On Thursday, 2/28/2019 at 5:18 PM, Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:
> Convert the kernel_ask_as hooks to use the lsm_export
Should be act_as, not? ^^
> structure instead of a u32 secid. There is some scaffolding
> involved that will be removed when security_kernel_ask_as()
> is updated.
>
> Signed-off-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
> ---
> include/linux/lsm_hooks.h | 4 ++--
> security/security.c | 15 ++++++++++++++-
> security/selinux/hooks.c | 17 ++++++++++++++---
> security/smack/smack_lsm.c | 12 +++++++++++-
> 4 files changed, 41 insertions(+), 7 deletions(-)
>
> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> index 44597189fea4..796eb441be95 100644
> --- a/include/linux/lsm_hooks.h
> +++ b/include/linux/lsm_hooks.h
> @@ -562,7 +562,7 @@
> * @kernel_act_as:
> * Set the credentials for a kernel service to act as (subjective context).
> * @new points to the credentials to be modified.
> - * @secid specifies the security ID to be set
> + * @l specifies the security data to be set
> * The current task must be the one that nominated @secid.
> * Return 0 if successful.
> * @kernel_create_files_as:
> @@ -1588,7 +1588,7 @@ union security_list_options {
> gfp_t gfp);
> void (*cred_transfer)(struct cred *new, const struct cred *old);
> void (*cred_getsecid)(const struct cred *c, struct lsm_export *l);
> - int (*kernel_act_as)(struct cred *new, u32 secid);
> + int (*kernel_act_as)(struct cred *new, struct lsm_export *l);
> int (*kernel_create_files_as)(struct cred *new, struct inode *inode);
> int (*kernel_module_request)(char *kmod_name);
> int (*kernel_load_data)(enum kernel_load_data_id id);
> diff --git a/security/security.c b/security/security.c
> index 909b6b8d1a50..1a29fe08a5d9 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -738,6 +738,15 @@ static inline void lsm_export_secid(struct lsm_export *data, u32 *secid)
> }
> }
>
> +static inline void lsm_export_to_all(struct lsm_export *data, u32 secid)
> +{
> + data->selinux = secid;
> + data->smack = secid;
> + data->apparmor = secid;
> + data->flags = LSM_EXPORT_SELINUX | LSM_EXPORT_SMACK |
> + LSM_EXPORT_APPARMOR;
> +}
> +
> /* Security operations */
>
> int security_binder_set_context_mgr(struct task_struct *mgr)
> @@ -1633,7 +1642,11 @@ EXPORT_SYMBOL(security_cred_getsecid);
>
> int security_kernel_act_as(struct cred *new, u32 secid)
> {
> - return call_int_hook(kernel_act_as, 0, new, secid);
> + struct lsm_export data = { .flags = LSM_EXPORT_NONE };
> +
> + lsm_export_to_all(&data, secid);
> +
> + return call_int_hook(kernel_act_as, 0, new, &data);
> }
>
> int security_kernel_create_files_as(struct cred *new, struct inode *inode)
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 6f61a894f7c5..efcd905bdabf 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -220,6 +220,14 @@ static inline void selinux_export_secid(struct lsm_export *l, u32 secid)
> l->flags |= LSM_EXPORT_SELINUX;
> }
>
> +static inline void selinux_import_secid(struct lsm_export *l, u32 *secid)
> +{
> + if (l->flags | LSM_EXPORT_SELINUX)
> + *secid = l->selinux;
> + else
> + *secid = SECSID_NULL;
> +}
> +
> /*
> * get the security ID of a set of credentials
> */
> @@ -3669,19 +3677,22 @@ static void selinux_cred_getsecid(const struct cred *c, struct lsm_export *l)
> * set the security data for a kernel service
> * - all the creation contexts are set to unlabelled
> */
> -static int selinux_kernel_act_as(struct cred *new, u32 secid)
> +static int selinux_kernel_act_as(struct cred *new, struct lsm_export *l)
> {
> struct task_security_struct *tsec = selinux_cred(new);
> + u32 nsid;
> u32 sid = current_sid();
> int ret;
>
> + selinux_import_secid(l, &nsid);
> +
> ret = avc_has_perm(&selinux_state,
> - sid, secid,
> + sid, nsid,
> SECCLASS_KERNEL_SERVICE,
> KERNEL_SERVICE__USE_AS_OVERRIDE,
> NULL);
> if (ret == 0) {
> - tsec->sid = secid;
> + tsec->sid = nsid;
> tsec->create_sid = 0;
> tsec->keycreate_sid = 0;
> tsec->sockcreate_sid = 0;
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index d5ff34a5803b..0e1f6ef25eb2 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -473,6 +473,14 @@ static inline void smack_export_secid(struct lsm_export *l, u32 secid)
> l->flags |= LSM_EXPORT_SMACK;
> }
>
> +static inline void smack_import_secid(struct lsm_export *l, u32 *secid)
> +{
> + if (l->flags | LSM_EXPORT_SMACK)
> + *secid = l->smack;
> + else
> + *secid = 0;
> +}
> +
> /*
> * LSM hooks.
> * We he, that is fun!
> @@ -1910,10 +1918,12 @@ static void smack_cred_getsecid(const struct cred *cred, struct lsm_export *l)
> *
> * Set the security data for a kernel service.
> */
> -static int smack_kernel_act_as(struct cred *new, u32 secid)
> +static int smack_kernel_act_as(struct cred *new, struct lsm_export *l)
> {
> + u32 secid;
> struct task_smack *new_tsp = smack_cred(new);
>
> + smack_import_secid(l, &secid);
> new_tsp->smk_task = smack_from_secid(secid);
> return 0;
> }
> --
> 2.17.0
