Linux-Fsdevel Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Casey Schaufler <casey@schaufler-ca.com>
To: Deven Bowers <deven.desai@linux.microsoft.com>,
agk@redhat.com, axboe@kernel.dk, snitzer@redhat.com,
jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com,
viro@zeniv.linux.org.uk, paul@paul-moore.com, eparis@redhat.com,
jannh@google.com, dm-devel@redhat.com,
linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-fsdevel@vger.kernel.org, linux-block@vger.kernel.org,
linux-audit@redhat.com
Cc: tyhicks@linux.microsoft.com, linux-kernel@vger.kernel.org,
corbet@lwn.net, sashal@kernel.org,
jaskarankhurana@linux.microsoft.com, mdsakib@microsoft.com,
nramas@linux.microsoft.com, pasha.tatshin@soleen.com,
Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: [RFC PATCH v4 05/12] fs: add security blob and hooks for block_device
Date: Fri, 17 Jul 2020 17:14:51 -0700 [thread overview]
Message-ID: <1843d707-c62e-fa13-c663-c123ea1205a0@schaufler-ca.com> (raw)
In-Reply-To: <20200717230941.1190744-6-deven.desai@linux.microsoft.com>
On 7/17/2020 4:09 PM, Deven Bowers wrote:
> Add a security blob and associated allocation, deallocation and set hooks
> for a block_device structure.
>
> Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
> ---
> fs/block_dev.c | 8 +++++
> include/linux/fs.h | 1 +
> include/linux/lsm_hook_defs.h | 5 +++
> include/linux/lsm_hooks.h | 11 +++++++
> include/linux/security.h | 22 +++++++++++++
> security/security.c | 61 +++++++++++++++++++++++++++++++++++
> 6 files changed, 108 insertions(+)
>
> diff --git a/fs/block_dev.c b/fs/block_dev.c
> index 0ae656e022fd..8602dd62c3e2 100644
> --- a/fs/block_dev.c
> +++ b/fs/block_dev.c
> @@ -34,6 +34,7 @@
> #include <linux/falloc.h>
> #include <linux/uaccess.h>
> #include <linux/suspend.h>
> +#include <linux/security.h>
> #include "internal.h"
>
> struct bdev_inode {
> @@ -768,11 +769,18 @@ static struct inode *bdev_alloc_inode(struct super_block *sb)
> struct bdev_inode *ei = kmem_cache_alloc(bdev_cachep, GFP_KERNEL);
> if (!ei)
> return NULL;
> +
> + if (unlikely(security_bdev_alloc(&ei->bdev))) {
> + kmem_cache_free(bdev_cachep, ei);
> + return NULL;
> + }
> +
> return &ei->vfs_inode;
> }
>
> static void bdev_free_inode(struct inode *inode)
> {
> + security_bdev_free(&BDEV_I(inode)->bdev);
> kmem_cache_free(bdev_cachep, BDEV_I(inode));
> }
>
> diff --git a/include/linux/fs.h b/include/linux/fs.h
> index f5abba86107d..42d7e3ce7712 100644
> --- a/include/linux/fs.h
> +++ b/include/linux/fs.h
> @@ -509,6 +509,7 @@ struct block_device {
> int bd_fsfreeze_count;
> /* Mutex for freeze */
> struct mutex bd_fsfreeze_mutex;
> + void *security;
> } __randomize_layout;
>
> /* XArray tags, for tagging dirty and writeback pages in the pagecache. */
> diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
> index af998f93d256..f3c0da0db4e8 100644
> --- a/include/linux/lsm_hook_defs.h
> +++ b/include/linux/lsm_hook_defs.h
> @@ -391,3 +391,8 @@ LSM_HOOK(void, LSM_RET_VOID, perf_event_free, struct perf_event *event)
> LSM_HOOK(int, 0, perf_event_read, struct perf_event *event)
> LSM_HOOK(int, 0, perf_event_write, struct perf_event *event)
> #endif /* CONFIG_PERF_EVENTS */
> +
> +LSM_HOOK(int, 0, bdev_alloc_security, struct block_device *bdev)
> +LSM_HOOK(void, LSM_RET_VOID, bdev_free_security, struct block_device *bdev)
> +LSM_HOOK(int, 0, bdev_setsecurity, struct block_device *bdev, const char *name,
> + const void *value, size_t size)
> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> index 95b7c1d32062..8a728b7dd32d 100644
> --- a/include/linux/lsm_hooks.h
> +++ b/include/linux/lsm_hooks.h
> @@ -1507,6 +1507,16 @@
> *
> * @what: kernel feature being accessed
> *
> + * @bdev_alloc_security:
> + * Initialize the security field inside a block_device structure.
