LSM: Revive security_task_alloc() hook and per "struct task_struct" security blob.

We switched from "struct task_struct"->security to "struct cred"->security
in Linux 2.6.29. But not all LSM modules were happy with that change.
TOMOYO LSM module is an example which want to use per "struct task_struct"
security blob, for TOMOYO's security context is defined based on "struct
task_struct" rather than "struct cred". AppArmor LSM module is another
example which want to use it, for AppArmor is currently abusing the cred
a little bit to store the change_hat and setexeccon info. Although
security_task_free() hook was revived in Linux 3.4 because Yama LSM module
wanted to release per "struct task_struct" security blob,
security_task_alloc() hook and "struct task_struct"->security field were
not revived. Nowadays, we are getting proposals of lightweight LSM modules
which want to use per "struct task_struct" security blob.

We are already allowing multiple concurrent LSM modules (up to one fully
armored module which uses "struct cred"->security field or exclusive hooks
like security_xfrm_state_pol_flow_match(), plus unlimited number of
lightweight modules which do not use "struct cred"->security nor exclusive
hooks) as long as they are built into the kernel. But this patch does not
implement variable length "struct task_struct"->security field which will
become needed when multiple LSM modules want to use "struct task_struct"->
security field. Although it won't be difficult to implement variable length
"struct task_struct"->security field, let's think about it after we merged
this patch.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Tested-by: Djalal Harouni <tixxdz@gmail.com>
Acked-by: José Bollo <jobol@nonadev.net>
Cc: Paul Moore <paul@paul-moore.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Eric Paris <eparis@parisplace.org>
Cc: Kees Cook <keescook@chromium.org>
Cc: James Morris <james.l.morris@oracle.com>
Cc: José Bollo <jobol@nonadev.net>
Signed-off-by: James Morris <james.l.morris@oracle.com>

diff --git a/include/linux/init_task.h b/include/linux/init_task.h
index 91d9049f003938a77002d76f8a2f0b3313437294..926f2f553cc5bcf930a5bf1a9d6977b433d2069f 100644 (file)
--- a/include/linux/init_task.h
+++ b/include/linux/init_task.h
@@ -210,6 +210,12 @@ extern struct cred init_cred;
 # define INIT_TASK_TI(tsk)
 #endif
 
+#ifdef CONFIG_SECURITY
+#define INIT_TASK_SECURITY .security = NULL,
+#else
+#define INIT_TASK_SECURITY
+#endif
+
 /*
  *  INIT_TASK is used to set up the first task table, touch at
  * your own risk!. Base=0, limit=0x1fffff (=2MB)
@@ -288,6 +294,7 @@ extern struct cred init_cred;
        INIT_VTIME(tsk)                                                 \
        INIT_NUMA_BALANCING(tsk)                                        \
        INIT_KASAN(tsk)                                                 \
+       INIT_TASK_SECURITY                                              \
 }
 
 

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 1aa63335de9ef3e5e2d6d344770460883c0eb463..080f34e66017a8299d10bc4276b1acfe8a1f94cc 100644 (file)
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -533,8 +533,13 @@
  *     manual page for definitions of the @clone_flags.
  *     @clone_flags contains the flags indicating what should be shared.
  *     Return 0 if permission is granted.
+ * @task_alloc:
+ *     @task task being allocated.
+ *     @clone_flags contains the flags indicating what should be shared.
+ *     Handle allocation of task-related resources.
+ *     Returns a zero on success, negative values on failure.
  * @task_free:
- *     @task task being freed
+ *     @task task about to be freed.
  *     Handle release of task-related resources. (Note that this can be called
  *     from interrupt context.)
  * @cred_alloc_blank:
@@ -1482,6 +1487,7 @@ union security_list_options {
        int (*file_open)(struct file *file, const struct cred *cred);
 
        int (*task_create)(unsigned long clone_flags);
+       int (*task_alloc)(struct task_struct *task, unsigned long clone_flags);
        void (*task_free)(struct task_struct *task);
        int (*cred_alloc_blank)(struct cred *cred, gfp_t gfp);
        void (*cred_free)(struct cred *cred);
@@ -1748,6 +1754,7 @@ struct security_hook_heads {
        struct list_head file_receive;
        struct list_head file_open;
        struct list_head task_create;
+       struct list_head task_alloc;
        struct list_head task_free;
        struct list_head cred_alloc_blank;
        struct list_head cred_free;

diff --git a/include/linux/sched.h b/include/linux/sched.h
index d67eee84fd430f3c44b77d4ba007ec5d2dcabb2b..71b8df306bb04f66229fc7f3e287d643f5174b26 100644 (file)
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -1037,6 +1037,10 @@ struct task_struct {
 #ifdef CONFIG_THREAD_INFO_IN_TASK
        /* A live task holds one reference: */
        atomic_t                        stack_refcount;
+#endif
+#ifdef CONFIG_SECURITY
+       /* Used by LSM modules for access restriction: */
+       void                            *security;
 #endif
        /* CPU-specific state of this task: */
        struct thread_struct            thread;

diff --git a/include/linux/security.h b/include/linux/security.h
index 97df7bac5b486d4c873c0b5379d3650fa8da2bfe..af675b57664592148e23691a5a3c15ade42ddd0f 100644 (file)
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -308,6 +308,7 @@ int security_file_send_sigiotask(struct task_struct *tsk,
 int security_file_receive(struct file *file);
 int security_file_open(struct file *file, const struct cred *cred);
 int security_task_create(unsigned long clone_flags);
+int security_task_alloc(struct task_struct *task, unsigned long clone_flags);
 void security_task_free(struct task_struct *task);
 int security_cred_alloc_blank(struct cred *cred, gfp_t gfp);
 void security_cred_free(struct cred *cred);
@@ -861,6 +862,12 @@ static inline int security_task_create(unsigned long clone_flags)
        return 0;
 }
 
+static inline int security_task_alloc(struct task_struct *task,
+                                     unsigned long clone_flags)
+{
+       return 0;
+}
+
 static inline void security_task_free(struct task_struct *task)
 { }
 

diff --git a/kernel/fork.c b/kernel/fork.c
index 6c463c80e93de8c3be3180f3cbd8694b955a1ac3..3d32513d6c7308c295d62617c267ff74d5e7052b 100644 (file)
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -1679,9 +1679,12 @@ static __latent_entropy struct task_struct *copy_process(
                goto bad_fork_cleanup_perf;
        /* copy all the process information */
        shm_init_task(p);
-       retval = copy_semundo(clone_flags, p);
+       retval = security_task_alloc(p, clone_flags);
        if (retval)
                goto bad_fork_cleanup_audit;
+       retval = copy_semundo(clone_flags, p);
+       if (retval)
+               goto bad_fork_cleanup_security;
        retval = copy_files(clone_flags, p);
        if (retval)
                goto bad_fork_cleanup_semundo;
@@ -1903,6 +1906,8 @@ bad_fork_cleanup_files:
        exit_files(p); /* blocking */
 bad_fork_cleanup_semundo:
        exit_sem(p);
+bad_fork_cleanup_security:
+       security_task_free(p);
 bad_fork_cleanup_audit:
        audit_free(p);
 bad_fork_cleanup_perf:

diff --git a/security/security.c b/security/security.c
index 2f15488dc6bc3edf05490620a75ab5c31caefe69..549bddcc21164e2952b7c7b65b81e9ded525dd11 100644 (file)
--- a/security/security.c
+++ b/security/security.c
@@ -937,6 +937,11 @@ int security_task_create(unsigned long clone_flags)
        return call_int_hook(task_create, 0, clone_flags);
 }
 
+int security_task_alloc(struct task_struct *task, unsigned long clone_flags)
+{
+       return call_int_hook(task_alloc, 0, task, clone_flags);
+}
+
 void security_task_free(struct task_struct *task)
 {
        call_void_hook(task_free, task);