|
Message-ID: <20210204034628.GC29022@mail.hallyn.com> Date: Wed, 3 Feb 2021 21:46:28 -0600 From: "Serge E. Hallyn" <serge@...lyn.com> To: Mickaël Salaün <mic@...ikod.net> Cc: James Morris <jmorris@...ei.org>, Jann Horn <jannh@...gle.com>, "Serge E . Hallyn" <serge@...lyn.com>, Al Viro <viro@...iv.linux.org.uk>, Andrew Morton <akpm@...ux-foundation.org>, Andy Lutomirski <luto@...capital.net>, Anton Ivanov <anton.ivanov@...bridgegreys.com>, Arnd Bergmann <arnd@...db.de>, Casey Schaufler <casey@...aufler-ca.com>, Jeff Dike <jdike@...toit.com>, Jonathan Corbet <corbet@....net>, Kees Cook <keescook@...omium.org>, Michael Kerrisk <mtk.manpages@...il.com>, Richard Weinberger <richard@....at>, Shuah Khan <shuah@...nel.org>, Vincent Dagonneau <vincent.dagonneau@....gouv.fr>, kernel-hardening@...ts.openwall.com, linux-api@...r.kernel.org, linux-arch@...r.kernel.org, linux-doc@...r.kernel.org, linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org, linux-kselftest@...r.kernel.org, linux-security-module@...r.kernel.org, x86@...nel.org, Mickaël Salaün <mic@...ux.microsoft.com> Subject: Re: [PATCH v28 03/12] landlock: Set up the security framework and manage credentials On Tue, Feb 02, 2021 at 05:27:01PM +0100, Mickaël Salaün wrote: > From: Mickaël Salaün <mic@...ux.microsoft.com> > > Process's credentials point to a Landlock domain, which is underneath > implemented with a ruleset. In the following commits, this domain is > used to check and enforce the ptrace and filesystem security policies. > A domain is inherited from a parent to its child the same way a thread > inherits a seccomp policy. > > Cc: James Morris <jmorris@...ei.org> > Cc: Kees Cook <keescook@...omium.org> > Cc: Serge E. Hallyn <serge@...lyn.com> Acked-by: Serge Hallyn <serge@...lyn.com> > Signed-off-by: Mickaël Salaün <mic@...ux.microsoft.com> > Reviewed-by: Jann Horn <jannh@...gle.com> > --- > > Changes since v25: > * Rename function to landlock_add_cred_hooks(). > > Changes since v23: > * Add an early check for the current domain in hook_cred_free() to avoid > superfluous call. > * Cosmetic cleanup to make the code more readable. > > Changes since v22: > * Add Reviewed-by: Jann Horn <jannh@...gle.com> > > Changes since v21: > * Fix copyright dates. > > Changes since v17: > * Constify returned domain pointers from landlock_get_current_domain() > and landlock_get_task_domain() helpers. > > Changes since v15: > * Optimize landlocked() for current thread. > * Display the greeting message when everything is initialized. > > Changes since v14: > * Uses pr_fmt from common.h . > * Constify variables. > * Remove useless NULL initialization. > > Changes since v13: > * totally get ride of the seccomp dependency > * only keep credential management and LSM setup. > > Previous changes: > https://lore.kernel.org/lkml/20191104172146.30797-4-mic@digikod.net/ > --- > security/Kconfig | 10 +++---- > security/landlock/Makefile | 3 +- > security/landlock/common.h | 20 +++++++++++++ > security/landlock/cred.c | 46 ++++++++++++++++++++++++++++++ > security/landlock/cred.h | 58 ++++++++++++++++++++++++++++++++++++++ > security/landlock/setup.c | 31 ++++++++++++++++++++ > security/landlock/setup.h | 16 +++++++++++ > 7 files changed, 178 insertions(+), 6 deletions(-) > create mode 100644 security/landlock/common.h > create mode 100644 security/landlock/cred.c > create mode 100644 security/landlock/cred.h > create mode 100644 security/landlock/setup.c > create mode 