CRED: Allow kernel services to override LSM settings for task actions

Allow kernel services to override LSM settings appropriate to the actions
performed by a task by duplicating a set of credentials, modifying it and then
using task_struct::cred to point to it when performing operations on behalf of
a task.

This is used, for example, by CacheFiles which has to transparently access the
cache on behalf of a process that thinks it is doing, say, NFS accesses with a
potentially inappropriate (with respect to accessing the cache) set of
credentials.

This patch provides two LSM hooks for modifying a task security record:

 (*) security_kernel_act_as() which allows modification of the security datum
     with which a task acts on other objects (most notably files).

 (*) security_kernel_create_files_as() which allows modification of the
     security datum that is used to initialise the security data on a file that
     a task creates.

The patch also provides four new credentials handling functions, which wrap the
LSM functions:

 (1) prepare_kernel_cred()

     Prepare a set of credentials for a kernel service to use, based either on
     a daemon's credentials or on init_cred.  All the keyrings are cleared.

 (2) set_security_override()

     Set the LSM security ID in a set of credentials to a specific security
     context, assuming permission from the LSM policy.

 (3) set_security_override_from_ctx()

     As (2), but takes the security context as a string.

 (4) set_create_files_as()

     Set the file creation LSM security ID in a set of credentials to be the
     same as that on a particular inode.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> [Smack changes]
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>

4 files changed, 105 insertions, 0 deletions

diff --git a/security/capability.c b/security/capability.c
index 185804f99ad1..b9e391425e6f 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -348,6 +348,16 @@ static void cap_cred_commit(struct cred *new, const struct cred *old)
 {
 }
 
+static int cap_kernel_act_as(struct cred *new, u32 secid)
+{
+        return 0;
+}
+
+static int cap_kernel_create_files_as(struct cred *new, struct inode *inode)
+{
+        return 0;
+}
+
 static int cap_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
 {
         return 0;
@@ -889,6 +899,8 @@ void security_fixup_ops(struct security_operations *ops)
         set_to_cap_if_null(ops, cred_free);
         set_to_cap_if_null(ops, cred_prepare);
         set_to_cap_if_null(ops, cred_commit);
+        set_to_cap_if_null(ops, kernel_act_as);
+        set_to_cap_if_null(ops, kernel_create_files_as);
         set_to_cap_if_null(ops, task_setuid);
         set_to_cap_if_null(ops, task_fix_setuid);
         set_to_cap_if_null(ops, task_setgid);
diff --git a/security/security.c b/security/security.c
index dc5babb2d6d8..038ef04b2c7f 100644
--- a/security/security.c
+++ b/security/security.c
@@ -616,6 +616,16 @@ void security_commit_creds(struct cred *new, const struct cred *old)
         return security_ops->cred_commit(new, old);
 }
 
+int security_kernel_act_as(struct cred *new, u32 secid)
+{
+        return security_ops->kernel_act_as(new, secid);
+}
+
+int security_kernel_create_files_as(struct cred *new, struct inode *inode)
+{
+        return security_ops->kernel_create_files_as(new, inode);
+}
+
 int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
 {
         return security_ops->task_setuid(id0, id1, id2, flags);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 91b06f2aa963..520f82ab3fbf 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3277,6 +3277,50 @@ static void selinux_cred_commit(struct cred *new, const struct cred *old)
         secondary_ops->cred_commit(new, old);
 }
 
+/*
+ * set the security data for a kernel service
+ * - all the creation contexts are set to unlabelled
+ */
+static int selinux_kernel_act_as(struct cred *new, u32 secid)
+{
+        struct task_security_struct *tsec = new->security;
+        u32 sid = current_sid();
+        int ret;
+
+        ret = avc_has_perm(sid, secid,
+                           SECCLASS_KERNEL_SERVICE,
+                           KERNEL_SERVICE__USE_AS_OVERRIDE,
+                           NULL);
+        if (ret == 0) {
+                tsec->sid = secid;
+                tsec->create_sid = 0;
+                tsec->keycreate_sid = 0;
+                tsec->sockcreate_sid = 0;
+        }
+        return ret;
+}
+
+/*
+ * set the file creation context in a security record to the same as the
+ * objective context of the specified inode
+ */
+static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
+{
+        struct inode_security_struct *isec = inode->i_security;
+        struct task_security_struct *tsec = new->security;
+        u32 sid = current_sid();
+        int ret;
+
+        ret = avc_has_perm(sid, isec->sid,
+                           SECCLASS_KERNEL_SERVICE,
+                           KERNEL_SERVICE__CREATE_FILES_AS,
+                           NULL);
+
+        if (ret == 0)
+                tsec->create_sid = isec->sid;
+        return 0;
+}
+
 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
 {
         /* Since setuid only affects the current process, and
@@ -5593,6 +5637,8 @@ static struct security_operations selinux_ops = {
         .cred_free =                    selinux_cred_free,
         .cred_prepare =                 selinux_cred_prepare,
         .cred_commit =                  selinux_cred_commit,
+        .kernel_act_as =                selinux_kernel_act_as,
+        .kernel_create_files_as =       selinux_kernel_create_files_as,
         .task_setuid =                  selinux_task_setuid,
         .task_fix_setuid =              selinux_task_fix_setuid,
         .task_setgid =                  selinux_task_setgid,
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index de396742abf4..8ad48161cef5 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1012,6 +1012,41 @@ static void smack_cred_commit(struct cred *new, const struct cred *old)
 }
 
 /**
+ * smack_kernel_act_as - Set the subjective context in a set of credentials
+ * @new points to the set of credentials to be modified.
+ * @secid specifies the security ID to be set
+ *
+ * Set the security data for a kernel service.
+ */
+static int smack_kernel_act_as(struct cred *new, u32 secid)
+{
+        char *smack = smack_from_secid(secid);
+
+        if (smack == NULL)
+                return -EINVAL;
+
+        new->security = smack;
+        return 0;
+}
+
+/**
+ * smack_kernel_create_files_as - Set the file creation label in a set of creds
+ * @new points to the set of credentials to be modified
+ * @inode points to the inode to use as a reference
+ *
+ * Set the file creation context in a set of credentials to the same
+ * as the objective context of the specified inode
+ */
+static int smack_kernel_create_files_as(struct cred *new,
+                                        struct inode *inode)
+{
+        struct inode_smack *isp = inode->i_security;
+
+        new->security = isp->smk_inode;
+        return 0;
+}
+
+/**
  * smack_task_setpgid - Smack check on setting pgid
  * @p: the task object
  * @pgid: unused
@@ -2641,6 +2676,8 @@ struct security_operations smack_ops = {
         .cred_free =                    smack_cred_free,
         .cred_prepare =                 smack_cred_prepare,
         .cred_commit =                  smack_cred_commit,
+        .kernel_act_as =                smack_kernel_act_as,
+        .kernel_create_files_as =       smack_kernel_create_files_as,
         .task_fix_setuid =              cap_task_fix_setuid,
         .task_setpgid =                 smack_task_setpgid,
         .task_getpgid =                 smack_task_getpgid,