security: shmem: implement kernel private shmem inodes

We have a problem where the big_key key storage implementation uses a shmem backed inode to hold the key contents. Because of this detail of implementation LSM checks are being done between processes trying to read the keys and the tmpfs backed inode. The LSM checks are already being handled on the key interface level and should not be enforced at the inode level (since the inode is an implementation detail, not a part of the security model) This patch implements a new function shmem_kernel_file_setup() which returns the equivalent to shmem_file_setup() only the underlying inode has S_PRIVATE set. This means that all LSM checks for the inode in question are skipped. It should only be used for kernel internal operations where the inode is not exposed to userspace without proper LSM checking. It is possible that some other users of shmem_file_setup() should use the new interface, but this has not been explored. Reproducing this bug is a little bit difficult. The steps I used on Fedora are: (1) Turn off selinux enforcing: setenforce 0 (2) Create a huge key k=`dd if=/dev/zero bs=8192 count=1 | keyctl padd big_key test-key @s` (3) Access the key in another context: runcon system_u:system_r:httpd_t:s0-s0:c0.c1023 keyctl print $k >/dev/null (4) Examine the audit logs: ausearch -m AVC -i --subject httpd_t | audit2allow If the last command's output includes a line that looks like: allow httpd_t user_tmpfs_t:file { open read }; There was an inode check between httpd and the tmpfs filesystem. With this patch no such denial will be seen. (NOTE! you should clear your audit log if you have tested for this previously) (Please return you box to enforcing) Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: David Howells <dhowells@redhat.com> cc: Hugh Dickins <hughd@google.com> cc: linux-mm@kvack.org
author: Eric Paris <eparis@redhat.com> 2013-12-02 06:24:19 -0500
committer: David Howells <dhowells@redhat.com> 2013-12-02 06:24:19 -0500
commit: c7277090927a5e71871e799a355ed2940f6c8fc6 (patch)
tree: 7d570fe7496a7d2b4dd671146074ab52bbc4c609 /mm
parent: 9c5e45df215b4788f7a41c983ce862d08a083c2d (diff)
1 files changed, 29 insertions, 7 deletions
diff --git a/mm/shmem.c b/mm/shmem.c
index 8297623fcaed..902a14842b74 100644
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -2918,13 +2918,8 @@ static struct dentry_operations anon_ops = {
        .d_dname = simple_dname
 };
-/**
+static struct file *__shmem_file_setup(const char *name, loff_t size,
- * shmem_file_setup - get an unlinked file living in tmpfs
+                                       unsigned long flags, unsigned int i_flags)
- * @name: name for dentry (to be seen in /proc/<pid>/maps
- * @size: size to be set for the file
- * @flags: VM_NORESERVE suppresses pre-accounting of the entire object size
- */
-struct file *shmem_file_setup(const char *name, loff_t size, unsigned long flags)
 {
        struct file *res;
        struct inode *inode;
@@ -2957,6 +2952,7 @@ struct file *shmem_file_setup(const char *name, loff_t size, unsigned long flags
        if (!inode)
                goto put_dentry;
+        inode->i_flags |= i_flags;
        d_instantiate(path.dentry, inode);
        inode->i_size = size;
        clear_nlink(inode);     /* It is unlinked */
@@ -2977,6 +2973,32 @@ put_memory:
        shmem_unacct_size(flags, size);
        return res;
 }
+/**
+ * shmem_kernel_file_setup - get an unlinked file living in tmpfs which must be
+ *      kernel internal.  There will be NO LSM permission checks against the
+ *      underlying inode.  So users of this interface must do LSM checks at a
+ *      higher layer.  The one user is the big_key implementation.  LSM checks
+ *      are provided at the key level rather than the inode level.
