author | Linus Torvalds <torvalds@linux-foundation.org> | 2017-05-03 18:50:52 +0300 |
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2017-05-03 18:50:52 +0300 |
commit | 0302e28dee643932ee7b3c112ebccdbb9f8ec32c (patch) | |
tree | 405d4cb3f772ef069ed7f291adc4b74a4e73346e /security/security.c | |
parent | 89c9fea3c8034cdb2fd745f551cde0b507fd6893 (diff) | |
parent | 8979b02aaf1d6de8d52cc143aa4da961ed32e5a2 (diff) | |
download | linux-0302e28dee643932ee7b3c112ebccdbb9f8ec32c.tar.xz |
Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security subsystem updates from James Morris:
"Highlights:
IMA:
- provide ">" and "<" operators for fowner/uid/euid rules
KEYS:
- add a system blacklist keyring
- add KEYCTL_RESTRICT_KEYRING, exposes keyring link restriction
functionality to userland via keyctl()
LSM:
- harden LSM API with __ro_after_init
- add prlimit security hook, implement for SELinux
- revive security_task_alloc hook
TPM:
- implement contextual TPM command 'spaces'"
* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (98 commits)
tpm: Fix reference count to main device
tpm_tis: convert to using locality callbacks
tpm: fix handling of the TPM 2.0 event logs
tpm_crb: remove a cruft constant
keys: select CONFIG_CRYPTO when selecting DH / KDF
apparmor: Make path_max parameter readonly
apparmor: fix parameters so that the permission test is bypassed at boot
apparmor: fix invalid reference to index variable of iterator line 836
apparmor: use SHASH_DESC_ON_STACK
security/apparmor/lsm.c: set debug messages
apparmor: fix boolreturn.cocci warnings
Smack: Use GFP_KERNEL for smk_netlbl_mls().
smack: fix double free in smack_parse_opts_str()
KEYS: add SP800-56A KDF support for DH
KEYS: Keyring asymmetric key restrict method with chaining
KEYS: Restrict asymmetric key linkage using a specific keychain
KEYS: Add a lookup_restriction function for the asymmetric key type
KEYS: Add KEYCTL_RESTRICT_KEYRING
KEYS: Consistent ordering for __key_link_begin and restrict check
KEYS: Add an optional lookup_restriction hook to key_type
...
Diffstat (limited to 'security/security.c')
-rw-r--r-- | security/security.c | 370 |
1 files changed, 18 insertions, 352 deletions
diff --git a/security/security.c b/security/security.c
index 23555c5504f6..b9fea3999cf8 100644
--- a/security/security.c
+++ b/security/security.c
@@ -32,6 +32,7 @@
 /* Maximum number of letters for an LSM name string */
 #define SECURITY_NAME_MAX 10
 
+struct security_hook_heads security_hook_heads __lsm_ro_after_init;
 char *lsm_names;
 /* Boot-time LSM user choice */
 static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
@@ -54,6 +55,12 @@ static void __init do_security_initcalls(void)
  */
 int __init security_init(void)
 {
+ int i;
+ struct list_head *list = (struct list_head *) &security_hook_heads;
+
+ for (i = 0; i < sizeof(security_hook_heads) / sizeof(struct list_head);
+ i++)
+ INIT_LIST_HEAD(&list[i]);
 pr_info("Security Framework initialized\n");
 
 /*
@@ -934,6 +941,11 @@ int security_task_create(unsigned long clone_flags)
 return call_int_hook(task_create, 0, clone_flags);
 }
 
+int security_task_alloc(struct task_struct *task, unsigned long clone_flags)
+{
+ return call_int_hook(task_alloc, 0, task, clone_flags);
+}
+
 void security_task_free(struct task_struct *task)
 {
 call_void_hook(task_free, task);
@@ -1040,6 +1052,12 @@ int security_task_getioprio(struct task_struct *p)
 return call_int_hook(task_getioprio, 0, p);
 }
 
+int security_task_prlimit(const struct cred *cred, const struct cred *tcred,
+ unsigned int flags)
+{
+ return call_int_hook(task_prlimit, 0, cred, tcred, flags);
+}
+
 int security_task_setrlimit(struct task_struct *p, unsigned int resource,
 struct rlimit *new_rlim)
 {
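Review bot: In the security_init() hunk, the loop reinterprets `&security_hook_heads` as an array of `struct list_head` and walks `sizeof(security_hook_heads) / sizeof(struct list_head)` slots, which is only sound while every member of the struct (defined in a header outside this diff) is a `struct list_head` with no padding; a non-list member added later under an `#ifdef` would be silently overwritten as if it were a list head. A compile-time guard before the loop makes that assumption explicit, e.g. `BUILD_BUG_ON(sizeof(security_hook_heads) % sizeof(struct list_head) != 0);`, and the index should match the `size_t` bound rather than be an `int` compared against it, e.g. `size_t i;`. Since the first hunk now leaves `security_hook_heads` zero-initialized instead of `LIST_HEAD_INIT`-initialized (the removed initializer is in the final hunk), the lists hold NULL pointers until this loop runs; if any hook registration can happen before security_init(), which I cannot tell from this diff, that ordering dependency is worth a comment on the loop, e.g. `/* Heads are zeroed until here; hooks must not be registered before this loop. */`.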
@@ -1625,355 +1643,3 @@ int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule,
 actx);
 }
 #endif /* CONFIG_AUDIT */
-
-struct security_hook_heads security_hook_heads = {
- .binder_set_context_mgr =
- LIST_HEAD_INIT(security_hook_heads.binder_set_context_mgr),
- .binder_transaction =
- LIST_HEAD_INIT(security_hook_heads.binder_transaction),
- .binder_transfer_binder =
- LIST_HEAD_INIT(security_hook_heads.binder_transfer_binder),
- .binder_transfer_file =
- LIST_HEAD_INIT(security_hook_heads.binder_transfer_file),
-
- .ptrace_access_check =
- LIST_HEAD_INIT(security_hook_heads.ptrace_access_check),
- .ptrace_traceme =
- LIST_HEAD_INIT(security_hook_heads.ptrace_traceme),
- .capget = LIST_HEAD_INIT(security_hook_heads.capget),
- .capset = LIST_HEAD_INIT(security_hook_heads.capset),
- .capable = LIST_HEAD_INIT(security_hook_heads.capable),
- .quotactl = LIST_HEAD_INIT(security_hook_heads.quotactl),
- .quota_on = LIST_HEAD_INIT(security_hook_heads.quota_on),
- .syslog = LIST_HEAD_INIT(security_hook_heads.syslog),
- .settime = LIST_HEAD_INIT(security_hook_heads.settime),
- .vm_enough_memory =
- LIST_HEAD_INIT(security_hook_heads.vm_enough_memory),
- .bprm_set_creds =
- LIST_HEAD_INIT(security_hook_heads.bprm_set_creds),
- .bprm_check_security =
- LIST_HEAD_INIT(security_hook_heads.bprm_check_security),
- .bprm_secureexec =
- LIST_HEAD_INIT(security_hook_heads.bprm_secureexec),
- .bprm_committing_creds =
- LIST_HEAD_INIT(security_hook_heads.bprm_committing_creds),
- .bprm_committed_creds =
- LIST_HEAD_INIT(security_hook_heads.bprm_committed_creds),
- .sb_alloc_security =
- LIST_HEAD_INIT(security_hook_heads.sb_alloc_security),
- .sb_free_security =
- LIST_HEAD_INIT(security_hook_heads.sb_free_security),
- .sb_copy_data = LIST_HEAD_INIT(security_hook_heads.sb_copy_data),
- .sb_remount = LIST_HEAD_INIT(security_hook_heads.sb_remount),
- .sb_kern_mount =
- LIST_HEAD_INIT(security_hook_heads.sb_kern_mount),
- .sb_show_options =
- LIST_HEAD_INIT(security_hook_heads.sb_show_options),
- .sb_statfs = LIST_HEAD_INIT(security_hook_heads.sb_statfs),
- .sb_mount = LIST_HEAD_INIT(security_hook_heads.sb_mount),
- .sb_umount = LIST_HEAD_INIT(security_hook_heads.sb_umount),
- .sb_pivotroot = LIST_HEAD_INIT(security_hook_heads.sb_pivotroot),
- .sb_set_mnt_opts =
- LIST_HEAD_INIT(security_hook_heads.sb_set_mnt_opts),
- .sb_clone_mnt_opts =
- LIST_HEAD_INIT(security_hook_heads.sb_clone_mnt_opts),
- .sb_parse_opts_str =
- LIST_HEAD_INIT(security_hook_heads.sb_parse_opts_str),
- .dentry_init_security =
- LIST_HEAD_INIT(security_hook_heads.dentry_init_security),
- .dentry_create_files_as =
- LIST_HEAD_INIT(security_hook_heads.dentry_create_files_as),
-#ifdef CONFIG_SECURITY_PATH
- .path_unlink = LIST_HEAD_INIT(security_hook_heads.path_unlink),
- .path_mkdir = LIST_HEAD_INIT(security_hook_heads.path_mkdir),
- .path_rmdir = LIST_HEAD_INIT(security_hook_heads.path_rmdir),
- .path_mknod = LIST_HEAD_INIT(security_hook_heads.path_mknod),
- .path_truncate =
- LIST_HEAD_INIT(security_hook_heads.path_truncate),
- .path_symlink = LIST_HEAD_INIT(security_hook_heads.path_symlink),
- .path_link = LIST_HEAD_INIT(security_hook_heads.path_link),
- .path_rename = LIST_HEAD_INIT(security_hook_heads.path_rename),
- .path_chmod = LIST_HEAD_INIT(security_hook_heads.path_chmod),
- .path_chown = LIST_HEAD_INIT(security_hook_heads.path_chown),
- .path_chroot = LIST_HEAD_INIT(security_hook_heads.path_chroot),
-#endif
- .inode_alloc_security =
- LIST_HEAD_INIT(security_hook_heads.inode_alloc_security),
- .inode_free_security =
- LIST_HEAD_INIT(security_hook_heads.inode_free_security),
- .inode_init_security =
- LIST_HEAD_INIT(security_hook_heads.inode_init_security),
- .inode_create = LIST_HEAD_INIT(security_hook_heads.inode_create),
- .inode_link = LIST_HEAD_INIT(security_hook_heads.inode_link),
- .inode_unlink = LIST_HEAD_INIT(security_hook_heads.inode_unlink),
- .inode_symlink =
- LIST_HEAD_INIT(security_hook_heads.inode_symlink),
- .inode_mkdir = LIST_HEAD_INIT(security_hook_heads.inode_mkdir),
- .inode_rmdir = LIST_HEAD_INIT(security_hook_heads.inode_rmdir),
- .inode_mknod = LIST_HEAD_INIT(security_hook_heads.inode_mknod),
- .inode_rename = LIST_HEAD_INIT(security_hook_heads.inode_rename),
- .inode_readlink =
- LIST_HEAD_INIT(security_hook_heads.inode_readlink),
- .inode_follow_link =
- LIST_HEAD_INIT(security_hook_heads.inode_follow_link),
- .inode_permission =
- LIST_HEAD_INIT(security_hook_heads.inode_permission),
- .inode_setattr =
- LIST_HEAD_INIT(security_hook_heads.inode_setattr),
- .inode_getattr =
- LIST_HEAD_INIT(security_hook_heads.inode_getattr),
- .inode_setxattr =
- LIST_HEAD_INIT(security_hook_heads.inode_setxattr),
- .inode_post_setxattr =
- LIST_HEAD_INIT(security_hook_heads.inode_post_setxattr),
- .inode_getxattr =
- LIST_HEAD_INIT(security_hook_heads.inode_getxattr),
- .inode_listxattr =
- LIST_HEAD_INIT(security_hook_heads.inode_listxattr),
- .inode_removexattr =
- LIST_HEAD_INIT(security_hook_heads.inode_removexattr),
- .inode_need_killpriv =
- LIST_HEAD_INIT(security_hook_heads.inode_need_killpriv),
- .inode_killpriv =
- LIST_HEAD_INIT(security_hook_heads.inode_killpriv),
- .inode_getsecurity =
- LIST_HEAD_INIT(security_hook_heads.inode_getsecurity),
- .inode_setsecurity =
- LIST_HEAD_INIT(security_hook_heads.inode_setsecurity),
- .inode_listsecurity =
- LIST_HEAD_INIT(security_hook_heads.inode_listsecurity),
- .inode_getsecid =
- LIST_HEAD_INIT(security_hook_heads.inode_getsecid),
- .inode_copy_up =
- LIST_HEAD_INIT(security_hook_heads.inode_copy_up),
- .inode_copy_up_xattr =
- LIST_HEAD_INIT(security_hook_heads.inode_copy_up_xattr),
- .file_permission =
- LIST_HEAD_INIT(security_hook_heads.file_permission),
- .file_alloc_security =
- LIST_HEAD_INIT(security_hook_heads.file_alloc_security),
- .file_free_security =
- LIST_HEAD_INIT(security_hook_heads.file_free_security),
- .file_ioctl = LIST_HEAD_INIT(security_hook_heads.file_ioctl),
- .mmap_addr = LIST_HEAD_INIT(security_hook_heads.mmap_addr),
- .mmap_file = LIST_HEAD_INIT(security_hook_heads.mmap_file),
- .file_mprotect =
- LIST_HEAD_INIT(security_hook_heads.file_mprotect),
- .file_lock = LIST_HEAD_INIT(security_hook_heads.file_lock),
- .file_fcntl = LIST_HEAD_INIT(security_hook_heads.file_fcntl),
- .file_set_fowner =
- LIST_HEAD_INIT(security_hook_heads.file_set_fowner),
- .file_send_sigiotask =
- LIST_HEAD_INIT(security_hook_heads.file_send_sigiotask),
- .file_receive = LIST_HEAD_INIT(security_hook_heads.file_receive),
- .file_open = LIST_HEAD_INIT(security_hook_heads.file_open),
- .task_create = LIST_HEAD_INIT(security_hook_heads.task_create),
- .task_free = LIST_HEAD_INIT(security_hook_heads.task_free),
- .cred_alloc_blank =
- LIST_HEAD_INIT(security_hook_heads.cred_alloc_blank),
- .cred_free = LIST_HEAD_INIT(security_hook_heads.cred_free),
- .cred_prepare = LIST_HEAD_INIT(security_hook_heads.cred_prepare),
- .cred_transfer =
- LIST_HEAD_INIT(security_hook_heads.cred_transfer),
- .kernel_act_as =
- LIST_HEAD_INIT(security_hook_heads.kernel_act_as),
- .kernel_create_files_as =
- LIST_HEAD_INIT(security_hook_heads.kernel_create_files_as),
- .kernel_module_request =
- LIST_HEAD_INIT(security_hook_heads.kernel_module_request),
- .kernel_read_file =
- LIST_HEAD_INIT(security_hook_heads.kernel_read_file),
- .kernel_post_read_file =
- LIST_HEAD_INIT(security_hook_heads.kernel_post_read_file),
- .task_fix_setuid =
- LIST_HEAD_INIT(security_hook_heads.task_fix_setuid),
- .task_setpgid = LIST_HEAD_INIT(security_hook_heads.task_setpgid),
- .task_getpgid = LIST_HEAD_INIT(security_hook_heads.task_getpgid),
- .task_getsid = LIST_HEAD_INIT(security_hook_heads.task_getsid),
- .task_getsecid =
- LIST_HEAD_INIT(security_hook_heads.task_getsecid),
- .task_setnice = LIST_HEAD_INIT(security_hook_heads.task_setnice),
- .task_setioprio =
- LIST_HEAD_INIT(security_hook_heads.task_setioprio),
- .task_getioprio =
- LIST_HEAD_INIT(security_hook_heads.task_getioprio),
- .task_setrlimit =
- LIST_HEAD_INIT(security_hook_heads.task_setrlimit),
- .task_setscheduler =
- LIST_HEAD_INIT(security_hook_heads.task_setscheduler),
- .task_getscheduler =
- LIST_HEAD_INIT(security_hook_heads.task_getscheduler),
- .task_movememory =
- LIST_HEAD_INIT(security_hook_heads.task_movememory),
- .task_kill = LIST_HEAD_INIT(security_hook_heads.task_kill),
- .task_prctl = LIST_HEAD_INIT(security_hook_heads.task_prctl),
- .task_to_inode =
- LIST_HEAD_INIT(security_hook_heads.task_to_inode),
- .ipc_permission =
- LIST_HEAD_INIT(security_hook_heads.ipc_permission),
- .ipc_getsecid = LIST_HEAD_INIT(security_hook_heads.ipc_getsecid),
- .msg_msg_alloc_security =
- LIST_HEAD_INIT(security_hook_heads.msg_msg_alloc_security),
- .msg_msg_free_security =
- LIST_HEAD_INIT(security_hook_heads.msg_msg_free_security),
- .msg_queue_alloc_security =
- LIST_HEAD_INIT(security_hook_heads.msg_queue_alloc_security),
- .msg_queue_free_security =
- LIST_HEAD_INIT(security_hook_heads.msg_queue_free_security),
- .msg_queue_associate =
- LIST_HEAD_INIT(security_hook_heads.msg_queue_associate),
- .msg_queue_msgctl =
- LIST_HEAD_INIT(security_hook_heads.msg_queue_msgctl),
- .msg_queue_msgsnd =
- LIST_HEAD_INIT(security_hook_heads.msg_queue_msgsnd),
- .msg_queue_msgrcv =
- LIST_HEAD_INIT(security_hook_heads.msg_queue_msgrcv),
- .shm_alloc_security =
- LIST_HEAD_INIT(security_hook_heads.shm_alloc_security),
- .shm_free_security =
- LIST_HEAD_INIT(security_hook_heads.shm_free_security),
- .shm_associate =
- LIST_HEAD_INIT(security_hook_heads.shm_associate),
- .shm_shmctl = LIST_HEAD_INIT(security_hook_heads.shm_shmctl),
- .shm_shmat = LIST_HEAD_INIT(security_hook_heads.shm_shmat),
- .sem_alloc_security =
- LIST_HEAD_INIT(security_hook_heads.sem_alloc_security),
- .sem_free_security =
- LIST_HEAD_INIT(security_hook_heads.sem_free_security),
- .sem_associate =
- LIST_HEAD_INIT(security_hook_heads.sem_associate),
- .sem_semctl = LIST_HEAD_INIT(security_hook_heads.sem_semctl),
- .sem_semop = LIST_HEAD_INIT(security_hook_heads.sem_semop),
- .netlink_send = LIST_HEAD_INIT(security_hook_heads.netlink_send),
- .d_instantiate =
- LIST_HEAD_INIT(security_hook_heads.d_instantiate),
- .getprocattr = LIST_HEAD_INIT(security_hook_heads.getprocattr),
- .setprocattr = LIST_HEAD_INIT(security_hook_heads.setprocattr),
- .ismaclabel = LIST_HEAD_INIT(security_hook_heads.ismaclabel),
- .secid_to_secctx =
- LIST_HEAD_INIT(security_hook_heads.secid_to_secctx),
- .secctx_to_secid =
- LIST_HEAD_INIT(security_hook_heads.secctx_to_secid),
- .release_secctx =
- LIST_HEAD_INIT(security_hook_heads.release_secctx),
- .inode_invalidate_secctx =
- LIST_HEAD_INIT(security_hook_heads.inode_invalidate_secctx),
- .inode_notifysecctx =
- LIST_HEAD_INIT(security_hook_heads.inode_notifysecctx),
- .inode_setsecctx =
- LIST_HEAD_INIT(security_hook_heads.inode_setsecctx),
- .inode_getsecctx =
- LIST_HEAD_INIT(security_hook_heads.inode_getsecctx),
-#ifdef CONFIG_SECURITY_NETWORK
- .unix_stream_connect =
- LIST_HEAD_INIT(security_hook_heads.unix_stream_connect),
- .unix_may_send =
- LIST_HEAD_INIT(security_hook_heads.unix_may_send),
- .socket_create =
- LIST_HEAD_INIT(security_hook_heads.socket_create),
- .socket_post_create =
- LIST_HEAD_INIT(security_hook_heads.socket_post_create),
- .socket_bind = LIST_HEAD_INIT(security_hook_heads.socket_bind),
- .socket_connect =
- LIST_HEAD_INIT(security_hook_heads.socket_connect),
- .socket_listen =
- LIST_HEAD_INIT(security_hook_heads.socket_listen),
- .socket_accept =
- LIST_HEAD_INIT(security_hook_heads.socket_accept),
- .socket_sendmsg =
- LIST_HEAD_INIT(security_hook_heads.socket_sendmsg),
- .socket_recvmsg =
- LIST_HEAD_INIT(security_hook_heads.socket_recvmsg),
- .socket_getsockname =
- LIST_HEAD_INIT(security_hook_heads.socket_getsockname),
- .socket_getpeername =
- LIST_HEAD_INIT(security_hook_heads.socket_getpeername),
- .socket_getsockopt =
- LIST_HEAD_INIT(security_hook_heads.socket_getsockopt),
- .socket_setsockopt =
- LIST_HEAD_INIT(security_hook_heads.socket_setsockopt),
- .socket_shutdown =
- LIST_HEAD_INIT(security_hook_heads.socket_shutdown),
- .socket_sock_rcv_skb =
- LIST_HEAD_INIT(security_hook_heads.socket_sock_rcv_skb),
- .socket_getpeersec_stream =
- LIST_HEAD_INIT(security_hook_heads.socket_getpeersec_stream),
- .socket_getpeersec_dgram =
- LIST_HEAD_INIT(security_hook_heads.socket_getpeersec_dgram),
- .sk_alloc_security =
- LIST_HEAD_INIT(security_hook_heads.sk_alloc_security),
- .sk_free_security =
- LIST_HEAD_INIT(security_hook_heads.sk_free_security),
- .sk_clone_security =
- LIST_HEAD_INIT(security_hook_heads.sk_clone_security),
- .sk_getsecid = LIST_HEAD_INIT(security_hook_heads.sk_getsecid),
- .sock_graft = LIST_HEAD_INIT(security_hook_heads.sock_graft),
- .inet_conn_request =
- LIST_HEAD_INIT(security_hook_heads.inet_conn_request),
- .inet_csk_clone =
- LIST_HEAD_INIT(security_hook_heads.inet_csk_clone),
- .inet_conn_established =
- LIST_HEAD_INIT(security_hook_heads.inet_conn_established),
- .secmark_relabel_packet =
- LIST_HEAD_INIT(security_hook_heads.secmark_relabel_packet),
- .secmark_refcount_inc =
- LIST_HEAD_INIT(security_hook_heads.secmark_refcount_inc),
- .secmark_refcount_dec =
- LIST_HEAD_INIT(security_hook_heads.secmark_refcount_dec),
- .req_classify_flow =
- LIST_HEAD_INIT(security_hook_heads.req_classify_flow),
- .tun_dev_alloc_security =
- LIST_HEAD_INIT(security_hook_heads.tun_dev_alloc_security),
- .tun_dev_free_security =
- LIST_HEAD_INIT(security_hook_heads.tun_dev_free_security),
- .tun_dev_create =
- LIST_HEAD_INIT(security_hook_heads.tun_dev_create),
- .tun_dev_attach_queue =
- LIST_HEAD_INIT(security_hook_heads.tun_dev_attach_queue),
- .tun_dev_attach =
- LIST_HEAD_INIT(security_hook_heads.tun_dev_attach),
- .tun_dev_open = LIST_HEAD_INIT(security_hook_heads.tun_dev_open),
-#endif /* CONFIG_SECURITY_NETWORK */
-#ifdef CONFIG_SECURITY_NETWORK_XFRM
- .xfrm_policy_alloc_security =
- LIST_HEAD_INIT(security_hook_heads.xfrm_policy_alloc_security),
- .xfrm_policy_clone_security =
- LIST_HEAD_INIT(security_hook_heads.xfrm_policy_clone_security),
- .xfrm_policy_free_security =
- LIST_HEAD_INIT(security_hook_heads.xfrm_policy_free_security),
- .xfrm_policy_delete_security =
- LIST_HEAD_INIT(security_hook_heads.xfrm_policy_delete_security),
- .xfrm_state_alloc =
- LIST_HEAD_INIT(security_hook_heads.xfrm_state_alloc),
- .xfrm_state_alloc_acquire =
- LIST_HEAD_INIT(security_hook_heads.xfrm_state_alloc_acquire),
- .xfrm_state_free_security =
- LIST_HEAD_INIT(security_hook_heads.xfrm_state_free_security),
- .xfrm_state_delete_security =
- LIST_HEAD_INIT(security_hook_heads.xfrm_state_delete_security),
- .xfrm_policy_lookup =
- LIST_HEAD_INIT(security_hook_heads.xfrm_policy_lookup),
- .xfrm_state_pol_flow_match =
- LIST_HEAD_INIT(security_hook_heads.xfrm_state_pol_flow_match),
- .xfrm_decode_session =
- LIST_HEAD_INIT(security_hook_heads.xfrm_decode_session),
-#endif /* CONFIG_SECURITY_NETWORK_XFRM */
-#ifdef CONFIG_KEYS
- .key_alloc = LIST_HEAD_INIT(security_hook_heads.key_alloc),
- .key_free = LIST_HEAD_INIT(security_hook_heads.key_free),
- .key_permission =
- LIST_HEAD_INIT(security_hook_heads.key_permission),
- .key_getsecurity =
- LIST_HEAD_INIT(security_hook_heads.key_getsecurity),
-#endif /* CONFIG_KEYS */
-#ifdef CONFIG_AUDIT
- .audit_rule_init =
- LIST_HEAD_INIT(security_hook_heads.audit_rule_init),
- .audit_rule_known =
- LIST_HEAD_INIT(security_hook_heads.audit_rule_known),
- .audit_rule_match =
- LIST_HEAD_INIT(security_hook_heads.audit_rule_match),
- .audit_rule_free =
- LIST_HEAD_INIT(security_hook_heads.audit_rule_free),
-#endif /* CONFIG_AUDIT */
-};