On 1/9/2023 1:38 PM, T.J. Mercier wrote:
> Any process can cause a memory charge transfer to occur to any other
> process when transmitting a file descriptor through binder. This should
> only be possible for central allocator processes,
How is a "central allocator process" identified? If I have a LSM that
is not SELinux (e.g. AppArmor, Smack) or no LSM at all, how can/should this
be enforced? Why isn't binder enforcing this restriction itself?
> so a new SELinux
> permission is added to restrict which processes are allowed to initiate
> these charge transfers.
Which is all perfectly reasonable if you have SELinux.
>
> Signed-off-by: T.J. Mercier <tjmercier@xxxxxxxxxx>
> ---
> drivers/android/binder.c | 5 +++++
> include/linux/lsm_hook_defs.h | 2 ++
> include/linux/lsm_hooks.h | 6 ++++++
> include/linux/security.h | 2 ++
> security/security.c | 6 ++++++
> security/selinux/hooks.c | 9 +++++++++
> security/selinux/include/classmap.h | 2 +-
> 7 files changed, 31 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/android/binder.c b/drivers/android/binder.c
> index 9830848c8d25..9063db04826d 100644
> --- a/drivers/android/binder.c
> +++ b/drivers/android/binder.c
> @@ -2279,6 +2279,11 @@ static int binder_translate_fd(u32 fd, binder_size_t fd_offset, __u32 flags,
> if (IS_ENABLED(CONFIG_MEMCG) && (flags & BINDER_FD_FLAG_XFER_CHARGE)) {
> struct dma_buf *dmabuf;
>
> + if (security_binder_transfer_charge(proc->cred, target_proc->cred)) {
> + ret = -EPERM;
> + goto err_security;
> + }
> +
> if (unlikely(!is_dma_buf_file(file))) {
> binder_user_error(
> "%d:%d got transaction with XFER_CHARGE for non-dmabuf fd, %d\n",
> diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
> index ed6cb2ac55fa..8db2a958557e 100644
> --- a/include/linux/lsm_hook_defs.h
> +++ b/include/linux/lsm_hook_defs.h
> @@ -33,6 +33,8 @@ LSM_HOOK(int, 0, binder_transfer_binder, const struct cred *from,
> const struct cred *to)
> LSM_HOOK(int, 0, binder_transfer_file, const struct cred *from,
> const struct cred *to, struct file *file)
> +LSM_HOOK(int, 0, binder_transfer_charge, const struct cred *from,
> + const struct cred *to)
> LSM_HOOK(int, 0, ptrace_access_check, struct task_struct *child,
> unsigned int mode)
> LSM_HOOK(int, 0, ptrace_traceme, struct task_struct *parent)
> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> index 0a5ba81f7367..39c40c7bf519 100644
> --- a/include/linux/lsm_hooks.h
> +++ b/include/linux/lsm_hooks.h
> @@ -1385,6 +1385,12 @@
> * @file contains the struct file being transferred.
> * @to contains the struct cred for the receiving process.
> * Return 0 if permission is granted.
> + * @binder_transfer_charge:
> + * Check whether @from is allowed to transfer the memory charge for a
> + * buffer out of its cgroup to @to.
> + * @from contains the struct cred for the sending process.
> + * @to contains the struct cred for the receiving process.
> + * Return 0 if permission is granted.
> *
> * @ptrace_access_check:
> * Check permission before allowing the current process to trace the
> diff --git a/include/linux/security.h b/include/linux/security.h
> index 5b67f208f7de..3b7472308430 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -270,6 +270,8 @@ int security_binder_transfer_binder(const struct cred *from,
> const struct cred *to);
> int security_binder_transfer_file(const struct cred *from,
> const struct cred *to, struct file *file);
> +int security_binder_transfer_charge(const struct cred *from,
> + const struct cred *to);
> int security_ptrace_access_check(struct task_struct *child, unsigned int mode);
> int security_ptrace_traceme(struct task_struct *parent);
> int security_capget(struct task_struct *target,
> diff --git a/security/security.c b/security/security.c
> index d1571900a8c7..97e1e74d1ff2 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -801,6 +801,12 @@ int security_binder_transfer_file(const struct cred *from,
> return call_int_hook(binder_transfer_file, 0, from, to, file);
> }
>
> +int security_binder_transfer_charge(const struct cred *from,
> + const struct cred *to)
> +{
> + return call_int_hook(binder_transfer_charge, 0, from, to);
> +}
> +
> int security_ptrace_access_check(struct task_struct *child, unsigned int mode)
> {
> return call_int_hook(ptrace_access_check, 0, child, mode);
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 3c5be76a9199..823ef14924bd 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -2066,6 +2066,14 @@ static int selinux_binder_transfer_file(const struct cred *from,
> &ad);
> }
>
> +static int selinux_binder_transfer_charge(const struct cred *from, const struct cred *to)
> +{
> + return avc_has_perm(&selinux_state,
> + cred_sid(from), cred_sid(to),
> + SECCLASS_BINDER, BINDER__TRANSFER_CHARGE,
> + NULL);
> +}
> +
> static int selinux_ptrace_access_check(struct task_struct *child,
> unsigned int mode)
> {
> @@ -7052,6 +7060,7 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
> LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
> LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
> LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
> + LSM_HOOK_INIT(binder_transfer_charge, selinux_binder_transfer_charge),
>
> LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
> LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
> diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
> index a3c380775d41..2eef180d10d7 100644
> --- a/security/selinux/include/classmap.h
> +++ b/security/selinux/include/classmap.h
> @@ -172,7 +172,7 @@ const struct security_class_mapping secclass_map[] = {
> { "tun_socket",
> { COMMON_SOCK_PERMS, "attach_queue", NULL } },
> { "binder", { "impersonate", "call", "set_context_mgr", "transfer",
> - NULL } },
> + "transfer_charge", NULL } },
> { "cap_userns",
> { COMMON_CAP_PERMS, NULL } },
> { "cap2_userns",
