2015-05-02 22:10:46 +00:00
|
|
|
/*
|
|
|
|
|
* Linux Security Module interfaces
|
|
|
|
|
*
|
|
|
|
|
* Copyright (C) 2001 WireX Communications, Inc <chris@wirex.com>
|
|
|
|
|
* Copyright (C) 2001 Greg Kroah-Hartman <greg@kroah.com>
|
|
|
|
|
* Copyright (C) 2001 Networks Associates Technology, Inc <ssmalley@nai.com>
|
|
|
|
|
* Copyright (C) 2001 James Morris <jmorris@intercode.com.au>
|
|
|
|
|
* Copyright (C) 2001 Silicon Graphics, Inc. (Trust Technology Group)
|
|
|
|
|
* Copyright (C) 2015 Intel Corporation.
|
|
|
|
|
* Copyright (C) 2015 Casey Schaufler <casey@schaufler-ca.com>
|
IB/core: Enforce PKey security on QPs
Add new LSM hooks to allocate and free security contexts and check for
permission to access a PKey.
Allocate and free a security context when creating and destroying a QP.
This context is used for controlling access to PKeys.
When a request is made to modify a QP that changes the port, PKey index,
or alternate path, check that the QP has permission for the PKey in the
PKey table index on the subnet prefix of the port. If the QP is shared
make sure all handles to the QP also have access.
Store which port and PKey index a QP is using. After the reset to init
transition the user can modify the port, PKey index and alternate path
independently. So port and PKey settings changes can be a merge of the
previous settings and the new ones.
In order to maintain access control if there are PKey table or subnet
prefix change keep a list of all QPs are using each PKey index on
each port. If a change occurs all QPs using that device and port must
have access enforced for the new cache settings.
These changes add a transaction to the QP modify process. Association
with the old port and PKey index must be maintained if the modify fails,
and must be removed if it succeeds. Association with the new port and
PKey index must be established prior to the modify and removed if the
modify fails.
1. When a QP is modified to a particular Port, PKey index or alternate
path insert that QP into the appropriate lists.
2. Check permission to access the new settings.
3. If step 2 grants access attempt to modify the QP.
4a. If steps 2 and 3 succeed remove any prior associations.
4b. If ether fails remove the new setting associations.
If a PKey table or subnet prefix changes walk the list of QPs and
check that they have permission. If not send the QP to the error state
and raise a fatal error event. If it's a shared QP make sure all the
QPs that share the real_qp have permission as well. If the QP that
owns a security structure is denied access the security structure is
marked as such and the QP is added to an error_list. Once the moving
the QP to error is complete the security structure mark is cleared.
Maintaining the lists correctly turns QP destroy into a transaction.
The hardware driver for the device frees the ib_qp structure, so while
the destroy is in progress the ib_qp pointer in the ib_qp_security
struct is undefined. When the destroy process begins the ib_qp_security
structure is marked as destroying. This prevents any action from being
taken on the QP pointer. After the QP is destroyed successfully it
could still listed on an error_list wait for it to be processed by that
flow before cleaning up the structure.
If the destroy fails the QPs port and PKey settings are reinserted into
the appropriate lists, the destroying flag is cleared, and access control
is enforced, in case there were any cache changes during the destroy
flow.
To keep the security changes isolated a new file is used to hold security
related functionality.
Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
Acked-by: Doug Ledford <dledford@redhat.com>
[PM: merge fixup in ib_verbs.h and uverbs_cmd.c]
Signed-off-by: Paul Moore <paul@paul-moore.com>
2017-05-19 12:48:52 +00:00
|
|
|
* Copyright (C) 2016 Mellanox Techonologies
|
2015-05-02 22:10:46 +00:00
|
|
|
*
|
|
|
|
|
* This program is free software; you can redistribute it and/or modify
|
|
|
|
|
* it under the terms of the GNU General Public License as published by
|
|
|
|
|
* the Free Software Foundation; either version 2 of the License, or
|
|
|
|
|
* (at your option) any later version.
|
|
|
|
|
*
|
|
|
|
|
* Due to this file being licensed under the GPL there is controversy over
|
|
|
|
|
* whether this permits you to write a module that #includes this file
|
|
|
|
|
* without placing your module under the GPL. Please consult a lawyer for
|
|
|
|
|
* advice before doing this.
