From: Casey Schaufler <casey@schaufler-ca.com>
To: casey@schaufler-ca.com, paul@paul-moore.com,
linux-security-module@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org,
john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp,
stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org,
mic@digikod.net
Subject: [PATCH v39 31/42] LSM: Exclusive secmark usage
Date: Fri, 15 Dec 2023 14:16:25 -0800 [thread overview]
Message-ID: <20231215221636.105680-32-casey@schaufler-ca.com> (raw)
In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com>
The network secmark can only be used by one security module
at a time. Establish mechanism to identify to security modules
whether they have access to the secmark. SELinux already
incorparates mechanism, but it has to be added to Smack and
AppArmor.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
include/linux/lsm_hooks.h | 1 +
security/apparmor/include/net.h | 5 +++++
security/apparmor/lsm.c | 7 ++++---
security/security.c | 6 ++++++
security/selinux/hooks.c | 4 +++-
security/smack/smack.h | 5 +++++
security/smack/smack_lsm.c | 3 ++-
security/smack/smack_netfilter.c | 10 ++++++++--
8 files changed, 34 insertions(+), 7 deletions(-)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 605aaf38c3f5..4deb1a4d2d1a 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -81,6 +81,7 @@ struct lsm_blob_sizes {
int lbs_msg_msg;
int lbs_task;
int lbs_xattr_count; /* number of xattr slots in new_xattrs array */
+ bool lbs_secmark; /* expressed desire for secmark use */
};
/**
diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h
index c42ed8a73f1c..2e43e1e8303c 100644
--- a/security/apparmor/include/net.h
+++ b/security/apparmor/include/net.h
@@ -51,6 +51,11 @@ struct aa_sk_ctx {
struct aa_label *peer;
};
+static inline bool aa_secmark(void)
+{
+ return apparmor_blob_sizes.lbs_secmark;
+}
+
static inline struct aa_sk_ctx *aa_sock(const struct sock *sk)
{
return sk->sk_security + apparmor_blob_sizes.lbs_sock;
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 075942b253ae..ab9b0b37f1f7 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -1322,7 +1322,7 @@ static int apparmor_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
{
struct aa_sk_ctx *ctx = aa_sock(sk);
- if (!skb->secmark)
+ if (!aa_secmark() || !skb->secmark)
return 0;
return apparmor_secmark_check(ctx->label, OP_RECVMSG, AA_MAY_RECEIVE,
@@ -1426,7 +1426,7 @@ static int apparmor_inet_conn_request(const struct sock *sk, struct sk_buff *skb
{
struct aa_sk_ctx *ctx = aa_sock(sk);
- if (!skb->secmark)
+ if (!aa_secmark() || !skb->secmark)
return 0;
return apparmor_secmark_check(ctx->label, OP_CONNECT, AA_MAY_CONNECT,
@@ -1442,6 +1442,7 @@ struct lsm_blob_sizes apparmor_blob_sizes __ro_after_init = {
.lbs_file = sizeof(struct aa_file_ctx),
.lbs_task = sizeof(struct aa_task_ctx),
.lbs_sock = sizeof(struct aa_sk_ctx),
+ .lbs_secmark = true,
};
static const struct lsm_id apparmor_lsmid = {
@@ -2105,7 +2106,7 @@ static unsigned int apparmor_ip_postroute(void *priv,
struct aa_sk_ctx *ctx;
struct sock *sk;
- if (!skb->secmark)
+ if (!aa_secmark() || !skb->secmark)
return NF_ACCEPT;
sk = skb_to_full_sk(skb);
diff --git a/security/security.c b/security/security.c
index 3f0a4c5094a5..8469816c0472 100644
--- a/security/security.c
+++ b/security/security.c
@@ -232,6 +232,12 @@ static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed)
lsm_set_blob_size(&needed->lbs_task, &blob_sizes.lbs_task);
lsm_set_blob_size(&needed->lbs_xattr_count,
&blob_sizes.lbs_xattr_count);
+ if (needed->lbs_secmark) {
+ if (!blob_sizes.lbs_secmark)
+ blob_sizes.lbs_secmark = true;
+ else
+ needed->lbs_secmark = false;
+ }
}
/* Prepare LSM for initialization. */
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index a6deccbbcc40..3e590f632f59 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -164,7 +164,8 @@ __setup("checkreqprot=", checkreqprot_setup);
*/
static int selinux_secmark_enabled(void)
{
- return (selinux_policycap_alwaysnetwork() ||
+ return selinux_blob_sizes.lbs_secmark &&
+ (selinux_policycap_alwaysnetwork() ||
atomic_read(&selinux_secmark_refcount));
}
@@ -6969,6 +6970,7 @@ struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = {
.lbs_sock = sizeof(struct sk_security_struct),
.lbs_superblock = sizeof(struct superblock_security_struct),
.lbs_xattr_count = SELINUX_INODE_INIT_XATTRS,
+ .lbs_secmark = true,
};
#ifdef CONFIG_PERF_EVENTS
diff --git a/security/smack/smack.h b/security/smack/smack.h
index 297f21446f45..0f5bc5c03b9e 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -369,6 +369,11 @@ static inline int smk_inode_transmutable(const struct inode *isp)
return (sip->smk_flags & SMK_INODE_TRANSMUTE) != 0;
}
+static inline bool smack_secmark(void)
+{
+ return smack_blob_sizes.lbs_secmark;
+}
+
/*
* Present a pointer to the smack label entry in an inode blob.
