• Roberto Sassu's avatar
    security: Allow all LSMs to provide xattrs for inode_init_security hook · 6bcdfd2c
    Roberto Sassu authored
    Currently, the LSM infrastructure supports only one LSM providing an xattr
    and EVM calculating the HMAC on that xattr, plus other inode metadata.
    
    Allow all LSMs to provide one or multiple xattrs, by extending the security
    blob reservation mechanism. Introduce the new lbs_xattr_count field of the
    lsm_blob_sizes structure, so that each LSM can specify how many xattrs it
    needs, and the LSM infrastructure knows how many xattr slots it should
    allocate.
    
    Modify the inode_init_security hook definition, by passing the full
    xattr array allocated in security_inode_init_security(), and the current
    number of xattr slots in that array filled by LSMs. The first parameter
    would allow EVM to access and calculate the HMAC on xattrs supplied by
    other LSMs, the second to not leave gaps in the xattr array, when an LSM
    requested but did not provide xattrs (e.g. if it is not initialized).
    
    Introduce lsm_get_xattr_slot(), which LSMs can call as many times as the
    number specified in the lbs_xattr_count field of the lsm_blob_sizes
    structure. During each call, lsm_get_xattr_slot() increments the number of
    filled xattrs, so that at the next invocation it returns the next xattr
    slot to fill.
    
    Cleanup security_inode_init_security(). Unify the !initxattrs and
    initxattrs case by simply not allocating the new_xattrs array in the
    former. Update the documentation to reflect the changes, and fix the
    description of the xattr name, as it is not allocated anymore.
    
    Adapt both SELinux and Smack to use the new definition of the
    inode_init_security hook, and to call lsm_get_xattr_slot() to obtain and
    fill the reserved slots in the xattr array.
    
    Move the xattr->name assignment after the xattr->value one, so that it is
    done only in case of successful memory allocation.
    
    Finally, change the default return value of the inode_init_security hook
    from zero to -EOPNOTSUPP, so that BPF LSM correctly follows the hook
    conventions.
    Reported-by: default avatarNicolas Bouchinet <nicolas.bouchinet@clip-os.org>
    Link: https://lore.kernel.org/linux-integrity/Y1FTSIo+1x+4X0LS@archlinux/Signed-off-by: default avatarRoberto Sassu <roberto.sassu@huawei.com>
    Acked-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
    [PM: minor comment and variable tweaks, approved by RS]
    Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
    6bcdfd2c
security.c 151 KB