|
|
|
|
|
*
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#ifndef __LINUX_LSM_HOOKS_H
|
|
|
|
|
#define __LINUX_LSM_HOOKS_H
|
|
|
|
|
|
|
|
|
|
#include <linux/security.h>
|
2015-05-02 22:11:42 +00:00
|
|
|
#include <linux/init.h>
|
|
|
|
|
#include <linux/rculist.h>
|
security: Allow all LSMs to provide xattrs for inode_init_security hook
Currently, the LSM infrastructure supports only one LSM providing an xattr
and EVM calculating the HMAC on that xattr, plus other inode metadata.
Allow all LSMs to provide one or multiple xattrs, by extending the security
blob reservation mechanism. Introduce the new lbs_xattr_count field of the
lsm_blob_sizes structure, so that each LSM can specify how many xattrs it
needs, and the LSM infrastructure knows how many xattr slots it should
allocate.
Modify the inode_init_security hook definition, by passing the full
xattr array allocated in security_inode_init_security(), and the current
number of xattr slots in that array filled by LSMs. The first parameter
would allow EVM to access and calculate the HMAC on xattrs supplied by
other LSMs, the second to not leave gaps in the xattr array, when an LSM
requested but did not provide xattrs (e.g. if it is not initialized).
Introduce lsm_get_xattr_slot(), which LSMs can call as many times as the
number specified in the lbs_xattr_count field of the lsm_blob_sizes
structure. During each call, lsm_get_xattr_slot() increments the number of
filled xattrs, so that at the next invocation it returns the next xattr
slot to fill.
Cleanup security_inode_init_security(). Unify the !initxattrs and
initxattrs case by simply not allocating the new_xattrs array in the
former. Update the documentation to reflect the changes, and fix the
description of the xattr name, as it is not allocated anymore.
Adapt both SELinux and Smack to use the new definition of the
inode_init_security hook, and to call lsm_get_xattr_slot() to obtain and
fill the reserved slots in the xattr array.
Move the xattr->name assignment after the xattr->value one, so that it is
done only in case of successful memory allocation.
Finally, change the default return value of the inode_init_security hook
from zero to -EOPNOTSUPP, so that BPF LSM correctly follows the hook
conventions.
Reported-by: Nicolas Bouchinet <nicolas.bouchinet@clip-os.org>
Link: https://lore.kernel.org/linux-integrity/Y1FTSIo+1x+4X0LS@archlinux/
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
[PM: minor comment and variable tweaks, approved by RS]
Signed-off-by: Paul Moore <paul@paul-moore.com>
2023-06-10 07:57:35 +00:00
|
|
|
#include <linux/xattr.h>
|
2015-05-02 22:10:46 +00:00
|
|
|
|
2015-05-02 22:11:42 +00:00
|
|
|
union security_list_options {
|
2020-03-29 00:43:50 +00:00
|
|
|
#define LSM_HOOK(RET, DEFAULT, NAME, ...) RET (*NAME)(__VA_ARGS__);
|
|
|
|
|
#include "lsm_hook_defs.h"
|
|
|
|
|
#undef LSM_HOOK
|
2015-05-02 22:10:46 +00:00
|
|
|
};
|
|
|
|
|
|
2015-05-02 22:11:36 +00:00
|
|
|
struct security_hook_heads {
|
2020-03-29 00:43:50 +00:00
|
|
|
#define LSM_HOOK(RET, DEFAULT, NAME, ...) struct hlist_head NAME;
|
|
|
|
|
#include "lsm_hook_defs.h"
|
|
|
|
|
#undef LSM_HOOK
|
2016-10-28 08:22:25 +00:00
|
|
|
} __randomize_layout;
|
2015-05-02 22:11:36 +00:00
|
|
|
|
2015-05-02 22:11:42 +00:00
|
|
|
/*
|
|
|
|
|
* Security module hook list structure.
|
|
|
|
|
* For use with generic list macros for common operations.
