1380,7 @@ int kill_pid_info_as_cred(int sig, struct siginfo *info, struct pid *pid, ...@@ -1380,7 +1380,7 @@ int kill_pid_info_as_cred(int sig, struct siginfo *info, struct pid *pid,
ret = -EPERM; ret = -EPERM;
goto out_unlock; goto out_unlock;
} }
ret = security_task_kill(p, info, sig, secid); ret = security_task_kill(p, info, sig, cred);
if (ret) if (ret)
goto out_unlock; goto out_unlock;
......
...@@ -52,8 +52,8 @@ static const struct whitelist_entry whitelist[] = { ...@@ -52,8 +52,8 @@ static const struct whitelist_entry whitelist[] = {
{ "net/unix/af_unix.c", "unix_skb_parms", "char" }, { "net/unix/af_unix.c", "unix_skb_parms", "char" },
/* big_key payload.data struct splashing */ /* big_key payload.data struct splashing */
{ "security/keys/big_key.c", "path", "void *" }, { "security/keys/big_key.c", "path", "void *" },
/* walk struct security_hook_heads as an array of struct list_head */ /* walk struct security_hook_heads as an array of struct hlist_head */
{ "security/security.c", "list_head", "security_hook_heads" }, { "security/security.c", "hlist_head", "security_hook_heads" },
{ } { }
}; };
......
...@@ -716,16 +716,23 @@ static int apparmor_task_setrlimit(struct task_struct *task, ...@@ -716,16 +716,23 @@ static int apparmor_task_setrlimit(struct task_struct *task,
} }
static int apparmor_task_kill(struct task_struct *target, struct siginfo *info, static int apparmor_task_kill(struct task_struct *target, struct siginfo *info,
int sig, u32 secid) int sig, const struct cred *cred)
{ {
struct aa_label *cl, *tl; struct aa_label *cl, *tl;
int error; int error;
if (secid) if (cred) {
/* TODO: after secid to label mapping is done. /*
* Dealing with USB IO specific behavior * Dealing with USB IO specific behavior
*/ */
return 0; cl = aa_get_newest_cred_label(cred);
tl = aa_get_task_label(target);
error = aa_may_signal(cl, tl, sig);
aa_put_label(cl);
aa_put_label(tl);
return error;
}
cl = __begin_current_label_crit_section(); cl = __begin_current_label_crit_section();
tl = aa_get_task_label(target); tl = aa_get_task_label(target);
error = aa_may_signal(cl, tl, sig); error = aa_may_signal(cl, tl, sig);
......
...@@ -61,11 +61,11 @@ static void __init do_security_initcalls(void) ...@@ -61,11 +61,11 @@ static void __init do_security_initcalls(void)
int __init security_init(void) int __init security_init(void)
{ {
int i; int i;
struct list_head *list = (struct list_head *) &security_hook_heads; struct hlist_head *list = (struct hlist_head *) &security_hook_heads;
for (i = 0; i < sizeof(security_hook_heads) / sizeof(struct list_head); for (i = 0; i < sizeof(security_hook_heads) / sizeof(struct hlist_head);
i++) i++)
INIT_LIST_HEAD(&list[i]); INIT_HLIST_HEAD(&list[i]);
pr_info("Security Framework initialized\n"); pr_info("Security Framework initialized\n");
/* /*
...@@ -163,7 +163,7 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count, ...@@ -163,7 +163,7 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count,
for (i = 0; i < count; i++) { for (i = 0; i < count; i++) {
hooks[i].lsm = lsm; hooks[i].lsm = lsm;
list_add_tail_rcu(&hooks[i].list, hooks[i].head); hlist_add_tail_rcu(&hooks[i].list, hooks[i].head);
} }
if (lsm_append(lsm, &lsm_names) < 0) if (lsm_append(lsm, &lsm_names) < 0)
panic("%s - Cannot get early memory.\n", __func__); panic("%s - Cannot get early memory.\n", __func__);
...@@ -201,7 +201,7 @@ EXPORT_SYMBOL(unregister_lsm_notifier); ...@@ -201,7 +201,7 @@ EXPORT_SYMBOL(unregister_lsm_notifier);
do { \ do { \
struct security_hook_list *P; \ struct security_hook_list *P; \
\ \
list_for_each_entry(P, &security_hook_heads.FUNC, list) \ hlist_for_each_entry(P, &security_hook_heads.FUNC, list) \
P->hook.FUNC(__VA_ARGS__); \ P->hook.FUNC(__VA_ARGS__); \
} while (0) } while (0)
...@@ -210,7 +210,7 @@ EXPORT_SYMBOL(unregister_lsm_notifier); ...@@ -210,7 +210,7 @@ EXPORT_SYMBOL(unregister_lsm_notifier);
do { \ do { \
struct security_hook_list *P; \ struct security_hook_list *P; \
\ \
list_for_each_entry(P, &security_hook_heads.FUNC, list) { \ hlist_for_each_entry(P, &security_hook_heads.FUNC, list) { \
RC = P->hook.FUNC(__VA_ARGS__); \ RC = P->hook.FUNC(__VA_ARGS__); \
if (RC != 0) \ if (RC != 0) \
break; \ break; \
...@@ -317,7 +317,7 @@ int security_vm_enough_memory_mm(struct mm_struct *mm, long pages) ...@@ -317,7 +317,7 @@ int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
* agree that it should be set it will. If any module * agree that it should be set it will. If any module
* thinks it should not be set it won't. * thinks it should not be set it won't.
