Commit Graph

2021 Commits

Author SHA1 Message Date
GUO Zihua
9a95c5bfbf ima: Avoid blocking in RCU read-side critical section
A panic happens in ima_match_policy:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
PGD 42f873067 P4D 0
Oops: 0000 [#1] SMP NOPTI
CPU: 5 PID: 1286325 Comm: kubeletmonit.sh
Kdump: loaded Tainted: P
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
               BIOS 0.0.0 02/06/2015
RIP: 0010:ima_match_policy+0x84/0x450
Code: 49 89 fc 41 89 cf 31 ed 89 44 24 14 eb 1c 44 39
      7b 18 74 26 41 83 ff 05 74 20 48 8b 1b 48 3b 1d
      f2 b9 f4 00 0f 84 9c 01 00 00 <44> 85 73 10 74 ea
      44 8b 6b 14 41 f6 c5 01 75 d4 41 f6 c5 02 74 0f
RSP: 0018:ff71570009e07a80 EFLAGS: 00010207
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000200
RDX: ffffffffad8dc7c0 RSI: 0000000024924925 RDI: ff3e27850dea2000
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffabfce739
R10: ff3e27810cc42400 R11: 0000000000000000 R12: ff3e2781825ef970
R13: 00000000ff3e2785 R14: 000000000000000c R15: 0000000000000001
FS:  00007f5195b51740(0000)
GS:ff3e278b12d40000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000010 CR3: 0000000626d24002 CR4: 0000000000361ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 ima_get_action+0x22/0x30
 process_measurement+0xb0/0x830
 ? page_add_file_rmap+0x15/0x170
 ? alloc_set_pte+0x269/0x4c0
 ? prep_new_page+0x81/0x140
 ? simple_xattr_get+0x75/0xa0
 ? selinux_file_open+0x9d/0xf0
 ima_file_check+0x64/0x90
 path_openat+0x571/0x1720
 do_filp_open+0x9b/0x110
 ? page_counter_try_charge+0x57/0xc0
 ? files_cgroup_alloc_fd+0x38/0x60
 ? __alloc_fd+0xd4/0x250
 ? do_sys_open+0x1bd/0x250
 do_sys_open+0x1bd/0x250
 do_syscall_64+0x5d/0x1d0
 entry_SYSCALL_64_after_hwframe+0x65/0xca

Commit c7423dbdbc ("ima: Handle -ESTALE returned by
ima_filter_rule_match()") introduced call to ima_lsm_copy_rule within a
RCU read-side critical section which contains kmalloc with GFP_KERNEL.
This implies a possible sleep and violates limitations of RCU read-side
critical sections on non-PREEMPT systems.

Sleeping within RCU read-side critical section might cause
synchronize_rcu() returning early and break RCU protection, allowing a
UAF to happen.

The root cause of this issue could be described as follows:
|	Thread A	|	Thread B	|
|			|ima_match_policy	|
|			|  rcu_read_lock	|
|ima_lsm_update_rule	|			|
|  synchronize_rcu	|			|
|			|    kmalloc(GFP_KERNEL)|
|			|      sleep		|
==> synchronize_rcu returns early
|  kfree(entry)		|			|
|			|    entry = entry->next|
==> UAF happens and entry now becomes NULL (or could be anything).
|			|    entry->action	|
==> Accessing entry might cause panic.

To fix this issue, we are converting all kmalloc that is called within
RCU read-side critical section to use GFP_ATOMIC.

Fixes: c7423dbdbc ("ima: Handle -ESTALE returned by ima_filter_rule_match()")
Cc: stable@vger.kernel.org
Signed-off-by: GUO Zihua <guozihua@huawei.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
[PM: fixed missing comment, long lines, !CONFIG_IMA_LSM_RULES case]
Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-06-13 14:26:50 -04:00
Linus Torvalds
353ad6c083 integrity-v6.10
-----BEGIN PGP SIGNATURE-----
 
 iIoEABYIADIWIQQdXVVFGN5XqKr1Hj7LwZzRsCrn5QUCZkQD2xQcem9oYXJAbGlu
 dXguaWJtLmNvbQAKCRDLwZzRsCrn5b81APwINCoiLDB0L9KkyUhQjqvLLZCS85u9
 Qo3/wdUGAb2tygD/RYKJgtGxvqO1Ap1IysytKHId0yo+vokdXG5stpMPJQE=
 =dIrw
 -----END PGP SIGNATURE-----

Merge tag 'integrity-v6.10' of ssh://ra.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity

Pull integrity updates from Mimi Zohar:
 "Two IMA changes, one EVM change, a use after free bug fix, and a code
  cleanup to address "-Wflex-array-member-not-at-end" warnings:

   - The existing IMA {ascii, binary}_runtime_measurements lists include
     a hard coded SHA1 hash. To address this limitation, define per TPM
     enabled hash algorithm {ascii, binary}_runtime_measurements lists

   - Close an IMA integrity init_module syscall measurement gap by
     defining a new critical-data record

   - Enable (partial) EVM support on stacked filesystems (overlayfs).
     Only EVM portable & immutable file signatures are copied up, since
     they do not contain filesystem specific metadata"