+ * @name: name for dentry (to be seen in /proc/<pid>/maps
+ * @size: size to be set for the file
+ * @flags: VM_NORESERVE suppresses pre-accounting of the entire object size
+ */
+struct file *shmem_kernel_file_setup(const char *name, loff_t size, unsigned long flags)
+{
+        return __shmem_file_setup(name, size, flags, S_PRIVATE);
+}
+/**
+ * shmem_file_setup - get an unlinked file living in tmpfs
+ * @name: name for dentry (to be seen in /proc/<pid>/maps
+ * @size: size to be set for the file
+ * @flags: VM_NORESERVE suppresses pre-accounting of the entire object size
+ */
+struct file *shmem_file_setup(const char *name, loff_t size, unsigned long flags)
+{
+        return __shmem_file_setup(name, size, flags, 0);
+}
 EXPORT_SYMBOL_GPL(shmem_file_setup);
 /**
author	Eric Paris <eparis@redhat.com>	2013-12-02 06:24:19 -0500
committer	David Howells <dhowells@redhat.com>	2013-12-02 06:24:19 -0500
commit	c7277090927a5e71871e799a355ed2940f6c8fc6 (patch)
tree	7d570fe7496a7d2b4dd671146074ab52bbc4c609 /mm
parent	9c5e45df215b4788f7a41c983ce862d08a083c2d (diff)

diff --git a/mm/shmem.c b/mm/shmem.c index 8297623fcaed..902a14842b74 100644 --- a/mm/shmem.c +++ b/mm/shmem.c
@@ -2918,13 +2918,8 @@ static struct dentry_operations anon_ops = {
2918	.d_dname = simple_dname	2918	.d_dname = simple_dname
2919	};	2919	};
2920		2920
2921	/**	2921	static struct file __shmem_file_setup(const char name, loff_t size,
2922	* shmem_file_setup - get an unlinked file living in tmpfs	2922	unsigned long flags, unsigned int i_flags)
2923	* @name: name for dentry (to be seen in /proc/<pid>/maps
2924	* @size: size to be set for the file
2925	* @flags: VM_NORESERVE suppresses pre-accounting of the entire object size
2926	*/
2927	struct file shmem_file_setup(const char name, loff_t size, unsigned long flags)
2928	{	2923	{
2929	struct file *res;	2924	struct file *res;
2930	struct inode *inode;	2925	struct inode *inode;
@@ -2957,6 +2952,7 @@ struct file shmem_file_setup(const char name, loff_t size, unsigned long flags
2957	if (!inode)	2952	if (!inode)
2958	goto put_dentry;	2953	goto put_dentry;
2959		2954
		2955	inode->i_flags \|= i_flags;
2960	d_instantiate(path.dentry, inode);	2956	d_instantiate(path.dentry, inode);
2961	inode->i_size = size;	2957	inode->i_size = size;
2962	clear_nlink(inode); /* It is unlinked */	2958	clear_nlink(inode); /* It is unlinked */
@@ -2977,6 +2973,32 @@ put_memory:
2977	shmem_unacct_size(flags, size);	2973	shmem_unacct_size(flags, size);
2978	return res;	2974	return res;
2979	}	2975	}
		2976
		2977	/**
		2978	* shmem_kernel_file_setup - get an unlinked file living in tmpfs which must be
		2979	* kernel internal. There will be NO LSM permission checks against the
		2980	* underlying inode. So users of this interface must do LSM checks at a
		2981	* higher layer. The one user is the big_key implementation. LSM checks
		2982	* are provided at the key level rather than the inode level.
		2983	* @name: name for dentry (to be seen in /proc/<pid>/maps
		2984	* @size: size to be set for the file
		2985	* @flags: VM_NORESERVE suppresses pre-accounting of the entire object size
		2986	*/
		2987	struct file shmem_kernel_file_setup(const char name, loff_t size, unsigned long flags)
		2988	{
		2989	return __shmem_file_setup(name, size, flags, S_PRIVATE);
		2990	}
		2991
		2992	/**
		2993	* shmem_file_setup - get an unlinked file living in tmpfs
		2994	* @name: name for dentry (to be seen in /proc/<pid>/maps
		2995	* @size: size to be set for the file
		2996	* @flags: VM_NORESERVE suppresses pre-accounting of the entire object size
		2997	*/
		2998	struct file shmem_file_setup(const char name, loff_t size, unsigned long flags)
		2999	{
		3000	return __shmem_file_setup(name, size, flags, 0);
		3001	}
2980	EXPORT_SYMBOL_GPL(shmem_file_setup);	3002	EXPORT_SYMBOL_GPL(shmem_file_setup);
2981		3003
2982	/**	3004	/**