*/ */
list_for_each_entry(hp, &security_hook_heads.vm_enough_memory, list) { hlist_for_each_entry(hp, &security_hook_heads.vm_enough_memory, list) {
rc = hp->hook.vm_enough_memory(mm, pages); rc = hp->hook.vm_enough_memory(mm, pages);
if (rc <= 0) { if (rc <= 0) {
cap_sys_admin = 0; cap_sys_admin = 0;
...@@ -805,7 +805,7 @@ int security_inode_getsecurity(struct inode *inode, const char *name, void **buf ...@@ -805,7 +805,7 @@ int security_inode_getsecurity(struct inode *inode, const char *name, void **buf
/* /*
* Only one module will provide an attribute with a given name. * Only one module will provide an attribute with a given name.
*/ */
list_for_each_entry(hp, &security_hook_heads.inode_getsecurity, list) { hlist_for_each_entry(hp, &security_hook_heads.inode_getsecurity, list) {
rc = hp->hook.inode_getsecurity(inode, name, buffer, alloc); rc = hp->hook.inode_getsecurity(inode, name, buffer, alloc);
if (rc != -EOPNOTSUPP) if (rc != -EOPNOTSUPP)
return rc; return rc;
...@@ -823,7 +823,7 @@ int security_inode_setsecurity(struct inode *inode, const char *name, const void ...@@ -823,7 +823,7 @@ int security_inode_setsecurity(struct inode *inode, const char *name, const void
/* /*
* Only one module will provide an attribute with a given name. * Only one module will provide an attribute with a given name.
*/ */
list_for_each_entry(hp, &security_hook_heads.inode_setsecurity, list) { hlist_for_each_entry(hp, &security_hook_heads.inode_setsecurity, list) {
rc = hp->hook.inode_setsecurity(inode, name, value, size, rc = hp->hook.inode_setsecurity(inode, name, value, size,
flags); flags);
if (rc != -EOPNOTSUPP) if (rc != -EOPNOTSUPP)
...@@ -1114,9 +1114,9 @@ int security_task_movememory(struct task_struct *p) ...@@ -1114,9 +1114,9 @@ int security_task_movememory(struct task_struct *p)
} }
int security_task_kill(struct task_struct *p, struct siginfo *info, int security_task_kill(struct task_struct *p, struct siginfo *info,
int sig, u32 secid) int sig, const struct cred *cred)
{ {
return call_int_hook(task_kill, 0, p, info, sig, secid); return call_int_hook(task_kill, 0, p, info, sig, cred);
} }
int security_task_prctl(int option, unsigned long arg2, unsigned long arg3, int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,
...@@ -1126,7 +1126,7 @@ int security_task_prctl(int option, unsigned long arg2, unsigned long arg3, ...@@ -1126,7 +1126,7 @@ int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,
int rc = -ENOSYS; int rc = -ENOSYS;
struct security_hook_list *hp; struct security_hook_list *hp;
list_for_each_entry(hp, &security_hook_heads.task_prctl, list) { hlist_for_each_entry(hp, &security_hook_heads.task_prctl, list) {
thisrc = hp->hook.task_prctl(option, arg2, arg3, arg4, arg5); thisrc = hp->hook.task_prctl(option, arg2, arg3, arg4, arg5);
if (thisrc != -ENOSYS) { if (thisrc != -ENOSYS) {
rc = thisrc; rc = thisrc;
...@@ -1651,7 +1651,7 @@ int security_xfrm_state_pol_flow_match(struct xfrm_state *x, ...@@ -1651,7 +1651,7 @@ int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
* For speed optimization, we explicitly break the loop rather than * For speed optimization, we explicitly break the loop rather than
* using the macro * using the macro
*/ */
list_for_each_entry(hp, &security_hook_heads.xfrm_state_pol_flow_match, hlist_for_each_entry(hp, &security_hook_heads.xfrm_state_pol_flow_match,
list) { list) {
rc = hp->hook.xfrm_state_pol_flow_match(x, xp, fl); rc = hp->hook.xfrm_state_pol_flow_match(x, xp, fl);
break; break;
......