* tag 'integrity-v6.10' of ssh://ra.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
  ima: add crypto agility support for template-hash algorithm
  evm: Rename is_unsupported_fs to is_unsupported_hmac_fs
  fs: Rename SB_I_EVM_UNSUPPORTED to SB_I_EVM_HMAC_UNSUPPORTED
  evm: Enforce signatures on unsupported filesystem for EVM_INIT_X509
  ima: re-evaluate file integrity on file metadata change
  evm: Store and detect metadata inode attributes changes
  ima: Move file-change detection variables into new structure
  evm: Use the metadata inode to calculate metadata hash
  evm: Implement per signature type decision in security_inode_copy_up_xattr
  security: allow finer granularity in permitting copy-up of security xattrs
  ima: Rename backing_inode to real_inode
  integrity: Avoid -Wflex-array-member-not-at-end warnings
  ima: define an init_module critical data record
  ima: Fix use-after-free on a dentry's dname.name
2024-05-15 08:43:02 -07:00
Linus Torvalds
ccae19c623 selinux/stable-6.10 PR 20240513
-----BEGIN PGP SIGNATURE-----
 
 iQJIBAABCAAyFiEES0KozwfymdVUl37v6iDy2pc3iXMFAmZCWd4UHHBhdWxAcGF1
 bC1tb29yZS5jb20ACgkQ6iDy2pc3iXMFMQ/8DlQhbe+NzeAjBg2O7RqNKoE/UU2l
 JAkzgQ7h35/sgsfDIEhPv0VOzq2cwLSaw5/qSGGrQDWR4AKz55HvBSJQDElgzPo2
 wtL2lozjJ03+P391aeXEHdkqzgp2F3c6oNthIcFvRmi3EVcWr7eqnjWU+bJzFtMA
 z4IgX01yiUF6EMdTJcWjSLclk3dOqHWPV657RadYyp2pr3u9rc9gqgxichs0dQW0
 X/vexUBg81TdSeHS+u9Jgrz+TCsQdP3CHSFibXDv1rX89bqCbG9wYNTyTBHH9f0j
 LPpV2bKaesxIZV6dZyIKKSqCtHGBcjcJEjUbl7JFkQOS/a8NPMDH2ZYkHqbyq4BH
 SX+kRhthmXZiZ2IWhMRikaE4FBIWI7JAC4riKB2Dd0RzJrNEgaawU0wM+evKai9F
 s3GCk/P7wnTT4GlDHSkYEiiRF9c3DNkfVb9mqG78PRMR4X+z/0dsX5iaJTwlyMxo
 69JSoTNzMxVdDtvD+K89V7GCm8NmGFjLwQUqb282L/6ibzC/5CCUQXn8ZWvNRPql
 IUoQhKbveCWR3m9vAMeGpE61oNgFp0mHj3Zb/vE5Yu7HxOn2y1lFv2XGxR6bGyTF
 T53AaHM15uFomhqhG+iM3b4FDhNIJpbUc4MJsq3iMgFC941n1ceXyeBEgf31+Z2x
 k1ZlxqLAWn05auA=
 =2Wbi
 -----END PGP SIGNATURE-----

Merge tag 'selinux-pr-20240513' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux

Pull selinux updates from Paul Moore:

 - Attempt to pre-allocate the SELinux status page so it doesn't appear
   to userspace that we are skipping SELinux policy sequence numbers

 - Reject invalid SELinux policy bitmaps with an error at policy load
   time

 - Consistently use the same type, u32, for ebitmap offsets

 - Improve the "symhash" hash function for better distribution on common
   policies

 - Correct a number of printk format specifiers in the ebitmap code

 - Improved error checking in sel_write_load()

 - Ensure we have a proper return code in the
   filename_trans_read_helper_compat() function

 - Make better use of the current_sid() helper function

 - Allow for more hash table statistics when debugging is enabled

 - Migrate from printk_ratelimit() to pr_warn_ratelimited()

 - Miscellaneous cleanups and tweaks to selinux_lsm_getattr()

 - More consitification work in the conditional policy space

* tag 'selinux-pr-20240513' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
  selinux: constify source policy in cond_policydb_dup()
  selinux: avoid printk_ratelimit()
  selinux: pre-allocate the status page
  selinux: clarify return code in filename_trans_read_helper_compat()
  selinux: use u32 as bit position type in ebitmap code
  selinux: improve symtab string hashing
  selinux: dump statistics for more hash tables
  selinux: make more use of current_sid()
  selinux: update numeric format specifiers for ebitmaps
  selinux: improve error checking in sel_write_load()
  selinux: cleanup selinux_lsm_getattr()
  selinux: reject invalid ebitmaps
2024-05-15 08:36:30 -07:00
Davide Caratti
8ec9897ec2 netlabel: fix RCU annotation for IPv4 options on socket creation
Xiumei reports the following splat when netlabel and TCP socket are used:

 =============================
 WARNING: suspicious RCU usage
 6.9.0-rc2+ #637 Not tainted
 -----------------------------
 net/ipv4/cipso_ipv4.c:1880 suspicious rcu_dereference_protected() usage!

 other info that might help us debug this:

 rcu_scheduler_active = 2, debug_locks = 1
 1 lock held by ncat/23333:
  #0: ffffffff906030c0 (rcu_read_lock){....}-{1:2}, at: netlbl_sock_setattr+0x25/0x1b0

 stack backtrace:
 CPU: 11 PID: 23333 Comm: ncat Kdump: loaded Not tainted 6.9.0-rc2+ #637
 Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0  07/26/2013
 Call Trace:
  <TASK>
  dump_stack_lvl+0xa9/0xc0
  lockdep_rcu_suspicious+0x117/0x190
  cipso_v4_sock_setattr+0x1ab/0x1b0
  netlbl_sock_setattr+0x13e/0x1b0
  selinux_netlbl_socket_post_create+0x3f/0x80
  selinux_socket_post_create+0x1a0/0x460
  security_socket_post_create+0x42/0x60
  __sock_create+0x342/0x3a0
  __sys_socket_create.part.22+0x42/0x70
  __sys_socket+0x37/0xb0
  __x64_sys_socket+0x16/0x20
  do_syscall_64+0x96/0x180
  ? do_user_addr_fault+0x68d/0xa30
  ? exc_page_fault+0x171/0x280
  ? asm_exc_page_fault+0x22/0x30
  entry_SYSCALL_64_after_hwframe+0x71/0x79
 RIP: 0033:0x7fbc0ca3fc1b
 Code: 73 01 c3 48 8b 0d 05 f2 1b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 29 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d d5 f1 1b 00 f7 d8 64 89 01 48
 RSP: 002b:00007fff18635208 EFLAGS: 00000246 ORIG_RAX: 0000000000000029
 RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fbc0ca3fc1b
 RDX: 0000000000000006 RSI: 0000000000000001 RDI: 0000000000000002
 RBP: 000055d24f80f8a0 R08: 0000000000000003 R09: 0000000000000001