> + *
> + * @bdev_free_security:
> + * Cleanup the security information stored inside a block_device structure.
> + *
> + * @bdev_setsecurity:
> + * Set the security property associated with @name for @bdev with
> + * value @value. @size indicates the size of the @value in bytes.
> + *
> * Security hooks for perf events
> *
> * @perf_event_open:
> @@ -1553,6 +1563,7 @@ struct lsm_blob_sizes {
> int lbs_ipc;
> int lbs_msg_msg;
> int lbs_task;
> + int lbs_bdev;
> };
>
> /*
> diff --git a/include/linux/security.h b/include/linux/security.h
> index 0a0a03b36a3b..8f83fdc6c65d 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -451,6 +451,11 @@ int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
> int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
> int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
> int security_locked_down(enum lockdown_reason what);
> +int security_bdev_alloc(struct block_device *bdev);
> +void security_bdev_free(struct block_device *bdev);
> +int security_bdev_setsecurity(struct block_device *bdev,
> + const char *name, const void *value,
> + size_t size);
> #else /* CONFIG_SECURITY */
>
> static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
> @@ -1291,6 +1296,23 @@ static inline int security_locked_down(enum lockdown_reason what)
> {
> return 0;
> }
> +
> +static inline int security_bdev_alloc(struct block_device *bdev)
> +{
> + return 0;
> +}
> +
> +static inline void security_bdev_free(struct block_device *bdev)
> +{
> +}
> +
> +static inline int security_bdev_setsecurity(struct block_device *bdev,
> + const char *name,
> + const void *value, size_t size)
> +{
> + return 0;
> +}
> +
> #endif /* CONFIG_SECURITY */
>
> #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE)
> diff --git a/security/security.c b/security/security.c
> index 70a7ad357bc6..8e61b7e6adfc 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -28,6 +28,7 @@
> #include <linux/string.h>
> #include <linux/msg.h>
> #include <net/flow.h>
> +#include <linux/fs.h>
>
> #define MAX_LSM_EVM_XATTR 2
>
> @@ -202,6 +203,7 @@ static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed)
> lsm_set_blob_size(&needed->lbs_ipc, &blob_sizes.lbs_ipc);
> lsm_set_blob_size(&needed->lbs_msg_msg, &blob_sizes.lbs_msg_msg);
> lsm_set_blob_size(&needed->lbs_task, &blob_sizes.lbs_task);
> + lsm_set_blob_size(&needed->lbs_bdev, &blob_sizes.lbs_bdev);
> }
>
> /* Prepare LSM for initialization. */
> @@ -337,6 +339,7 @@ static void __init ordered_lsm_init(void)
> init_debug("ipc blob size = %d\n", blob_sizes.lbs_ipc);
> init_debug("msg_msg blob size = %d\n", blob_sizes.lbs_msg_msg);
> init_debug("task blob size = %d\n", blob_sizes.lbs_task);
> + init_debug("bdev blob size = %d\n", blob_sizes.lbs_bdev);
>
> /*
> * Create any kmem_caches needed for blobs
> @@ -654,6 +657,28 @@ static int lsm_msg_msg_alloc(struct msg_msg *mp)
> return 0;
> }
>
> +/**
> + * lsm_bdev_alloc - allocate a composite block_device blob
> + * @bdev: the block_device that needs a blob
> + *
> + * Allocate the block_device blob for all the modules
> + *
> + * Returns 0, or -ENOMEM if memory can't be allocated.