*/
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index a9ab31a40e36..c93e81facf1b 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -4090,7 +4090,7 @@ static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip)
#ifdef CONFIG_NETWORK_SECMARK
static struct smack_known *smack_from_skb(struct sk_buff *skb)
{
- if (skb == NULL || skb->secmark == 0)
+ if (!smack_secmark() || skb == NULL || skb->secmark == 0)
return NULL;
return smack_from_secid(skb->secmark);
@@ -5064,6 +5064,7 @@ struct lsm_blob_sizes smack_blob_sizes __ro_after_init = {
.lbs_sock = sizeof(struct socket_smack),
.lbs_superblock = sizeof(struct superblock_smack),
.lbs_xattr_count = SMACK_INODE_INIT_XATTRS,
+ .lbs_secmark = true,
};
static const struct lsm_id smack_lsmid = {
diff --git a/security/smack/smack_netfilter.c b/security/smack/smack_netfilter.c
index bad71b7e648d..fd146e3a2286 100644
--- a/security/smack/smack_netfilter.c
+++ b/security/smack/smack_netfilter.c
@@ -26,7 +26,7 @@ static unsigned int smack_ip_output(void *priv,
struct socket_smack *ssp;
struct smack_known *skp;
- if (sk) {
+ if (smack_secmark() && sk) {
ssp = smack_sock(sk);
skp = ssp->smk_out;
skb->secmark = skp->smk_secid;
@@ -54,12 +54,18 @@ static const struct nf_hook_ops smack_nf_ops[] = {
static int __net_init smack_nf_register(struct net *net)
{
+ if (!smack_secmark())
+ return 0;
+
return nf_register_net_hooks(net, smack_nf_ops,
ARRAY_SIZE(smack_nf_ops));
}
static void __net_exit smack_nf_unregister(struct net *net)
{
+ if (!smack_secmark())
+ return;
+
nf_unregister_net_hooks(net, smack_nf_ops, ARRAY_SIZE(smack_nf_ops));
}
@@ -70,7 +76,7 @@ static struct pernet_operations smack_net_ops = {
static int __init smack_nf_ip_init(void)
{
- if (smack_enabled == 0)
+ if (smack_enabled == 0 || !smack_secmark())
return 0;
printk(KERN_DEBUG "Smack: Registering netfilter hooks\n");
--
2.41.0
next prev parent reply other threads:[~2023-12-15 22:40 UTC|newest]
Thread overview: 63+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20231215221636.105680-1-casey.ref@schaufler-ca.com>
2023-12-15 22:15 ` [PATCH v39 00/42] LSM: General module stacking Casey Schaufler
2023-12-15 22:15 ` [PATCH v39 01/42] integrity: disassociate ima_filter_rule from security_audit_rule Casey Schaufler
2024-03-06 9:54 ` Roberto Sassu
2024-03-06 16:56 ` Casey Schaufler
2024-03-07 7:56 ` Roberto Sassu
2024-06-21 16:50 ` Paul Moore
2024-06-21 19:07 ` Paul Moore
2024-06-21 20:23 ` Mimi Zohar
2024-06-21 20:34 ` Roberto Sassu
2024-06-21 21:19 ` Paul Moore
2024-06-21 21:18 ` Paul Moore
2023-12-15 22:15 ` [PATCH v39 02/42] SM: Infrastructure management of the sock security Casey Schaufler
2024-06-21 20:31 ` Paul Moore
2024-06-21 22:24 ` Casey Schaufler
2024-06-23 19:57 ` Paul Moore
2023-12-15 22:15 ` [PATCH v39 03/42] LSM: Add the lsmblob data structure Casey Schaufler
2023-12-15 22:15 ` [PATCH v39 04/42] IMA: avoid label collisions with stacked LSMs Casey Schaufler
2024-03-06 10:09 ` Roberto Sassu
2024-03-06 17:04 ` Casey Schaufler
2024-03-07 8:15 ` Roberto Sassu
2024-03-07 17:36 ` Casey Schaufler
2023-12-15 22:15 ` [PATCH v39 05/42] LSM: Use lsmblob in security_audit_rule_match Casey Schaufler
2023-12-15 22:16 ` [PATCH v39 06/42] LSM: Add lsmblob_to_secctx hook Casey Schaufler
2023-12-15 22:16 ` [PATCH v39 07/42] Audit: maintain an lsmblob in audit_context Casey Schaufler
2023-12-15 22:16 ` [PATCH v39 08/42] LSM: Use lsmblob in security_ipc_getsecid Casey Schaufler
2023-12-15 22:16 ` [PATCH v39 09/42] Audit: Update shutdown LSM data Casey Schaufler
