Re: [PATCH 6/7 v21] LSM: Switch to lists of hooks

From: Stephen Smalley
Date: Wed Mar 11 2015 - 15:26:02 EST


On 03/11/2015 02:47 PM, Casey Schaufler wrote:
> On 3/11/2015 9:42 AM, Stephen Smalley wrote:
>> On 03/09/2015 09:20 PM, Casey Schaufler wrote:
>>> Subject: [PATCH 6/7 v21] LSM: Switch to lists of hooks
>>>
>>> Instead of using a vector of security operations
>>> with explicit, special case stacking of the capability
>>> and yama hooks use lists of hooks with capability and
>>> yama hooks included as appropriate.
>>>
>>> The security_operations structure is no longer required.
>>> Instead, there is a union of the function pointers that
>>> allows all the hooks lists to use a common mechanism for
>>> list management while retaining typing. Each module
>>> supplies an array describing the hooks it provides instead
>>> of a sparsely populated security_operations structure.
>>> The description includes the element that gets put on
>>> the hook list, avoiding the issues surrounding individual
>>> element allocation.
>>>
>>> The method for registering security modules is changed to
>>> reflect the information available. The method for removing
>>> a module, currently only used by SELinux, has also changed.
>>> It should be generic now, however if there are potential
>>> race conditions based on ordering of hook removal that needs
>>> to be addressed by the calling module.
>>>
>>> The security hooks are called from the lists and the first
>>> failure is returned.
>>>
>>> Signed-off-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
>>>
>>> ---
>>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>>> index 0c45f08..3fd8610 100644
>>> --- a/security/selinux/hooks.c
>>> +++ b/security/selinux/hooks.c
>>> @@ -2008,24 +2002,12 @@ static int selinux_ptrace_access_check(struct task_struct *child,
>>>
>>> static int selinux_ptrace_traceme(struct task_struct *parent)
>>> {
>>> - int rc;
>>> -
>>> - rc = cap_ptrace_traceme(parent);
>>> - if (rc)
>>> - return rc;
>>> -
>>> return task_has_perm(parent, current, PROCESS__PTRACE);
>>> }
>>>
>>> static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
>>> kernel_cap_t *inheritable, kernel_cap_t *permitted)
>>> {
>>> - int error;
>>> -
>>> - error = current_has_perm(target, PROCESS__GETCAP);
>>> - if (error)
>>> - return error;
>>> -
>>> return cap_capget(target, effective, inheritable, permitted);
>> Deleted the wrong code here.
>>
>>> }
>> And failed to delete the cap_capset() call from selinux_capset(), and
>> the cap_capable() call from selinux_capable(), so we're calling that
>> code twice after the patch.
>
> So I see. It was right in v19, but wrong in v20. I'll have an update quickly.

Also looks like there is a residual cap_bprm_secureexec() call in
security/apparmor/domain.c.


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/