On Tue, Jan 10, 2023 at 11:39 AM Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote: > > On 1/9/2023 4:30 PM, T.J. Mercier wrote: > > On Mon, Jan 9, 2023 at 2:28 PM Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote: > >> On 1/9/2023 1:38 PM, T.J. Mercier wrote: > >>> Any process can cause a memory charge transfer to occur to any other > >>> process when transmitting a file descriptor through binder. This should > >>> only be possible for central allocator processes, > >> How is a "central allocator process" identified? > > Any process with the transfer_charge permission. On Android this is > > the graphics allocator HAL which would have this added to its policy. > > OK. You're putting SELinux policy directly into the name of the LSM hook. > > > > >> If I have a LSM that > >> is not SELinux (e.g. AppArmor, Smack) or no LSM at all, how can/should this > >> be enforced? > > Sorry, why would you be expecting enforcement with no LSM? > > Because the LSM is supposed to be a set of *additional* restrictions. > If there are no restrictions when there's no LSM, you can't add to > existing restrictions. If binder works correctly without any restrictions > that's fine. It seems odd that you'd add SELinux restrictions if there > are no basic restrictions. If, on the other hand, binder doesn't have > native restrictions because it always assumes SELinux, it ought to have > a CONFIG dependency on SELinux. > > None of which is really important. > > > Are you > > suggesting that this check should be different than the ones that > > already exist for Binder here? > > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/linux/lsm_hook_defs.h#n29 > > This one seems just a little bit more like an implementation of > SELinux policy in the hook than some of the others. If there is no way > to identify the special process without SELinux policy it's going to > be really difficult for a different LSM to utilize the hook. > I think I see what you're saying... there is potentially no way to have an equivalent attribute with other LSMs? > > > >> Why isn't binder enforcing this restriction itself? > > Binder has no direct knowledge of which process has been designated as > > an allocator / charge transferrer. That is defined externally by > > whoever configures the system. > > So the attribute isn't a binder attribute, it's an SELinux attribute? > That isn't appropriate in the LSM interface, at least not explicitly. > The transfer feature is something offered by binder, but mapped to a process only in the SELinux policy. > > > >>> so a new SELinux > >>> permission is added to restrict which processes are allowed to initiate > >>> these charge transfers. > >> Which is all perfectly reasonable if you have SELinux. > >> > >>> Signed-off-by: T.J. Mercier <tjmercier@xxxxxxxxxx> > >>> --- > >>> drivers/android/binder.c | 5 +++++ > >>> include/linux/lsm_hook_defs.h | 2 ++ > >>> include/linux/lsm_hooks.h | 6 ++++++ > >>> include/linux/security.h | 2 ++ > >>> security/security.c | 6 ++++++ > >>> security/selinux/hooks.c | 9 +++++++++ > >>> security/selinux/include/classmap.h | 2 +- > >>> 7 files changed, 31 insertions(+), 1 deletion(-) > >>> > >>> diff --git a/drivers/android/binder.c b/drivers/android/binder.c > >>> index 9830848c8d25..9063db04826d 100644 > >>> --- a/drivers/android/binder.c > >>> +++ b/drivers/android/binder.c > >>> @@ -2279,6 +2279,11 @@ static int binder_translate_fd(u32 fd, binder_size_t fd_offset, __u32 flags, > >>> if (IS_ENABLED(CONFIG_MEMCG) && (flags & BINDER_FD_FLAG_XFER_CHARGE)) { > >>> struct dma_buf *dmabuf; > >>> > >>> + if (security_binder_transfer_charge(proc->cred, target_proc->cred)) { > >>> + ret = -EPERM; > >>> + goto err_security; > >>> + } > >>> + > >>> if (unlikely(!is_dma_buf_file(file))) { > >>> binder_user_error( > >>> "%d:%d got transaction with XFER_CHARGE for non-dmabuf fd, %d\n", > >>> diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h > >>> index ed6cb2ac55fa..8db2a958557e 100644 > >>> --- a/include/linux/lsm_hook_defs.h > >>> +++ b/include/linux/lsm_hook_defs.h > >>> @@ -33,6 +33,8 @@ LSM_HOOK(int, 0, binder_transfer_binder, const struct cred *from, > >>> const struct cred *to) > >>> LSM_HOOK(int, 0, binder_transfer_file, const struct cred *from, > >>> const struct