R10: 0000000000020000 R11: 0000000000000246 R12: 000055d24f80f8a0
 R13: 0000000000000000 R14: 000055d24f80fb88 R15: 0000000000000000
  </TASK>

The current implementation of cipso_v4_sock_setattr() replaces IP options
under the assumption that the caller holds the socket lock; however, such
assumption is not true, nor needed, in selinux_socket_post_create() hook.

Let all callers of cipso_v4_sock_setattr() specify the "socket lock held"
condition, except selinux_socket_post_create() _ where such condition can
safely be set as true even without holding the socket lock.

Fixes: f6d8bd051c ("inet: add RCU protection to inet->opt")
Reported-by: Xiumei Mu <xmu@redhat.com>
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Link: https://lore.kernel.org/r/f4260d000a3a55b9e8b6a3b4e3fffc7da9f82d41.1715359817.git.dcaratti@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2024-05-13 14:58:12 -07:00
Christian Göttsche
581646c3fb selinux: constify source policy in cond_policydb_dup()
cond_policydb_dup() duplicates conditional parts of an existing policy.
Declare the source policy const, since it should not be modified.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
[PM: various line length fixups]
Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-04-30 19:01:04 -04:00
Christian Göttsche
851541709a selinux: avoid printk_ratelimit()
The usage of printk_ratelimit() is discouraged, see
include/linux/printk.h, thus use pr_warn_ratelimited().

While editing this line address the following checkpatch warning:

    WARNING: Integer promotion: Using 'h' in '%hu' is unnecessary

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-04-30 19:01:04 -04:00
Christian Göttsche
fc983171e4 selinux: pre-allocate the status page
Since the status page is currently only allocated on first use, the
sequence number of the initial policyload (i.e. 1) is not stored,
leading to the observable sequence of 0, 2, 3, 4, ...

Try to pre-allocate the status page during the initialization of the
selinuxfs, so selinux_status_update_policyload() will set the sequence
number.

This brings the status page to return the actual sequence number for the
initial policy load, which is also observable via the netlink socket.
I could not find any occurrence where userspace depends on the actual
value returned by selinux_status_policyload(3), thus the breakage should
be unnoticed.

Closes: https://lore.kernel.org/selinux/87o7fmua12.fsf@redhat.com/
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
[PM: trimmed 'reported-by' that was missing an email]
Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-04-30 19:01:04 -04:00
Stefan Berger
3253804773 security: allow finer granularity in permitting copy-up of security xattrs
Copying up xattrs is solely based on the security xattr name. For finer
granularity add a dentry parameter to the security_inode_copy_up_xattr
hook definition, allowing decisions to be based on the xattr content as
well.

Co-developed-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Acked-by: Amir Goldstein <amir73il@gmail.com>
Acked-by: Paul Moore <paul@paul-moore.com> (LSM,SELinux)
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2024-04-09 17:14:57 -04:00
Ondrej Mosnacek
4e551db042 selinux: clarify return code in filename_trans_read_helper_compat()
For the "conflicting/duplicate rules" branch in
filename_trans_read_helper_compat() the Smatch static checker reports:

    security/selinux/ss/policydb.c:1953 filename_trans_read_helper_compat()
    warn: missing error code 'rc'

While the value of rc will already always be zero here, it is not
obvious that it's the case and that it's the intended return value
(Smatch expects rc to be assigned within 5 lines from the goto).
Therefore, add an explicit assignment just before the goto to make the
intent more clear and the code less error-prone.

Fixes: c3a276111e ("selinux: optimize storage of filename transitions")
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://lore.kernel.org/selinux/722b90c4-1f4b-42ff-a6c2-108ea262bd10@moroto.mountain/
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-04-04 16:38:37 -04:00
Christian Göttsche
37801a36b4 selinux: avoid dereference of garbage after mount failure
In case kern_mount() fails and returns an error pointer return in the
error branch instead of continuing and dereferencing the error pointer.

While on it drop the never read static variable selinuxfs_mount.

Cc: stable@vger.kernel.org
Fixes: 0619f0f5e3 ("selinux: wrap selinuxfs state")
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-04-01 23:32:35 -04:00
Christian Göttsche
abb0f43fcd selinux: use u32 as bit position type in ebitmap code
The extensible bitmap supports bit positions up to U32_MAX due to the
type of the member highbit being u32.  Use u32 consistently as the type
for bit positions to announce to callers what range of values is
supported.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
[PM: merge fuzz, subject line tweak]
Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-03-27 20:08:55 -04:00
Christian Göttsche
32db469edf selinux: improve symtab string hashing
The number of buckets is calculated by performing a binary AND against
the mask of the hash table, which is one less than its size (which is a
power of two).  This leads to all top bits being discarded, requiring
for short or similar inputs a hash function with a good avalanche
effect.

