[PATCH v29 20/28] LSM: Verify LSM display sanity in binder

From: Casey Schaufler
Date: Fri Sep 24 2021 - 14:17:08 EST


Verify that the tasks on the ends of a binder transaction
use the same "interface_lsm" security module. This prevents
confusion of security "contexts".

Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx>
Reviewed-by: John Johansen <john.johansen@xxxxxxxxxxxxx>
Acked-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
Acked-by: Paul Moore <paul@xxxxxxxxxxxxxx>
Signed-off-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
---
security/security.c | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)

diff --git a/security/security.c b/security/security.c
index a61477c6b0f6..155da0e9b778 100644
--- a/security/security.c
+++ b/security/security.c
@@ -860,9 +860,38 @@ int security_binder_set_context_mgr(struct task_struct *mgr)
return call_int_hook(binder_set_context_mgr, 0, mgr);
}

+/**
+ * security_binder_transaction - Binder driver transaction check
+ * @from: source of the transaction
+ * @to: destination of the transaction
+ *
+ * Verify that the tasks have the same LSM "display", then
+ * call the security module hooks.
+ *
+ * Returns -EINVAL if the displays don't match, or the
+ * result of the security module checks.
+ */
int security_binder_transaction(struct task_struct *from,
struct task_struct *to)
{
+ int from_ilsm = lsm_task_ilsm(from);
+ int to_ilsm = lsm_task_ilsm(to);
+
+ /*
+ * If the ilsm is LSMBLOB_INVALID the first module that has
+ * an entry is used. This will be in the 0 slot.
+ *
+ * This is currently only required if the server has requested
+ * peer contexts, but it would be unwieldly to have too much of
+ * the binder driver detail here.
+ */
+ if (from_ilsm == LSMBLOB_INVALID)
+ from_ilsm = 0;
+ if (to_ilsm == LSMBLOB_INVALID)
+ to_ilsm = 0;
+ if (from_ilsm != to_ilsm)
+ return -EINVAL;
+
return call_int_hook(binder_transaction, 0, from, to);
}

--
2.31.1