mirror of
https://github.com/torvalds/linux.git
synced 2024-12-29 22:31:32 +00:00
f3b8788cde
Create a struct lsm_id to contain identifying information about Linux Security Modules (LSMs). At inception this contains the name of the module and an identifier associated with the security module. Change the security_add_hooks() interface to use this structure. Change the individual modules to maintain their own struct lsm_id and pass it to security_add_hooks(). The values are for LSM identifiers are defined in a new UAPI header file linux/lsm.h. Each existing LSM has been updated to include it's LSMID in the lsm_id. The LSM ID values are sequential, with the oldest module LSM_ID_CAPABILITY being the lowest value and the existing modules numbered in the order they were included in the main line kernel. This is an arbitrary convention for assigning the values, but none better presents itself. The value 0 is defined as being invalid. The values 1-99 are reserved for any special case uses which may arise in the future. This may include attributes of the LSM infrastructure itself, possibly related to namespacing or network attribute management. A special range is identified for such attributes to help reduce confusion for developers unfamiliar with LSMs. LSM attribute values are defined for the attributes presented by modules that are available today. As with the LSM IDs, The value 0 is defined as being invalid. The values 1-99 are reserved for any special case uses which may arise in the future. Cc: linux-security-module <linux-security-module@vger.kernel.org> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: Kees Cook <keescook@chromium.org> Reviewed-by: Serge Hallyn <serge@hallyn.com> Reviewed-by: Mickael Salaun <mic@digikod.net> Reviewed-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Kees Cook <keescook@chromium.org> Nacked-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> [PM: forward ported beyond v6.6 due merge window changes] Signed-off-by: Paul Moore <paul@paul-moore.com>
121 lines
3.2 KiB
C
121 lines
3.2 KiB
C
// SPDX-License-Identifier: GPL-2.0-only
|
|
/*
|
|
* Landlock LSM - Ptrace hooks
|
|
*
|
|
* Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
|
|
* Copyright © 2019-2020 ANSSI
|
|
*/
|
|
|
|
#include <asm/current.h>
|
|
#include <linux/cred.h>
|
|
#include <linux/errno.h>
|
|
#include <linux/kernel.h>
|
|
#include <linux/lsm_hooks.h>
|
|
#include <linux/rcupdate.h>
|
|
#include <linux/sched.h>
|
|
|
|
#include "common.h"
|
|
#include "cred.h"
|
|
#include "ptrace.h"
|
|
#include "ruleset.h"
|
|
#include "setup.h"
|
|
|
|
/**
|
|
* domain_scope_le - Checks domain ordering for scoped ptrace
|
|
*
|
|
* @parent: Parent domain.
|
|
* @child: Potential child of @parent.
|
|
*
|
|
* Checks if the @parent domain is less or equal to (i.e. an ancestor, which
|
|
* means a subset of) the @child domain.
|
|
*/
|
|
static bool domain_scope_le(const struct landlock_ruleset *const parent,
|
|
const struct landlock_ruleset *const child)
|
|
{
|
|
const struct landlock_hierarchy *walker;
|
|
|
|
if (!parent)
|
|
return true;
|
|
if (!child)
|
|
return false;
|
|
for (walker = child->hierarchy; walker; walker = walker->parent) {
|
|
if (walker == parent->hierarchy)
|
|
/* @parent is in the scoped hierarchy of @child. */
|
|
return true;
|
|
}
|
|
/* There is no relationship between @parent and @child. */
|
|
return false;
|
|
}
|
|
|
|
static bool task_is_scoped(const struct task_struct *const parent,
|
|
const struct task_struct *const child)
|
|
{
|
|
bool is_scoped;
|
|
const struct landlock_ruleset *dom_parent, *dom_child;
|
|
|
|
rcu_read_lock();
|
|
dom_parent = landlock_get_task_domain(parent);
|
|
dom_child = landlock_get_task_domain(child);
|
|
is_scoped = domain_scope_le(dom_parent, dom_child);
|
|
rcu_read_unlock();
|
|
return is_scoped;
|
|
}
|
|
|
|
static int task_ptrace(const struct task_struct *const parent,
|
|
const struct task_struct *const child)
|
|
{
|
|
/* Quick return for non-landlocked tasks. */
|
|
if (!landlocked(parent))
|
|
return 0;
|
|
if (task_is_scoped(parent, child))
|
|
return 0;
|
|
return -EPERM;
|
|
}
|
|
|
|
/**
|
|
* hook_ptrace_access_check - Determines whether the current process may access
|
|
* another
|
|
*
|
|
* @child: Process to be accessed.
|
|
* @mode: Mode of attachment.
|
|
*
|
|
* If the current task has Landlock rules, then the child must have at least
|
|
* the same rules. Else denied.
|
|
*
|
|
* Determines whether a process may access another, returning 0 if permission
|
|
* granted, -errno if denied.
|
|
*/
|
|
static int hook_ptrace_access_check(struct task_struct *const child,
|
|
const unsigned int mode)
|
|
{
|
|
return task_ptrace(current, child);
|
|
}
|
|
|
|
/**
|
|
* hook_ptrace_traceme - Determines whether another process may trace the
|
|
* current one
|
|
*
|
|
* @parent: Task proposed to be the tracer.
|
|
*
|
|
* If the parent has Landlock rules, then the current task must have the same
|
|
* or more rules. Else denied.
|
|
*
|
|
* Determines whether the nominated task is permitted to trace the current
|
|
* process, returning 0 if permission is granted, -errno if denied.
|
|
*/
|
|
static int hook_ptrace_traceme(struct task_struct *const parent)
|
|
{
|
|
return task_ptrace(parent, current);
|
|
}
|
|
|
|
static struct security_hook_list landlock_hooks[] __ro_after_init = {
|
|
LSM_HOOK_INIT(ptrace_access_check, hook_ptrace_access_check),
|
|
LSM_HOOK_INIT(ptrace_traceme, hook_ptrace_traceme),
|
|
};
|
|
|
|
__init void landlock_add_ptrace_hooks(void)
|
|
{
|
|
security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks),
|
|
&landlock_lsmid);
|
|
}
|