LSM: Infrastructure management of the ipc security blob

Move management of the kern_ipc_perm->security and msg_msg->security blobs out of the individual security modules and into the security infrastructure. Instead of allocating the blobs from within the modules the modules tell the infrastructure how much space is required, and the space is allocated there. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: Kees Cook <keescook@chromium.org> [kees: adjusted for ordered init series] Signed-off-by: Kees Cook <keescook@chromium.org>
author: Casey Schaufler <casey@schaufler-ca.com> 2018-11-20 14:55:02 -0500
committer: Kees Cook <keescook@chromium.org> 2019-01-08 16:18:45 -0500
commit: ecd5f82e05ddd9b06c258167ec7467ac79741d77 (patch)
tree: 9cefea64fc40202a284fcb07ecf50f871f7562b0 /security/security.c
parent: 019bcca4626a9ed119e1d9ebfadb9fdbdcf9b35b (diff)
1 files changed, 87 insertions, 4 deletions
diff --git a/security/security.c b/security/security.c
index e59a1e1514ee..953fc3ea18a9 100644
--- a/security/security.c
+++ b/security/security.c
@@ -30,6 +30,7 @@
 #include <linux/personality.h>
 #include <linux/backing-dev.h>
 #include <linux/string.h>
+#include <linux/msg.h>
 #include <net/flow.h>
 #define MAX_LSM_EVM_XATTR       2
@@ -169,6 +170,8 @@ static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed)
        if (needed->lbs_inode && blob_sizes.lbs_inode == 0)
                blob_sizes.lbs_inode = sizeof(struct rcu_head);
        lsm_set_blob_size(&needed->lbs_inode, &blob_sizes.lbs_inode);
+        lsm_set_blob_size(&needed->lbs_ipc, &blob_sizes.lbs_ipc);
+        lsm_set_blob_size(&needed->lbs_msg_msg, &blob_sizes.lbs_msg_msg);
        lsm_set_blob_size(&needed->lbs_task, &blob_sizes.lbs_task);
 }
@@ -293,6 +296,8 @@ static void __init ordered_lsm_init(void)
        init_debug("cred blob size     = %d\n", blob_sizes.lbs_cred);
        init_debug("file blob size     = %d\n", blob_sizes.lbs_file);
        init_debug("inode blob size    = %d\n", blob_sizes.lbs_inode);
+        init_debug("ipc blob size      = %d\n", blob_sizes.lbs_ipc);
+        init_debug("msg_msg blob size  = %d\n", blob_sizes.lbs_msg_msg);
        init_debug("task blob size     = %d\n", blob_sizes.lbs_task);
        /*
@@ -539,6 +544,48 @@ int lsm_task_alloc(struct task_struct *task)
 }
 /**
+ * lsm_ipc_alloc - allocate a composite ipc blob
+ * @kip: the ipc that needs a blob
+ *
+ * Allocate the ipc blob for all the modules
+ *
+ * Returns 0, or -ENOMEM if memory can't be allocated.
+ */
+int lsm_ipc_alloc(struct kern_ipc_perm *kip)
+{
+        if (blob_sizes.lbs_ipc == 0) {
+                kip->security = NULL;
+                return 0;
+        }
+        kip->security = kzalloc(blob_sizes.lbs_ipc, GFP_KERNEL);
+        if (kip->security == NULL)
+                return -ENOMEM;
+        return 0;
+}
+/**
+ * lsm_msg_msg_alloc - allocate a composite msg_msg blob
+ * @mp: the msg_msg that needs a blob
+ *
+ * Allocate the ipc blob for all the modules
+ *
+ * Returns 0, or -ENOMEM if memory can't be allocated.
+ */
+int lsm_msg_msg_alloc(struct msg_msg *mp)
+{
+        if (blob_sizes.lbs_msg_msg == 0) {
+                mp->security = NULL;
+                return 0;
+        }
+        mp->security = kzalloc(blob_sizes.lbs_msg_msg, GFP_KERNEL);
+        if (mp->security == NULL)
+                return -ENOMEM;
+        return 0;
+}
+/**
 * lsm_early_task - during initialization allocate a composite task blob
 * @task: the task that needs a blob
 *
@@ -1631,22 +1678,40 @@ void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
 int security_msg_msg_alloc(struct msg_msg *msg)
 {
-        return call_int_hook(msg_msg_alloc_security, 0, msg);
+        int rc = lsm_msg_msg_alloc(msg);
+        if (unlikely(rc))
+                return rc;
+        rc = call_int_hook(msg_msg_alloc_security, 0, msg);
+        if (unlikely(rc))
+                security_msg_msg_free(msg);
+        return rc;
 }
 void security_msg_msg_free(struct msg_msg *msg)
 {
        call_void_hook(msg_msg_free_security, msg);
+        kfree(msg->security);
+        msg->security = NULL;
 }
 int security_msg_queue_alloc(struct kern_ipc_perm *msq)
 {
-        return call_int_hook(msg_queue_alloc_security, 0, msq);
+        int rc = lsm_ipc_alloc(msq);
+        if (unlikely(rc))
+                return rc;
+        rc = call_int_hook(msg_queue_alloc_security, 0, msq);
+        if (unlikely(rc))
+                security_msg_queue_free(msq);
+        return rc;
 }
 void security_msg_queue_free(struct kern_ipc_perm *msq)
 {
        call_void_hook(msg_queue_free_security, msq);
+        kfree(msq->security);
+        msq->security = NULL;
 }
 int security_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
@@ -1673,12 +1738,21 @@ int security_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
 int security_shm_alloc(struct kern_ipc_perm *shp)
 {
-        return call_int_hook(shm_alloc_security, 0, shp);
+        int rc = lsm_ipc_alloc(shp);
+        if (unlikely(rc))
+                return rc;
+        rc = call_int_hook(shm_alloc_security, 0, shp);
+        if (unlikely(rc))
+                security_shm_free(shp);
+        return rc;
 }
 void security_shm_free(struct kern_ipc_perm *shp)
 {
        call_void_hook(shm_free_security, shp);
+        kfree(shp->security);
+        shp->security = NULL;
 }
 int security_shm_associate(struct kern_ipc_perm *shp, int shmflg)
@@ -1698,12 +1772,21 @@ int security_shm_shmat(struct kern_ipc_perm *shp, char __user *shmaddr, int shmf
 int security_sem_alloc(struct kern_ipc_perm *sma)
 {
-        return call_int_hook(sem_alloc_security, 0, sma);
+        int rc = lsm_ipc_alloc(sma);
+        if (unlikely(rc))
+                return rc;
+        rc = call_int_hook(sem_alloc_security, 0, sma);
+        if (unlikely(rc))
+                security_sem_free(sma);
+        return rc;
 }
 void security_sem_free(struct kern_ipc_perm *sma)
 {
        call_void_hook(sem_free_security, sma);
+        kfree(sma->security);
+        sma->security = NULL;
 }
 int security_sem_associate(struct kern_ipc_perm *sma, int semflg)
author	Casey Schaufler <casey@schaufler-ca.com>	2018-11-20 14:55:02 -0500
committer	Kees Cook <keescook@chromium.org>	2019-01-08 16:18:45 -0500
commit	ecd5f82e05ddd9b06c258167ec7467ac79741d77 (patch)
tree	9cefea64fc40202a284fcb07ecf50f871f7562b0 /security/security.c
parent	019bcca4626a9ed119e1d9ebfadb9fdbdcf9b35b (diff)

diff --git a/security/security.c b/security/security.c index e59a1e1514ee..953fc3ea18a9 100644 --- a/security/security.c +++ b/security/security.c
@@ -30,6 +30,7 @@
30	#include <linux/personality.h>	30	#include <linux/personality.h>
31	#include <linux/backing-dev.h>	31	#include <linux/backing-dev.h>
32	#include <linux/string.h>	32	#include <linux/string.h>
		33	#include <linux/msg.h>
33	#include <net/flow.h>	34	#include <net/flow.h>
34		35
35	#define MAX_LSM_EVM_XATTR 2	36	#define MAX_LSM_EVM_XATTR 2
@@ -169,6 +170,8 @@ static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed)
169	if (needed->lbs_inode && blob_sizes.lbs_inode == 0)	170	if (needed->lbs_inode && blob_sizes.lbs_inode == 0)
170	blob_sizes.lbs_inode = sizeof(struct rcu_head);	171	blob_sizes.lbs_inode = sizeof(struct rcu_head);
171	lsm_set_blob_size(&needed->lbs_inode, &blob_sizes.lbs_inode);	172	lsm_set_blob_size(&needed->lbs_inode, &blob_sizes.lbs_inode);
		173	lsm_set_blob_size(&needed->lbs_ipc, &blob_sizes.lbs_ipc);
		174	lsm_set_blob_size(&needed->lbs_msg_msg, &blob_sizes.lbs_msg_msg);
172	lsm_set_blob_size(&needed->lbs_task, &blob_sizes.lbs_task);	175	lsm_set_blob_size(&needed->lbs_task, &blob_sizes.lbs_task);
173	}	176	}
174		177
@@ -293,6 +296,8 @@ static void __init ordered_lsm_init(void)
293	init_debug("cred blob size = %d\n", blob_sizes.lbs_cred);	296	init_debug("cred blob size = %d\n", blob_sizes.lbs_cred);
294	init_debug("file blob size = %d\n", blob_sizes.lbs_file);	297	init_debug("file blob size = %d\n", blob_sizes.lbs_file);
295	init_debug("inode blob size = %d\n", blob_sizes.lbs_inode);	298	init_debug("inode blob size = %d\n", blob_sizes.lbs_inode);
		299	init_debug("ipc blob size = %d\n", blob_sizes.lbs_ipc);
		300	init_debug("msg_msg blob size = %d\n", blob_sizes.lbs_msg_msg);
296	init_debug("task blob size = %d\n", blob_sizes.lbs_task);	301	init_debug("task blob size = %d\n", blob_sizes.lbs_task);
297		302
298	/*	303	/*
@@ -539,6 +544,48 @@ int lsm_task_alloc(struct task_struct *task)
539	}	544	}
540		545
541	/**	546	/**
		547	* lsm_ipc_alloc - allocate a composite ipc blob
		548	* @kip: the ipc that needs a blob
		549	*
		550	* Allocate the ipc blob for all the modules
		551	*
		552	* Returns 0, or -ENOMEM if memory can't be allocated.
		553	*/
		554	int lsm_ipc_alloc(struct kern_ipc_perm *kip)
		555	{
		556	if (blob_sizes.lbs_ipc == 0) {
		557	kip->security = NULL;
		558	return 0;
		559	}
		560
		561	kip->security = kzalloc(blob_sizes.lbs_ipc, GFP_KERNEL);
		562	if (kip->security == NULL)
		563	return -ENOMEM;
		564	return 0;
		565	}
		566
		567	/**
		568	* lsm_msg_msg_alloc - allocate a composite msg_msg blob
		569	* @mp: the msg_msg that needs a blob
		570	*
		571	* Allocate the ipc blob for all the modules
		572	*
		573	* Returns 0, or -ENOMEM if memory can't be allocated.
		574	*/
		575	int lsm_msg_msg_alloc(struct msg_msg *mp)
		576	{
		577	if (blob_sizes.lbs_msg_msg == 0) {
		578	mp->security = NULL;
		579	return 0;
		580	}
		581
		582	mp->security = kzalloc(blob_sizes.lbs_msg_msg, GFP_KERNEL);
		583	if (mp->security == NULL)
		584	return -ENOMEM;
		585	return 0;
		586	}
		587
		588	/**
542	* lsm_early_task - during initialization allocate a composite task blob	589	* lsm_early_task - during initialization allocate a composite task blob
543	* @task: the task that needs a blob	590	* @task: the task that needs a blob
544	*	591	*
@@ -1631,22 +1678,40 @@ void security_ipc_getsecid(struct kern_ipc_perm ipcp, u32 secid)
1631		1678
1632	int security_msg_msg_alloc(struct msg_msg *msg)	1679	int security_msg_msg_alloc(struct msg_msg *msg)
1633	{	1680	{
1634	return call_int_hook(msg_msg_alloc_security, 0, msg);	1681	int rc = lsm_msg_msg_alloc(msg);
		1682
		1683	if (unlikely(rc))
		1684	return rc;
		1685	rc = call_int_hook(msg_msg_alloc_security, 0, msg);
		1686	if (unlikely(rc))
		1687	security_msg_msg_free(msg);
		1688	return rc;
1635	}	1689	}
1636		1690
1637	void security_msg_msg_free(struct msg_msg *msg)	1691	void security_msg_msg_free(struct msg_msg *msg)
1638	{	1692	{
1639	call_void_hook(msg_msg_free_security, msg);	1693	call_void_hook(msg_msg_free_security, msg);
		1694	kfree(msg->security);
		1695	msg->security = NULL;
1640	}	1696	}
1641		1697
1642	int security_msg_queue_alloc(struct kern_ipc_perm *msq)	1698	int security_msg_queue_alloc(struct kern_ipc_perm *msq)
1643	{	1699	{
1644	return call_int_hook(msg_queue_alloc_security, 0, msq);	1700	int rc = lsm_ipc_alloc(msq);
		1701
		1702	if (unlikely(rc))
		1703	return rc;
		1704	rc = call_int_hook(msg_queue_alloc_security, 0, msq);
		1705	if (unlikely(rc))
		1706	security_msg_queue_free(msq);
		1707	return rc;
1645	}	1708	}
1646		1709
1647	void security_msg_queue_free(struct kern_ipc_perm *msq)	1710	void security_msg_queue_free(struct kern_ipc_perm *msq)
1648	{	1711	{
1649	call_void_hook(msg_queue_free_security, msq);	1712	call_void_hook(msg_queue_free_security, msq);
		1713	kfree(msq->security);
		1714	msq->security = NULL;
1650	}	1715	}
1651		1716
1652	int security_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)	1717	int security_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
@@ -1673,12 +1738,21 @@ int security_msg_queue_msgrcv(struct kern_ipc_perm msq, struct msg_msg msg,
1673		1738
1674	int security_shm_alloc(struct kern_ipc_perm *shp)	1739	int security_shm_alloc(struct kern_ipc_perm *shp)
1675	{	1740	{
1676	return call_int_hook(shm_alloc_security, 0, shp);	1741	int rc = lsm_ipc_alloc(shp);
		1742
		1743	if (unlikely(rc))
		1744	return rc;
		1745	rc = call_int_hook(shm_alloc_security, 0, shp);
		1746	if (unlikely(rc))
		1747	security_shm_free(shp);
		1748	return rc;
1677	}	1749	}
1678		1750
1679	void security_shm_free(struct kern_ipc_perm *shp)	1751	void security_shm_free(struct kern_ipc_perm *shp)
1680	{	1752	{
1681	call_void_hook(shm_free_security, shp);	1753	call_void_hook(shm_free_security, shp);
		1754	kfree(shp->security);
		1755	shp->security = NULL;
1682	}	1756	}
1683		1757
1684	int security_shm_associate(struct kern_ipc_perm *shp, int shmflg)	1758	int security_shm_associate(struct kern_ipc_perm *shp, int shmflg)
@@ -1698,12 +1772,21 @@ int security_shm_shmat(struct kern_ipc_perm shp, char __user shmaddr, int shmf
1698		1772
1699	int security_sem_alloc(struct kern_ipc_perm *sma)	1773	int security_sem_alloc(struct kern_ipc_perm *sma)
1700	{	1774	{
1701	return call_int_hook(sem_alloc_security, 0, sma);	1775	int rc = lsm_ipc_alloc(sma);
		1776
		1777	if (unlikely(rc))
		1778	return rc;
		1779	rc = call_int_hook(sem_alloc_security, 0, sma);
		1780	if (unlikely(rc))
		1781	security_sem_free(sma);
		1782	return rc;
1702	}	1783	}
1703		1784
1704	void security_sem_free(struct kern_ipc_perm *sma)	1785	void security_sem_free(struct kern_ipc_perm *sma)
1705	{	1786	{
1706	call_void_hook(sem_free_security, sma);	1787	call_void_hook(sem_free_security, sma);
		1788	kfree(sma->security);
		1789	sma->security = NULL;
1707	}	1790	}
1708		1791
1709	int security_sem_associate(struct kern_ipc_perm *sma, int semflg)	1792	int security_sem_associate(struct kern_ipc_perm *sma, int semflg)