Use djb2a:

    # current
    common prefixes:  7 entries and 5/8 buckets used, longest chain
                      length 2, sum of chain length^2 11
    classes:  134 entries and 100/256 buckets used, longest chain
              length 5, sum of chain length^2 234
    roles:  15 entries and 6/16 buckets used, longest chain length 5,
            sum of chain length^2 57
    types:  4448 entries and 3016/8192 buckets used, longest chain
            length 41, sum of chain length^2 14922
    users:  7 entries and 3/8 buckets used, longest chain length 3,
            sum of chain length^2 17
    bools:  306 entries and 221/512 buckets used, longest chain
            length 4, sum of chain length^2 524
    levels:  1 entries and 1/1 buckets used, longest chain length 1,
             sum of chain length^2 1
    categories:  1024 entries and 400/1024 buckets used, longest chain
                 length 4, sum of chain length^2 2740

    # patch
    common prefixes:  7 entries and 5/8 buckets used, longest chain
                     length 2, sum of chain length^2 11
    classes:  134 entries and 101/256 buckets used, longest chain
              length 3, sum of chain length^2 210
    roles:  15 entries and 9/16 buckets used, longest chain length 3,
            sum of chain length^2 31
    types:  4448 entries and 3459/8192 buckets used, longest chain
            length 5, sum of chain length^2 6778
    users:  7 entries and 5/8 buckets used, longest chain length 3,
            sum of chain length^2 13
    bools:  306 entries and 236/512 buckets used, longest chain
            length 5, sum of chain length^2 470
    levels:  1 entries and 1/1 buckets used, longest chain length 1,
             sum of chain length^2 1
    categories:  1024 entries and 518/1024 buckets used, longest chain
                 length 7, sum of chain length^2 2992

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
[PM: line length fixes in the commit message]
Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-03-27 19:26:25 -04:00
Christian Göttsche
0fd0b4fefa selinux: dump statistics for more hash tables
Dump in the SELinux debug configuration the statistics for the
conditional rules avtab, the role transition, and class and common
permission hash tables.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
[PM: style fixes]
Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-03-27 19:26:24 -04:00
Christian Göttsche
cdc12eb412 selinux: make more use of current_sid()
Use the internal helper current_sid() where applicable.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-03-27 18:25:18 -04:00
Christian Göttsche
4b3124de63 selinux: update numeric format specifiers for ebitmaps
Use the correct, according to Documentation/core-api/printk-formats.rst,
format specifiers for numeric arguments in string formatting.
The general bit type is u32 thus use %u, EBITMAP_SIZE is a constant
computed via sizeof() thus use %zu.

Fixes: 0142c56682 ("selinux: reject invalid ebitmaps")
Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Closes: https://lore.kernel.org/linux-next/20240327131044.2c629921@canb.auug.org.au/
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-03-27 16:44:35 -04:00
Paul Moore
42c7732380 selinux: improve error checking in sel_write_load()
Move our existing input sanity checking to the top of sel_write_load()
and add a check to ensure the buffer size is non-zero.

Move a local variable initialization from the declaration to before it
is used.

Minor style adjustments.

Reported-by: Sam Sun <samsun1006219@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-03-26 16:42:09 -04:00
Paul Moore
e6b5ebca41 selinux: cleanup selinux_lsm_getattr()
A number of small changes to selinux_lsm_getattr() to improve the
quality and readability of the code:

* Explicitly set the `value` parameter to NULL in the case where an
  attribute has not been set.
* Rename the `__tsec` variable to `tsec` to better fit the SELinux code.
* Rename `bad` to `err_unlock` to better indicate the jump target drops
  the RCU lock.

Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-03-26 16:37:45 -04:00
Christian Göttsche
0142c56682 selinux: reject invalid ebitmaps
Reject ebitmaps with a node containing an empty map or with an incorrect
highbit.  Both checks are already performed by userspace, the former
since 2008 (patch 13cd4c896068 ("initial import from svn trunk revision
2950")), the latter since v2.7 in 2017 (patch 75b14a5de10a ("libsepol:
ebitmap: reject loading bitmaps with incorrect high bit")).

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-03-26 16:36:14 -04:00
Casey Schaufler
a5a858f622 lsm: use 32-bit compatible data types in LSM syscalls
Change the size parameters in lsm_list_modules(), lsm_set_self_attr()
and lsm_get_self_attr() from size_t to u32. This avoids the need to
have different interfaces for 32 and 64 bit systems.

Cc: stable@vger.kernel.org
Fixes: a04a119808 ("LSM: syscalls for current process attributes")
Fixes: ad4aff9ec2 ("LSM: Create lsm_list_modules system call")
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Reported-and-reviewed-by: Dmitry V. Levin <ldv@strace.io>
[PM: subject and metadata tweaks, syscall.h fixes]
Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-03-14 11:31:26 -04:00
Linus Torvalds
cc4a875cf3 lsm/stable-6.9 PR 20240312
-----BEGIN PGP SIGNATURE-----
 
 iQJIBAABCAAyFiEES0KozwfymdVUl37v6iDy2pc3iXMFAmXwt3cUHHBhdWxAcGF1
 bC1tb29yZS5jb20ACgkQ6iDy2pc3iXObOhAAqldn1nbYS/t1D/k/9ZN/PtSQetK4
 S58D8+gB59Sg0daWFaRhCwwShIbXS/6XzhqaVb3iAPptJs0YDFMbWLAW2d+dd69K
 /7C8diguHbuJdEnCJtFYQIVinavaYVRlyoQcO8uwTz8uvTgXPOhr2P9NcOApJXcR
 xqttuADVo/9Zn0O9/+GUPCH0ROL0SMnuUjwdVP3bpPHj9zEk8F1/A6chzTeSLJru
 Y4+cRrN/r0JTkvRqPdnF9LSvxK7mtAEaHkKGeLQbw0O5pv3r3w0EWMJvq+uonGU2
 WX0eR5VMfevkFMUdw8FKOTa+OZ0HJ2KKIb4sB4wDMgeGyov7Z6SxgvFeQiSyD3aB
 QnyfLDzeEuPfousxUd45dUDnsWNnSgFF+JAdi0LSzm5hMuLeQDozTsFmh0orQcX1
 L5A6VtAbSPP0ffl+tuPi48q3P3LlSjMP0B8W20NXFYhXukKXCgXVMr/dEvpwpu1m
 o1glviGIXeLQQSnX3lMWb7Ds2igmCtXPrqkdu2vpRhMp0od6n4R4jH73Aj5MeSQn
 n3sP73dg5sAaMjtI2NOisMeFUp09MMlOumCCM+AIplPXremm1kwgKRTIp0rKsLW9
 VoQPXa43LQc3hAgPrpGuE+4yBfaBUq7Z8I37IFER/2y4K8b9YkduW4kDh7OdRz+d
 iQ4Nnu2lR/+CCH0=
 =0mTM
 -----END PGP SIGNATURE-----