|
|
|
|
|
*/
|
|
|
|
|
struct security_hook_list {
|
2018-03-29 01:28:23 +00:00
|
|
|
struct hlist_node list;
|
|
|
|
|
struct hlist_head *head;
|
2015-05-02 22:11:42 +00:00
|
|
|
union security_list_options hook;
|
2022-02-17 14:18:57 +00:00
|
|
|
const char *lsm;
|
2016-10-28 08:22:25 +00:00
|
|
|
} __randomize_layout;
|
2015-05-02 22:11:42 +00:00
|
|
|
|
2018-11-12 17:30:56 +00:00
|
|
|
/*
|
|
|
|
|
* Security blob size or offset data.
|
|
|
|
|
*/
|
|
|
|
|
struct lsm_blob_sizes {
|
|
|
|
|
int lbs_cred;
|
2018-11-12 20:02:49 +00:00
|
|
|
int lbs_file;
|
2018-09-22 00:19:29 +00:00
|
|
|
int lbs_inode;
|
2021-04-22 15:41:15 +00:00
|
|
|
int lbs_superblock;
|
2018-11-20 19:55:02 +00:00
|
|
|
int lbs_ipc;
|
|
|
|
|
int lbs_msg_msg;
|
2018-09-22 00:19:37 +00:00
|
|
|
int lbs_task;
|
security: Allow all LSMs to provide xattrs for inode_init_security hook
Currently, the LSM infrastructure supports only one LSM providing an xattr
and EVM calculating the HMAC on that xattr, plus other inode metadata.
Allow all LSMs to provide one or multiple xattrs, by extending the security
blob reservation mechanism. Introduce the new lbs_xattr_count field of the
lsm_blob_sizes structure, so that each LSM can specify how many xattrs it
needs, and the LSM infrastructure knows how many xattr slots it should
allocate.
Modify the inode_init_security hook definition, by passing the full
xattr array allocated in security_inode_init_security(), and the current
number of xattr slots in that array filled by LSMs. The first parameter
would allow EVM to access and calculate the HMAC on xattrs supplied by
other LSMs, the second to not leave gaps in the xattr array, when an LSM
requested but did not provide xattrs (e.g. if it is not initialized).
Introduce lsm_get_xattr_slot(), which LSMs can call as many times as the
number specified in the lbs_xattr_count field of the lsm_blob_sizes
structure. During each call, lsm_get_xattr_slot() increments the number of
filled xattrs, so that at the next invocation it returns the next xattr
slot to fill.
Cleanup security_inode_init_security(). Unify the !initxattrs and
initxattrs case by simply not allocating the new_xattrs array in the
former. Update the documentation to reflect the changes, and fix the
description of the xattr name, as it is not allocated anymore.
Adapt both SELinux and Smack to use the new definition of the
inode_init_security hook, and to call lsm_get_xattr_slot() to obtain and
fill the reserved slots in the xattr array.
Move the xattr->name assignment after the xattr->value one, so that it is
done only in case of successful memory allocation.
Finally, change the default return value of the inode_init_security hook
from zero to -EOPNOTSUPP, so that BPF LSM correctly follows the hook
conventions.
Reported-by: Nicolas Bouchinet <nicolas.bouchinet@clip-os.org>
Link: https://lore.kernel.org/linux-integrity/Y1FTSIo+1x+4X0LS@archlinux/
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
[PM: minor comment and variable tweaks, approved by RS]
Signed-off-by: Paul Moore <paul@paul-moore.com>
2023-06-10 07:57:35 +00:00
|
|
|
int lbs_xattr_count; /* number of xattr slots in new_xattrs array */
|
2018-11-12 17:30:56 +00:00
|
|
|
};
|
|
|
|
|
|
security: Allow all LSMs to provide xattrs for inode_init_security hook
Currently, the LSM infrastructure supports only one LSM providing an xattr
and EVM calculating the HMAC on that xattr, plus other inode metadata.
Allow all LSMs to provide one or multiple xattrs, by extending the security
blob reservation mechanism. Introduce the new lbs_xattr_count field of the
lsm_blob_sizes structure, so that each LSM can specify how many xattrs it
needs, and the LSM infrastructure knows how many xattr slots it should
allocate.
