
Merge tag 'selinux-pr-20211101' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux

Pull selinux updates from Paul Moore:

- Add LSM/SELinux/Smack controls and auditing for io-uring.

As usual, the individual commit descriptions have more detail, but we
were basically missing two things which we're adding here:

+ establishment of a proper audit context so that auditing of
io-uring ops works similarly to how it does for syscalls (with
some io-uring additions because io-uring ops are *not* syscalls)

+ additional LSM hooks to enable access control points for some of
the more unusual io-uring features, e.g. credential overrides.

The additional audit callouts and LSM hooks were done in conjunction
with the io-uring folks, based on conversations and RFC patches
earlier in the year.

- Fixup the binder credential handling so that the proper credentials
are used in the LSM hooks; the commit description and the code
comment which is removed in these patches are helpful to understand
the background and why this is the proper fix.

- Enable SELinux genfscon policy support for securityfs, allowing
improved SELinux filesystem labeling for other subsystems which make
use of securityfs, e.g. IMA.

* tag 'selinux-pr-20211101' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
security: Return xattr name from security_dentry_init_security()
selinux: fix a sock regression in selinux_ip_postroute_compat()
binder: use cred instead of task for getsecid
binder: use cred instead of task for selinux checks
binder: use euid from cred instead of using task
LSM: Avoid warnings about potentially unused hook variables
selinux: fix all of the W=1 build warnings
selinux: make better use of the nf_hook_state passed to the NF hooks
selinux: fix race condition when computing ocontext SIDs
selinux: remove unneeded ipv6 hook wrappers
selinux: remove the SELinux lockdown implementation
selinux: enable genfscon labeling for securityfs
Smack: Brutalist io_uring support
selinux: add support for the io_uring access controls
lsm,io_uring: add LSM hooks to io_uring
io_uring: convert io_uring to the secure anon inode interface
fs: add anon_inode_getfile_secure() similar to anon_inode_getfd_secure()
audit: add filtering for io_uring records
audit,io_uring,io-wq: add some basic audit support to io_uring
audit: prepare audit_context for use in calling contexts beyond syscalls

+883 -420
+10 -17
drivers/android/binder.c
··· 2056 2056 ret = -EINVAL; 2057 2057 goto done; 2058 2058 } 2059 - if (security_binder_transfer_binder(proc->tsk, target_proc->tsk)) { 2059 + if (security_binder_transfer_binder(proc->cred, target_proc->cred)) { 2060 2060 ret = -EPERM; 2061 2061 goto done; 2062 2062 } ··· 2102 2102 proc->pid, thread->pid, fp->handle); 2103 2103 return -EINVAL; 2104 2104 } 2105 - if (security_binder_transfer_binder(proc->tsk, target_proc->tsk)) { 2105 + if (security_binder_transfer_binder(proc->cred, target_proc->cred)) { 2106 2106 ret = -EPERM; 2107 2107 goto done; 2108 2108 } ··· 2190 2190 ret = -EBADF; 2191 2191 goto err_fget; 2192 2192 } 2193 - ret = security_binder_transfer_file(proc->tsk, target_proc->tsk, file); 2193 + ret = security_binder_transfer_file(proc->cred, target_proc->cred, file); 2194 2194 if (ret < 0) { 2195 2195 ret = -EPERM; 2196 2196 goto err_security; ··· 2595 2595 return_error_line = __LINE__; 2596 2596 goto err_invalid_target_handle; 2597 2597 } 2598 - if (security_binder_transaction(proc->tsk, 2599 - target_proc->tsk) < 0) { 2598 + if (security_binder_transaction(proc->cred, 2599 + target_proc->cred) < 0) { 2600 2600 return_error = BR_FAILED_REPLY; 2601 2601 return_error_param = -EPERM; 2602 2602 return_error_line = __LINE__; ··· 2711 2711 t->from = thread; 2712 2712 else 2713 2713 t->from = NULL; 2714 - t->sender_euid = task_euid(proc->tsk); 2714 + t->sender_euid = proc->cred->euid; 2715 2715 t->to_proc = target_proc; 2716 2716 t->to_thread = target_thread; 2717 2717 t->code = tr->code; ··· 2722 2722 u32 secid; 2723 2723 size_t added_size; 2724 2724 2725 - /* 2726 - * Arguably this should be the task's subjective LSM secid but 2727 - * we can't reliably access the subjective creds of a task 2728 - * other than our own so we must use the objective creds, which 2729 - * are safe to access. 
The downside is that if a task is 2730 - * temporarily overriding it's creds it will not be reflected 2731 - * here; however, it isn't clear that binder would handle that 2732 - * case well anyway. 2733 - */ 2734 - security_task_getsecid_obj(proc->tsk, &secid); 2725 + security_cred_getsecid(proc->cred, &secid); 2735 2726 ret = security_secid_to_secctx(secid, &secctx, &secctx_sz); 2736 2727 if (ret) { 2737 2728 return_error = BR_FAILED_REPLY; ··· 4344 4353 } 4345 4354 binder_alloc_deferred_release(&proc->alloc); 4346 4355 put_task_struct(proc->tsk); 4356 + put_cred(proc->cred); 4347 4357 binder_stats_deleted(BINDER_STAT_PROC); 4348 4358 kfree(proc); 4349 4359 } ··· 4556 4564 ret = -EBUSY; 4557 4565 goto out; 4558 4566 } 4559 - ret = security_binder_set_context_mgr(proc->tsk); 4567 + ret = security_binder_set_context_mgr(proc->cred); 4560 4568 if (ret < 0) 4561 4569 goto out; 4562 4570 if (uid_valid(context->binder_context_mgr_uid)) { ··· 5047 5055 spin_lock_init(&proc->outer_lock); 5048 5056 get_task_struct(current->group_leader); 5049 5057 proc->tsk = current->group_leader; 5058 + proc->cred = get_cred(filp->f_cred); 5050 5059 INIT_LIST_HEAD(&proc->todo); 5051 5060 init_waitqueue_head(&proc->freeze_wait); 5052 5061 proc->default_priority = task_nice(current);
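Review bot: The deleted comment was the only explanation of why binder derives the secid and sender euid from objective credentials, and its replacements `security_cred_getsecid(proc->cred, &secid);` and `t->sender_euid = proc->cred->euid;` now carry no rationale at all. Both now use the credential snapshot taken once in binder_open() via `proc->cred = get_cred(filp->f_cred);`, so a later setuid() or cred change in the opener, or handing the fd to another process, is deliberately not reflected in the LSM checks — that is the property the fix depends on and deserves a line at the secid site, e.g. `/* opener's creds captured in binder_open(); later cred changes or fd transfer are intentionally not reflected */`. The error paths of binder_open() after the new get_cred() are outside the hunk, so confirm nothing can fail between it and the point where the release path that calls `put_cred(proc->cred);` becomes reachable, or the reference leaks. binder_open(), binder_transaction() and the release function all begin and end outside these hunks.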
+4
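--- a/drivers/android/binder_internal.h
+++ b/drivers/android/binder_internal.h
@@ -364,6 +364,9 @@
  *                        (invariant after initialized)
  * @tsk                   task_struct for group_leader of process
  *                        (invariant after initialized)
+ * @cred                  struct cred associated with the `struct file`
+ *                        in binder_open()
+ *                        (invariant after initialized)
  * @deferred_work_node:   element for binder_deferred_list
  *                        (protected by binder_deferred_lock)
  * @deferred_work:        bitmap of deferred work to perform
@@ -429,6 +426,7 @@
 	struct list_head waiting_threads;
 	int pid;
 	struct task_struct *tsk;
+	const struct cred *cred;
 	struct hlist_node deferred_work_node;
 	int deferred_work;
 	int outstanding_txns;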
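Review bot: The new `@cred` kernel-doc names the `struct file` the cred came from but omits the two facts a reader of the LSM call sites needs: it is an owned reference (taken with `get_cred(filp->f_cred)` in binder_open() and dropped with `put_cred()` when the proc is freed, per the binder.c hunks of this commit) and it is the credential the binder LSM hooks and `sender_euid` are now evaluated against instead of `@tsk`. Suggest `@cred struct cred of the task that opened the binder fd (f_cred at binder_open(); owned ref, released on proc free). Used for LSM checks and sender_euid in place of @tsk`. Recording the deliberate choice of cred over task here makes it harder for a later change to drift back to `proc->tsk`. The struct and its kernel-doc begin outside the hunk.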
+29
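--- a/fs/anon_inodes.c
+++ b/fs/anon_inodes.c
@@ -148,6 +148,35 @@
 }
 EXPORT_SYMBOL_GPL(anon_inode_getfile);
 
+/**
+ * anon_inode_getfile_secure - Like anon_inode_getfile(), but creates a new
+ *                             !S_PRIVATE anon inode rather than reuse the
+ *                             singleton anon inode and calls the
+ *                             inode_init_security_anon() LSM hook.  This
+ *                             allows for both the inode to have its own
+ *                             security context and for the LSM to enforce
+ *                             policy on the inode's creation.
+ *
+ * @name:    [in]    name of the "class" of the new file
+ * @fops:    [in]    file operations for the new file
+ * @priv:    [in]    private data for the new file (will be file's private_data)
+ * @flags:   [in]    flags
+ * @context_inode:
+ *           [in]    the logical relationship with the new inode (optional)
+ *
+ * The LSM may use @context_inode in inode_init_security_anon(), but a
+ * reference to it is not held.  Returns the newly created file* or an error
+ * pointer.  See the anon_inode_getfile() documentation for more information.
+ */
+struct file *anon_inode_getfile_secure(const char *name,
+				       const struct file_operations *fops,
+				       void *priv, int flags,
+				       const struct inode *context_inode)
+{
+	return __anon_inode_getfile(name, fops, priv, flags,
+				    context_inode, true);
+}
+
 static int __anon_inode_getfd(const char *name,
 			      const struct file_operations *fops,
 			      void *priv, int flags,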
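Review bot: The kernel-doc for anon_inode_getfile_secure() describes @name as the "class" of the new file but does not say that this string is handed to the LSM through inode_init_security_anon() and is presumably what policy keys its labeling decision on, so callers should pass a fixed literal (io_uring passes `"[io_uring]"` in this commit) and never anything derived from user input — worth stating explicitly, since it is the only argument by which policy can tell callers apart. It would also help to say that @context_inode may be NULL, as the only caller on this page passes NULL. The wrapper itself is fine; `__anon_inode_getfile()` is outside the hunk.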
+1 -2
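--- a/fs/ceph/xattr.c
+++ b/fs/ceph/xattr.c
@@ -1311,7 +1311,7 @@
 	int err;
 
 	err = security_dentry_init_security(dentry, mode, &dentry->d_name,
-					   &as_ctx->sec_ctx,
+					   &name, &as_ctx->sec_ctx,
 					   &as_ctx->sec_ctxlen);
 	if (err < 0) {
 		WARN_ON_ONCE(err != -EOPNOTSUPP);
@@ -1335,7 +1335,6 @@
 	 * It only supports single security module and only selinux has
 	 * dentry_init_security hook.
 	 */
-	name = XATTR_NAME_SELINUX;
 	name_len = strlen(name);
 	err = ceph_pagelist_reserve(pagelist,
 				    4 * 2 + name_len + as_ctx->sec_ctxlen);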
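Review bot: `name_len = strlen(name);` now relies on security_dentry_init_security() storing a non-NULL pointer through `&name` whenever it returns 0; if an LSM (or the core wrapper in security/security.c, which is not on this page) can succeed without filling in the xattr name, this is a NULL dereference, so a guard after the error check such as `if (WARN_ON_ONCE(!name)) return -EOPNOTSUPP;` is cheap insurance, in the same style as the existing WARN_ON_ONCE. The context comment `It only supports single security module and only selinux has dentry_init_security hook.` is now stale — the hook reports the xattr name precisely so this code no longer assumes SELinux — and should say that the xattr name is supplied by the LSM. The function begins and ends outside these hunks.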
+4
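--- a/fs/io-wq.c
+++ b/fs/io-wq.c
@@ -14,6 +14,7 @@
 #include <linux/rculist_nulls.h>
 #include <linux/cpu.h>
 #include <linux/tracehook.h>
+#include <linux/audit.h>
 #include <uapi/linux/io_uring.h>
 
 #include "io-wq.h"
@@ -594,6 +593,8 @@
 	snprintf(buf, sizeof(buf), "iou-wrk-%d", wq->task->pid);
 	set_task_comm(current, buf);
 
+	audit_alloc_kernel(current);
+
 	while (!test_bit(IO_WQ_BIT_EXIT, &wq->state)) {
 		long ret;
 
@@ -634,6 +631,7 @@
 		io_worker_handle_work(worker);
 	}
 
+	audit_free(current);
 	io_worker_exit(worker);
 	return 0;
 }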
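Review bot: `audit_alloc_kernel(current);` is declared in include/linux/audit.h as returning int, and its kernel-doc in the auditsc.c section of this commit says negative values mean failure, yet the worker discards the result and enters its work loop regardless — a worker whose audit_context allocation failed then services io_uring requests with no audit records at all, a silent gap in the one subsystem that is supposed to be tamper-evident. If best effort is the intended policy, say so at the call site, e.g. `/* best effort: on failure this worker runs unaudited */`; otherwise return the error before the loop so the failure is visible. The worker function begins and ends outside the hunk.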
+63 -8
fs/io_uring.c
··· 79 79 #include <linux/pagemap.h> 80 80 #include <linux/io_uring.h> 81 81 #include <linux/tracehook.h> 82 + #include <linux/audit.h> 83 + #include <linux/security.h> 82 84 83 85 #define CREATE_TRACE_POINTS 84 86 #include <trace/events/io_uring.h> ··· 914 912 unsigned needs_async_setup : 1; 915 913 /* opcode is not supported by this kernel */ 916 914 unsigned not_supported : 1; 915 + /* skip auditing */ 916 + unsigned audit_skip : 1; 917 917 /* size of async data needed, if any */ 918 918 unsigned short async_size; 919 919 }; ··· 929 925 .buffer_select = 1, 930 926 .needs_async_setup = 1, 931 927 .plug = 1, 928 + .audit_skip = 1, 932 929 .async_size = sizeof(struct io_async_rw), 933 930 }, 934 931 [IORING_OP_WRITEV] = { ··· 939 934 .pollout = 1, 940 935 .needs_async_setup = 1, 941 936 .plug = 1, 937 + .audit_skip = 1, 942 938 .async_size = sizeof(struct io_async_rw), 943 939 }, 944 940 [IORING_OP_FSYNC] = { 945 941 .needs_file = 1, 942 + .audit_skip = 1, 946 943 }, 947 944 [IORING_OP_READ_FIXED] = { 948 945 .needs_file = 1, 949 946 .unbound_nonreg_file = 1, 950 947 .pollin = 1, 951 948 .plug = 1, 949 + .audit_skip = 1, 952 950 .async_size = sizeof(struct io_async_rw), 953 951 }, 954 952 [IORING_OP_WRITE_FIXED] = { ··· 960 952 .unbound_nonreg_file = 1, 961 953 .pollout = 1, 962 954 .plug = 1, 955 + .audit_skip = 1, 963 956 .async_size = sizeof(struct io_async_rw), 964 957 }, 965 958 [IORING_OP_POLL_ADD] = { 966 959 .needs_file = 1, 967 960 .unbound_nonreg_file = 1, 961 + .audit_skip = 1, 968 962 }, 969 - [IORING_OP_POLL_REMOVE] = {}, 963 + [IORING_OP_POLL_REMOVE] = { 964 + .audit_skip = 1, 965 + }, 970 966 [IORING_OP_SYNC_FILE_RANGE] = { 971 967 .needs_file = 1, 968 + .audit_skip = 1, 972 969 }, 973 970 [IORING_OP_SENDMSG] = { 974 971 .needs_file = 1, ··· 991 978 .async_size = sizeof(struct io_async_msghdr), 992 979 }, 993 980 [IORING_OP_TIMEOUT] = { 981 + .audit_skip = 1, 994 982 .async_size = sizeof(struct io_timeout_data), 995 983 }, 996 984 
[IORING_OP_TIMEOUT_REMOVE] = { 997 985 /* used by timeout updates' prep() */ 986 + .audit_skip = 1, 998 987 }, 999 988 [IORING_OP_ACCEPT] = { 1000 989 .needs_file = 1, 1001 990 .unbound_nonreg_file = 1, 1002 991 .pollin = 1, 1003 992 }, 1004 - [IORING_OP_ASYNC_CANCEL] = {}, 993 + [IORING_OP_ASYNC_CANCEL] = { 994 + .audit_skip = 1, 995 + }, 1005 996 [IORING_OP_LINK_TIMEOUT] = { 997 + .audit_skip = 1, 1006 998 .async_size = sizeof(struct io_timeout_data), 1007 999 }, 1008 1000 [IORING_OP_CONNECT] = { ··· 1022 1004 }, 1023 1005 [IORING_OP_OPENAT] = {}, 1024 1006 [IORING_OP_CLOSE] = {}, 1025 - [IORING_OP_FILES_UPDATE] = {}, 1026 - [IORING_OP_STATX] = {}, 1007 + [IORING_OP_FILES_UPDATE] = { 1008 + .audit_skip = 1, 1009 + }, 1010 + [IORING_OP_STATX] = { 1011 + .audit_skip = 1, 1012 + }, 1027 1013 [IORING_OP_READ] = { 1028 1014 .needs_file = 1, 1029 1015 .unbound_nonreg_file = 1, 1030 1016 .pollin = 1, 1031 1017 .buffer_select = 1, 1032 1018 .plug = 1, 1019 + .audit_skip = 1, 1033 1020 .async_size = sizeof(struct io_async_rw), 1034 1021 }, 1035 1022 [IORING_OP_WRITE] = { ··· 1043 1020 .unbound_nonreg_file = 1, 1044 1021 .pollout = 1, 1045 1022 .plug = 1, 1023 + .audit_skip = 1, 1046 1024 .async_size = sizeof(struct io_async_rw), 1047 1025 }, 1048 1026 [IORING_OP_FADVISE] = { 1049 1027 .needs_file = 1, 1028 + .audit_skip = 1, 1050 1029 }, 1051 1030 [IORING_OP_MADVISE] = {}, 1052 1031 [IORING_OP_SEND] = { 1053 1032 .needs_file = 1, 1054 1033 .unbound_nonreg_file = 1, 1055 1034 .pollout = 1, 1035 + .audit_skip = 1, 1056 1036 }, 1057 1037 [IORING_OP_RECV] = { 1058 1038 .needs_file = 1, 1059 1039 .unbound_nonreg_file = 1, 1060 1040 .pollin = 1, 1061 1041 .buffer_select = 1, 1042 + .audit_skip = 1, 1062 1043 }, 1063 1044 [IORING_OP_OPENAT2] = { 1064 1045 }, 1065 1046 [IORING_OP_EPOLL_CTL] = { 1066 1047 .unbound_nonreg_file = 1, 1048 + .audit_skip = 1, 1067 1049 }, 1068 1050 [IORING_OP_SPLICE] = { 1069 1051 .needs_file = 1, 1070 1052 .hash_reg_file = 1, 1071 1053 
.unbound_nonreg_file = 1, 1054 + .audit_skip = 1, 1072 1055 }, 1073 - [IORING_OP_PROVIDE_BUFFERS] = {}, 1074 - [IORING_OP_REMOVE_BUFFERS] = {}, 1056 + [IORING_OP_PROVIDE_BUFFERS] = { 1057 + .audit_skip = 1, 1058 + }, 1059 + [IORING_OP_REMOVE_BUFFERS] = { 1060 + .audit_skip = 1, 1061 + }, 1075 1062 [IORING_OP_TEE] = { 1076 1063 .needs_file = 1, 1077 1064 .hash_reg_file = 1, 1078 1065 .unbound_nonreg_file = 1, 1066 + .audit_skip = 1, 1079 1067 }, 1080 1068 [IORING_OP_SHUTDOWN] = { 1081 1069 .needs_file = 1, ··· 6615 6581 if (unlikely((req->flags & REQ_F_CREDS) && req->creds != current_cred())) 6616 6582 creds = override_creds(req->creds); 6617 6583 6584 + if (!io_op_defs[req->opcode].audit_skip) 6585 + audit_uring_entry(req->opcode); 6586 + 6618 6587 switch (req->opcode) { 6619 6588 case IORING_OP_NOP: 6620 6589 ret = io_nop(req, issue_flags); ··· 6732 6695 ret = -EINVAL; 6733 6696 break; 6734 6697 } 6698 + 6699 + if (!io_op_defs[req->opcode].audit_skip) 6700 + audit_uring_exit(!ret, ret); 6735 6701 6736 6702 if (creds) 6737 6703 revert_creds(creds); ··· 7130 7090 7131 7091 personality = READ_ONCE(sqe->personality); 7132 7092 if (personality) { 7093 + int ret; 7094 + 7133 7095 req->creds = xa_load(&ctx->personalities, personality); 7134 7096 if (!req->creds) 7135 7097 return -EINVAL; 7136 7098 get_cred(req->creds); 7099 + ret = security_uring_override_creds(req->creds); 7100 + if (ret) { 7101 + put_cred(req->creds); 7102 + return ret; 7103 + } 7137 7104 req->flags |= REQ_F_CREDS; 7138 7105 } 7139 7106 ··· 7447 7400 set_cpus_allowed_ptr(current, cpu_online_mask); 7448 7401 current->flags |= PF_NO_SETAFFINITY; 7449 7402 7403 + audit_alloc_kernel(current); 7404 + 7450 7405 mutex_lock(&sqd->lock); 7451 7406 while (1) { 7452 7407 bool cap_entries, sqt_spin = false; ··· 7513 7464 io_ring_set_wakeup_flag(ctx); 7514 7465 io_run_task_work(); 7515 7466 mutex_unlock(&sqd->lock); 7467 + 7468 + audit_free(current); 7516 7469 7517 7470 complete(&sqd->exited); 7518 7471 do_exit(0); 
··· 8672 8621 struct task_struct *tsk; 8673 8622 struct io_sq_data *sqd; 8674 8623 bool attached; 8624 + 8625 + ret = security_uring_sqpoll(); 8626 + if (ret) 8627 + return ret; 8675 8628 8676 8629 sqd = io_get_sq_data(p, &attached); 8677 8630 if (IS_ERR(sqd)) { ··· 10331 10276 return ERR_PTR(ret); 10332 10277 #endif 10333 10278 10334 - file = anon_inode_getfile("[io_uring]", &io_uring_fops, ctx, 10335 - O_RDWR | O_CLOEXEC); 10279 + file = anon_inode_getfile_secure("[io_uring]", &io_uring_fops, ctx, 10280 + O_RDWR | O_CLOEXEC, NULL); 10336 10281 #if defined(CONFIG_UNIX) 10337 10282 if (IS_ERR(file)) { 10338 10283 sock_release(ctx->ring_sock);
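Review bot: The new `audit_skip` flag decides which io_uring operations an AUDIT_FILTER_URING_EXIT rule can ever see, but its only documentation is `/* skip auditing */`, and the table marks IORING_OP_STATX and IORING_OP_EPOLL_CTL as skipped even though their syscall counterparts are routinely audited — because `audit_uring_entry()` is never called for a skipped op, a `-w /path` watch on the uring list never fires for a statx() issued through the ring, which anyone relying on path watches should know. Suggest documenting the criterion on the field, e.g. `/* skip auditing: op is invisible to AUDIT_FILTER_URING_EXIT rules, including path watches; reserve for ops on already-open fds or ring state */`, and confirming STATX belongs in that set. Separately, `audit_uring_entry()`/`audit_uring_exit()` sit inside the `override_creds()`/`revert_creds()` window, so whatever the record captures about the subject is taken under the personality's creds rather than the submitter's — defensible, since `security_uring_override_creds()` vetted the override at SQE init, but a one-line comment at the entry call would keep that ordering from being lost in a refactor. Every `case` between the two calls must reach the common exit via `break`; the switch body, the issue function and the SQE init function all lie outside the hunks.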
+2 -1
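--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -127,7 +127,8 @@
 		return NULL;
 
 	err = security_dentry_init_security(dentry, sattr->ia_mode,
-			&dentry->d_name, (void **)&label->label, &label->len);
+			&dentry->d_name, NULL,
+			(void **)&label->label, &label->len);
 	if (err == 0)
 		return label;
 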
+4
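--- a/include/linux/anon_inodes.h
+++ b/include/linux/anon_inodes.h
@@ -15,6 +15,10 @@
 struct file *anon_inode_getfile(const char *name,
 				const struct file_operations *fops,
 				void *priv, int flags);
+struct file *anon_inode_getfile_secure(const char *name,
+				       const struct file_operations *fops,
+				       void *priv, int flags,
+				       const struct inode *context_inode);
 int anon_inode_getfd(const char *name, const struct file_operations *fops,
 		     void *priv, int flags);
 int anon_inode_getfd_secure(const char *name,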
+26
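--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -286,7 +286,10 @@
 /* These are defined in auditsc.c */
 				/* Public API */
 extern int  audit_alloc(struct task_struct *task);
+extern int  audit_alloc_kernel(struct task_struct *task);
 extern void __audit_free(struct task_struct *task);
+extern void __audit_uring_entry(u8 op);
+extern void __audit_uring_exit(int success, long code);
 extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long a1,
 				  unsigned long a2, unsigned long a3);
 extern void __audit_syscall_exit(int ret_success, long ret_value);
@@ -325,6 +322,18 @@
 {
 	if (unlikely(task->audit_context))
 		__audit_free(task);
+}
+static inline void audit_uring_entry(u8 op)
+{
+	/*
+	 * We intentionally check audit_context() before audit_enabled as most
+	 * Linux systems (as of ~2021) rely on systemd which forces audit to
+	 * be enabled regardless of the user's audit configuration.
+	 */
+	if (unlikely(audit_context() && audit_enabled))
+		__audit_uring_entry(op);
+}
+static inline void audit_uring_exit(int success, long code)
+{
+	if (unlikely(!audit_dummy_context()))
+		__audit_uring_exit(success, code);
 }
 static inline void audit_syscall_entry(int major, unsigned long a0,
 				       unsigned long a1, unsigned long a2,
@@ -572,7 +554,15 @@
 {
 	return 0;
 }
+static inline int audit_alloc_kernel(struct task_struct *task)
+{
+	return 0;
+}
 static inline void audit_free(struct task_struct *task)
+{ }
+static inline void audit_uring_entry(u8 op)
+{ }
+static inline void audit_uring_exit(int success, long code)
 { }
 static inline void audit_syscall_entry(int major, unsigned long a0,
 				       unsigned long a1, unsigned long a2,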
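Review bot: `audit_uring_entry()` is gated on `audit_context() && audit_enabled` while `audit_uring_exit()` is gated only on `!audit_dummy_context()`, so if audit is toggled between the two calls the pair becomes unbalanced — an exit with no matching entry, or an entry whose exit never runs — and correctness then rests on `__audit_uring_exit()` tolerating a context that is not in AUDIT_CTX_URING, which lives in kernel/auditsc.c and is not visible here. The new comment explains the order of the two tests but not that invariant; add a sentence after it, e.g. `* Note: __audit_uring_exit() must tolerate a context that never saw a matching entry.`. The !CONFIG_AUDIT stubs are fine as written.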
+14 -8
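--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -26,13 +26,13 @@
  * #undef LSM_HOOK
  * };
  */
-LSM_HOOK(int, 0, binder_set_context_mgr, struct task_struct *mgr)
-LSM_HOOK(int, 0, binder_transaction, struct task_struct *from,
-	 struct task_struct *to)
-LSM_HOOK(int, 0, binder_transfer_binder, struct task_struct *from,
-	 struct task_struct *to)
-LSM_HOOK(int, 0, binder_transfer_file, struct task_struct *from,
-	 struct task_struct *to, struct file *file)
+LSM_HOOK(int, 0, binder_set_context_mgr, const struct cred *mgr)
+LSM_HOOK(int, 0, binder_transaction, const struct cred *from,
+	 const struct cred *to)
+LSM_HOOK(int, 0, binder_transfer_binder, const struct cred *from,
+	 const struct cred *to)
+LSM_HOOK(int, 0, binder_transfer_file, const struct cred *from,
+	 const struct cred *to, struct file *file)
 LSM_HOOK(int, 0, ptrace_access_check, struct task_struct *child,
 	 unsigned int mode)
 LSM_HOOK(int, 0, ptrace_traceme, struct task_struct *parent)
@@ -83,7 +83,8 @@
 LSM_HOOK(int, 0, move_mount, const struct path *from_path,
 	 const struct path *to_path)
 LSM_HOOK(int, 0, dentry_init_security, struct dentry *dentry,
-	 int mode, const struct qstr *name, void **ctx, u32 *ctxlen)
+	 int mode, const struct qstr *name, const char **xattr_name,
+	 void **ctx, u32 *ctxlen)
 LSM_HOOK(int, 0, dentry_create_files_as, struct dentry *dentry, int mode,
 	 struct qstr *name, const struct cred *old, struct cred *new)
 
@@ -403,3 +402,8 @@
 LSM_HOOK(int, 0, perf_event_read, struct perf_event *event)
 LSM_HOOK(int, 0, perf_event_write, struct perf_event *event)
 #endif /* CONFIG_PERF_EVENTS */
+
+#ifdef CONFIG_IO_URING
+LSM_HOOK(int, 0, uring_override_creds, const struct cred *new)
+LSM_HOOK(int, 0, uring_sqpoll, void)
+#endif /* CONFIG_IO_URING */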
+23 -7
include/linux/lsm_hooks.h
··· 196 196 * @dentry dentry to use in calculating the context. 197 197 * @mode mode used to determine resource type. 198 198 * @name name of the last path component used to create file 199 + * @xattr_name pointer to place the pointer to security xattr name. 200 + * Caller does not have to free the resulting pointer. Its 201 + * a pointer to static string. 199 202 * @ctx pointer to place the pointer to the resulting context in. 200 203 * @ctxlen point to place the length of the resulting context. 201 204 * @dentry_create_files_as: ··· 1316 1313 * 1317 1314 * @binder_set_context_mgr: 1318 1315 * Check whether @mgr is allowed to be the binder context manager. 1319 - * @mgr contains the task_struct for the task being registered. 1316 + * @mgr contains the struct cred for the current binder process. 1320 1317 * Return 0 if permission is granted. 1321 1318 * @binder_transaction: 1322 1319 * Check whether @from is allowed to invoke a binder transaction call 1323 1320 * to @to. 1324 - * @from contains the task_struct for the sending task. 1325 - * @to contains the task_struct for the receiving task. 1321 + * @from contains the struct cred for the sending process. 1322 + * @to contains the struct cred for the receiving process. 1326 1323 * @binder_transfer_binder: 1327 1324 * Check whether @from is allowed to transfer a binder reference to @to. 1328 - * @from contains the task_struct for the sending task. 1329 - * @to contains the task_struct for the receiving task. 1325 + * @from contains the struct cred for the sending process. 1326 + * @to contains the struct cred for the receiving process. 1330 1327 * @binder_transfer_file: 1331 1328 * Check whether @from is allowed to transfer @file to @to. 1332 - * @from contains the task_struct for the sending task. 1329 + * @from contains the struct cred for the sending process. 1333 1330 * @file contains the struct file being transferred. 1334 - * @to contains the task_struct for the receiving task. 
1331 + * @to contains the struct cred for the receiving process. 1335 1332 * 1336 1333 * @ptrace_access_check: 1337 1334 * Check permission before allowing the current process to trace the ··· 1560 1557 * Read perf_event security info if allowed. 1561 1558 * @perf_event_write: 1562 1559 * Write perf_event security info if allowed. 1560 + * 1561 + * Security hooks for io_uring 1562 + * 1563 + * @uring_override_creds: 1564 + * Check if the current task, executing an io_uring operation, is allowed 1565 + * to override it's credentials with @new. 1566 + * 1567 + * @new: the new creds to use 1568 + * 1569 + * @uring_sqpoll: 1570 + * Check whether the current task is allowed to spawn a io_uring polling 1571 + * thread (IORING_SETUP_SQPOLL). 1572 + * 1563 1573 */ 1564 1574 union security_list_options { 1565 1575 #define LSM_HOOK(RET, DEFAULT, NAME, ...) RET (*NAME)(__VA_ARGS__);
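Review bot: The new `@uring_override_creds` text reads `is allowed to override it's credentials with @new` — `it's` should be `its` — and it would help to say that @new is a credential previously registered on the ring (the io_uring.c hunk looks it up with `xa_load(&ctx->personalities, personality)`), not an arbitrary cred, since that bounds what an LSM needs to reason about. The binder line `@mgr contains the struct cred for the current binder process.` is now slightly misleading: the cred passed is the one captured from the binder fd's `f_cred` in binder_open(), which need not be the calling task's current cred; suggest `@mgr contains the struct cred captured when the binder fd was opened.`. The `@xattr_name` text `Its a pointer to static string.` has the same its/it's slip in the other direction.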
+39 -16
include/linux/security.h
··· 258 258 extern int early_security_init(void); 259 259 260 260 /* Security operations */ 261 - int security_binder_set_context_mgr(struct task_struct *mgr); 262 - int security_binder_transaction(struct task_struct *from, 263 - struct task_struct *to); 264 - int security_binder_transfer_binder(struct task_struct *from, 265 - struct task_struct *to); 266 - int security_binder_transfer_file(struct task_struct *from, 267 - struct task_struct *to, struct file *file); 261 + int security_binder_set_context_mgr(const struct cred *mgr); 262 + int security_binder_transaction(const struct cred *from, 263 + const struct cred *to); 264 + int security_binder_transfer_binder(const struct cred *from, 265 + const struct cred *to); 266 + int security_binder_transfer_file(const struct cred *from, 267 + const struct cred *to, struct file *file); 268 268 int security_ptrace_access_check(struct task_struct *child, unsigned int mode); 269 269 int security_ptrace_traceme(struct task_struct *parent); 270 270 int security_capget(struct task_struct *target, ··· 317 317 int len, void **mnt_opts); 318 318 int security_move_mount(const struct path *from_path, const struct path *to_path); 319 319 int security_dentry_init_security(struct dentry *dentry, int mode, 320 - const struct qstr *name, void **ctx, 321 - u32 *ctxlen); 320 + const struct qstr *name, 321 + const char **xattr_name, void **ctx, 322 + u32 *ctxlen); 322 323 int security_dentry_create_files_as(struct dentry *dentry, int mode, 323 324 struct qstr *name, 324 325 const struct cred *old, ··· 509 508 return 0; 510 509 } 511 510 512 - static inline int security_binder_set_context_mgr(struct task_struct *mgr) 511 + static inline int security_binder_set_context_mgr(const struct cred *mgr) 513 512 { 514 513 return 0; 515 514 } 516 515 517 - static inline int security_binder_transaction(struct task_struct *from, 518 - struct task_struct *to) 516 + static inline int security_binder_transaction(const struct cred *from, 517 + const struct 
cred *to) 519 518 { 520 519 return 0; 521 520 } 522 521 523 - static inline int security_binder_transfer_binder(struct task_struct *from, 524 - struct task_struct *to) 522 + static inline int security_binder_transfer_binder(const struct cred *from, 523 + const struct cred *to) 525 524 { 526 525 return 0; 527 526 } 528 527 529 - static inline int security_binder_transfer_file(struct task_struct *from, 530 - struct task_struct *to, 528 + static inline int security_binder_transfer_file(const struct cred *from, 529 + const struct cred *to, 531 530 struct file *file) 532 531 { 533 532 return 0; ··· 740 739 static inline int security_dentry_init_security(struct dentry *dentry, 741 740 int mode, 742 741 const struct qstr *name, 742 + const char **xattr_name, 743 743 void **ctx, 744 744 u32 *ctxlen) 745 745 { ··· 1041 1039 static inline void security_transfer_creds(struct cred *new, 1042 1040 const struct cred *old) 1043 1041 { 1042 + } 1043 + 1044 + static inline void security_cred_getsecid(const struct cred *c, u32 *secid) 1045 + { 1046 + *secid = 0; 1044 1047 } 1045 1048 1046 1049 static inline int security_kernel_act_as(struct cred *cred, u32 secid) ··· 2044 2037 } 2045 2038 #endif /* CONFIG_SECURITY */ 2046 2039 #endif /* CONFIG_PERF_EVENTS */ 2040 + 2041 + #ifdef CONFIG_IO_URING 2042 + #ifdef CONFIG_SECURITY 2043 + extern int security_uring_override_creds(const struct cred *new); 2044 + extern int security_uring_sqpoll(void); 2045 + #else 2046 + static inline int security_uring_override_creds(const struct cred *new) 2047 + { 2048 + return 0; 2049 + } 2050 + static inline int security_uring_sqpoll(void) 2051 + { 2052 + return 0; 2053 + } 2054 + #endif /* CONFIG_SECURITY */ 2055 + #endif /* CONFIG_IO_URING */ 2047 2056 2048 2057 #endif /* ! __LINUX_SECURITY_H */
+3 -1
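--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -118,6 +118,7 @@
 #define AUDIT_TIME_ADJNTPVAL	1333	/* NTP value adjustment */
 #define AUDIT_BPF		1334	/* BPF subsystem */
 #define AUDIT_EVENT_LISTENER	1335	/* Task joined multicast read socket */
+#define AUDIT_URINGOP		1336	/* io_uring operation */
 
 #define AUDIT_AVC		1400	/* SE Linux avc denial or grant */
 #define AUDIT_SELINUX_ERR	1401	/* Internal SE Linux Errors */
@@ -167,8 +166,9 @@
 #define AUDIT_FILTER_EXCLUDE	0x05	/* Apply rule before record creation */
 #define AUDIT_FILTER_TYPE	AUDIT_FILTER_EXCLUDE	/* obsolete misleading naming */
 #define AUDIT_FILTER_FS		0x06	/* Apply rule at __audit_inode_child */
+#define AUDIT_FILTER_URING_EXIT	0x07	/* Apply rule at io_uring op exit */
 
-#define AUDIT_NR_FILTERS	7
+#define AUDIT_NR_FILTERS	8
 
 #define AUDIT_FILTER_PREPEND	0x10	/* Prepend to front of list */
 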
+6 -1
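--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -100,10 +100,15 @@
 /* The per-task audit context. */
 struct audit_context {
 	int		    dummy;	/* must be the first element */
-	int		    in_syscall;	/* 1 if task is in a syscall */
+	enum {
+		AUDIT_CTX_UNUSED,	/* audit_context is currently unused */
+		AUDIT_CTX_SYSCALL,	/* in use by syscall */
+		AUDIT_CTX_URING,	/* in use by io_uring */
+	} context;
 	enum audit_state    state, current_state;
 	unsigned int	    serial;     /* serial number for record */
 	int		    major;      /* syscall number */
+	int		    uring_op;   /* uring operation */
 	struct timespec64   ctime;      /* time of syscall entry */
 	unsigned long	    argv[4];    /* syscall arguments */
 	long		    return_code;/* syscall return code */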
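Review bot: `int uring_op; /* uring operation */` does not say what the value is or when it is valid: it receives the `u8` opcode passed to `audit_uring_entry()` in include/linux/audit.h, and, like `major` for AUDIT_CTX_SYSCALL, it is only meaningful while `context == AUDIT_CTX_URING`. Suggest `int uring_op; /* IORING_OP_* opcode; valid only when context == AUDIT_CTX_URING */`. On the new enum, a note that `audit_reset_context()` (in the auditsc.c hunk of this commit) returns the field to AUDIT_CTX_UNUSED would tell readers where the state machine is reset.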
+2 -1
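--- a/kernel/audit_tree.c
+++ b/kernel/audit_tree.c
@@ -726,7 +726,8 @@
 {
 
 	if (pathname[0] != '/' ||
-	    rule->listnr != AUDIT_FILTER_EXIT ||
+	    (rule->listnr != AUDIT_FILTER_EXIT &&
+	     rule->listnr != AUDIT_FILTER_URING_EXIT) ||
 	    op != Audit_equal ||
 	    rule->inode_f || rule->watch || rule->tree)
 		return -EINVAL;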
+2 -1
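--- a/kernel/audit_watch.c
+++ b/kernel/audit_watch.c
@@ -183,7 +183,8 @@
 		return -EOPNOTSUPP;
 
 	if (path[0] != '/' || path[len-1] == '/' ||
-	    krule->listnr != AUDIT_FILTER_EXIT ||
+	    (krule->listnr != AUDIT_FILTER_EXIT &&
+	     krule->listnr != AUDIT_FILTER_URING_EXIT) ||
 	    op != Audit_equal ||
 	    krule->inode_f || krule->watch || krule->tree)
 		return -EINVAL;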
+12 -3
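--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -44,7 +44,8 @@
 	LIST_HEAD_INIT(audit_filter_list[4]),
 	LIST_HEAD_INIT(audit_filter_list[5]),
 	LIST_HEAD_INIT(audit_filter_list[6]),
-#if AUDIT_NR_FILTERS != 7
+	LIST_HEAD_INIT(audit_filter_list[7]),
+#if AUDIT_NR_FILTERS != 8
 #error Fix audit_filter_list initialiser
 #endif
 };
@@ -57,6 +56,7 @@
 	LIST_HEAD_INIT(audit_rules_list[4]),
 	LIST_HEAD_INIT(audit_rules_list[5]),
 	LIST_HEAD_INIT(audit_rules_list[6]),
+	LIST_HEAD_INIT(audit_rules_list[7]),
 };
 
 DEFINE_MUTEX(audit_filter_mutex);
@@ -153,7 +151,8 @@
 static inline int audit_to_inode(struct audit_krule *krule,
 				 struct audit_field *f)
 {
-	if (krule->listnr != AUDIT_FILTER_EXIT ||
+	if ((krule->listnr != AUDIT_FILTER_EXIT &&
+	     krule->listnr != AUDIT_FILTER_URING_EXIT) ||
 	    krule->inode_f || krule->watch || krule->tree ||
 	    (f->op != Audit_equal && f->op != Audit_not_equal))
 		return -EINVAL;
@@ -251,6 +248,7 @@
 		pr_err("AUDIT_FILTER_ENTRY is deprecated\n");
 		goto exit_err;
 	case AUDIT_FILTER_EXIT:
+	case AUDIT_FILTER_URING_EXIT:
 	case AUDIT_FILTER_TASK:
 #endif
 	case AUDIT_FILTER_USER:
@@ -334,6 +330,10 @@
 		break;
 	case AUDIT_FSTYPE:
 		if (entry->rule.listnr != AUDIT_FILTER_FS)
+			return -EINVAL;
+		break;
+	case AUDIT_PERM:
+		if (entry->rule.listnr == AUDIT_FILTER_URING_EXIT)
 			return -EINVAL;
 		break;
 	}
@@ -988,7 +980,8 @@
 	}
 
 	entry->rule.prio = ~0ULL;
-	if (entry->rule.listnr == AUDIT_FILTER_EXIT) {
+	if (entry->rule.listnr == AUDIT_FILTER_EXIT ||
+	    entry->rule.listnr == AUDIT_FILTER_URING_EXIT) {
 		if (entry->rule.flags & AUDIT_FILTER_PREPEND)
 			entry->rule.prio = ++prio_high;
 		else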
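Review bot: `case AUDIT_PERM: if (entry->rule.listnr == AUDIT_FILTER_URING_EXIT) return -EINVAL;` rejects permission-class (`-p rwxa`) fields on the new list with no comment, and nothing at the new `case AUDIT_FILTER_URING_EXIT:` acceptance says that for this list the rule's syscall bitmask is matched against io_uring opcodes — the auditsc.c hunk of this commit tests `audit_in_mask(&e->rule, ctx->uring_op)` — so a reader of this file cannot tell that `-S` numbers mean IORING_OP_* here. Suggest `/* for AUDIT_FILTER_URING_EXIT the syscall mask selects IORING_OP_* opcodes */` at the acceptance case and `/* io_uring ops have no r/w/x/a permission mapping */` at the AUDIT_PERM rejection, assuming that is the reason for rejecting it. The functions containing the last three hunks begin and end outside them.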
+367 -99
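--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -805,6 +805,34 @@
 	return rule->mask[word] & bit;
 }
 
+/**
+ * audit_filter_uring - apply filters to an io_uring operation
+ * @tsk: associated task
+ * @ctx: audit context
+ */
+static void audit_filter_uring(struct task_struct *tsk,
+			       struct audit_context *ctx)
+{
+	struct audit_entry *e;
+	enum audit_state state;
+
+	if (auditd_test_task(tsk))
+		return;
+
+	rcu_read_lock();
+	list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_URING_EXIT],
+				list) {
+		if (audit_in_mask(&e->rule, ctx->uring_op) &&
+		    audit_filter_rules(tsk, &e->rule, ctx, NULL, &state,
+				       false)) {
+			rcu_read_unlock();
+			ctx->current_state = state;
+			return;
+		}
+	}
+	rcu_read_unlock();
+}
+
 /* At syscall exit time, this filter is called if the audit_state is
  * not low enough that auditing cannot take place, but is also not
  * high enough that we already know we have to write an audit record
@@ -943,10 +915,81 @@
 		context->aux = aux->next;
 		kfree(aux);
 	}
+	context->aux = NULL;
 	while ((aux = context->aux_pids)) {
 		context->aux_pids = aux->next;
 		kfree(aux);
 	}
+	context->aux_pids = NULL;
+}
+
+/**
+ * audit_reset_context - reset a audit_context structure
+ * @ctx: the audit_context to reset
+ *
+ * All fields in the audit_context will be reset to an initial state, all
+ * references held by fields will be dropped, and private memory will be
+ * released.  When this function returns the audit_context will be suitable
+ * for reuse, so long as the passed context is not NULL or a dummy context.
+ */
+static void audit_reset_context(struct audit_context *ctx)
+{
+	if (!ctx)
+		return;
+
+	/* if ctx is non-null, reset the "ctx->state" regardless */
+	ctx->context = AUDIT_CTX_UNUSED;
+	if (ctx->dummy)
+		return;
+
+	/*
+	 * NOTE: It shouldn't matter in what order we release the fields, so
+	 *       release them in the order in which they appear in the struct;
+	 *       this gives us some hope of quickly making sure we are
+	 *       resetting the audit_context properly.
+	 *
+	 *       Other things worth mentioning:
+	 *       - we don't reset "dummy"
+	 *       - we don't reset "state", we do reset "current_state"
+	 *       - we preserve "filterkey" if "state" is AUDIT_STATE_RECORD
+	 *       - much of this is likely overkill, but play it safe for now
+	 *       - we really need to work on improving the audit_context struct
+	 */
+
+	ctx->current_state = ctx->state;
+	ctx->serial = 0;
+	ctx->major = 0;
+	ctx->uring_op = 0;
+	ctx->ctime = (struct timespec64){ .tv_sec = 0, .tv_nsec = 0 };
+	memset(ctx->argv, 0, sizeof(ctx->argv));
+	ctx->return_code = 0;
+	ctx->prio = (ctx->state == AUDIT_STATE_RECORD ? ~0ULL : 0);
+	ctx->return_valid = AUDITSC_INVALID;
+	audit_free_names(ctx);
+	if (ctx->state != AUDIT_STATE_RECORD) {
+		kfree(ctx->filterkey);
+		ctx->filterkey = NULL;
+	}
+	audit_free_aux(ctx);
+	kfree(ctx->sockaddr);
+	ctx->sockaddr = NULL;
+	ctx->sockaddr_len = 0;
+	ctx->pid = ctx->ppid = 0;
+	ctx->uid = ctx->euid = ctx->suid = ctx->fsuid = KUIDT_INIT(0);
+	ctx->gid = ctx->egid = ctx->sgid = ctx->fsgid = KGIDT_INIT(0);
+	ctx->personality = 0;
+	ctx->arch = 0;
+	ctx->target_pid = 0;
+	ctx->target_auid = ctx->target_uid = KUIDT_INIT(0);
+	ctx->target_sessionid = 0;
+	ctx->target_sid = 0;
+	ctx->target_comm[0] = '\0';
+	unroll_tree_refs(ctx, NULL, 0);
+	WARN_ON(!list_empty(&ctx->killed_trees));
+	ctx->type = 0;
+	audit_free_module(ctx);
+	ctx->fds[0] = -1;
+	audit_proctitle_free(ctx);
 }
 
 static inline struct audit_context *audit_alloc_context(enum audit_state state)
@@ -1027,6 +928,7 @@
 	context = kzalloc(sizeof(*context), GFP_KERNEL);
 	if (!context)
 		return NULL;
+	context->context = AUDIT_CTX_UNUSED;
 	context->state = state;
 	context->prio = state == AUDIT_STATE_RECORD ? ~0ULL : 0;
 	INIT_LIST_HEAD(&context->killed_trees);
@@ -1053,7 +953,7 @@
 	char *key = NULL;
 
 	if (likely(!audit_ever_enabled))
-		return 0; /* Return if not auditing. */
+		return 0;
 
 	state = audit_filter_task(tsk, &key);
 	if (state == AUDIT_STATE_DISABLED) {
@@ -1073,16 +973,37 @@
 	return 0;
 }
 
+/**
+ * audit_alloc_kernel - allocate an audit_context for a kernel task
+ * @tsk: the kernel task
+ *
+ * Similar to the audit_alloc() function, but intended for kernel private
+ * threads.  Returns zero on success, negative values on failure.
+ */
+int audit_alloc_kernel(struct task_struct *tsk)
+{
+	/*
+	 * At the moment we are just going to call into audit_alloc() to
+	 * simplify the code, but there two things to keep in mind with this
+	 * approach:
+	 *
+	 * 1. Filtering internal kernel tasks is a bit laughable in almost all
+	 * cases, but there is at least one case where there is a benefit:
+	 * the '-a task,never' case allows the admin to effectively disable
+	 * task auditing at runtime.
+	 *
+	 * 2. The {set,clear}_task_syscall_work() ops likely have zero effect
+	 * on these internal kernel tasks, but they probably don't hurt either.
+	 */
+	return audit_alloc(tsk);
+}
+
 static inline void audit_free_context(struct audit_context *context)
 {
-	audit_free_module(context);
-	audit_free_names(context);
-	unroll_tree_refs(context, NULL, 0);
+	/* resetting is extra work, but it is likely just noise */
+	audit_reset_context(context);
 	free_tree_refs(context);
-	audit_free_aux(context);
 	kfree(context->filterkey);
-	kfree(context->sockaddr);
-	audit_proctitle_free(context);
 	kfree(context);
 }
 
@@ -1600,6 +1479,44 @@
 	audit_log_end(ab);
 }
 
+/**
+ * audit_log_uring - generate a AUDIT_URINGOP record
+ * @ctx: the audit context
+ */
+static void audit_log_uring(struct audit_context *ctx)
+{
+	struct audit_buffer *ab;
+	const struct cred *cred;
+
+	ab = audit_log_start(ctx, GFP_ATOMIC, AUDIT_URINGOP);
+	if (!ab)
+		return;
+	cred = current_cred();
+	audit_log_format(ab, "uring_op=%d", ctx->uring_op);
+	if (ctx->return_valid != AUDITSC_INVALID)
+		audit_log_format(ab, " success=%s exit=%ld",
+				 (ctx->return_valid == AUDITSC_SUCCESS ?
+				  "yes" : "no"),
+				 ctx->return_code);
+	audit_log_format(ab,
+			 " items=%d"
+			 " ppid=%d pid=%d uid=%u gid=%u euid=%u suid=%u"
+			 " fsuid=%u egid=%u sgid=%u fsgid=%u",
+			 ctx->name_count,
+			 task_ppid_nr(current), task_tgid_nr(current),
+			 from_kuid(&init_user_ns, cred->uid),
+			 from_kgid(&init_user_ns, cred->gid),
+			 from_kuid(&init_user_ns, cred->euid),
+			 from_kuid(&init_user_ns, cred->suid),
+			 from_kuid(&init_user_ns, cred->fsuid),
+			 from_kgid(&init_user_ns, cred->egid),
+			 from_kgid(&init_user_ns, cred->sgid),
+			 from_kgid(&init_user_ns, cred->fsgid));
+	audit_log_task_context(ab);
+	audit_log_key(ab, ctx->filterkey);
+	audit_log_end(ab);
+}
+
 static void audit_log_exit(void)
 {
 	int i, call_panic = 0;
@@ -1648,29 +1489,38 @@
 
 	context->personality = current->personality;
 
-	ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL);
-	if (!ab)
-		return;		/* audit_panic has been called */
-	audit_log_format(ab, "arch=%x syscall=%d",
-			 context->arch, context->major);
-	if (context->personality != PER_LINUX)
-		audit_log_format(ab, " per=%lx", context->personality);
-	if (context->return_valid != AUDITSC_INVALID)
-		audit_log_format(ab, " success=%s exit=%ld",
-				 (context->return_valid==AUDITSC_SUCCESS)?"yes":"no",
-				 context->return_code);
-
-	audit_log_format(ab,
-			 " a0=%lx a1=%lx a2=%lx a3=%lx items=%d",
-			 context->argv[0],
-			 context->argv[1],
-			 context->argv[2],
-			 context->argv[3],
-			 context->name_count);
-
-	audit_log_task_info(ab);
-	audit_log_key(ab, context->filterkey);
-	audit_log_end(ab);
+	switch (context->context) {
+	case AUDIT_CTX_SYSCALL:
+		ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL);
+		if (!ab)
+			return;
+		audit_log_format(ab, "arch=%x syscall=%d",
+				 context->arch, context->major);
+		if (context->personality != PER_LINUX)
+			audit_log_format(ab, " per=%lx", context->personality);
+		if (context->return_valid != AUDITSC_INVALID)
+			audit_log_format(ab, " success=%s exit=%ld",
+					 (context->return_valid == AUDITSC_SUCCESS ?
+					  "yes" : "no"),
+					 context->return_code);
+		audit_log_format(ab,
+				 " a0=%lx a1=%lx a2=%lx a3=%lx items=%d",
+				 context->argv[0],
+				 context->argv[1],
+				 context->argv[2],
+				 context->argv[3],
+				 context->name_count);
+		audit_log_task_info(ab);
+		audit_log_key(ab, context->filterkey);
+		audit_log_end(ab);
+		break;
+	case AUDIT_CTX_URING:
+		audit_log_uring(context);
+		break;
+	default:
+		BUG();
+		break;
+	}
 
 	for (aux = context->aux; aux; aux = aux->next) {
 
@@ -1770,21 +1602,22 @@
 		audit_log_name(context, n, NULL, i++, &call_panic);
 	}
 
-	audit_log_proctitle();
+	if (context->context == AUDIT_CTX_SYSCALL)
+		audit_log_proctitle();
 
 	/* Send end of event record to help user space know we are finished */
 	ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE);
 	if (ab)
 		audit_log_end(ab);
 	if (call_panic)
-		audit_panic("error converting sid to string");
+		audit_panic("error in audit_log_exit()");
 }
 
 /**
  * __audit_free - free a per-task audit context
  * @tsk: task whose audit context block to free
  *
- * Called from copy_process and do_exit
+ * Called from copy_process, do_exit, and the io_uring code
  */
 void __audit_free(struct task_struct *tsk)
 {
@@ -1794,6 +1625,7 @@
 	if (!context)
 		return;
 
+	/* this may generate CONFIG_CHANGE records */
 	if (!list_empty(&context->killed_trees))
 		audit_kill_trees(context);
 
@@ -1803,18 +1633,150 @@
 	 * random task_struct that doesn't doesn't have any meaningful data we
 	 * need to log via audit_log_exit().
 	 */
-	if (tsk == current && !context->dummy && context->in_syscall) {
+	if (tsk == current && !context->dummy) {
 		context->return_valid = AUDITSC_INVALID;
 		context->return_code = 0;
-
-		audit_filter_syscall(tsk, context);
-		audit_filter_inodes(tsk, context);
-		if (context->current_state == AUDIT_STATE_RECORD)
-			audit_log_exit();
+		if (context->context == AUDIT_CTX_SYSCALL) {
+			audit_filter_syscall(tsk, context);
+			audit_filter_inodes(tsk, context);
+			if (context->current_state == AUDIT_STATE_RECORD)
+				audit_log_exit();
+		} else if (context->context == AUDIT_CTX_URING) {
+			/* TODO: verify this case is real and valid */
+			audit_filter_uring(tsk, context);
+			audit_filter_inodes(tsk, context);
+			if (context->current_state == AUDIT_STATE_RECORD)
+				audit_log_uring(context);
+		}
 	}
 
 	audit_set_context(tsk, NULL);
 	audit_free_context(context);
+}
+
+/**
+ * audit_return_fixup - fixup the return codes in the audit_context
+ * @ctx: the audit_context
+ * @success: true/false value to indicate if the operation succeeded or not
+ * @code: operation return code
+ *
+ * We need to fixup the return code in the audit logs if the actual return
+ * codes are later going to be fixed by the arch specific signal handlers.
+ */
+static void audit_return_fixup(struct audit_context *ctx,
+			       int success, long code)
+{
+	/*
+	 * This is actually a test for:
+	 * (rc == ERESTARTSYS ) || (rc == ERESTARTNOINTR) ||
+	 * (rc == ERESTARTNOHAND) || (rc == ERESTART_RESTARTBLOCK)
+	 *
+	 * but is faster than a bunch of ||
+	 */
+	if (unlikely(code <= -ERESTARTSYS) &&
+	    (code >= -ERESTART_RESTARTBLOCK) &&
+	    (code != -ENOIOCTLCMD))
+		ctx->return_code = -EINTR;
+	else
+		ctx->return_code = code;
+	ctx->return_valid = (success ? AUDITSC_SUCCESS : AUDITSC_FAILURE);
+}
+
+/**
+ * __audit_uring_entry - prepare the kernel task's audit context for io_uring
+ * @op: the io_uring opcode
+ *
+ * This is similar to audit_syscall_entry() but is intended for use by io_uring
+ * operations.  This function should only ever be called from
+ * audit_uring_entry() as we rely on the audit context checking present in that
+ * function.
+ */
+void __audit_uring_entry(u8 op)
+{
+	struct audit_context *ctx = audit_context();
+
+	if (ctx->state == AUDIT_STATE_DISABLED)
+		return;
+
+	/*
+	 * NOTE: It's possible that we can be called from the process' context
+	 *       before it returns to userspace, and before audit_syscall_exit()
+	 *       is called.  In this case there is not much to do, just record
+	 *       the io_uring details and return.
+	 */
+	ctx->uring_op = op;
+	if (ctx->context == AUDIT_CTX_SYSCALL)
+		return;
+
+	ctx->dummy = !audit_n_rules;
+	if (!ctx->dummy && ctx->state == AUDIT_STATE_BUILD)
+		ctx->prio = 0;
+
+	ctx->context = AUDIT_CTX_URING;
+	ctx->current_state = ctx->state;
+	ktime_get_coarse_real_ts64(&ctx->ctime);
+}
+
+/**
+ * __audit_uring_exit - wrap up the kernel task's audit context after io_uring
+ * @success: true/false value to indicate if the operation succeeded or not
+ * @code: operation return code
+ *
+ * This is similar to audit_syscall_exit() but is intended for use by io_uring
+ * operations.  This function should only ever be called from
+ * audit_uring_exit() as we rely on the audit context checking present in that
+ * function.
+ */
+void __audit_uring_exit(int success, long code)
+{
+	struct audit_context *ctx = audit_context();
+
+	if (ctx->context == AUDIT_CTX_SYSCALL) {
+		/*
+		 * NOTE: See the note in __audit_uring_entry() about the case
+		 *       where we may be called from process context before we
+		 *       return to userspace via audit_syscall_exit().  In this
+		 *       case we simply emit a URINGOP record and bail, the
+		 *       normal syscall exit handling will take care of
+		 *       everything else.
+		 *       It is also worth mentioning that when we are called,
+		 *       the current process creds may differ from the creds
+		 *       used during the normal syscall processing; keep that
+		 *       in mind if/when we move the record generation code.
+		 */
+
+		/*
+		 * We need to filter on the syscall info here to decide if we
+		 * should emit a URINGOP record.  I know it seems odd but this
+		 * solves the problem where users have a filter to block *all*
+		 * syscall records in the "exit" filter; we want to preserve
+		 * the behavior here.
+		 */
+		audit_filter_syscall(current, ctx);
+		if (ctx->current_state != AUDIT_STATE_RECORD)
+			audit_filter_uring(current, ctx);
+		audit_filter_inodes(current, ctx);
+		if (ctx->current_state != AUDIT_STATE_RECORD)
+			return;
+
+		audit_log_uring(ctx);
+		return;
+	}
+
+	/* this may generate CONFIG_CHANGE records */
+	if (!list_empty(&ctx->killed_trees))
+		audit_kill_trees(ctx);
+
+	/* run through both filters to ensure we set the filterkey properly */
+	audit_filter_uring(current, ctx);
+	audit_filter_inodes(current, ctx);
+	if (ctx->current_state != AUDIT_STATE_RECORD)
+		goto out;
+	audit_return_fixup(ctx, success, code);
+	audit_log_exit();
+
+out:
+	audit_reset_context(ctx);
 }
 
 /**
@@ -1974,7 +1672,12 @@
 	if (!audit_enabled || !context)
 		return;
 
-	BUG_ON(context->in_syscall || context->name_count);
+	WARN_ON(context->context != AUDIT_CTX_UNUSED);
+	WARN_ON(context->name_count);
+	if (context->context != AUDIT_CTX_UNUSED || context->name_count) {
+		audit_panic("unrecoverable error in audit_syscall_entry()");
+		return;
+	}
 
 	state = context->state;
 	if (state == AUDIT_STATE_DISABLED)
@@ -1998,10 +1691,8 @@
 	context->argv[1]    = a2;
 	context->argv[2]    = a3;
 	context->argv[3]    = a4;
-	context->serial     = 0;
-	context->in_syscall = 1;
+	context->context = AUDIT_CTX_SYSCALL;
 	context->current_state  = state;
-	context->ppid       = 0;
 	ktime_get_coarse_real_ts64(&context->ctime);
 }
 
@@ -2016,63 +1711,27 @@
  */
 void __audit_syscall_exit(int success, long return_code)
 {
-	struct audit_context *context;
+	struct audit_context *context = audit_context();
 
-	context = audit_context();
-	if (!context)
-		return;
+	if (!context || context->dummy ||
+	    context->context != AUDIT_CTX_SYSCALL)
+		goto out;
 
+	/* this may generate CONFIG_CHANGE records */
 	if (!list_empty(&context->killed_trees))
 		audit_kill_trees(context);
 
-	if (!context->dummy && context->in_syscall) {
-		if (success)
-			context->return_valid = AUDITSC_SUCCESS;
-		else
-			context->return_valid = AUDITSC_FAILURE;
+	/* run through both filters to ensure we set the filterkey properly */
+	audit_filter_syscall(current, context);
+	audit_filter_inodes(current, context);
+	if (context->current_state < AUDIT_STATE_RECORD)
+		goto out;
 
-		/*
-		 * we need to fix up the return code in the audit logs if the
-		 * actual return codes are later going to be fixed up by the
-		 * arch specific signal handlers
-		 *
-		 * This is actually a test for:
-		 * (rc == ERESTARTSYS ) || (rc == ERESTARTNOINTR) ||
-		 * (rc == ERESTARTNOHAND) || (rc == ERESTART_RESTARTBLOCK)
-		 *
-		 * but is faster than a bunch of ||
-		 */
-		if (unlikely(return_code <= -ERESTARTSYS) &&
-		    (return_code >= -ERESTART_RESTARTBLOCK) &&
-		    (return_code != -ENOIOCTLCMD))
-			context->return_code = -EINTR;
-		else
-			context->return_code  = return_code;
+	audit_return_fixup(context, success, return_code);
+	audit_log_exit();
 
-		audit_filter_syscall(current, context);
-		audit_filter_inodes(current, context);
-		if (context->current_state == AUDIT_STATE_RECORD)
-			audit_log_exit();
-	}
-
-	context->in_syscall = 0;
-	context->prio = context->state == AUDIT_STATE_RECORD ? ~0ULL : 0;
-
-	audit_free_module(context);
-	audit_free_names(context);
-	unroll_tree_refs(context, NULL, 0);
-	audit_free_aux(context);
-	context->aux = NULL;
-	context->aux_pids = NULL;
-	context->target_pid = 0;
-	context->target_sid = 0;
-	context->sockaddr_len = 0;
-	context->type = 0;
-	context->fds[0] = -1;
-	if (context->state != AUDIT_STATE_RECORD) {
-		kfree(context->filterkey);
-		context->filterkey = NULL;
-	}
+out:
+	audit_reset_context(context);
 }
 
 static inline void handle_one(const struct inode *inode)
@@ -2188,7 +1919,7 @@
 	struct audit_context *context = audit_context();
 	struct audit_names *n;
 
-	if (!context->in_syscall)
+	if (context->context == AUDIT_CTX_UNUSED)
 		return;
 
 	n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);
@@ -2260,7 +1991,7 @@
 	struct list_head *list = &audit_filter_list[AUDIT_FILTER_FS];
 	int i;
 
-	if (!context->in_syscall)
+	if (context->context == AUDIT_CTX_UNUSED)
 		return;
 
 	rcu_read_lock();
@@ -2378,7 +2109,7 @@
 	struct list_head *list = &audit_filter_list[AUDIT_FILTER_FS];
 	int i;
 
-	if (!context->in_syscall)
+	if (context->context == AUDIT_CTX_UNUSED)
 		return;
 
 	rcu_read_lock();
@@ -2477,7 +2208,7 @@
 int auditsc_get_stamp(struct audit_context *ctx,
 		       struct timespec64 *t, unsigned int *serial)
 {
-	if (!ctx->in_syscall)
+	if (ctx->context == AUDIT_CTX_UNUSED)
 		return 0;
 	if (!ctx->serial)
 		ctx->serial = audit_serial();
@@ -2975,8 +2706,7 @@
 struct list_head *audit_killed_trees(void)
 {
 	struct audit_context *ctx = audit_context();
-
-	if (likely(!ctx || !ctx->in_syscall))
+	if (likely(!ctx || ctx->context == AUDIT_CTX_UNUSED))
 		return NULL;
 	return &ctx->killed_trees;
 }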
+24 -11
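--- a/security/security.c
+++ b/security/security.c
@@ -706,7 +706,7 @@
 #define LSM_RET_DEFAULT(NAME) (NAME##_default)
 #define DECLARE_LSM_RET_DEFAULT_void(DEFAULT, NAME)
 #define DECLARE_LSM_RET_DEFAULT_int(DEFAULT, NAME) \
-	static const int LSM_RET_DEFAULT(NAME) = (DEFAULT);
+	static const int __maybe_unused LSM_RET_DEFAULT(NAME) = (DEFAULT);
 #define LSM_HOOK(RET, DEFAULT, NAME, ...) \
 	DECLARE_LSM_RET_DEFAULT_##RET(DEFAULT, NAME)
 
@@ -747,25 +747,25 @@
 
 /* Security operations */
 
-int security_binder_set_context_mgr(struct task_struct *mgr)
+int security_binder_set_context_mgr(const struct cred *mgr)
 {
 	return call_int_hook(binder_set_context_mgr, 0, mgr);
 }
 
-int security_binder_transaction(struct task_struct *from,
-				struct task_struct *to)
+int security_binder_transaction(const struct cred *from,
+				const struct cred *to)
 {
 	return call_int_hook(binder_transaction, 0, from, to);
 }
 
-int security_binder_transfer_binder(struct task_struct *from,
-				    struct task_struct *to)
+int security_binder_transfer_binder(const struct cred *from,
+				    const struct cred *to)
 {
 	return call_int_hook(binder_transfer_binder, 0, from, to);
 }
 
-int security_binder_transfer_file(struct task_struct *from,
-				  struct task_struct *to, struct file *file)
+int security_binder_transfer_file(const struct cred *from,
+				  const struct cred *to, struct file *file)
 {
 	return call_int_hook(binder_transfer_file, 0, from, to, file);
 }
@@ -1052,11 +1052,12 @@
 }
 
 int security_dentry_init_security(struct dentry *dentry, int mode,
-				  const struct qstr *name, void **ctx,
-				  u32 *ctxlen)
+				  const struct qstr *name,
+				  const char **xattr_name, void **ctx,
+				  u32 *ctxlen)
 {
 	return call_int_hook(dentry_init_security, -EOPNOTSUPP, dentry, mode,
-				name, ctx, ctxlen);
+				name, xattr_name, ctx, ctxlen);
 }
 EXPORT_SYMBOL(security_dentry_init_security);
 
@@ -2626,3 +2625,15 @@
 	return call_int_hook(perf_event_write, 0, event);
 }
 #endif /* CONFIG_PERF_EVENTS */
+
+#ifdef CONFIG_IO_URING
+int security_uring_override_creds(const struct cred *new)
+{
+	return call_int_hook(uring_override_creds, 0, new);
+}
+
+int security_uring_sqpoll(void)
+{
+	return call_int_hook(uring_sqpoll, 0);
+}
+#endif /* CONFIG_IO_URING */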
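Review bot: security_uring_override_creds() and security_uring_sqpoll() in the last hunk are added without a kernel-doc header, even though they are the new LSM entry points for the io_uring credential override and polling-thread creation that this pull introduces. A header such as `/** security_uring_override_creds - check if the current task may override its creds for an io_uring op; @new: the target creds; Return: 0 if permitted, a negative errno if an LSM denies it */`, with a matching one for security_uring_sqpoll() ("check if the current task may create an io_uring polling thread"), gives LSM authors the contract in the one place they look; the wording mirrors the SELinux implementation's comments in this same pull. The new `xattr_name` out-parameter of security_dentry_init_security() would also benefit from a line in that function's header stating that it is only written when the hook returns 0, which is how the SELinux implementation in this pull behaves (it assigns it after its own checks pass), so callers do not read it on the -EOPNOTSUPP default.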
+12 -1
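--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -547,6 +547,7 @@
 
 /**
  * avc_lookup - Look up an AVC entry.
+ * @avc: the access vector cache
  * @ssid: source security identifier
  * @tsid: target security identifier
  * @tclass: target security class
@@ -598,6 +597,7 @@
 
 /**
  * avc_insert - Insert an AVC entry.
+ * @avc: the access vector cache
  * @ssid: source security identifier
  * @tsid: target security identifier
  * @tclass: target security class
@@ -827,9 +825,14 @@
 
 /**
  * avc_update_node - Update an AVC entry
+ * @avc: the access vector cache
  * @event : Updating event
  * @perms : Permission mask bits
- * @ssid,@tsid,@tclass : identifier of an AVC entry
+ * @driver: xperm driver information
+ * @xperm: xperm permissions
+ * @ssid: AVC entry source sid
+ * @tsid: AVC entry target sid
+ * @tclass : AVC entry target object class
  * @seqno : sequence number when decision was made
  * @xpd: extended_perms_decision to be added to the node
  * @flags: the AVC_* flags, e.g. AVC_EXTENDED_PERMS, or 0.
@@ -935,6 +928,7 @@
 
 /**
  * avc_flush - Flush the cache
+ * @avc: the access vector cache
  */
 static void avc_flush(struct selinux_avc *avc)
 {
@@ -964,6 +956,7 @@
 
 /**
  * avc_ss_reset - Flush the cache and revalidate migrated permissions.
+ * @avc: the access vector cache
  * @seqno: policy sequence number
  */
 int avc_ss_reset(struct selinux_avc *avc, u32 seqno)
@@ -1114,6 +1105,7 @@
 
 /**
  * avc_has_perm_noaudit - Check permissions but perform no auditing.
+ * @state: SELinux state
  * @ssid: source security identifier
  * @tsid: target security identifier
  * @tclass: target security class
@@ -1166,6 +1156,7 @@
 
 /**
  * avc_has_perm - Check permissions and perform any appropriate auditing.
+ * @state: SELinux state
  * @ssid: source security identifier
  * @tsid: target security identifier
  * @tclass: target security class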
+90 -149
security/selinux/hooks.c
··· 255 255 return sid; 256 256 } 257 257 258 - /* 259 - * get the security ID of a task for use with binder 260 - */ 261 - static inline u32 task_sid_binder(const struct task_struct *task) 262 - { 263 - /* 264 - * In many case where this function is used we should be using the 265 - * task's subjective SID, but we can't reliably access the subjective 266 - * creds of a task other than our own so we must use the objective 267 - * creds/SID, which are safe to access. The downside is that if a task 268 - * is temporarily overriding it's creds it will not be reflected here; 269 - * however, it isn't clear that binder would handle that case well 270 - * anyway. 271 - * 272 - * If this ever changes and we can safely reference the subjective 273 - * creds/SID of another task, this function will make it easier to 274 - * identify the various places where we make use of the task SIDs in 275 - * the binder code. It is also likely that we will need to adjust 276 - * the main drivers/android binder code as well. 277 - */ 278 - return task_sid_obj(task); 279 - } 280 - 281 258 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry); 282 259 283 260 /* ··· 737 760 !strcmp(sb->s_type->name, "tracefs") || 738 761 !strcmp(sb->s_type->name, "binder") || 739 762 !strcmp(sb->s_type->name, "bpf") || 740 - !strcmp(sb->s_type->name, "pstore")) 763 + !strcmp(sb->s_type->name, "pstore") || 764 + !strcmp(sb->s_type->name, "securityfs")) 741 765 sbsec->flags |= SE_SBGENFS; 742 766 743 767 if (!strcmp(sb->s_type->name, "sysfs") || ··· 2044 2066 2045 2067 /* Hook functions begin here. 
*/ 2046 2068 2047 - static int selinux_binder_set_context_mgr(struct task_struct *mgr) 2069 + static int selinux_binder_set_context_mgr(const struct cred *mgr) 2048 2070 { 2049 2071 return avc_has_perm(&selinux_state, 2050 - current_sid(), task_sid_binder(mgr), SECCLASS_BINDER, 2072 + current_sid(), cred_sid(mgr), SECCLASS_BINDER, 2051 2073 BINDER__SET_CONTEXT_MGR, NULL); 2052 2074 } 2053 2075 2054 - static int selinux_binder_transaction(struct task_struct *from, 2055 - struct task_struct *to) 2076 + static int selinux_binder_transaction(const struct cred *from, 2077 + const struct cred *to) 2056 2078 { 2057 2079 u32 mysid = current_sid(); 2058 - u32 fromsid = task_sid_binder(from); 2080 + u32 fromsid = cred_sid(from); 2081 + u32 tosid = cred_sid(to); 2059 2082 int rc; 2060 2083 2061 2084 if (mysid != fromsid) { ··· 2067 2088 return rc; 2068 2089 } 2069 2090 2070 - return avc_has_perm(&selinux_state, fromsid, task_sid_binder(to), 2091 + return avc_has_perm(&selinux_state, fromsid, tosid, 2071 2092 SECCLASS_BINDER, BINDER__CALL, NULL); 2072 2093 } 2073 2094 2074 - static int selinux_binder_transfer_binder(struct task_struct *from, 2075 - struct task_struct *to) 2095 + static int selinux_binder_transfer_binder(const struct cred *from, 2096 + const struct cred *to) 2076 2097 { 2077 2098 return avc_has_perm(&selinux_state, 2078 - task_sid_binder(from), task_sid_binder(to), 2099 + cred_sid(from), cred_sid(to), 2079 2100 SECCLASS_BINDER, BINDER__TRANSFER, 2080 2101 NULL); 2081 2102 } 2082 2103 2083 - static int selinux_binder_transfer_file(struct task_struct *from, 2084 - struct task_struct *to, 2104 + static int selinux_binder_transfer_file(const struct cred *from, 2105 + const struct cred *to, 2085 2106 struct file *file) 2086 2107 { 2087 - u32 sid = task_sid_binder(to); 2108 + u32 sid = cred_sid(to); 2088 2109 struct file_security_struct *fsec = selinux_file(file); 2089 2110 struct dentry *dentry = file->f_path.dentry; 2090 2111 struct inode_security_struct *isec; ··· 
2927 2948 } 2928 2949 2929 2950 static int selinux_dentry_init_security(struct dentry *dentry, int mode, 2930 - const struct qstr *name, void **ctx, 2951 + const struct qstr *name, 2952 + const char **xattr_name, void **ctx, 2931 2953 u32 *ctxlen) 2932 2954 { 2933 2955 u32 newsid; ··· 2940 2960 &newsid); 2941 2961 if (rc) 2942 2962 return rc; 2963 + 2964 + if (xattr_name) 2965 + *xattr_name = XATTR_NAME_SELINUX; 2943 2966 2944 2967 return security_sid_to_context(&selinux_state, newsid, (char **)ctx, 2945 2968 ctxlen); ··· 5671 5688 5672 5689 #ifdef CONFIG_NETFILTER 5673 5690 5674 - static unsigned int selinux_ip_forward(struct sk_buff *skb, 5675 - const struct net_device *indev, 5676 - u16 family) 5691 + static unsigned int selinux_ip_forward(void *priv, struct sk_buff *skb, 5692 + const struct nf_hook_state *state) 5677 5693 { 5678 - int err; 5694 + int ifindex; 5695 + u16 family; 5679 5696 char *addrp; 5680 5697 u32 peer_sid; 5681 5698 struct common_audit_data ad; 5682 5699 struct lsm_network_audit net = {0,}; 5683 - u8 secmark_active; 5684 - u8 netlbl_active; 5685 - u8 peerlbl_active; 5700 + int secmark_active, peerlbl_active; 5686 5701 5687 5702 if (!selinux_policycap_netpeer()) 5688 5703 return NF_ACCEPT; 5689 5704 5690 5705 secmark_active = selinux_secmark_enabled(); 5691 - netlbl_active = netlbl_enabled(); 5692 5706 peerlbl_active = selinux_peerlbl_enabled(); 5693 5707 if (!secmark_active && !peerlbl_active) 5694 5708 return NF_ACCEPT; 5695 5709 5710 + family = state->pf; 5696 5711 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 5697 5712 return NF_DROP; 5698 5713 5714 + ifindex = state->in->ifindex; 5699 5715 ad.type = LSM_AUDIT_DATA_NET; 5700 5716 ad.u.net = &net; 5701 - ad.u.net->netif = indev->ifindex; 5717 + ad.u.net->netif = ifindex; 5702 5718 ad.u.net->family = family; 5703 5719 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 5704 5720 return NF_DROP; 5705 5721 5706 5722 if (peerlbl_active) { 5707 - err = 
selinux_inet_sys_rcv_skb(dev_net(indev), indev->ifindex, 5723 + int err; 5724 + 5725 + err = selinux_inet_sys_rcv_skb(state->net, ifindex, 5708 5726 addrp, family, peer_sid, &ad); 5709 5727 if (err) { 5710 5728 selinux_netlbl_err(skb, family, err, 1); ··· 5719 5735 SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) 5720 5736 return NF_DROP; 5721 5737 5722 - if (netlbl_active) 5738 + if (netlbl_enabled()) 5723 5739 /* we do this in the FORWARD path and not the POST_ROUTING 5724 5740 * path because we want to make sure we apply the necessary 5725 5741 * labeling before IPsec is applied so we can leverage AH ··· 5730 5746 return NF_ACCEPT; 5731 5747 } 5732 5748 5733 - static unsigned int selinux_ipv4_forward(void *priv, 5734 - struct sk_buff *skb, 5735 - const struct nf_hook_state *state) 5736 - { 5737 - return selinux_ip_forward(skb, state->in, PF_INET); 5738 - } 5739 - 5740 - #if IS_ENABLED(CONFIG_IPV6) 5741 - static unsigned int selinux_ipv6_forward(void *priv, 5742 - struct sk_buff *skb, 5743 - const struct nf_hook_state *state) 5744 - { 5745 - return selinux_ip_forward(skb, state->in, PF_INET6); 5746 - } 5747 - #endif /* IPV6 */ 5748 - 5749 - static unsigned int selinux_ip_output(struct sk_buff *skb, 5750 - u16 family) 5749 + static unsigned int selinux_ip_output(void *priv, struct sk_buff *skb, 5750 + const struct nf_hook_state *state) 5751 5751 { 5752 5752 struct sock *sk; 5753 5753 u32 sid; ··· 5766 5798 sid = sksec->sid; 5767 5799 } else 5768 5800 sid = SECINITSID_KERNEL; 5769 - if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0) 5801 + if (selinux_netlbl_skbuff_setsid(skb, state->pf, sid) != 0) 5770 5802 return NF_DROP; 5771 5803 5772 5804 return NF_ACCEPT; 5773 5805 } 5774 5806 5775 - static unsigned int selinux_ipv4_output(void *priv, 5776 - struct sk_buff *skb, 5777 - const struct nf_hook_state *state) 5778 - { 5779 - return selinux_ip_output(skb, PF_INET); 5780 - } 5781 - 5782 - #if IS_ENABLED(CONFIG_IPV6) 5783 - static unsigned int selinux_ipv6_output(void 
*priv, 5784 - struct sk_buff *skb, 5785 - const struct nf_hook_state *state) 5786 - { 5787 - return selinux_ip_output(skb, PF_INET6); 5788 - } 5789 - #endif /* IPV6 */ 5790 5807 5791 5808 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, 5792 - int ifindex, 5793 - u16 family) 5809 + const struct nf_hook_state *state) 5794 5810 { 5795 - struct sock *sk = skb_to_full_sk(skb); 5811 + struct sock *sk; 5796 5812 struct sk_security_struct *sksec; 5797 5813 struct common_audit_data ad; 5798 5814 struct lsm_network_audit net = {0,}; 5799 - char *addrp; 5800 5815 u8 proto; 5801 5816 5817 + sk = skb_to_full_sk(skb); 5802 5818 if (sk == NULL) 5803 5819 return NF_ACCEPT; 5804 5820 sksec = sk->sk_security; 5805 5821 5806 5822 ad.type = LSM_AUDIT_DATA_NET; 5807 5823 ad.u.net = &net; 5808 - ad.u.net->netif = ifindex; 5809 - ad.u.net->family = family; 5810 - if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) 5824 + ad.u.net->netif = state->out->ifindex; 5825 + ad.u.net->family = state->pf; 5826 + if (selinux_parse_skb(skb, &ad, NULL, 0, &proto)) 5811 5827 return NF_DROP; 5812 5828 5813 5829 if (selinux_secmark_enabled()) ··· 5806 5854 return NF_ACCEPT; 5807 5855 } 5808 5856 5809 - static unsigned int selinux_ip_postroute(struct sk_buff *skb, 5810 - const struct net_device *outdev, 5811 - u16 family) 5857 + static unsigned int selinux_ip_postroute(void *priv, 5858 + struct sk_buff *skb, 5859 + const struct nf_hook_state *state) 5812 5860 { 5861 + u16 family; 5813 5862 u32 secmark_perm; 5814 5863 u32 peer_sid; 5815 - int ifindex = outdev->ifindex; 5864 + int ifindex; 5816 5865 struct sock *sk; 5817 5866 struct common_audit_data ad; 5818 5867 struct lsm_network_audit net = {0,}; 5819 5868 char *addrp; 5820 - u8 secmark_active; 5821 - u8 peerlbl_active; 5869 + int secmark_active, peerlbl_active; 5822 5870 5823 5871 /* If any sort of compatibility mode is enabled then handoff processing 5824 5872 * to the selinux_ip_postroute_compat() function to deal with the 5825 
5873 * special handling. We do this in an attempt to keep this function 5826 5874 * as fast and as clean as possible. */ 5827 5875 if (!selinux_policycap_netpeer()) 5828 - return selinux_ip_postroute_compat(skb, ifindex, family); 5876 + return selinux_ip_postroute_compat(skb, state); 5829 5877 5830 5878 secmark_active = selinux_secmark_enabled(); 5831 5879 peerlbl_active = selinux_peerlbl_enabled(); ··· 5851 5899 return NF_ACCEPT; 5852 5900 #endif 5853 5901 5902 + family = state->pf; 5854 5903 if (sk == NULL) { 5855 5904 /* Without an associated socket the packet is either coming 5856 5905 * from the kernel or it is being forwarded; check the packet ··· 5912 5959 secmark_perm = PACKET__SEND; 5913 5960 } 5914 5961 5962 + ifindex = state->out->ifindex; 5915 5963 ad.type = LSM_AUDIT_DATA_NET; 5916 5964 ad.u.net = &net; 5917 5965 ad.u.net->netif = ifindex; ··· 5930 5976 u32 if_sid; 5931 5977 u32 node_sid; 5932 5978 5933 - if (sel_netif_sid(dev_net(outdev), ifindex, &if_sid)) 5979 + if (sel_netif_sid(state->net, ifindex, &if_sid)) 5934 5980 return NF_DROP; 5935 5981 if (avc_has_perm(&selinux_state, 5936 5982 peer_sid, if_sid, ··· 5947 5993 5948 5994 return NF_ACCEPT; 5949 5995 } 5950 - 5951 - static unsigned int selinux_ipv4_postroute(void *priv, 5952 - struct sk_buff *skb, 5953 - const struct nf_hook_state *state) 5954 - { 5955 - return selinux_ip_postroute(skb, state->out, PF_INET); 5956 - } 5957 - 5958 - #if IS_ENABLED(CONFIG_IPV6) 5959 - static unsigned int selinux_ipv6_postroute(void *priv, 5960 - struct sk_buff *skb, 5961 - const struct nf_hook_state *state) 5962 - { 5963 - return selinux_ip_postroute(skb, state->out, PF_INET6); 5964 - } 5965 - #endif /* IPV6 */ 5966 - 5967 5996 #endif /* CONFIG_NETFILTER */ 5968 5997 5969 5998 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) ··· 6950 7013 } 6951 7014 #endif 6952 7015 6953 - static int selinux_lockdown(enum lockdown_reason what) 6954 - { 6955 - struct common_audit_data ad; 6956 - u32 sid = 
current_sid(); 6957 - int invalid_reason = (what <= LOCKDOWN_NONE) || 6958 - (what == LOCKDOWN_INTEGRITY_MAX) || 6959 - (what >= LOCKDOWN_CONFIDENTIALITY_MAX); 6960 - 6961 - if (WARN(invalid_reason, "Invalid lockdown reason")) { 6962 - audit_log(audit_context(), 6963 - GFP_ATOMIC, AUDIT_SELINUX_ERR, 6964 - "lockdown_reason=invalid"); 6965 - return -EINVAL; 6966 - } 6967 - 6968 - ad.type = LSM_AUDIT_DATA_LOCKDOWN; 6969 - ad.u.reason = what; 6970 - 6971 - if (what <= LOCKDOWN_INTEGRITY_MAX) 6972 - return avc_has_perm(&selinux_state, 6973 - sid, sid, SECCLASS_LOCKDOWN, 6974 - LOCKDOWN__INTEGRITY, &ad); 6975 - else 6976 - return avc_has_perm(&selinux_state, 6977 - sid, sid, SECCLASS_LOCKDOWN, 6978 - LOCKDOWN__CONFIDENTIALITY, &ad); 6979 - } 6980 - 6981 7016 struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = { 6982 7017 .lbs_cred = sizeof(struct task_security_struct), 6983 7018 .lbs_file = sizeof(struct file_security_struct), ··· 7019 7110 SECCLASS_PERF_EVENT, PERF_EVENT__WRITE, NULL); 7020 7111 } 7021 7112 #endif 7113 + 7114 + #ifdef CONFIG_IO_URING 7115 + /** 7116 + * selinux_uring_override_creds - check the requested cred override 7117 + * @new: the target creds 7118 + * 7119 + * Check to see if the current task is allowed to override it's credentials 7120 + * to service an io_uring operation. 7121 + */ 7122 + static int selinux_uring_override_creds(const struct cred *new) 7123 + { 7124 + return avc_has_perm(&selinux_state, current_sid(), cred_sid(new), 7125 + SECCLASS_IO_URING, IO_URING__OVERRIDE_CREDS, NULL); 7126 + } 7127 + 7128 + /** 7129 + * selinux_uring_sqpoll - check if a io_uring polling thread can be created 7130 + * 7131 + * Check to see if the current task is allowed to create a new io_uring 7132 + * kernel polling thread. 
7133 + */ 7134 + static int selinux_uring_sqpoll(void) 7135 + { 7136 + int sid = current_sid(); 7137 + 7138 + return avc_has_perm(&selinux_state, sid, sid, 7139 + SECCLASS_IO_URING, IO_URING__SQPOLL, NULL); 7140 + } 7141 + #endif /* CONFIG_IO_URING */ 7022 7142 7023 7143 /* 7024 7144 * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order: ··· 7287 7349 LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write), 7288 7350 #endif 7289 7351 7290 - LSM_HOOK_INIT(locked_down, selinux_lockdown), 7352 + #ifdef CONFIG_IO_URING 7353 + LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds), 7354 + LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll), 7355 + #endif 7291 7356 7292 7357 /* 7293 7358 * PUT "CLONING" (ACCESSING + ALLOCATING) HOOKS HERE ··· 7411 7470 7412 7471 static const struct nf_hook_ops selinux_nf_ops[] = { 7413 7472 { 7414 - .hook = selinux_ipv4_postroute, 7473 + .hook = selinux_ip_postroute, 7415 7474 .pf = NFPROTO_IPV4, 7416 7475 .hooknum = NF_INET_POST_ROUTING, 7417 7476 .priority = NF_IP_PRI_SELINUX_LAST, 7418 7477 }, 7419 7478 { 7420 - .hook = selinux_ipv4_forward, 7479 + .hook = selinux_ip_forward, 7421 7480 .pf = NFPROTO_IPV4, 7422 7481 .hooknum = NF_INET_FORWARD, 7423 7482 .priority = NF_IP_PRI_SELINUX_FIRST, 7424 7483 }, 7425 7484 { 7426 - .hook = selinux_ipv4_output, 7485 + .hook = selinux_ip_output, 7427 7486 .pf = NFPROTO_IPV4, 7428 7487 .hooknum = NF_INET_LOCAL_OUT, 7429 7488 .priority = NF_IP_PRI_SELINUX_FIRST, 7430 7489 }, 7431 7490 #if IS_ENABLED(CONFIG_IPV6) 7432 7491 { 7433 - .hook = selinux_ipv6_postroute, 7492 + .hook = selinux_ip_postroute, 7434 7493 .pf = NFPROTO_IPV6, 7435 7494 .hooknum = NF_INET_POST_ROUTING, 7436 7495 .priority = NF_IP6_PRI_SELINUX_LAST, 7437 7496 }, 7438 7497 { 7439 - .hook = selinux_ipv6_forward, 7498 + .hook = selinux_ip_forward, 7440 7499 .pf = NFPROTO_IPV6, 7441 7500 .hooknum = NF_INET_FORWARD, 7442 7501 .priority = NF_IP6_PRI_SELINUX_FIRST, 7443 7502 }, 7444 7503 { 7445 - .hook = 
selinux_ipv6_output, 7504 + .hook = selinux_ip_output, 7446 7505 .pf = NFPROTO_IPV6, 7447 7506 .hooknum = NF_INET_LOCAL_OUT, 7448 7507 .priority = NF_IP6_PRI_SELINUX_FIRST,
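--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -250,10 +250,10 @@
 { COMMON_SOCK_PERMS, NULL } },
 { "perf_event",
 { "open", "cpu", "kernel", "tracepoint", "read", "write", NULL } },
-{ "lockdown",
-{ "integrity", "confidentiality", NULL } },
 { "anon_inode",
 { COMMON_FILE_PERMS, NULL } },
+{ "io_uring",
+{ "override_creds", "sqpoll", NULL } },
 { NULL }
 };
 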
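Review bot: The new `io_uring` class is appended to secclass_map with no note on how policies that predate it behave. As I read security_compute_av(), a class the loaded policy does not define stays unmapped and the `override_creds`/`sqpoll` decisions then follow the policy's handle_unknown setting, so on an allow-unknown policy the new hooks are effectively no-ops while a deny-unknown policy refuses every io_uring credential override and SQPOLL thread outright. That consequence belongs in the commit description and the policy changelog, so that distributions ship the class definition before this kernel lands.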
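--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -29,6 +29,7 @@
 /**
 * selinux_netlbl_sidlookup_cached - Cache a SID lookup
 * @skb: the packet
+* @family: the packet's address family
 * @secattr: the NetLabel security attributes
 * @sid: the SID
 *
@@ -129,6 +128,7 @@
 /**
 * selinux_netlbl_err - Handle a NetLabel packet error
 * @skb: the packet
+* @family: the packet's address family
 * @error: the error code
 * @gateway: true if host is acting as a gateway, false otherwise
 *
@@ -162,7 +160,6 @@
 /**
 * selinux_netlbl_sk_security_reset - Reset the NetLabel fields
 * @sksec: the sk_security_struct
-* @family: the socket family
 *
 * Description:
 * Called when the NetLabel state of a sk_security_struct needs to be reset.
@@ -314,6 +313,7 @@
 /**
 * selinux_netlbl_inet_conn_request - Label an incoming stream connection
 * @req: incoming connection request socket
+* @family: the request socket's address family
 *
 * Description:
 * A new incoming connection request is represented by @req, we need to label
@@ -345,6 +343,7 @@
 /**
 * selinux_netlbl_inet_csk_clone - Initialize the newly created sock
 * @sk: the new sock
+* @family: the sock's address family
 *
 * Description:
 * A new connection has been established using @sk, we've already labeled the
@@ -381,7 +378,7 @@
 
 /**
 * selinux_netlbl_socket_post_create - Label a socket using NetLabel
-* @sock: the socket to label
+* @sk: the sock to label
 * @family: protocol family
 *
 * Description: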
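--- a/security/selinux/netport.c
+++ b/security/selinux/netport.c
@@ -73,7 +73,7 @@
 /**
 * sel_netport_find - Search for a port record
 * @protocol: protocol
-* @port: pnum
+* @pnum: port
 *
 * Description:
 * Search the network port table and return the matching record. If an entry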
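--- a/security/selinux/ss/hashtab.c
+++ b/security/selinux/ss/hashtab.c
@@ -8,6 +8,7 @@
 #include <linux/slab.h>
 #include <linux/errno.h>
 #include "hashtab.h"
+#include "security.h"
 
 static struct kmem_cache *hashtab_node_cachep __ro_after_init;
 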
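--- a/security/selinux/ss/mls.c
+++ b/security/selinux/ss/mls.c
@@ -553,6 +553,7 @@
 #ifdef CONFIG_NETLABEL
 /**
 * mls_export_netlbl_lvl - Export the MLS sensitivity levels to NetLabel
+* @p: the policy
 * @context: the security context
 * @secattr: the NetLabel security attributes
 *
@@ -575,6 +574,7 @@
 
 /**
 * mls_import_netlbl_lvl - Import the NetLabel MLS sensitivity levels
+* @p: the policy
 * @context: the security context
 * @secattr: the NetLabel security attributes
 *
@@ -597,6 +595,7 @@
 
 /**
 * mls_export_netlbl_cat - Export the MLS categories to NetLabel
+* @p: the policy
 * @context: the security context
 * @secattr: the NetLabel security attributes
 *
@@ -625,6 +622,7 @@
 
 /**
 * mls_import_netlbl_cat - Import the MLS categories from NetLabel
+* @p: the policy
 * @context: the security context
 * @secattr: the NetLabel security attributes
 *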
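--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1102,7 +1102,7 @@
 * @state: SELinux state
 * @ssid: source security identifier
 * @tsid: target security identifier
-* @tclass: target security class
+* @orig_tclass: target security class
 * @avd: access vector decisions
 * @xperms: extended permissions
 *
@@ -1626,6 +1626,7 @@
 * @scontext_len: length in bytes
 * @sid: security identifier, SID
 * @def_sid: default SID to assign on error
+* @gfp_flags: the allocator get-free-page (GFP) flags
 *
 * Obtains a SID associated with the security context that
 * has the string representation specified by @scontext.
@@ -1920,6 +1919,7 @@
 * @ssid: source security identifier
 * @tsid: target security identifier
 * @tclass: target security class
+* @qstr: object name
 * @out_sid: security identifier for new subject/object
 *
 * Compute a SID to use for labeling a new subject or object in the
@@ -1949,6 +1947,7 @@
 
 /**
 * security_member_sid - Compute the SID for member selection.
+* @state: SELinux state
 * @ssid: source security identifier
 * @tsid: target security identifier
 * @tclass: target security class
@@ -2276,6 +2273,7 @@
 * @state: SELinux state
 * @data: binary policy data
 * @len: length of data in bytes
+* @load_state: policy load state
 *
 * Load a new set of security policy configuration data,
 * validate it and convert the SID table as necessary.
@@ -2381,6 +2377,43 @@
 }
 
 /**
+* ocontext_to_sid - Helper to safely get sid for an ocontext
+* @sidtab: SID table
+* @c: ocontext structure
+* @index: index of the context entry (0 or 1)
+* @out_sid: pointer to the resulting SID value
+*
+* For all ocontexts except OCON_ISID the SID fields are populated
+* on-demand when needed. Since updating the SID value is an SMP-sensitive
+* operation, this helper must be used to do that safely.
+*
+* WARNING: This function may return -ESTALE, indicating that the caller
+* must retry the operation after re-acquiring the policy pointer!
+*/
+static int ocontext_to_sid(struct sidtab *sidtab, struct ocontext *c,
+size_t index, u32 *out_sid)
+{
+int rc;
+u32 sid;
+
+/* Ensure the associated sidtab entry is visible to this thread. */
+sid = smp_load_acquire(&c->sid[index]);
+if (!sid) {
+rc = sidtab_context_to_sid(sidtab, &c->context[index], &sid);
+if (rc)
+return rc;
+
+/*
+* Ensure the new sidtab entry is visible to other threads
+* when they see the SID.
+*/
+smp_store_release(&c->sid[index], sid);
+}
+*out_sid = sid;
+return 0;
+}
+
+/**
 * security_port_sid - Obtain the SID for a port.
 * @state: SELinux state
 * @protocol: protocol number
@@ -2455,17 +2414,13 @@
 }
 
 if (c) {
-if (!c->sid[0]) {
-rc = sidtab_context_to_sid(sidtab, &c->context[0],
-&c->sid[0]);
-if (rc == -ESTALE) {
-rcu_read_unlock();
-goto retry;
-}
-if (rc)
-goto out;
+rc = ocontext_to_sid(sidtab, c, 0, out_sid);
+if (rc == -ESTALE) {
+rcu_read_unlock();
+goto retry;
 }
-*out_sid = c->sid[0];
+if (rc)
+goto out;
 } else {
 *out_sid = SECINITSID_PORT;
 }
@@ -2510,18 +2473,13 @@
 }
 
 if (c) {
-if (!c->sid[0]) {
-rc = sidtab_context_to_sid(sidtab,
-&c->context[0],
-&c->sid[0]);
-if (rc == -ESTALE) {
-rcu_read_unlock();
-goto retry;
-}
-if (rc)
-goto out;
+rc = ocontext_to_sid(sidtab, c, 0, out_sid);
+if (rc == -ESTALE) {
+rcu_read_unlock();
+goto retry;
 }
-*out_sid = c->sid[0];
+if (rc)
+goto out;
 } else
 *out_sid = SECINITSID_UNLABELED;
 
@@ -2529,7 +2497,7 @@
 * security_ib_endport_sid - Obtain the SID for a subnet management interface.
 * @state: SELinux state
 * @dev_name: device name
-* @port: port number
+* @port_num: port number
 * @out_sid: security identifier
 */
 int security_ib_endport_sid(struct selinux_state *state,
@@ -2565,17 +2533,13 @@
 }
 
 if (c) {
-if (!c->sid[0]) {
-rc = sidtab_context_to_sid(sidtab, &c->context[0],
-&c->sid[0]);
-if (rc == -ESTALE) {
-rcu_read_unlock();
-goto retry;
-}
-if (rc)
-goto out;
+rc = ocontext_to_sid(sidtab, c, 0, out_sid);
+if (rc == -ESTALE) {
+rcu_read_unlock();
+goto retry;
 }
-*out_sid = c->sid[0];
+if (rc)
+goto out;
 } else
 *out_sid = SECINITSID_UNLABELED;
 
@@ -2615,25 +2587,13 @@
 }
 
 if (c) {
-if (!c->sid[0] || !c->sid[1]) {
-rc = sidtab_context_to_sid(sidtab, &c->context[0],
-&c->sid[0]);
-if (rc == -ESTALE) {
-rcu_read_unlock();
-goto retry;
-}
-if (rc)
-goto out;
-rc = sidtab_context_to_sid(sidtab, &c->context[1],
-&c->sid[1]);
-if (rc == -ESTALE) {
-rcu_read_unlock();
-goto retry;
-}
-if (rc)
-goto out;
+rc = ocontext_to_sid(sidtab, c, 0, if_sid);
+if (rc == -ESTALE) {
+rcu_read_unlock();
+goto retry;
 }
-*if_sid = c->sid[0];
+if (rc)
+goto out;
 } else
 *if_sid = SECINITSID_NETIF;
 
@@ -2713,18 +2697,13 @@
 }
 
 if (c) {
-if (!c->sid[0]) {
-rc = sidtab_context_to_sid(sidtab,
-&c->context[0],
-&c->sid[0]);
-if (rc == -ESTALE) {
-rcu_read_unlock();
-goto retry;
-}
-if (rc)
-goto out;
+rc = ocontext_to_sid(sidtab, c, 0, out_sid);
+if (rc == -ESTALE) {
+rcu_read_unlock();
+goto retry;
 }
-*out_sid = c->sid[0];
+if (rc)
+goto out;
 } else {
 *out_sid = SECINITSID_NODE;
 }
@@ -2860,9 +2849,10 @@
 
 /**
 * __security_genfs_sid - Helper to obtain a SID for a file in a filesystem
+* @policy: policy
 * @fstype: filesystem type
 * @path: path from root of mount
-* @sclass: file security class
+* @orig_sclass: file security class
 * @sid: SID for path
 *
 * Obtain a SID to use for a file in a filesystem that
@@ -2885,7 +2873,7 @@
 u16 sclass;
 struct genfs *genfs;
 struct ocontext *c;
-int rc, cmp = 0;
+int cmp = 0;
 
 while (path[0] == '/' && path[1] == '/')
 path++;
@@ -2899,9 +2887,8 @@
 break;
 }
 
-rc = -ENOENT;
 if (!genfs || cmp)
-goto out;
+return -ENOENT;
 
 for (c = genfs->head; c; c = c->next) {
 len = strlen(c->u.name);
@@ -2909,20 +2898,10 @@
 break;
 }
 
-rc = -ENOENT;
 if (!c)
-goto out;
+return -ENOENT;
 
-if (!c->sid[0]) {
-rc = sidtab_context_to_sid(sidtab, &c->context[0], &c->sid[0]);
-if (rc)
-goto out;
-}
-
-*sid = c->sid[0];
-rc = 0;
-out:
-return rc;
+return ocontext_to_sid(sidtab, c, 0, sid);
 }
 
 /**
@@ -2920,7 +2919,7 @@
 * @state: SELinux state
 * @fstype: filesystem type
 * @path: path from root of mount
-* @sclass: file security class
+* @orig_sclass: file security class
 * @sid: SID for path
 *
 * Acquire policy_rwlock before calling __security_genfs_sid() and release
@@ -2997,17 +2996,13 @@
 
 if (c) {
 sbsec->behavior = c->v.behavior;
-if (!c->sid[0]) {
-rc = sidtab_context_to_sid(sidtab, &c->context[0],
-&c->sid[0]);
-if (rc == -ESTALE) {
-rcu_read_unlock();
-goto retry;
-}
-if (rc)
-goto out;
+rc = ocontext_to_sid(sidtab, c, 0, &sbsec->sid);
+if (rc == -ESTALE) {
+rcu_read_unlock();
+goto retry;
 }
-sbsec->sid = c->sid[0];
+if (rc)
+goto out;
 } else {
 rc = __security_genfs_sid(policy, fstype, "/",
 SECCLASS_DIR, &sbsec->sid);
@@ -3302,6 +3305,7 @@
 * @nlbl_sid: NetLabel SID
 * @nlbl_type: NetLabel labeling protocol type
 * @xfrm_sid: XFRM SID
+* @peer_sid: network peer sid
 *
 * Description:
 * Compare the @nlbl_sid and @xfrm_sid values and if the two SIDs can be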
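Review bot: ocontext_to_sid() lets two CPUs pass the `!sid` check concurrently, each calling sidtab_context_to_sid() and each doing the smp_store_release(); that is only benign because sidtab_context_to_sid() hands back the existing SID for a context already in the table, and the comment above the store should say so, e.g. `/* A concurrent caller may already have stored the same SID; sidtab dedups contexts, so the duplicate store is harmless. */`. Secondly, __security_genfs_sid() now passes ocontext_to_sid()'s -ESTALE straight to its callers, yet its kernel-doc in the hunk at 2851 does not carry the WARNING that ocontext_to_sid() has, and the fallback call at 3012 in the security_fs_use hunk is cut off before its error handling, so I cannot confirm a retry path exists there. Lastly, the netif hunk at 2590 now populates only c->sid[0] where the removed code also computed c->sid[1]; if nothing reads the second SID of an OCON_NETIF entry this is a harmless cleanup, but it deserves a sentence in the commit message. The enclosing functions of every caller hunk begin outside the hunk.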
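--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -4700,6 +4700,48 @@
 return 0;
 }
 
+#ifdef CONFIG_IO_URING
+/**
+* smack_uring_override_creds - Is io_uring cred override allowed?
+* @new: the target creds
+*
+* Check to see if the current task is allowed to override it's credentials
+* to service an io_uring operation.
+*/
+static int smack_uring_override_creds(const struct cred *new)
+{
+struct task_smack *tsp = smack_cred(current_cred());
+struct task_smack *nsp = smack_cred(new);
+
+/*
+* Allow the degenerate case where the new Smack value is
+* the same as the current Smack value.
+*/
+if (tsp->smk_task == nsp->smk_task)
+return 0;
+
+if (smack_privileged_cred(CAP_MAC_OVERRIDE, current_cred()))
+return 0;
+
+return -EPERM;
+}
+
+/**
+* smack_uring_sqpoll - check if a io_uring polling thread can be created
+*
+* Check to see if the current task is allowed to create a new io_uring
+* kernel polling thread.
+*/
+static int smack_uring_sqpoll(void)
+{
+if (smack_privileged_cred(CAP_MAC_ADMIN, current_cred()))
+return 0;
+
+return -EPERM;
+}
+
+#endif /* CONFIG_IO_URING */
+
 struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = {
 .lbs_cred = sizeof(struct task_smack),
 .lbs_file = sizeof(struct smack_known *),
@@ -4894,6 +4852,10 @@
 LSM_HOOK_INIT(inode_copy_up, smack_inode_copy_up),
 LSM_HOOK_INIT(inode_copy_up_xattr, smack_inode_copy_up_xattr),
 LSM_HOOK_INIT(dentry_create_files_as, smack_dentry_create_files_as),
+#ifdef CONFIG_IO_URING
+LSM_HOOK_INIT(uring_override_creds, smack_uring_override_creds),
+LSM_HOOK_INIT(uring_sqpoll, smack_uring_sqpoll),
+#endif
 };
 
 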
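Review bot: smack_uring_override_creds() and smack_uring_sqpoll() return -EPERM with no audit record, whereas most Smack subject/object decisions go through smk_access()/smk_curacc() with an smk_audit_info so that denials reach the audit log; a refused credential override on an io_uring request is exactly the kind of event an operator wants to see, so consider routing these through the same audit helper, or at least state in the kernel-doc that denials from these two hooks are unaudited. The kernel-doc at 4708 also reads `it's credentials`; it should be `its credentials` (the SELinux counterpart in hooks.c carries the same wording). Both hooks are complete within the hunk.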