Merge tag 'lsm-pr-20240312' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm

Pull lsm updates from Paul Moore:

 - Promote IMA/EVM to a proper LSM

   This is the bulk of the diffstat, and the source of all the changes
   in the VFS code. Prior to the start of the LSM stacking work it was
   important that IMA/EVM were separate from the rest of the LSMs,
   complete with their own hooks, infrastructure, etc. as it was the
   only way to enable IMA/EVM at the same time as a LSM.

   However, now that the bulk of the LSM infrastructure supports
   multiple simultaneous LSMs, we can simplify things greatly by
   bringing IMA/EVM into the LSM infrastructure as proper LSMs. This is
   something I've wanted to see happen for quite some time and Roberto
   was kind enough to put in the work to make it happen.

 - Use the LSM hook default values to simplify the call_int_hook() macro

   Previously the call_int_hook() macro required callers to supply a
   default return value, despite a default value being specified when
   the LSM hook was defined.

   This simplifies the macro by using the defined default return value
   which makes life easier for callers and should also reduce the number
   of return value bugs in the future (we've had a few pop up recently,
   hence this work).

 - Use the KMEM_CACHE() macro instead of kmem_cache_create()

   The guidance appears to be to use the KMEM_CACHE() macro when
   possible and there is no reason why we can't use the macro, so let's
   use it.

 - Fix a number of comment typos in the LSM hook comment blocks

   Not much to say here, we fixed some questionable grammar decisions in
   the LSM hook comment blocks.

* tag 'lsm-pr-20240312' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm: (28 commits)
  cred: Use KMEM_CACHE() instead of kmem_cache_create()
  lsm: use default hook return value in call_int_hook()
  lsm: fix typos in security/security.c comment headers
  integrity: Remove LSM
  ima: Make it independent from 'integrity' LSM
  evm: Make it independent from 'integrity' LSM
  evm: Move to LSM infrastructure
  ima: Move IMA-Appraisal to LSM infrastructure
  ima: Move to LSM infrastructure
  integrity: Move integrity_kernel_module_request() to IMA
  security: Introduce key_post_create_or_update hook
  security: Introduce inode_post_remove_acl hook
  security: Introduce inode_post_set_acl hook
  security: Introduce inode_post_create_tmpfile hook
  security: Introduce path_post_mknod hook
  security: Introduce file_release hook
  security: Introduce file_post_open hook
  security: Introduce inode_post_removexattr hook
  security: Introduce inode_post_setattr hook
  security: Align inode_setattr hook definition with EVM
  ...
2024-03-12 20:03:34 -07:00
Linus Torvalds
ca661c5e1d selinux/stable-6.9 PR 20240312
-----BEGIN PGP SIGNATURE-----
 
 iQJIBAABCAAyFiEES0KozwfymdVUl37v6iDy2pc3iXMFAmXwty8UHHBhdWxAcGF1
 bC1tb29yZS5jb20ACgkQ6iDy2pc3iXPRmg//YrjM6PrX46u18ta9T9n6cU/DnhWR
 +bB3bfovlUkaRBEqZzdc/ACv+fhPoXFlkiQo6vON/2ERQN6XdLYezPSA0Iu+tyDo
 Lm7zuMEhnP5XD37kBLC0H1ATKCl089t8LO8P5Nxwj6UHGQ4HjNNQFKtql5pReG+5
 sf881CSHqw+Z5KeM/9QGZTOHIUdEYa+XlV5b7QvCyY0lbn5CmeNctvp6Pu5S1Ubw
 g5OdF85vb3FHZKon+B/Zr/rwayeobaXkk65SP3soKlPGkWzbqPPY1t/8atwdNTLl
 xjvqB1zDo1bARdXDmTRjGhZ8sOhLSBqyKey+zkMw864hYliw8mFx/0oLl8DMQnlb
 kJgTScPPNmAvop1dNoN1IK/KlVCCKtIoVAIDD2s8PMRTKEBOo77B6ijjpcoVOys9
 vZexOb1AdbuIyXGrHvRwsgDXW/UsQUmMIxs6U9jmvhFtOuBLjtjdnjqm44Jq/utD
 wVCURVhT0CmV4eXFHn6oTqLs7nj3AV0VV+2ZuveDRH3VfeweFXugkpuVYUQ+8zYh
 96QIXQH2aiBttNMnYrX6jRhQZIGSMD089jghGIKEtB7Sr0CZ9S+w8X7RjXJsvSjD
 R3fh20K3tzZ2Jk+pg01yJj0dzau2royaRusrp2JRH6dfal+SP1QxOXX4tnC2/1Cw
 qgWK04dY+PEaNsI=
 =Vd4D
 -----END PGP SIGNATURE-----

Merge tag 'selinux-pr-20240312' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux

Pull selinux updates from Paul Moore:
 "Really only a few notable changes:

   - Continue the coding style/formatting fixup work

     This is the bulk of the diffstat in this pull request, with the
     focus this time around being the security/selinux/ss directory.

     We've only got a couple of files left to cleanup and once we're
     done with that we can start enabling some automatic style
     verfication and introduce tooling to help new folks format their
     code correctly.