Modify the inode_init_security hook definition, by passing the full
xattr array allocated in security_inode_init_security(), and the current
number of xattr slots in that array filled by LSMs. The first parameter
would allow EVM to access and calculate the HMAC on xattrs supplied by
other LSMs, the second to not leave gaps in the xattr array, when an LSM
requested but did not provide xattrs (e.g. if it is not initialized).
Introduce lsm_get_xattr_slot(), which LSMs can call as many times as the
number specified in the lbs_xattr_count field of the lsm_blob_sizes
structure. During each call, lsm_get_xattr_slot() increments the number of
filled xattrs, so that at the next invocation it returns the next xattr
slot to fill.
Cleanup security_inode_init_security(). Unify the !initxattrs and
initxattrs case by simply not allocating the new_xattrs array in the
former. Update the documentation to reflect the changes, and fix the
description of the xattr name, as it is not allocated anymore.
Adapt both SELinux and Smack to use the new definition of the
inode_init_security hook, and to call lsm_get_xattr_slot() to obtain and
fill the reserved slots in the xattr array.
Move the xattr->name assignment after the xattr->value one, so that it is
done only in case of successful memory allocation.
Finally, change the default return value of the inode_init_security hook
from zero to -EOPNOTSUPP, so that BPF LSM correctly follows the hook
conventions.
Reported-by: Nicolas Bouchinet <nicolas.bouchinet@clip-os.org>
Link: https://lore.kernel.org/linux-integrity/Y1FTSIo+1x+4X0LS@archlinux/
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
[PM: minor comment and variable tweaks, approved by RS]
Signed-off-by: Paul Moore <paul@paul-moore.com>
2023-06-10 07:57:35 +00:00
|
|
|
/**
|
|
|
|
|
* lsm_get_xattr_slot - Return the next available slot and increment the index
|
|
|
|
|
* @xattrs: array storing LSM-provided xattrs
|
|
|
|
|
* @xattr_count: number of already stored xattrs (updated)
|
|
|
|
|
*
|
|
|
|
|
* Retrieve the first available slot in the @xattrs array to fill with an xattr,
|
|
|
|
|
* and increment @xattr_count.
|
|
|
|
|
*
|
|
|
|
|
* Return: The slot to fill in @xattrs if non-NULL, NULL otherwise.
|
|
|
|
|
*/
|
|
|
|
|
static inline struct xattr *lsm_get_xattr_slot(struct xattr *xattrs,
|
|
|
|
|
int *xattr_count)
|
|
|
|
|
{
|
|
|
|
|
if (unlikely(!xattrs))
|
|
|
|
|
return NULL;
|
|
|
|
|
return &xattrs[(*xattr_count)++];
|
|
|
|
|
}
|
|
|
|
|
|
2020-03-29 00:43:50 +00:00
|
|
|
/*
|
|
|
|
|
* LSM_RET_VOID is used as the default value in LSM_HOOK definitions for void
|
|
|
|
|
* LSM hooks (in include/linux/lsm_hook_defs.h).
|
|
|
|
|
*/
|
|
|
|
|
#define LSM_RET_VOID ((void) 0)
|
|
|
|
|
|
2015-05-02 22:11:36 +00:00
|
|
|
/*
|
|
|
|
|
* Initializing a security_hook_list structure takes
|
|
|
|
|
* up a lot of space in a source file. This macro takes
|
|
|
|
|
* care of the common case and reduces the amount of
|
|
|
|
|
* text involved.
|
|
|
|
|
*/
|
2015-05-02 22:11:42 +00:00
|
|
|
#define LSM_HOOK_INIT(HEAD, HOOK) \
|
|
|
|
|
{ .head = &security_hook_heads.HEAD, .hook = { .HEAD = HOOK } }
|
|
|
|
|
|
|
|
|
|
extern struct security_hook_heads security_hook_heads;
|
2017-01-19 01:09:05 +00:00
|
|
|
extern char *lsm_names;
|
2015-05-02 22:11:42 +00:00
|
|
|
|
2017-01-19 01:09:05 +00:00
|
|
|
extern void security_add_hooks(struct security_hook_list *hooks, int count,
|
2022-02-17 14:18:57 +00:00
|
|
|
const char *lsm);
|
2015-05-02 22:10:46 +00:00
|
|
|
|
2018-09-19 23:13:25 +00:00
|
|
|
#define LSM_FLAG_LEGACY_MAJOR BIT(0)
|
2018-09-20 02:57:06 +00:00
|
|
|
#define LSM_FLAG_EXCLUSIVE BIT(1)
|
2018-09-19 23:13:25 +00:00
|
|
|
|
2018-09-20 00:48:21 +00:00
|
|
|
enum lsm_order {
|
|
|
|
|
LSM_ORDER_FIRST = -1, /* This is only for capabilities. */
|
|
|
|
|
LSM_ORDER_MUTABLE = 0,
|
security: Introduce LSM_ORDER_LAST and set it for the integrity LSM
Introduce LSM_ORDER_LAST, to satisfy the requirement of LSMs needing to be
last, e.g. the 'integrity' LSM, without changing the kernel command line or
configuration.