...@@ -4156,16 +4156,19 @@ static int selinux_task_movememory(struct task_struct *p) ...@@ -4156,16 +4156,19 @@ static int selinux_task_movememory(struct task_struct *p)
} }
static int selinux_task_kill(struct task_struct *p, struct siginfo *info, static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
int sig, u32 secid) int sig, const struct cred *cred)
{ {
u32 secid;
u32 perm; u32 perm;
if (!sig) if (!sig)
perm = PROCESS__SIGNULL; /* null signal; existence test */ perm = PROCESS__SIGNULL; /* null signal; existence test */
else else
perm = signal_to_av(sig); perm = signal_to_av(sig);
if (!secid) if (!cred)
secid = current_sid(); secid = current_sid();
else
secid = cred_sid(cred);
return avc_has_perm(&selinux_state, return avc_has_perm(&selinux_state,
secid, task_sid(p), SECCLASS_PROCESS, perm, NULL); secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
} }
......
...@@ -2228,15 +2228,13 @@ static int smack_task_movememory(struct task_struct *p) ...@@ -2228,15 +2228,13 @@ static int smack_task_movememory(struct task_struct *p)
* @p: the task object * @p: the task object
* @info: unused * @info: unused
* @sig: unused * @sig: unused
* @secid: identifies the smack to use in lieu of current's * @cred: identifies the cred to use in lieu of current's
* *
* Return 0 if write access is permitted * Return 0 if write access is permitted
* *
* The secid behavior is an artifact of an SELinux hack
* in the USB code. Someday it may go away.
*/ */
static int smack_task_kill(struct task_struct *p, struct siginfo *info, static int smack_task_kill(struct task_struct *p, struct siginfo *info,
int sig, u32 secid) int sig, const struct cred *cred)
{ {
struct smk_audit_info ad; struct smk_audit_info ad;
struct smack_known *skp; struct smack_known *skp;
...@@ -2252,17 +2250,17 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info, ...@@ -2252,17 +2250,17 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info,
* Sending a signal requires that the sender * Sending a signal requires that the sender
* can write the receiver. * can write the receiver.
*/ */
if (secid == 0) { if (cred == NULL) {
rc = smk_curacc(tkp, MAY_DELIVER, &ad); rc = smk_curacc(tkp, MAY_DELIVER, &ad);
rc = smk_bu_task(p, MAY_DELIVER, rc); rc = smk_bu_task(p, MAY_DELIVER, rc);
return rc; return rc;
} }
/* /*
* If the secid isn't 0 we're dealing with some USB IO * If the cred isn't NULL we're dealing with some USB IO
* specific behavior. This is not clean. For one thing * specific behavior. This is not clean. For one thing
* we can't take privilege into account. * we can't take privilege into account.
*/ */
skp = smack_from_secid(secid); skp = smk_of_task(cred->security);
rc = smk_access(skp, tkp, MAY_DELIVER, &ad); rc = smk_access(skp, tkp, MAY_DELIVER, &ad);
rc = smk_bu_note("USB signal", skp, tkp, MAY_DELIVER, rc); rc = smk_bu_note("USB signal", skp, tkp, MAY_DELIVER, rc);
return rc; return rc;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment