LSM: Infrastructure management of the task security

Move management of the task_struct->security blob out of the individual security modules and into the security infrastructure. Instead of allocating the blobs from within the modules the modules tell the infrastructure how much space is required, and the space is allocated there. The only user of this blob is AppArmor. The AppArmor use is abstracted to avoid future conflict. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: Kees Cook <keescook@chromium.org> [kees: adjusted for ordered init series] Signed-off-by: Kees Cook <keescook@chromium.org>
author: Casey Schaufler <casey@schaufler-ca.com> 2018-09-21 20:19:37 -0400
committer: Kees Cook <keescook@chromium.org> 2019-01-08 16:18:45 -0500
commit: f4ad8f2c40769b3cc9497ba0883bbaf823f7752f (patch)
tree: ae8e8bfc5a3abfaa5ea3c90908efd941a230bbdf /security/security.c
parent: afb1cbe37440c7f38b9cf46fc331cc9dfd5cce21 (diff)
1 files changed, 53 insertions, 1 deletions
diff --git a/security/security.c b/security/security.c
index 4989fb65e662..e59a1e1514ee 100644
--- a/security/security.c
+++ b/security/security.c
@@ -169,6 +169,7 @@ static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed)
        if (needed->lbs_inode && blob_sizes.lbs_inode == 0)
                blob_sizes.lbs_inode = sizeof(struct rcu_head);
        lsm_set_blob_size(&needed->lbs_inode, &blob_sizes.lbs_inode);
+        lsm_set_blob_size(&needed->lbs_task, &blob_sizes.lbs_task);
 }
 /* Prepare LSM for initialization. */
@@ -292,6 +293,7 @@ static void __init ordered_lsm_init(void)
        init_debug("cred blob size     = %d\n", blob_sizes.lbs_cred);
        init_debug("file blob size     = %d\n", blob_sizes.lbs_file);
        init_debug("inode blob size    = %d\n", blob_sizes.lbs_inode);
+        init_debug("task blob size     = %d\n", blob_sizes.lbs_task);
        /*
         * Create any kmem_caches needed for blobs
@@ -515,6 +517,46 @@ int lsm_inode_alloc(struct inode *inode)
        return 0;
 }
+/**
+ * lsm_task_alloc - allocate a composite task blob
+ * @task: the task that needs a blob
+ *
+ * Allocate the task blob for all the modules
+ *
+ * Returns 0, or -ENOMEM if memory can't be allocated.
+ */
+int lsm_task_alloc(struct task_struct *task)
+{
+        if (blob_sizes.lbs_task == 0) {
+                task->security = NULL;
+                return 0;
+        }
+        task->security = kzalloc(blob_sizes.lbs_task, GFP_KERNEL);
+        if (task->security == NULL)
+                return -ENOMEM;
+        return 0;
+}
+/**
+ * lsm_early_task - during initialization allocate a composite task blob
+ * @task: the task that needs a blob
+ *
+ * Allocate the task blob for all the modules if it's not already there
+ */
+void __init lsm_early_task(struct task_struct *task)
+{
+        int rc;
+        if (task == NULL)
+                panic("%s: task cred.\n", __func__);
+        if (task->security != NULL)
+                return;
+        rc = lsm_task_alloc(task);
+        if (rc)
+                panic("%s: Early task alloc failed.\n", __func__);
+}
 /*
 * Hook list operation macros.
 *
@@ -1359,12 +1401,22 @@ int security_file_open(struct file *file)
 int security_task_alloc(struct task_struct *task, unsigned long clone_flags)
 {
-        return call_int_hook(task_alloc, 0, task, clone_flags);
+        int rc = lsm_task_alloc(task);
+        if (rc)
+                return rc;
+        rc = call_int_hook(task_alloc, 0, task, clone_flags);
+        if (unlikely(rc))
+                security_task_free(task);
+        return rc;
 }
 void security_task_free(struct task_struct *task)
 {
        call_void_hook(task_free, task);
+        kfree(task->security);
+        task->security = NULL;
 }
 int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)
author	Casey Schaufler <casey@schaufler-ca.com>	2018-09-21 20:19:37 -0400
committer	Kees Cook <keescook@chromium.org>	2019-01-08 16:18:45 -0500
commit	f4ad8f2c40769b3cc9497ba0883bbaf823f7752f (patch)
tree	ae8e8bfc5a3abfaa5ea3c90908efd941a230bbdf /security/security.c
parent	afb1cbe37440c7f38b9cf46fc331cc9dfd5cce21 (diff)

diff --git a/security/security.c b/security/security.c index 4989fb65e662..e59a1e1514ee 100644 --- a/security/security.c +++ b/security/security.c
@@ -169,6 +169,7 @@ static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed)
169	if (needed->lbs_inode && blob_sizes.lbs_inode == 0)	169	if (needed->lbs_inode && blob_sizes.lbs_inode == 0)
170	blob_sizes.lbs_inode = sizeof(struct rcu_head);	170	blob_sizes.lbs_inode = sizeof(struct rcu_head);
171	lsm_set_blob_size(&needed->lbs_inode, &blob_sizes.lbs_inode);	171	lsm_set_blob_size(&needed->lbs_inode, &blob_sizes.lbs_inode);
		172	lsm_set_blob_size(&needed->lbs_task, &blob_sizes.lbs_task);
172	}	173	}
173		174
174	/* Prepare LSM for initialization. */	175	/* Prepare LSM for initialization. */
@@ -292,6 +293,7 @@ static void __init ordered_lsm_init(void)
292	init_debug("cred blob size = %d\n", blob_sizes.lbs_cred);	293	init_debug("cred blob size = %d\n", blob_sizes.lbs_cred);
293	init_debug("file blob size = %d\n", blob_sizes.lbs_file);	294	init_debug("file blob size = %d\n", blob_sizes.lbs_file);
294	init_debug("inode blob size = %d\n", blob_sizes.lbs_inode);	295	init_debug("inode blob size = %d\n", blob_sizes.lbs_inode);
		296	init_debug("task blob size = %d\n", blob_sizes.lbs_task);
295		297
296	/*	298	/*
297	* Create any kmem_caches needed for blobs	299	* Create any kmem_caches needed for blobs
@@ -515,6 +517,46 @@ int lsm_inode_alloc(struct inode *inode)
515	return 0;	517	return 0;
516	}	518	}
517		519
		520	/**
		521	* lsm_task_alloc - allocate a composite task blob
		522	* @task: the task that needs a blob
		523	*
		524	* Allocate the task blob for all the modules
		525	*
		526	* Returns 0, or -ENOMEM if memory can't be allocated.
		527	*/
		528	int lsm_task_alloc(struct task_struct *task)
		529	{
		530	if (blob_sizes.lbs_task == 0) {
		531	task->security = NULL;
		532	return 0;
		533	}
		534
		535	task->security = kzalloc(blob_sizes.lbs_task, GFP_KERNEL);
		536	if (task->security == NULL)
		537	return -ENOMEM;
		538	return 0;
		539	}
		540
		541	/**
		542	* lsm_early_task - during initialization allocate a composite task blob
		543	* @task: the task that needs a blob
		544	*
		545	* Allocate the task blob for all the modules if it's not already there
		546	*/
		547	void __init lsm_early_task(struct task_struct *task)
		548	{
		549	int rc;
		550
		551	if (task == NULL)
		552	panic("%s: task cred.\n", __func__);
		553	if (task->security != NULL)
		554	return;
		555	rc = lsm_task_alloc(task);
		556	if (rc)
		557	panic("%s: Early task alloc failed.\n", __func__);
		558	}
		559
518	/*	560	/*
519	* Hook list operation macros.	561	* Hook list operation macros.
520	*	562	*
@@ -1359,12 +1401,22 @@ int security_file_open(struct file *file)
1359		1401
1360	int security_task_alloc(struct task_struct *task, unsigned long clone_flags)	1402	int security_task_alloc(struct task_struct *task, unsigned long clone_flags)
1361	{	1403	{
1362	return call_int_hook(task_alloc, 0, task, clone_flags);	1404	int rc = lsm_task_alloc(task);
		1405
		1406	if (rc)
		1407	return rc;
		1408	rc = call_int_hook(task_alloc, 0, task, clone_flags);
		1409	if (unlikely(rc))
		1410	security_task_free(task);
		1411	return rc;
1363	}	1412	}
1364		1413
1365	void security_task_free(struct task_struct *task)	1414	void security_task_free(struct task_struct *task)
1366	{	1415	{
1367	call_void_hook(task_free, task);	1416	call_void_hook(task_free, task);
		1417
		1418	kfree(task->security);
		1419	task->security = NULL;
1368	}	1420	}
1369		1421
1370	int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)	1422	int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)