   - Don't restrict xattr copy-up when SELinux policy is not loaded

     This helps systems that use overlayfs, or similar filesystems,
     preserve their SELinux labels during early boot when the SELinux
     policy has yet to be loaded.

   - Reduce the work we do during inode initialization time

     This isn't likely to show up in any benchmark results, but we
     removed an unnecessary SELinux object class lookup/calculation
     during inode initialization.

   - Correct the return values in selinux_socket_getpeersec_dgram()

     We had some inconsistencies with respect to our return values
     across selinux_socket_getpeersec_dgram() and
     selinux_socket_getpeersec_stream().

     This provides a more uniform set of error codes across the two
     functions and should help make it easier for users to identify
     the source of a failure"

* tag 'selinux-pr-20240312' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: (24 commits)
  selinux: fix style issues in security/selinux/ss/symtab.c
  selinux: fix style issues in security/selinux/ss/symtab.h
  selinux: fix style issues in security/selinux/ss/sidtab.c
  selinux: fix style issues in security/selinux/ss/sidtab.h
  selinux: fix style issues in security/selinux/ss/services.h
  selinux: fix style issues in security/selinux/ss/policydb.c
  selinux: fix style issues in security/selinux/ss/policydb.h
  selinux: fix style issues in security/selinux/ss/mls_types.h
  selinux: fix style issues in security/selinux/ss/mls.c
  selinux: fix style issues in security/selinux/ss/mls.h
  selinux: fix style issues in security/selinux/ss/hashtab.c
  selinux: fix style issues in security/selinux/ss/hashtab.h
  selinux: fix style issues in security/selinux/ss/ebitmap.c
  selinux: fix style issues in security/selinux/ss/ebitmap.h
  selinux: fix style issues in security/selinux/ss/context.h
  selinux: fix style issues in security/selinux/ss/context.h
  selinux: fix style issues in security/selinux/ss/constraint.h
  selinux: fix style issues in security/selinux/ss/conditional.c
  selinux: fix style issues in security/selinux/ss/conditional.h
  selinux: fix style issues in security/selinux/ss/avtab.c
  ...
2024-03-12 19:48:03 -07:00
Jakub Kicinski
65f5dd4f02 Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
Cross-merge networking fixes after downstream PR.

Conflicts:

net/mptcp/protocol.c
  adf1bb78da ("mptcp: fix snd_wnd initialization for passive socket")
  9426ce476a ("mptcp: annotate lockless access for RX path fields")
https://lore.kernel.org/all/20240228103048.19255709@canb.auug.org.au/

Adjacent changes:

drivers/dpll/dpll_core.c
  0d60d8df6f ("dpll: rely on rcu for netdev_dpll_pin()")
  e7f8df0e81 ("dpll: move xa_erase() call in to match dpll_pin_alloc() error path order")

drivers/net/veth.c
  1ce7d306ea ("veth: try harder when allocating queue memory")
  0bef512012 ("net: add netdev_lockdep_set_classes() to virtual drivers")

drivers/net/wireless/intel/iwlwifi/mvm/d3.c
  8c9bef26e9 ("wifi: iwlwifi: mvm: d3: implement suspend with MLO")
  78f65fbf42 ("wifi: iwlwifi: mvm: ensure offloading TID queue exists")

net/wireless/nl80211.c
  f78c137533 ("wifi: nl80211: reject iftype change with mesh ID change")
  414532d8aa ("wifi: cfg80211: use IEEE80211_MAX_MESH_ID_LEN appropriately")

Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2024-02-29 14:24:56 -08:00
Paul Moore
a1fc79343a selinux: fix style issues in security/selinux/ss/symtab.c
As part of on ongoing effort to perform more automated testing and
provide more tools for individual developers to validate their
patches before submitting, we are trying to make our code
"clang-format clean".  My hope is that once we have fixed all of our
style "quirks", developers will be able to run clang-format on their
patches to help avoid silly formatting problems and ensure their
changes fit in well with the rest of the SELinux kernel code.

Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-02-23 17:26:09 -05:00
Paul Moore
5fca473c13 selinux: fix style issues in security/selinux/ss/symtab.h
As part of on ongoing effort to perform more automated testing and
provide more tools for individual developers to validate their
patches before submitting, we are trying to make our code
"clang-format clean".  My hope is that once we have fixed all of our
style "quirks", developers will be able to run clang-format on their
patches to help avoid silly formatting problems and ensure their
changes fit in well with the rest of the SELinux kernel code.

Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-02-23 17:26:08 -05:00
Paul Moore
dc9a746798 selinux: fix style issues in security/selinux/ss/sidtab.c
As part of on ongoing effort to perform more automated testing and
provide more tools for individual developers to validate their
patches before submitting, we are trying to make our code
"clang-format clean".  My hope is that once we have fixed all of our
style "quirks", developers will be able to run clang-format on their
patches to help avoid silly formatting problems and ensure their
changes fit in well with the rest of the SELinux kernel code.

Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-02-23 17:26:08 -05:00
Paul Moore
72a1c577d1 selinux: fix style issues in security/selinux/ss/sidtab.h
As part of on ongoing effort to perform more automated testing and
provide more tools for individual developers to validate their
patches before submitting, we are trying to make our code
"clang-format clean".  My hope is that once we have fixed all of our
style "quirks", developers will be able to run clang-format on their
patches to help avoid silly formatting problems and ensure their
changes fit in well with the rest of the SELinux kernel code.

Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-02-23 17:26:07 -05:00
Paul Moore
317e02905a selinux: fix style issues in security/selinux/ss/services.h
As part of on ongoing effort to perform more automated testing and
provide more tools for individual developers to validate their
patches before submitting, we are trying to make our code
"clang-format clean".  My hope is that once we have fixed all of our
style "quirks", developers will be able to run clang-format on their
patches to help avoid silly formatting problems and ensure their
changes fit in well with the rest of the SELinux kernel code.

Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-02-23 17:26:07 -05:00
Paul Moore
ec12c6ee2a selinux: fix style issues in security/selinux/ss/policydb.c
As part of on ongoing effort to perform more automated testing and
provide more tools for individual developers to validate their
patches before submitting, we are trying to make our code
"clang-format clean".  My hope is that once we have fixed all of our
style "quirks", developers will be able to run clang-format on their
patches to help avoid silly formatting problems and ensure their
changes fit in well with the rest of the SELinux kernel code.

Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-02-23 17:26:07 -05:00
Paul Moore
a32582db36 selinux: fix style issues in security/selinux/ss/policydb.h
As part of on ongoing effort to perform more automated testing and
provide more tools for individual developers to validate their
patches before submitting, we are trying to make our code
"clang-format clean".  My hope is that once we have fixed all of our
style "quirks", developers will be able to run clang-format on their
patches to help avoid silly formatting problems and ensure their
changes fit in well with the rest of the SELinux kernel code.

Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-02-23 17:26:06 -05:00
Paul Moore
793f9add02 selinux: fix style issues in security/selinux/ss/mls_types.h
As part of on ongoing effort to perform more automated testing and
provide more tools for individual developers to validate their
patches before submitting, we are trying to make our code
"clang-format clean".  My hope is that once we have fixed all of our
style "quirks", developers will be able to run clang-format on their
patches to help avoid silly formatting problems and ensure their
changes fit in well with the rest of the SELinux kernel code.

Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-02-23 17:26:06 -05:00
Paul Moore
4afec3607b selinux: fix style issues in security/selinux/ss/mls.c
As part of on ongoing effort to perform more automated testing and
provide more tools for individual developers to validate their
patches before submitting, we are trying to make our code
"clang-format clean".  My hope is that once we have fixed all of our
style "quirks", developers will be able to run clang-format on their
patches to help avoid silly formatting problems and ensure their
changes fit in well with the rest of the SELinux kernel code.

Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-02-23 17:26:05 -05:00
Paul Moore
470948bc2d selinux: fix style issues in security/selinux/ss/mls.h
As part of on ongoing effort to perform more automated testing and
provide more tools for individual developers to validate their
patches before submitting, we are trying to make our code
"clang-format clean".  My hope is that once we have fixed all of our
style "quirks", developers will be able to run clang-format on their
patches to help avoid silly formatting problems and ensure their
changes fit in well with the rest of the SELinux kernel code.

Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-02-23 17:26:05 -05:00
Paul Moore
dfd9bb40a4 selinux: fix style issues in security/selinux/ss/hashtab.c
As part of on ongoing effort to perform more automated testing and
provide more tools for individual developers to validate their
patches before submitting, we are trying to make our code
"clang-format clean".  My hope is that once we have fixed all of our
style "quirks", developers will be able to run clang-format on their
patches to help avoid silly formatting problems and ensure their
changes fit in well with the rest of the SELinux kernel code.

Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-02-23 17:26:05 -05:00
Paul Moore
a84f5aa628 selinux: fix style issues in security/selinux/ss/hashtab.h
As part of on ongoing effort to perform more automated testing and
provide more tools for individual developers to validate their
patches before submitting, we are trying to make our code
"clang-format clean".  My hope is that once we have fixed all of our
style "quirks", developers will be able to run clang-format on their
patches to help avoid silly formatting problems and ensure their
changes fit in well with the rest of the SELinux kernel code.

Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-02-23 17:26:04 -05:00
Paul Moore
e951485f74 selinux: fix style issues in security/selinux/ss/ebitmap.c
As part of on ongoing effort to perform more automated testing and
provide more tools for individual developers to validate their
patches before submitting, we are trying to make our code
"clang-format clean".  My hope is that once we have fixed all of our
style "quirks", developers will be able to run clang-format on their
patches to help avoid silly formatting problems and ensure their
changes fit in well with the rest of the SELinux kernel code.

Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-02-23 17:26:04 -05:00
Paul Moore
3ec3a835ac selinux: fix style issues in security/selinux/ss/ebitmap.h
As part of on ongoing effort to perform more automated testing and
provide more tools for individual developers to validate their
patches before submitting, we are trying to make our code
"clang-format clean".  My hope is that once we have fixed all of our
style "quirks", developers will be able to run clang-format on their
patches to help avoid silly formatting problems and ensure their
changes fit in well with the rest of the SELinux kernel code.

Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-02-23 17:26:03 -05:00
Paul Moore
05363a7f7d selinux: fix style issues in security/selinux/ss/context.h
As part of on ongoing effort to perform more automated testing and
provide more tools for individual developers to validate their
patches before submitting, we are trying to make our code
"clang-format clean".  My hope is that once we have fixed all of our
style "quirks", developers will be able to run clang-format on their
patches to help avoid silly formatting problems and ensure their
changes fit in well with the rest of the SELinux kernel code.

Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-02-23 17:26:03 -05:00
Paul Moore
b27e564c09 selinux: fix style issues in security/selinux/ss/context.h
As part of on ongoing effort to perform more automated testing and
provide more tools for individual developers to validate their
patches before submitting, we are trying to make our code
"clang-format clean".  My hope is that once we have fixed all of our
style "quirks", developers will be able to run clang-format on their
patches to help avoid silly formatting problems and ensure their
changes fit in well with the rest of the SELinux kernel code.

Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-02-23 17:26:02 -05:00
Paul Moore
e6162e4c3f selinux: fix style issues in security/selinux/ss/constraint.h
As part of on ongoing effort to perform more automated testing and
provide more tools for individual developers to validate their
patches before submitting, we are trying to make our code
"clang-format clean".  My hope is that once we have fixed all of our
style "quirks", developers will be able to run clang-format on their
patches to help avoid silly formatting problems and ensure their
changes fit in well with the rest of the SELinux kernel code.

Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-02-23 17:26:02 -05:00
Paul Moore
ade6a96f12 selinux: fix style issues in security/selinux/ss/conditional.c
As part of on ongoing effort to perform more automated testing and
provide more tools for individual developers to validate their
patches before submitting, we are trying to make our code
"clang-format clean".  My hope is that once we have fixed all of our
style "quirks", developers will be able to run clang-format on their
patches to help avoid silly formatting problems and ensure their
changes fit in well with the rest of the SELinux kernel code.

Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-02-23 17:26:02 -05:00
Paul Moore
1602a6c2ec selinux: fix style issues in security/selinux/ss/conditional.h
As part of on ongoing effort to perform more automated testing and
provide more tools for individual developers to validate their
patches before submitting, we are trying to make our code
"clang-format clean".  My hope is that once we have fixed all of our
style "quirks", developers will be able to run clang-format on their
patches to help avoid silly formatting problems and ensure their
changes fit in well with the rest of the SELinux kernel code.

Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-02-23 17:26:01 -05:00
Paul Moore
00ddc59112 selinux: fix style issues in security/selinux/ss/avtab.c
As part of on ongoing effort to perform more automated testing and
provide more tools for individual developers to validate their
patches before submitting, we are trying to make our code
"clang-format clean".  My hope is that once we have fixed all of our
style "quirks", developers will be able to run clang-format on their
patches to help avoid silly formatting problems and ensure their
changes fit in well with the rest of the SELinux kernel code.

Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-02-23 17:26:01 -05:00
Paul Moore
954a8ac0ce selinux: fix style issues in security/selinux/ss/avtab.h
As part of on ongoing effort to perform more automated testing and
provide more tools for individual developers to validate their
patches before submitting, we are trying to make our code
"clang-format clean".  My hope is that once we have fixed all of our
style "quirks", developers will be able to run clang-format on their
patches to help avoid silly formatting problems and ensure their
changes fit in well with the rest of the SELinux kernel code.

Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-02-23 17:26:00 -05:00
Mickaël Salaün
86dc969314 selinux: fix lsm_get_self_attr()
selinux_getselfattr() doesn't properly initialize the string pointer
it passes to selinux_lsm_getattr() which can cause a problem when an
attribute hasn't been explicitly set; selinux_lsm_getattr() returns
0/success, but does not set or initialize the string label/attribute.
Failure to properly initialize the string causes problems later in
selinux_getselfattr() when the function attempts to kfree() the
string.

Cc: Casey Schaufler <casey@schaufler-ca.com>
Fixes: 762c934317 ("SELinux: Add selfattr hooks")
Suggested-by: Paul Moore <paul@paul-moore.com>
[PM: description changes as discussed in the thread]
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-02-23 17:16:33 -05:00
Roberto Sassu
314a8dc728 security: Align inode_setattr hook definition with EVM
Add the idmap parameter to the definition, so that evm_inode_setattr() can
be registered as this hook implementation.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-02-15 23:43:41 -05:00
David Disseldorp
7c655bee5c selinux: only filter copy-up xattrs following initialization
Extended attribute copy-up functionality added via 19472b69d6
("selinux: Implementation for inode_copy_up_xattr() hook") sees
"security.selinux" contexts dropped, instead relying on contexts
applied via the inode_copy_up() hook.

When copy-up takes place during early boot, prior to selinux
initialization / policy load, the context stripping can be unwanted
and unexpected.

With this change, filtering of "security.selinux" xattrs will only occur
after selinux initialization.

Signed-off-by: David Disseldorp <ddiss@suse.de>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-02-02 13:53:08 -05:00
Paul Moore
bfda63fa22 selinux: correct return values in selinux_socket_getpeersec_dgram()
Instead of returning -EINVAL if any type of error occurs, limit
-EINVAL to only those errors caused by passing a bad/invalid socket
or packet/skb.  In other cases where everything is correct but there
isn't a valid peer label we return -ENOPROTOOPT.

This helps make selinux_socket_getpeersec_dgram() more consistent
with selinux_socket_getpeersec_stream().

Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-02-02 13:46:39 -05:00
Paul Moore
90593caf7d selinux: reduce the object class calculations at inode init time
We only need to call inode_mode_to_security_class() once in
selinux_inode_init_security().

Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-01-25 10:52:21 -05:00
Andrii Nakryiko
0054493e51 bpf,selinux: Allocate bpf_security_struct per BPF token
Utilize newly added bpf_token_create/bpf_token_free LSM hooks to
allocate struct bpf_security_struct for each BPF token object in
SELinux. This just follows similar pattern for BPF prog and map.

Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/20240124022127.2379740-18-andrii@kernel.org
2024-01-24 16:21:02 -08:00
Andrii Nakryiko
a2431c7eab bpf,lsm: Refactor bpf_map_alloc/bpf_map_free LSM hooks
Similarly to bpf_prog_alloc LSM hook, rename and extend bpf_map_alloc
hook into bpf_map_create, taking not just struct bpf_map, but also
bpf_attr and bpf_token, to give a fuller context to LSMs.

Unlike bpf_prog_alloc, there is no need to move the hook around, as it
currently is firing right before allocating BPF map ID and FD, which
seems to be a sweet spot.

But like bpf_prog_alloc/bpf_prog_free combo, make sure that bpf_map_free
LSM hook is called even if bpf_map_create hook returned error, as if few
LSMs are combined together it could be that one LSM successfully
allocated security blob for its needs, while subsequent LSM rejected BPF
map creation. The former LSM would still need to free up LSM blob, so we
need to ensure security_bpf_map_free() is called regardless of the
outcome.

Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Paul Moore <paul@paul-moore.com>
Link: https://lore.kernel.org/bpf/20240124022127.2379740-11-andrii@kernel.org
2024-01-24 16:21:01 -08:00