[PATCH v27 05/25] LSM: Use lsmblob in security_audit_rule_match

From: Casey Schaufler
Date: Thu Jun 10 2021 - 20:10:28 EST


Change the secid parameter of security_audit_rule_match
to a lsmblob structure pointer. Pass the entry from the
lsmblob structure for the approprite slot to the LSM hook.

Change the users of security_audit_rule_match to use the
lsmblob instead of a u32. The scaffolding function lsmblob_init()
fills the blob with the value of the old secid, ensuring that
it is available to the appropriate module hook. The sources of
the secid, security_task_getsecid() and security_inode_getsecid(),
will be converted to use the blob structure later in the series.
At the point the use of lsmblob_init() is dropped.

Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx>
Reviewed-by: John Johansen <john.johansen@xxxxxxxxxxxxx>
Acked-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
Acked-by: Paul Moore <paul@xxxxxxxxxxxxxx>
Signed-off-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
Cc: linux-audit@xxxxxxxxxx
Cc: linux-integrity@xxxxxxxxxxxxxxx
To: Mimi Zohar <zohar@xxxxxxxxxxxxx>
---
include/linux/security.h | 7 ++++---
kernel/auditfilter.c | 6 ++++--
kernel/auditsc.c | 16 +++++++++++-----
security/integrity/ima/ima.h | 4 ++--
security/integrity/ima/ima_policy.c | 7 +++++--
security/security.c | 10 ++++++++--
6 files changed, 34 insertions(+), 16 deletions(-)

diff --git a/include/linux/security.h b/include/linux/security.h
index ca9485105f00..916a0f606035 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1944,7 +1944,8 @@ static inline int security_key_getsecurity(struct key *key, char **_buffer)
#ifdef CONFIG_SECURITY
int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule);
int security_audit_rule_known(struct audit_krule *krule);
-int security_audit_rule_match(u32 secid, u32 field, u32 op, void **lsmrule);
+int security_audit_rule_match(struct lsmblob *blob, u32 field, u32 op,
+ void **lsmrule);
void security_audit_rule_free(void **lsmrule);

#else
@@ -1960,8 +1961,8 @@ static inline int security_audit_rule_known(struct audit_krule *krule)
return 0;
}

-static inline int security_audit_rule_match(u32 secid, u32 field, u32 op,
- void **lsmrule)
+static inline int security_audit_rule_match(struct lsmblob *blob, u32 field,
+ u32 op, void **lsmrule)
{
return 0;
}
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index a2340e81cfa7..6a04d762d272 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1331,6 +1331,7 @@ int audit_filter(int msgtype, unsigned int listtype)
struct audit_field *f = &e->rule.fields[i];
pid_t pid;
u32 sid;
+ struct lsmblob blob;

switch (f->type) {
case AUDIT_PID:
@@ -1362,8 +1363,9 @@ int audit_filter(int msgtype, unsigned int listtype)
if (f->lsm_isset) {
security_task_getsecid_subj(current,
&sid);
- result = security_audit_rule_match(sid,
- f->type, f->op,
+ lsmblob_init(&blob, sid);
+ result = security_audit_rule_match(
+ &blob, f->type, f->op,
f->lsm_rules);
}
break;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 392afe3e2fd6..71d894dcdc01 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -472,6 +472,7 @@ static int audit_filter_rules(struct task_struct *tsk,
const struct cred *cred;
int i, need_sid = 1;
u32 sid;
+ struct lsmblob blob;
unsigned int sessionid;

