Re: [PATCH v20 02/23] LSM: Create and manage the lsmblob data structure.
On Wed, Aug 26, 2020 at 11:03 AM Casey Schaufler <casey(a)schaufler-ca.com> wrote:
When more than one security module is exporting data to
audit and networking sub-systems a single 32 bit integer
is no longer sufficient to represent the data. Add a
structure to be used instead.
The lsmblob structure is currently an array of
u32 "secids". There is an entry for each of the
security modules built into the system that would
use secids if active. The system assigns the module
a "slot" when it registers hooks. If modules are
compiled in but not registered there will be unused
slots.
A new lsm_id structure, which contains the name
of the LSM and its slot number, is created. There
is an instance for each LSM, which assigns the name
and passes it to the infrastructure to set the slot.
The audit rules data is expanded to use an array of
security module data rather than a single instance.
Because IMA uses the audit rule functions it is
affected as well.
Acked-by: Stephen Smalley <sds(a)tycho.nsa.gov>
Acked-by: Paul Moore <paul(a)paul-moore.com>
Signed-off-by: Casey Schaufler <casey(a)schaufler-ca.com>
---
include/linux/audit.h | 4 +-
include/linux/lsm_hooks.h | 12 ++++-
include/linux/security.h | 67 +++++++++++++++++++++++++--
kernel/auditfilter.c | 24 +++++-----
kernel/auditsc.c | 12 ++---
security/apparmor/lsm.c | 7 ++-
security/bpf/hooks.c | 12 ++++-
security/commoncap.c | 7 ++-
security/integrity/ima/ima_policy.c | 40 +++++++++++-----
security/loadpin/loadpin.c | 8 +++-
security/lockdown/lockdown.c | 7 ++-
security/safesetid/lsm.c | 8 +++-
security/security.c | 72 ++++++++++++++++++++++++-----
security/selinux/hooks.c | 8 +++-
security/smack/smack_lsm.c | 7 ++-
security/tomoyo/tomoyo.c | 8 +++-
security/yama/yama_lsm.c | 7 ++-
17 files changed, 254 insertions(+), 56 deletions(-)
...
diff --git a/include/linux/security.h b/include/linux/security.h
index 0a0a03b36a3b..c91389d7aebc 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -131,6 +131,65 @@ enum lockdown_reason {
extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1];
+/*
+ * Data exported by the security modules
+ *
+ * Any LSM that provides secid or secctx based hooks must be included.
+ */
+#define LSMBLOB_ENTRIES ( \
+ (IS_ENABLED(CONFIG_SECURITY_SELINUX) ? 1 : 0) + \
+ (IS_ENABLED(CONFIG_SECURITY_SMACK) ? 1 : 0) + \
+ (IS_ENABLED(CONFIG_SECURITY_APPARMOR) ? 1 : 0) + \
+ (IS_ENABLED(CONFIG_BPF_LSM) ? 1 : 0))
+
+struct lsmblob {
+ u32 secid[LSMBLOB_ENTRIES];
+};
+
+#define LSMBLOB_INVALID -1 /* Not a valid LSM slot number */
+#define LSMBLOB_NEEDED -2 /* Slot requested on initialization */
+#define LSMBLOB_NOT_NEEDED -3 /* Slot not requested */
+
+/**
+ * lsmblob_init - initialize an lsmblob structure.
+ * @blob: Pointer to the data to initialize
+ * @secid: The initial secid value
+ *
+ * Set all secid for all modules to the specified value.
+ */
+static inline void lsmblob_init(struct lsmblob *blob, u32 secid)
+{
+ int i;
+
+ for (i = 0; i < LSMBLOB_ENTRIES; i++)
+ blob->secid[i] = secid;
+}
As I'm going through the v20 draft of these patches it occurs to me,
at least in the intermediate patches, that there is a pretty common
pattern involving lsmblob_init():
lsmblob_init(blob, secid);
func(blob, ...);
... would it make sense to have lsmblob_init() return *blob instead of
void? It doesn't really matter too much, but it seems like it could
help cleanup some of the code:
func(lsmblob_init(blob, secid), ...);
--
paul moore
www.paul-moore.com