2023-12-15 22:16 ` [PATCH v39 10/42] LSM: Use lsmblob in security_current_getsecid Casey Schaufler
2023-12-15 22:16 ` [PATCH v39 11/42] LSM: Use lsmblob in security_inode_getsecid Casey Schaufler
2023-12-15 22:16 ` [PATCH v39 12/42] Audit: use an lsmblob in audit_names Casey Schaufler
2023-12-15 22:16 ` [PATCH v39 13/42] LSM: Create new security_cred_getlsmblob LSM hook Casey Schaufler
2023-12-15 22:16 ` [PATCH v39 14/42] Audit: Change context data from secid to lsmblob Casey Schaufler
2023-12-15 22:16 ` [PATCH v39 15/42] Netlabel: Use lsmblob for audit data Casey Schaufler
2023-12-15 22:16 ` [PATCH v39 16/42] LSM: Ensure the correct LSM context releaser Casey Schaufler
2023-12-15 22:16 ` [PATCH v39 17/42] LSM: Use lsmcontext in security_secid_to_secctx Casey Schaufler
2023-12-15 22:16 ` [PATCH v39 18/42] LSM: Use lsmcontext in security_lsmblob_to_secctx Casey Schaufler
2023-12-15 22:16 ` [PATCH v39 19/42] LSM: Use lsmcontext in security_inode_getsecctx Casey Schaufler
2023-12-15 22:16 ` [PATCH v39 20/42] LSM: Use lsmcontext in security_dentry_init_security Casey Schaufler
2023-12-18 2:50 ` Xiubo Li
2023-12-18 16:55 ` Casey Schaufler
2023-12-15 22:16 ` [PATCH v39 21/42] LSM: security_lsmblob_to_secctx module selection Casey Schaufler
2023-12-15 22:16 ` [PATCH v39 22/42] Audit: Create audit_stamp structure Casey Schaufler
2023-12-15 22:16 ` [PATCH v39 23/42] Audit: Allow multiple records in an audit_buffer Casey Schaufler
2023-12-15 22:16 ` [PATCH v39 24/42] Audit: Add record for multiple task security contexts Casey Schaufler
2023-12-15 22:16 ` [PATCH v39 25/42] audit: multiple subject lsm values for netlabel Casey Schaufler
2023-12-15 22:16 ` [PATCH v39 26/42] Audit: Add record for multiple object contexts Casey Schaufler
2023-12-15 22:16 ` [PATCH v39 27/42] LSM: Remove unused lsmcontext_init() Casey Schaufler
2023-12-15 22:16 ` [PATCH v39 28/42] LSM: Improve logic in security_getprocattr Casey Schaufler
2023-12-15 22:16 ` [PATCH v39 29/42] LSM: secctx provider check on release Casey Schaufler
2023-12-15 22:16 ` [PATCH v39 30/42] LSM: Single calls in socket_getpeersec hooks Casey Schaufler
2023-12-15 22:16 ` Casey Schaufler [this message]
2023-12-15 22:16 ` [PATCH v39 32/42] LSM: Identify which LSM handles the context string Casey Schaufler
2023-12-15 22:16 ` [PATCH v39 33/42] AppArmor: Remove the exclusive flag Casey Schaufler
2023-12-15 22:16 ` [PATCH v39 34/42] LSM: Add mount opts blob size tracking Casey Schaufler
2023-12-15 22:16 ` [PATCH v39 35/42] LSM: allocate mnt_opts blobs instead of module specific data Casey Schaufler
2023-12-15 22:16 ` [PATCH v39 36/42] LSM: Infrastructure management of the key security blob Casey Schaufler
2023-12-15 22:16 ` [PATCH v39 37/42] LSM: Infrastructure management of the mnt_opts " Casey Schaufler
2023-12-15 22:16 ` [PATCH v39 38/42] LSM: Correct handling of ENOSYS in inode_setxattr Casey Schaufler
2023-12-15 22:16 ` [PATCH v39 39/42] LSM: Remove lsmblob scaffolding Casey Schaufler
2023-12-15 22:16 ` [PATCH v39 40/42] LSM: Allow reservation of netlabel Casey Schaufler
2023-12-15 22:16 ` [PATCH v39 41/42] LSM: restrict security_cred_getsecid() to a single LSM Casey Schaufler
2023-12-15 22:16 ` [PATCH v39 42/42] Smack: Remove LSM_FLAG_EXCLUSIVE Casey Schaufler
2023-12-18 2:18 ` Leesoo Ahn
2024-02-02 0:24 ` [PATCH v39 00/42] LSM: General module stacking John Johansen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231215221636.105680-32-casey@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=serge@hallyn.com \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).