cred = rcu_dereference_check(tsk->cred, tsk == current || task_creation);
@@ -670,8 +671,10 @@ static int audit_filter_rules(struct task_struct *tsk,
security_task_getsecid_subj(tsk, &sid);
need_sid = 0;
}
- result = security_audit_rule_match(sid, f->type,
- f->op, f->lsm_rules);
+ lsmblob_init(&blob, sid);
+ result = security_audit_rule_match(&blob,
+ f->type, f->op,
+ f->lsm_rules);
}
break;
case AUDIT_OBJ_USER:
@@ -684,15 +687,17 @@ static int audit_filter_rules(struct task_struct *tsk,
if (f->lsm_isset) {
/* Find files that match */
if (name) {
+ lsmblob_init(&blob, name->osid);
result = security_audit_rule_match(
- name->osid,
+ &blob,
f->type,
f->op,
f->lsm_rules);
} else if (ctx) {
list_for_each_entry(n, &ctx->names_list, list) {
+ lsmblob_init(&blob, name->osid);
if (security_audit_rule_match(
- n->osid,
+ &blob,
f->type,
f->op,
f->lsm_rules)) {
@@ -704,7 +709,8 @@ static int audit_filter_rules(struct task_struct *tsk,
/* Find ipc objects that match */
if (!ctx || ctx->type != AUDIT_IPC)
break;
- if (security_audit_rule_match(ctx->ipc.osid,
+ lsmblob_init(&blob, ctx->ipc.osid);
+ if (security_audit_rule_match(&blob,
f->type, f->op,
f->lsm_rules))
++result;
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index f0e448ed1f9f..55f3bd4f0b01 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -433,8 +433,8 @@ static inline void ima_filter_rule_free(void *lsmrule)
{
}

-static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op,
- void *lsmrule)
+static inline int ima_filter_rule_match(struct lsmblob *blob, u32 field,
+ u32 op, void *lsmrule)
{
return -EINVAL;
}
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index d804b9a0dd95..a05841e1012b 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -607,6 +607,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
for (i = 0; i < MAX_LSM_RULES; i++) {
int rc = 0;
u32 osid;
+ struct lsmblob lsmdata;

if (!ima_lsm_isset(rule, i)) {
if (!rule->lsm[i].args_p)
@@ -619,14 +620,16 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
case LSM_OBJ_ROLE:
case LSM_OBJ_TYPE:
security_inode_getsecid(inode, &osid);
- rc = ima_filter_rule_match(osid, rule->lsm[i].type,
+ lsmblob_init(&lsmdata, osid);
+ rc = ima_filter_rule_match(&lsmdata, rule->lsm[i].type,
Audit_equal,
rule->lsm[i].rule);
break;
case LSM_SUBJ_USER:
case LSM_SUBJ_ROLE:
case LSM_SUBJ_TYPE:
- rc = ima_filter_rule_match(secid, rule->lsm[i].type,
+ lsmblob_init(&lsmdata, secid);
+ rc = ima_filter_rule_match(&lsmdata, rule->lsm[i].type,
Audit_equal,
rule->lsm[i].rule);
break;
diff --git a/security/security.c b/security/security.c
index 6387107e4014..d467231342da 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2671,11 +2671,14 @@ void security_audit_rule_free(void **lsmrule)
hlist_for_each_entry(hp, &security_hook_heads.audit_rule_free, list) {
if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot))
continue;
+ if (lsmrule[hp->lsmid->slot] == NULL)
+ continue;
hp->hook.audit_rule_free(lsmrule[hp->lsmid->slot]);
}
}

-int security_audit_rule_match(u32 secid, u32 field, u32 op, void **lsmrule)
+int security_audit_rule_match(struct lsmblob *blob, u32 field, u32 op,
+ void **lsmrule)
{
struct security_hook_list *hp;
int rc;
@@ -2683,7 +2686,10 @@ int security_audit_rule_match(u32 secid, u32 field, u32 op, void **lsmrule)
hlist_for_each_entry(hp, &security_hook_heads.audit_rule_match, list) {
if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot))
continue;
- rc = hp->hook.audit_rule_match(secid, field, op,
+ if (lsmrule[hp->lsmid->slot] == NULL)
+ continue;
+ rc = hp->hook.audit_rule_match(blob->secid[hp->lsmid->slot],
+ field, op,
&lsmrule[hp->lsmid->slot]);
if (rc)
return rc;
--
2.29.2