> + */
> +static int lsm_bdev_alloc(struct block_device *bdev)
> +{
> + if (blob_sizes.lbs_bdev == 0) {
> + bdev->security = NULL;
> + return 0;
> + }
> +
> + bdev->security = kzalloc(blob_sizes.lbs_bdev, GFP_KERNEL);
> + if (!bdev->security)
> + return -ENOMEM;
> +
> + return 0;
> +}
> +
> /**
> * lsm_early_task - during initialization allocate a composite task blob
> * @task: the task that needs a blob
> @@ -2516,6 +2541,42 @@ int security_locked_down(enum lockdown_reason what)
> }
> EXPORT_SYMBOL(security_locked_down);
>
> +int security_bdev_alloc(struct block_device *bdev)
> +{
> + int rc = 0;
> +
> + rc = lsm_bdev_alloc(bdev);
> + if (unlikely(rc))
> + return rc;
> +
> + rc = call_int_hook(bdev_alloc_security, 0, bdev);
> + if (unlikely(rc))
> + security_bdev_free(bdev);
> +
> + return 0;
> +}
> +EXPORT_SYMBOL(security_bdev_alloc);
> +
> +void security_bdev_free(struct block_device *bdev)
> +{
> + if (!bdev->security)
> + return;
> +
> + call_void_hook(bdev_free_security, bdev);
> +
> + kfree(bdev->security);
> + bdev->security = NULL;
> +}
> +EXPORT_SYMBOL(security_bdev_free);
> +
> +int security_bdev_setsecurity(struct block_device *bdev,
> + const char *name, const void *value,
> + size_t size)
> +{
> + return call_int_hook(bdev_setsecurity, 0, bdev, name, value, size);
> +}
What is your expectation regarding multiple security modules using the
same @name? What do you expect a security module to do if it does not
support a particular @name? You may have a case where SELinux supports
a @name that AppArmor (or KSRI) doesn't. -ENOSYS may be you friend here.
> +EXPORT_SYMBOL(security_bdev_setsecurity);
> +
> #ifdef CONFIG_PERF_EVENTS
> int security_perf_event_open(struct perf_event_attr *attr, int type)
> {
next prev parent reply other threads:[~2020-07-18 0:15 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-17 23:09 [RFC PATCH v4 00/12] Integrity Policy Enforcement LSM (IPE) Deven Bowers
2020-07-17 23:09 ` [RFC PATCH v4 01/12] scripts: add ipe tooling to generate boot policy Deven Bowers
2020-07-17 23:09 ` [RFC PATCH v4 02/12] security: add ipe lsm evaluation loop and audit system Deven Bowers
2020-07-17 23:16 ` Randy Dunlap
2020-07-20 16:44 ` Deven Bowers
2020-07-17 23:09 ` [RFC PATCH v4 03/12] security: add ipe lsm policy parser and policy loading Deven Bowers
2020-07-17 23:09 ` [RFC PATCH v4 04/12] ipe: add property for trust of boot volume Deven Bowers
2020-07-17 23:09 ` [RFC PATCH v4 05/12] fs: add security blob and hooks for block_device Deven Bowers
2020-07-18 0:14 ` Casey Schaufler [this message]
2020-07-20 16:42 ` Deven Bowers
2020-07-17 23:09 ` [RFC PATCH v4 06/12] dm-verity: move signature check after tree validation Deven Bowers
2020-07-17 23:09 ` [RFC PATCH v4 07/12] dm-verity: add bdev_setsecurity hook for dm-verity signature Deven Bowers
2020-07-17 23:09 ` [RFC PATCH v4 08/12] ipe: add property for signed dmverity volumes Deven Bowers
2020-07-17 23:09 ` [RFC PATCH v4 09/12] dm-verity: add bdev_setsecurity hook for root-hash Deven Bowers
2020-07-17 23:09 ` [RFC PATCH v4 10/12] ipe: add property for dmverity roothash Deven Bowers
2020-07-17 23:09 ` [RFC PATCH v4 11/12] documentation: add ipe documentation Deven Bowers
2020-07-17 23:09 ` [RFC PATCH v4 12/12] cleanup: uapi/linux/audit.h Deven Bowers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1843d707-c62e-fa13-c663-c123ea1205a0@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=agk@redhat.com \
--cc=axboe@kernel.dk \
--cc=corbet@lwn.net \
--cc=deven.desai@linux.microsoft.com \
--cc=dm-devel@redhat.com \
--cc=eparis@redhat.com \
--cc=jannh@google.com \
--cc=jaskarankhurana@linux.microsoft.com \
--cc=jmorris@namei.org \
--cc=linux-audit@redhat.com \
--cc=linux-block@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mdsakib@microsoft.com \
--cc=nramas@linux.microsoft.com \
--cc=pasha.tatshin@soleen.com \
--cc=paul@paul-moore.com \
--cc=sashal@kernel.org \
--cc=serge@hallyn.com \
--cc=snitzer@redhat.com \
--cc=tyhicks@linux.microsoft.com \
--cc=viro@zeniv.linux.org.uk \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).