1. 21 Jul, 2023 1 commit
  2. 10 Jul, 2023 5 commits
    • Roberto Sassu's avatar
      evm: Support multiple LSMs providing an xattr · c31288e5
      Roberto Sassu authored
      Currently, evm_inode_init_security() processes a single LSM xattr from the
      array passed by security_inode_init_security(), and calculates the HMAC on
      it and other inode metadata.
      
      As the LSM infrastructure now can pass to EVM an array with multiple
      xattrs, scan them until the terminator (xattr name NULL), and calculate the
      HMAC on all of them.
      
      Also, double check that the xattrs array terminator is the first non-filled
      slot (obtained with lsm_get_xattr_slot()). Consumers of the xattrs array,
      such as the initxattrs() callbacks, rely on the terminator.
      
      Finally, change the name of the lsm_xattr parameter of evm_init_hmac() to
      xattrs, to reflect the new type of information passed.
      Signed-off-by: default avatarRoberto Sassu <roberto.sassu@huawei.com>
      Reviewed-by: default avatarMimi Zohar <zohar@linux.ibm.com>
      Acked-by: default avatarMimi Zohar <zohar@linux.ibm.com>
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      c31288e5
    • Roberto Sassu's avatar
      evm: Align evm_inode_init_security() definition with LSM infrastructure · 6db7d1de
      Roberto Sassu authored
      Change the evm_inode_init_security() definition to align with the LSM
      infrastructure. Keep the existing behavior of including in the HMAC
      calculation only the first xattr provided by LSMs.
      
      Changing the evm_inode_init_security() definition requires passing the
      xattr array allocated by security_inode_init_security(), and the number of
      xattrs filled by previously invoked LSMs.
      
      Use the newly introduced lsm_get_xattr_slot() to position EVM correctly in
      the xattrs array, like a regular LSM, and to increment the number of filled
      slots. For now, the LSM infrastructure allocates enough xattrs slots to
      store the EVM xattr, without using the reservation mechanism.
      Signed-off-by: default avatarRoberto Sassu <roberto.sassu@huawei.com>
      Reviewed-by: default avatarMimi Zohar <zohar@linux.ibm.com>
      Acked-by: default avatarMimi Zohar <zohar@linux.ibm.com>
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      6db7d1de
    • Roberto Sassu's avatar
      smack: Set the SMACK64TRANSMUTE xattr in smack_inode_init_security() · baed456a
      Roberto Sassu authored
      With the newly added ability of LSMs to supply multiple xattrs, set
      SMACK64TRASMUTE in smack_inode_init_security(), instead of d_instantiate().
      Do it by incrementing SMACK_INODE_INIT_XATTRS to 2 and by calling
      lsm_get_xattr_slot() a second time, if the transmuting conditions are met.
      
      The LSM infrastructure passes all xattrs provided by LSMs to the
      filesystems through the initxattrs() callback, so that filesystems can
      store xattrs in the disk.
      
      After the change, the SMK_INODE_TRANSMUTE inode flag is always set by
      d_instantiate() after fetching SMACK64TRANSMUTE from the disk. Before it
      was done by smack_inode_post_setxattr() as result of the __vfs_setxattr()
      call.
      
      Removing __vfs_setxattr() also prevents invalidating the EVM HMAC, by
      adding a new xattr without checking and updating the existing HMAC.
      Signed-off-by: default avatarRoberto Sassu <roberto.sassu@huawei.com>
      Reviewed-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      baed456a
    • Roberto Sassu's avatar
      security: Allow all LSMs to provide xattrs for inode_init_security hook · 6bcdfd2c
      Roberto Sassu authored
      Currently, the LSM infrastructure supports only one LSM providing an xattr
      and EVM calculating the HMAC on that xattr, plus other inode metadata.
      
      Allow all LSMs to provide one or multiple xattrs, by extending the security
      blob reservation mechanism. Introduce the new lbs_xattr_count field of the
      lsm_blob_sizes structure, so that each LSM can specify how many xattrs it
      needs, and the LSM infrastructure knows how many xattr slots it should
      allocate.
      
      Modify the inode_init_security hook definition, by passing the full
      xattr array allocated in security_inode_init_security(), and the current
      number of xattr slots in that array filled by LSMs. The first parameter
      would allow EVM to access and calculate the HMAC on xattrs supplied by
      other LSMs, the second to not leave gaps in the xattr array, when an LSM
      requested but did not provide xattrs (e.g. if it is not initialized).
      
      Introduce lsm_get_xattr_slot(), which LSMs can call as many times as the
      number specified in the lbs_xattr_count field of the lsm_blob_sizes
      structure. During each call, lsm_get_xattr_slot() increments the number of
      filled xattrs, so that at the next invocation it returns the next xattr
      slot to fill.
      
      Cleanup security_inode_init_security(). Unify the !initxattrs and
      initxattrs case by simply not allocating the new_xattrs array in the
      former. Update the documentation to reflect the changes, and fix the
      description of the xattr name, as it is not allocated anymore.
      
      Adapt both SELinux and Smack to use the new definition of the
      inode_init_security hook, and to call lsm_get_xattr_slot() to obtain and
      fill the reserved slots in the xattr array.
      
      Move the xattr->name assignment after the xattr->value one, so that it is
      done only in case of successful memory allocation.
      
      Finally, change the default return value of the inode_init_security hook
      from zero to -EOPNOTSUPP, so that BPF LSM correctly follows the hook
      conventions.
      Reported-by: default avatarNicolas Bouchinet <nicolas.bouchinet@clip-os.org>
      Link: https://lore.kernel.org/linux-integrity/Y1FTSIo+1x+4X0LS@archlinux/Signed-off-by: default avatarRoberto Sassu <roberto.sassu@huawei.com>
      Acked-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      [PM: minor comment and variable tweaks, approved by RS]
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      6bcdfd2c
    • Pairman Guo's avatar
      lsm: fix typo in security_file_lock() comment header · ff72942c
      Pairman Guo authored
      In the description of function definition security_file_lock(),
      the line "@cmd: fnctl command" has a typo where "fnctl" should be
      "fcntl". This patch fixes the typo.
      Signed-off-by: default avatarPairman Guo <pairmanxlr@gmail.com>
      [PM: commit message cleanup]
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      ff72942c
  3. 09 Jul, 2023 10 commits
  4. 08 Jul, 2023 24 commits