[PATCH 08/11] capsicum: add new LSM hooks on FD/file conversion

From: David Drysdale
Date: Mon Jun 30 2014 - 06:35:17 EST


Add the following new LSM hooks:
- file_lookup: check an fd->struct file conversion operation,
potentially failing the lookup or potentially altering the looked
up file
- file_install: check a file to be installed in the fd table, to
potentially allow the LSM to replace it.

Signed-off-by: David Drysdale <drysdale@xxxxxxxxxx>
---
include/linux/security.h | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
security/security.c | 13 +++++++++++++
2 files changed, 61 insertions(+)

diff --git a/include/linux/security.h b/include/linux/security.h
index 6478ce3252c7..4d0c079187d4 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -53,6 +53,7 @@ struct msg_queue;
struct xattr;
struct xfrm_sec_ctx;
struct mm_struct;
+struct capsicum_rights;

/* Maximum number of letters for an LSM name string */
#define SECURITY_NAME_MAX 10
@@ -656,6 +657,28 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
* to receive an open file descriptor via socket IPC.
* @file contains the file structure being received.
* Return 0 if permission is granted.
+ * @file_lookup:
+ * This hook allows security modules to intercept file descriptor lookups
+ * to check whether a required set of rights are available for the file
+ * descriptor. This allows the security model to fail the lookup, or to
+ * substitute a new return value for fget().
+ * @file is the file in the process's file table, which may be replaced by
+ * another file as the return value from the hook.
+ * @required_rights is the rights that the file descriptor should hold, or
+ * may be NULL to indicate that no specific rights are needed.
+ * @actual_rights is returned (if it is non-NULL) as a pointer to the
+ * rights that the file descriptor has. The caller does not own this
+ * memory, and should only use if while maintaining a refcount to the
+ * returned unwrapped file.
+ * Return PTR_ERR holding the unwrapped file.
+ * @file_install:
+ * This hook allows security modules to intercept newly created files that
+ * are about to be installed in the file descriptor table, to potentially
+ * substitute a different file for the newly opened file.
+ * @base_rights is the rights associated with an existing file that the
+ * new file is derived from; CAP_ALL for non-capabilities.
+ * @file is the newly opened struct file.
+ * Return PTR_ERR holding the struct file to be used.
* @file_open
* Save open-time permission checking state for later use upon
* file_permission, and recheck access if anything has changed
@@ -1555,6 +1578,11 @@ struct security_operations {
struct fown_struct *fown, int sig);
int (*file_receive) (struct file *file);
int (*file_open) (struct file *file, const struct cred *cred);
+ struct file * (*file_lookup)(struct file *orig,
+ const struct capsicum_rights *required_rights,
+ const struct capsicum_rights **actual_rights);
+ struct file * (*file_install)(const struct capsicum_rights *base_rights,
+ struct file *file);

int (*task_create) (unsigned long clone_flags);
void (*task_free) (struct task_struct *task);
@@ -1829,6 +1857,11 @@ int security_file_send_sigiotask(struct task_struct *tsk,
struct fown_struct *fown, int sig);
int security_file_receive(struct file *file);
int security_file_open(struct file *file, const struct cred *cred);
+struct file *security_file_lookup(struct file *orig,
+ const struct capsicum_rights *required_rights,
+ const struct capsicum_rights **actual_rights);
+struct file *security_file_install(const struct capsicum_rights *base_rights,
+ struct file *file);
int security_task_create(unsigned long clone_flags);
void security_task_free(struct task_struct *task);
int security_cred_alloc_blank(struct cred *cred, gfp_t gfp);
@@ -2324,6 +2357,21 @@ static inline int security_file_open(struct file *file,
return 0;
}

+static inline struct file *
+security_file_lookup(struct file *orig,
+ const struct capsicum_rights *required_rights,
+ const struct capsicum_rights **actual_rights)
+{
+ return orig;
+}
+
+static inline struct file *
+security_file_install(const struct capsicum_rights *base_rights,
+ struct file *file)
+{
+ return file;
+}
+
static inline int security_task_create(unsigned long clone_flags)
{
return 0;
diff --git a/security/security.c b/security/security.c
index 8b774f362a3d..5ab3e893b46c 100644
--- a/security/security.c
+++ b/security/security.c
@@ -802,6 +802,19 @@ int security_file_open(struct file *file, const struct cred *cred)
return fsnotify_perm(file, MAY_OPEN);
}

+struct file *security_file_lookup(struct file *file,
+ const struct capsicum_rights *required_rights,
+ const struct capsicum_rights **actual_rights)
+{
+ return security_ops->file_lookup(file, required_rights, actual_rights);
+}
+
+struct file *security_file_install(const struct capsicum_rights *base_rights,
+ struct file *file)
+{
+ return security_ops->file_install(base_rights, file);
+}
+
int security_task_create(unsigned long clone_flags)
{
return security_ops->task_create(clone_flags);
--
2.0.0.526.g5318336

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/