100644 security/landlock/setup.h > > diff --git a/security/Kconfig b/security/Kconfig > index 15a4342b5d01..0ced7fd33e4d 100644 > --- a/security/Kconfig > +++ b/security/Kconfig > @@ -278,11 +278,11 @@ endchoice > > config LSM > string "Ordered list of enabled LSMs" > - default "lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK > - default "lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR > - default "lockdown,yama,loadpin,safesetid,integrity,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO > - default "lockdown,yama,loadpin,safesetid,integrity,bpf" if DEFAULT_SECURITY_DAC > - default "lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf" > + default "landlock,lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK > + default "landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR > + default "landlock,lockdown,yama,loadpin,safesetid,integrity,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO > + default "landlock,lockdown,yama,loadpin,safesetid,integrity,bpf" if DEFAULT_SECURITY_DAC > + default "landlock,lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf" > help > A comma-separated list of LSMs, in initialization order. > Any LSMs left off this list will be ignored. This can be > diff --git a/security/landlock/Makefile b/security/landlock/Makefile > index d846eba445bb..041ea242e627 100644 > --- a/security/landlock/Makefile > +++ b/security/landlock/Makefile > @@ -1,3 +1,4 @@ > obj-$(CONFIG_SECURITY_LANDLOCK) := landlock.o > > -landlock-y := object.o ruleset.o > +landlock-y := setup.o object.o ruleset.o \ > + cred.o > diff --git a/security/landlock/common.h b/security/landlock/common.h > new file mode 100644 > index 000000000000..5dc0fe15707d > --- /dev/null > +++ b/security/landlock/common.h > @@ -0,0 +1,20 @@ > +/* SPDX-License-Identifier: GPL-2.0-only */ > +/* > + * Landlock LSM - Common constants and helpers > + * > + * Copyright © 2016-2020 Mickaël Salaün <mic@...ikod.net> > + * Copyright © 2018-2020 ANSSI > + */ > + > +#ifndef _SECURITY_LANDLOCK_COMMON_H > +#define _SECURITY_LANDLOCK_COMMON_H > + > +#define LANDLOCK_NAME "landlock" > + > +#ifdef pr_fmt > +#undef pr_fmt > +#endif > + > +#define pr_fmt(fmt) LANDLOCK_NAME ": " fmt > + > +#endif /* _SECURITY_LANDLOCK_COMMON_H */ > diff --git a/security/landlock/cred.c b/security/landlock/cred.c > new file mode 100644 > index 000000000000..6725af24c684 > --- /dev/null > +++ b/security/landlock/cred.c > @@ -0,0 +1,46 @@ > +// SPDX-License-Identifier: GPL-2.0-only > +/* > + * Landlock LSM - Credential hooks > + * > + * Copyright © 2017-2020 Mickaël Salaün <mic@...ikod.net> > + * Copyright © 2018-2020 ANSSI > + */ > + > +#include <linux/cred.h> > +#include <linux/lsm_hooks.h> > + > +#include "common.h" > +#include "cred.h" > +#include "ruleset.h" > +#include "setup.h" > + > +static int hook_cred_prepare(struct cred *const new, > + const struct cred *const old, const gfp_t gfp) > +{ > + struct landlock_ruleset *const old_dom = landlock_cred(old)->domain; > + > + if (old_dom) { > + landlock_get_ruleset(old_dom); > + landlock_cred(new)->domain = old_dom; > + } > + return 0; > +} > + > +static void hook_cred_free(struct cred *const cred) > +{ > + struct landlock_ruleset *const dom = landlock_cred(cred)->domain; > + > + if (dom) > + landlock_put_ruleset_deferred(dom); > +} > + > +static struct security_hook_list landlock_hooks[] __lsm_ro_after_init = { > + LSM_HOOK_INIT(cred_prepare, hook_cred_prepare), > + LSM_HOOK_INIT(cred_free, hook_cred_free), > +}; > + > +__init