On Wed, 2017-04-26 at 08:38 -0700, Casey Schaufler wrote:
> On 4/26/2017 8:02 AM, Sebastien Buisson wrote:
> > From: Daniel Jurgens <danielj@xxxxxxxxxxxx>
> >
> > Add a generic notification mechanism in the LSM. Interested
> > consumers
> > can register a callback with the LSM and security modules can
> > produce
> > events.
>
> Why is this a generic mechanism? Do you ever see anyone
> other than SELinux using it?
I do - any security module that wants to support access control over
Lustre filesystems or Infiniband. Seems ironic for you to be arguing
for a SELinux-specific interface rather than a LSM interface.
>
> > Add a call to the notification mechanism from SELinux when the AVC
> > cache changes.
>
> This seems like a whole lot of mechanism for
> something you could accomplish with a log message.
> What am I missing?
It's a notification to a kernel subsystem that policy has changed so
that the subsystem can update any cached state.
>
> >
> > Signed-off-by: Daniel Jurgens <danielj@xxxxxxxxxxxx>
> > Signed-off-by: Sebastien Buisson <sbuisson@xxxxxxx>
> > ---
> > include/linux/security.h | 23 +++++++++++++++++++++++
> > security/security.c | 20 ++++++++++++++++++++
> > security/selinux/hooks.c | 12 ++++++++++++
> > 3 files changed, 55 insertions(+)
> >
> > diff --git a/include/linux/security.h b/include/linux/security.h
> > index af675b5..73a9c93 100644
> > --- a/include/linux/security.h
> > +++ b/include/linux/security.h
> > @@ -68,6 +68,10 @@
> > struct user_namespace;
> > struct timezone;
> >
> > +enum lsm_event {
> > + LSM_POLICY_CHANGE,
> > +};
> > +
> > /* These functions are in security/commoncap.c */
> > extern int cap_capable(const struct cred *cred, struct
> > user_namespace *ns,
> > int cap, int audit);
> > @@ -163,6 +167,10 @@ struct security_mnt_opts {
> > int num_mnt_opts;
> > };
> >
> > +int call_lsm_notifier(enum lsm_event event, void *data);
> > +int register_lsm_notifier(struct notifier_block *nb);
> > +int unregister_lsm_notifier(struct notifier_block *nb);
> > +
> > static inline void security_init_mnt_opts(struct security_mnt_opts
> > *opts)
> > {
> > opts->mnt_opts = NULL;
> > @@ -381,6 +389,21 @@ int security_sem_semop(struct sem_array *sma,
> > struct sembuf *sops,
> > struct security_mnt_opts {
> > };
> >
> > +static inline int call_lsm_notifier(enum lsm_event event, void
> > *data)
> > +{
> > + return 0;
> > +}
> > +
> > +static inline int register_lsm_notifier(struct notifier_block *nb)
> > +{
> > + return 0;
> > +}
> > +
> > +static inline int unregister_lsm_notifier(struct notifier_block
> > *nb)
> > +{
> > + return 0;
> > +}
> > +
> > static inline void security_init_mnt_opts(struct security_mnt_opts
> > *opts)
> > {
> > }
> > diff --git a/security/security.c b/security/security.c
> > index b9fea39..ef9d9e1 100644
> > --- a/security/security.c
> > +++ b/security/security.c
> > @@ -32,6 +32,8 @@
> > /* Maximum number of letters for an LSM name string */
> > #define SECURITY_NAME_MAX 10
> >
> > +static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain);
> > +
> > struct security_hook_heads security_hook_heads
> > __lsm_ro_after_init;
> > char *lsm_names;
> > /* Boot-time LSM user choice */
> > @@ -146,6 +148,24 @@ void __init security_add_hooks(struct
> > security_hook_list *hooks, int count,
> > panic("%s - Cannot get early memory.\n",
> > __func__);
> > }
> >
> > +int call_lsm_notifier(enum lsm_event event, void *data)
> > +{
> > + return atomic_notifier_call_chain(&lsm_notifier_chain,
> > event, data);
> > +}
> > +EXPORT_SYMBOL(call_lsm_notifier);
> > +
> > +int register_lsm_notifier(struct notifier_block *nb)
> > +{
> > + return atomic_notifier_chain_register(&lsm_notifier_chain,
> > nb);
> > +}
> > +EXPORT_SYMBOL(register_lsm_notifier);
> > +
> > +int unregister_lsm_notifier(struct notifier_block *nb)
> > +{
> > + return
> > atomic_notifier_chain_unregister(&lsm_notifier_chain, nb);
> > +}
> > +EXPORT_SYMBOL(unregister_lsm_notifier);
> > +
> > /*
> > * Hook list operation macros.
> > *
> > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> > index e67a526..a4d36f8 100644
> > --- a/security/selinux/hooks.c
> > +++ b/security/selinux/hooks.c
> > @@ -171,6 +171,14 @@ static int selinux_netcache_avc_callback(u32
> > event)
> > return 0;
> > }
> >
> > +static int selinux_lsm_notifier_avc_callback(u32 event)
> > +{
> > + if (event == AVC_CALLBACK_RESET)
> > + call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
> > +
> > + return 0;
> > +}
> > +
> > /*
> > * initialise the security for the init task
> > */
> > @@ -6379,6 +6387,10 @@ static __init int selinux_init(void)
> > if (avc_add_callback(selinux_netcache_avc_callback,
> > AVC_CALLBACK_RESET))
> > panic("SELinux: Unable to register AVC netcache
> > callback\n");
> >
> > + if (avc_add_callback(selinux_lsm_notifier_avc_callback,
> > + AVC_CALLBACK_RESET))
> > + panic("SELinux: Unable to register AVC LSM
> > notifier callback\n");
> > +
> > if (selinux_enforcing)
> > printk(KERN_DEBUG "SELinux: Starting in enforcing
> > mode\n");
> > else