cred *to, struct file *file) > >>> +LSM_HOOK(int, 0, binder_transfer_charge, const struct cred *from, > >>> + const struct cred *to) > >>> LSM_HOOK(int, 0, ptrace_access_check, struct task_struct *child, > >>> unsigned int mode) > >>> LSM_HOOK(int, 0, ptrace_traceme, struct task_struct *parent) > >>> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h > >>> index 0a5ba81f7367..39c40c7bf519 100644 > >>> --- a/include/linux/lsm_hooks.h > >>> +++ b/include/linux/lsm_hooks.h > >>> @@ -1385,6 +1385,12 @@ > >>> * @file contains the struct file being transferred. > >>> * @to contains the struct cred for the receiving process. > >>> * Return 0 if permission is granted. > >>> + * @binder_transfer_charge: > >>> + * Check whether @from is allowed to transfer the memory charge for a > >>> + * buffer out of its cgroup to @to. > >>> + * @from contains the struct cred for the sending process. > >>> + * @to contains the struct cred for the receiving process. > >>> + * Return 0 if permission is granted. > >>> * > >>> * @ptrace_access_check: > >>> * Check permission before allowing the current process to trace the > >>> diff --git a/include/linux/security.h b/include/linux/security.h > >>> index 5b67f208f7de..3b7472308430 100644 > >>> --- a/include/linux/security.h > >>> +++ b/include/linux/security.h > >>> @@ -270,6 +270,8 @@ int security_binder_transfer_binder(const struct cred *from, > >>> const struct cred *to); > >>> int security_binder_transfer_file(const struct cred *from, > >>> const struct cred *to, struct file *file); > >>> +int security_binder_transfer_charge(const struct cred *from, > >>> + const struct cred *to); > >>> int security_ptrace_access_check(struct task_struct *child, unsigned int mode); > >>> int security_ptrace_traceme(struct task_struct *parent); > >>> int security_capget(struct task_struct *target, > >>> diff --git a/security/security.c b/security/security.c > >>> index d1571900a8c7..97e1e74d1ff2 100644 > >>> --- a/security/security.c > >>> +++ b/security/security.c > >>> @@ -801,6 +801,12 @@ int security_binder_transfer_file(const struct cred *from, > >>> return call_int_hook(binder_transfer_file, 0, from, to, file); > >>> } > >>> > >>> +int security_binder_transfer_charge(const struct cred *from, > >>> + const struct cred *to) > >>> +{ > >>> + return call_int_hook(binder_transfer_charge, 0, from, to); > >>> +} > >>> + > >>> int security_ptrace_access_check(struct task_struct *child, unsigned int mode) > >>> { > >>> return call_int_hook(ptrace_access_check, 0, child, mode); > >>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > >>> index 3c5be76a9199..823ef14924bd 100644 > >>> --- a/security/selinux/hooks.c > >>> +++ b/security/selinux/hooks.c > >>> @@ -2066,6 +2066,14 @@ static int selinux_binder_transfer_file(const struct cred *from, > >>> &ad); > >>> } > >>> > >>> +static int selinux_binder_transfer_charge(const struct cred *from, const struct cred *to) > >>> +{ > >>> + return avc_has_perm(&selinux_state, > >>> + cred_sid(from), cred_sid(to), > >>> + SECCLASS_BINDER, BINDER__TRANSFER_CHARGE, > >>> + NULL); > >>> +} > >>> + > >>> static int selinux_ptrace_access_check(struct task_struct *child, > >>> unsigned int mode) > >>> { > >>> @@ -7052,6 +7060,7 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { > >>> LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction), > >>> LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder), > >>> LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file), > >>> + LSM_HOOK_INIT(binder_transfer_charge, selinux_binder_transfer_charge), > >>> > >>> LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check), > >>> LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme), > >>> diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h > >>> index a3c380775d41..2eef180d10d7 100644 > >>> --- a/security/selinux/include/classmap.h > >>> +++ b/security/selinux/include/classmap.h > >>> @@ -172,7 +172,7 @@ const struct security_class_mapping secclass_map[] = { > >>> { "tun_socket", > >>> { COMMON_SOCK_PERMS, "attach_queue", NULL } }, > >>> { "binder", { "impersonate", "call", "set_context_mgr", "transfer", > >>> - NULL } }, > >>> + "transfer_charge", NULL } }, > >>> { "cap_userns", > >>> { COMMON_CAP_PERMS, NULL } }, > >>> { "cap2_userns",