void landlock_add_cred_hooks(void) > +{ > + security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks), > + LANDLOCK_NAME); > +} > diff --git a/security/landlock/cred.h b/security/landlock/cred.h > new file mode 100644 > index 000000000000..5f99d3decade > --- /dev/null > +++ b/security/landlock/cred.h > @@ -0,0 +1,58 @@ > +/* SPDX-License-Identifier: GPL-2.0-only */ > +/* > + * Landlock LSM - Credential hooks > + * > + * Copyright © 2019-2020 Mickaël Salaün <mic@...ikod.net> > + * Copyright © 2019-2020 ANSSI > + */ > + > +#ifndef _SECURITY_LANDLOCK_CRED_H > +#define _SECURITY_LANDLOCK_CRED_H > + > +#include <linux/cred.h> > +#include <linux/init.h> > +#include <linux/rcupdate.h> > + > +#include "ruleset.h" > +#include "setup.h" > + > +struct landlock_cred_security { > + struct landlock_ruleset *domain; > +}; > + > +static inline struct landlock_cred_security *landlock_cred( > + const struct cred *cred) > +{ > + return cred->security + landlock_blob_sizes.lbs_cred; > +} > + > +static inline const struct landlock_ruleset *landlock_get_current_domain(void) > +{ > + return landlock_cred(current_cred())->domain; > +} > + > +/* > + * The call needs to come from an RCU read-side critical section. > + */ > +static inline const struct landlock_ruleset *landlock_get_task_domain( > + const struct task_struct *const task) > +{ > + return landlock_cred(__task_cred(task))->domain; > +} > + > +static inline bool landlocked(const struct task_struct *const task) > +{ > + bool has_dom; > + > + if (task == current) > + return !!landlock_get_current_domain(); > + > + rcu_read_lock(); > + has_dom = !!landlock_get_task_domain(task); > + rcu_read_unlock(); > + return has_dom; > +} > + > +__init void landlock_add_cred_hooks(void); > + > +#endif /* _SECURITY_LANDLOCK_CRED_H */ > diff --git a/security/landlock/setup.c b/security/landlock/setup.c > new file mode 100644 > index 000000000000..8661112fb238 > --- /dev/null > +++ b/security/landlock/setup.c > @@ -0,0 +1,31 @@ > +// SPDX-License-Identifier: GPL-2.0-only > +/* > + * Landlock LSM - Security framework setup > + * > + * Copyright © 2016-2020 Mickaël Salaün <mic@...ikod.net> > + * Copyright © 2018-2020 ANSSI > + */ > + > +#include <linux/init.h> > +#include <linux/lsm_hooks.h> > + > +#include "common.h" > +#include "cred.h" > +#include "setup.h" > + > +struct lsm_blob_sizes landlock_blob_sizes __lsm_ro_after_init = { > + .lbs_cred = sizeof(struct landlock_cred_security), > +}; > + > +static int __init landlock_init(void) > +{ > + landlock_add_cred_hooks(); > + pr_info("Up and running.\n"); > + return 0; > +} > + > +DEFINE_LSM(LANDLOCK_NAME) = { > + .name = LANDLOCK_NAME, > + .init = landlock_init, > + .blobs = &landlock_blob_sizes, > +}; > diff --git a/security/landlock/setup.h b/security/landlock/setup.h > new file mode 100644 > index 000000000000..9fdbf33fcc33 > --- /dev/null > +++ b/security/landlock/setup.h > @@ -0,0 +1,16 @@ > +/* SPDX-License-Identifier: GPL-2.0-only */ > +/* > + * Landlock LSM - Security framework setup > + * > + * Copyright © 2016-2020 Mickaël Salaün <mic@...ikod.net> > + * Copyright © 2018-2020 ANSSI > + */ > + > +#ifndef _SECURITY_LANDLOCK_SETUP_H > +#define _SECURITY_LANDLOCK_SETUP_H > + > +#include <linux/lsm_hooks.h> > + > +extern struct lsm_blob_sizes landlock_blob_sizes; > + > +#endif /* _SECURITY_LANDLOCK_SETUP_H */ > -- > 2.30.0
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.