Also, set this order for the 'integrity' LSM. While not enforced, this is
the only LSM expected to use it.
Similarly to LSM_ORDER_FIRST, LSMs with LSM_ORDER_LAST are always enabled
and put at the end of the LSM list, if selected in the kernel
configuration. Setting one of these orders alone, does not cause the LSMs
to be selected and compiled built-in in the kernel.
Finally, for LSM_ORDER_MUTABLE LSMs, set the found variable to true if an
LSM is found, regardless of its order. In this way, the kernel would not
wrongly report that the LSM is not built-in in the kernel if its order is
LSM_ORDER_LAST.
Fixes: 79f7865d844c ("LSM: Introduce "lsm=" for boottime LSM selection")
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Acked-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2023-03-10 08:53:59 +00:00
|
|
|
LSM_ORDER_LAST = 1, /* This is only for integrity. */
|
2018-09-20 00:48:21 +00:00
|
|
|
};
|
|
|
|
|
|
2018-10-11 00:18:21 +00:00
|
|
|
struct lsm_info {
|
2018-10-11 00:18:24 +00:00
|
|
|
const char *name; /* Required. */
|
2018-09-20 00:48:21 +00:00
|
|
|
enum lsm_order order; /* Optional: default is LSM_ORDER_MUTABLE */
|
2018-09-19 23:13:25 +00:00
|
|
|
unsigned long flags; /* Optional: flags describing LSM */
|
2018-10-09 21:42:57 +00:00
|
|
|
int *enabled; /* Optional: controlled by CONFIG_LSM */
|
2018-10-11 00:18:21 +00:00
|
|
|
int (*init)(void); /* Required. */
|
2018-11-12 17:30:56 +00:00
|
|
|
struct lsm_blob_sizes *blobs; /* Optional: for blob sharing. */
|
2018-10-11 00:18:21 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
extern struct lsm_info __start_lsm_info[], __end_lsm_info[];
|
2019-08-20 00:17:37 +00:00
|
|
|
extern struct lsm_info __start_early_lsm_info[], __end_early_lsm_info[];
|
2018-10-11 00:18:21 +00:00
|
|
|
|
2018-10-11 00:18:23 +00:00
|
|
|
#define DEFINE_LSM(lsm) \
|
2018-10-11 00:18:21 +00:00
|
|
|
static struct lsm_info __lsm_##lsm \
|
2020-10-22 02:36:07 +00:00
|
|
|
__used __section(".lsm_info.init") \
|
2018-10-11 00:18:23 +00:00
|
|
|
__aligned(sizeof(unsigned long))
|
2018-10-11 00:18:21 +00:00
|
|
|
|
2019-08-20 00:17:37 +00:00
|
|
|
#define DEFINE_EARLY_LSM(lsm) \
|
|
|
|
|
static struct lsm_info __early_lsm_##lsm \
|
2020-10-22 02:36:07 +00:00
|
|
|
__used __section(".early_lsm_info.init") \
|
2019-08-20 00:17:37 +00:00
|
|
|
__aligned(sizeof(unsigned long))
|
|
|
|
|
|
2018-09-22 00:19:29 +00:00
|
|
|
extern int lsm_inode_alloc(struct inode *inode);
|
|
|
|
|
|
2015-05-02 22:10:46 +00:00
|
|
|
#endif /* ! __LINUX_LSM_HOOKS_H */
|