-rw-r--r--.mailmap2
-rw-r--r--MAINTAINERS10
-rw-r--r--arch/x86/events/amd/ibs.c2
-rw-r--r--arch/x86/events/intel/bts.c2
-rw-r--r--arch/x86/events/intel/core.c2
-rw-r--r--arch/x86/events/intel/p4.c2
-rw-r--r--drivers/perf/arm_spe_pmu.c4
-rw-r--r--include/linux/lsm_audit.h2
-rw-r--r--include/linux/lsm_hook_defs.h3
-rw-r--r--include/linux/perf_event.h10
-rw-r--r--include/linux/security.h10
-rw-r--r--io_uring/io_uring.c21
-rw-r--r--kernel/events/core.c14
-rw-r--r--kernel/trace/trace_event_perf.c4
-rw-r--r--rust/kernel/cred.rs5
-rw-r--r--rust/kernel/security.rs12
-rw-r--r--security/lsm_audit.c2
-rw-r--r--security/security.c17
-rw-r--r--security/selinux/hooks.c16
-rw-r--r--security/selinux/include/classmap.h2
20 files changed, 100 insertions, 42 deletions
diff --git a/.mailmap b/.mailmap
index be60c13d2ee1..05a3889ae2d3 100644
--- a/.mailmap
+++ b/.mailmap
@@ -685,6 +685,8 @@ Stephen Hemminger <stephen@networkplumber.org> <shemminger@linux-foundation.org>
Stephen Hemminger <stephen@networkplumber.org> <shemminger@osdl.org>
Stephen Hemminger <stephen@networkplumber.org> <sthemmin@microsoft.com>
Stephen Hemminger <stephen@networkplumber.org> <sthemmin@vyatta.com>
+Stephen Smalley <stephen.smalley.work@gmail.com> <sds@epoch.ncsc.mil>
+Stephen Smalley <stephen.smalley.work@gmail.com> <sds@tycho.nsa.gov>
Steve Wise <larrystevenwise@gmail.com> <swise@chelsio.com>
Steve Wise <larrystevenwise@gmail.com> <swise@opengridcomputing.com>
Subash Abhinov Kasiviswanathan <quic_subashab@quicinc.com> <subashab@codeaurora.org>
diff --git a/MAINTAINERS b/MAINTAINERS
index 49e2d1d7aecf..5fa62f61851e 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -6154,6 +6154,16 @@ L: linux-input@vger.kernel.org
S: Maintained
F: drivers/hid/hid-creative-sb0540.c
+CREDENTIALS
+M: Paul Moore <paul@paul-moore.com>
+R: Serge Hallyn <sergeh@kernel.org>
+L: linux-security-module@vger.kernel.org
+S: Supported
+T: git https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm.git
+F: include/linux/cred.h
+F: kernel/cred.c
+F: Documentation/security/credentials.rst
+
INTEL CRPS COMMON REDUNDANT PSU DRIVER
M: Ninad Palsule <ninad@linux.ibm.com>
L: linux-hwmon@vger.kernel.org
diff --git a/arch/x86/events/amd/ibs.c b/arch/x86/events/amd/ibs.c
index 66f981865091..0252b7ea8bca 100644
--- a/arch/x86/events/amd/ibs.c
+++ b/arch/x86/events/amd/ibs.c
@@ -1343,7 +1343,7 @@ fail:
* unprivileged users.
*/
if ((event->attr.sample_type & PERF_SAMPLE_RAW) &&
- perf_allow_kernel(&event->attr)) {
+ perf_allow_kernel()) {
perf_ibs_phyaddr_clear(perf_ibs, &ibs_data);
}
diff --git a/arch/x86/events/intel/bts.c b/arch/x86/events/intel/bts.c
index 39a987d5eb6e..a95e6c91c4d7 100644
--- a/arch/x86/events/intel/bts.c
+++ b/arch/x86/events/intel/bts.c
@@ -574,7 +574,7 @@ static int bts_event_init(struct perf_event *event)
* to the user in a zero-copy fashion.
*/
if (event->attr.exclude_kernel) {
- ret = perf_allow_kernel(&event->attr);
+ ret = perf_allow_kernel();
if (ret)
return ret;
}
diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c
index 1ac39611fea8..09d2d66c9f21 100644
--- a/arch/x86/events/intel/core.c
+++ b/arch/x86/events/intel/core.c
@@ -4297,7 +4297,7 @@ static int intel_pmu_hw_config(struct perf_event *event)
if (x86_pmu.version < 3)
return -EINVAL;
- ret = perf_allow_cpu(&event->attr);
+ ret = perf_allow_cpu();
if (ret)
return ret;
diff --git a/arch/x86/events/intel/p4.c b/arch/x86/events/intel/p4.c
index fb726c6fc6e7..c85a9fc44355 100644
--- a/arch/x86/events/intel/p4.c
+++ b/arch/x86/events/intel/p4.c
@@ -777,7 +777,7 @@ static int p4_validate_raw_event(struct perf_event *event)
* the user needs special permissions to be able to use it
*/
if (p4_ht_active() && p4_event_bind_map[v].shared) {
- v = perf_allow_cpu(&event->attr);
+ v = perf_allow_cpu();
if (v)
return v;
}
diff --git a/drivers/perf/arm_spe_pmu.c b/drivers/perf/arm_spe_pmu.c
index f5e6878db9d6..3efed8839a4e 100644
--- a/drivers/perf/arm_spe_pmu.c
+++ b/drivers/perf/arm_spe_pmu.c
@@ -50,7 +50,7 @@ static_assert((PERF_EVENT_FLAG_ARCH & SPE_PMU_HW_FLAGS_CX) == SPE_PMU_HW_FLAGS_C
static void set_spe_event_has_cx(struct perf_event *event)
{
- if (IS_ENABLED(CONFIG_PID_IN_CONTEXTIDR) && !perf_allow_kernel(&event->attr))
+ if (IS_ENABLED(CONFIG_PID_IN_CONTEXTIDR) && !perf_allow_kernel())
event->hw.flags |= SPE_PMU_HW_FLAGS_CX;
}
@@ -765,7 +765,7 @@ static int arm_spe_pmu_event_init(struct perf_event *event)
set_spe_event_has_cx(event);
reg = arm_spe_event_to_pmscr(event);
if (reg & (PMSCR_EL1_PA | PMSCR_EL1_PCT))
- return perf_allow_kernel(&event->attr);
+ return perf_allow_kernel();
return 0;
}
diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
index e13d2f947b51..7283bc4cf413 100644
--- a/include/linux/lsm_audit.h
+++ b/include/linux/lsm_audit.h
@@ -5,7 +5,7 @@
*
* Author : Etienne BASSET <etienne.basset@ensta.org>
*
- * All credits to : Stephen Smalley, <sds@tycho.nsa.gov>
+ * All credits to : Stephen Smalley
* All BUGS to : Etienne BASSET <etienne.basset@ensta.org>
*/
#ifndef _LSM_COMMON_LOGGING_
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index e2f1ce37c41e..2bf909fa3394 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -445,7 +445,7 @@ LSM_HOOK(int, 0, bpf_token_capable, const struct bpf_token *token, int cap)
LSM_HOOK(int, 0, locked_down, enum lockdown_reason what)
#ifdef CONFIG_PERF_EVENTS
-LSM_HOOK(int, 0, perf_event_open, struct perf_event_attr *attr, int type)
+LSM_HOOK(int, 0, perf_event_open, int type)
LSM_HOOK(int, 0, perf_event_alloc, struct perf_event *event)
LSM_HOOK(int, 0, perf_event_read, struct perf_event *event)
LSM_HOOK(int, 0, perf_event_write, struct perf_event *event)
@@ -455,6 +455,7 @@ LSM_HOOK(int, 0, perf_event_write, struct perf_event *event)
LSM_HOOK(int, 0, uring_override_creds, const struct cred *new)
LSM_HOOK(int, 0, uring_sqpoll, void)
LSM_HOOK(int, 0, uring_cmd, struct io_uring_cmd *ioucmd)
+LSM_HOOK(int, 0, uring_allowed, void)
#endif /* CONFIG_IO_URING */
LSM_HOOK(void, LSM_RET_VOID, initramfs_populated, void)
diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
index 63dddb3b54f0..5a9bf15d4461 100644
--- a/include/linux/perf_event.h
+++ b/include/linux/perf_event.h
@@ -1698,22 +1698,22 @@ static inline int perf_is_paranoid(void)
return sysctl_perf_event_paranoid > -1;
}
-int perf_allow_kernel(struct perf_event_attr *attr);
+int perf_allow_kernel(void);
-static inline int perf_allow_cpu(struct perf_event_attr *attr)
+static inline int perf_allow_cpu(void)
{
if (sysctl_perf_event_paranoid > 0 && !perfmon_capable())
return -EACCES;
- return security_perf_event_open(attr, PERF_SECURITY_CPU);
+ return security_perf_event_open(PERF_SECURITY_CPU);
}
-static inline int perf_allow_tracepoint(struct perf_event_attr *attr)
+static inline int perf_allow_tracepoint(void)
{
if (sysctl_perf_event_paranoid > -1 && !perfmon_capable())
return -EPERM;
- return security_perf_event_open(attr, PERF_SECURITY_TRACEPOINT);
+ return security_perf_event_open(PERF_SECURITY_TRACEPOINT);
}
extern int perf_exclude_event(struct perf_event *event, struct pt_regs *regs);
diff --git a/include/linux/security.h b/include/linux/security.h
index 980b6c207cad..1545d515a66b 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -2324,14 +2324,13 @@ struct perf_event_attr;
struct perf_event;
#ifdef CONFIG_SECURITY
-extern int security_perf_event_open(struct perf_event_attr *attr, int type);
+extern int security_perf_event_open(int type);
extern int security_perf_event_alloc(struct perf_event *event);
extern void security_perf_event_free(struct perf_event *event);
extern int security_perf_event_read(struct perf_event *event);
extern int security_perf_event_write(struct perf_event *event);
#else
-static inline int security_perf_event_open(struct perf_event_attr *attr,
- int type)
+static inline int security_perf_event_open(int type)
{
return 0;
}
@@ -2362,6 +2361,7 @@ static inline int security_perf_event_write(struct perf_event *event)
extern int security_uring_override_creds(const struct cred *new);
extern int security_uring_sqpoll(void);
extern int security_uring_cmd(struct io_uring_cmd *ioucmd);
+extern int security_uring_allowed(void);
#else
static inline int security_uring_override_creds(const struct cred *new)
{
@@ -2375,6 +2375,10 @@ static inline int security_uring_cmd(struct io_uring_cmd *ioucmd)
{
return 0;
}
+static inline int security_uring_allowed(void)
+{
+ return 0;
+}
#endif /* CONFIG_SECURITY */
#endif /* CONFIG_IO_URING */
diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 6427d71c773b..01d75e5c47aa 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -3793,29 +3793,36 @@ static long io_uring_setup(u32 entries, struct io_uring_params __user *params)
return io_uring_create(entries, &p, params);
}
-static inline bool io_uring_allowed(void)
+static inline int io_uring_allowed(void)
{
int disabled = READ_ONCE(sysctl_io_uring_disabled);
kgid_t io_uring_group;
if (disabled == 2)
- return false;
+ return -EPERM;
if (disabled == 0 || capable(CAP_SYS_ADMIN))
- return true;
+ goto allowed_lsm;
io_uring_group = make_kgid(&init_user_ns, sysctl_io_uring_group);
if (!gid_valid(io_uring_group))
- return false;
+ return -EPERM;
+
+ if (!in_group_p(io_uring_group))
+ return -EPERM;
- return in_group_p(io_uring_group);
+allowed_lsm:
+ return security_uring_allowed();
}
SYSCALL_DEFINE2(io_uring_setup, u32, entries,
struct io_uring_params __user *, params)
{
- if (!io_uring_allowed())
- return -EPERM;
+ int ret;
+
+ ret = io_uring_allowed();
+ if (ret)
+ return ret;
return io_uring_setup(entries, params);
}
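Review bot: io_uring_allowed() now returns an errno instead of a bool, but nothing documents the contract, and the two reject paths behave differently: the `disabled == 2` and group checks answer -EPERM without ever reaching the LSM, while the allow path returns whatever security_uring_allowed() yields. I would add above the function `/* Return 0 if the caller may call io_uring_setup(); -EPERM when the io_uring_disabled sysctl or group gate rejects it (the LSM is not consulted then), otherwise the LSM hook's verdict. */`. The comment should also state that CAP_SYS_ADMIN bypasses only the group gate and still goes through `allowed_lsm`, which looks intentional but is easy to misread from the goto. The io_uring_setup() helper whose tail opens this hunk is defined outside it.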
diff --git a/kernel/events/core.c b/kernel/events/core.c
index 5d2221ec6d7c..0bb21659e252 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -4886,7 +4886,7 @@ find_get_context(struct task_struct *task, struct perf_event *event)
if (!task) {
/* Must be root to operate on a CPU event: */
- err = perf_allow_cpu(&event->attr);
+ err = perf_allow_cpu();
if (err)
return ERR_PTR(err);
@@ -12848,7 +12848,7 @@ static int perf_copy_attr(struct perf_event_attr __user *uattr,
}
/* privileged levels capture (kernel, hv): check permissions */
if (mask & PERF_SAMPLE_BRANCH_PERM_PLM) {
- ret = perf_allow_kernel(attr);
+ ret = perf_allow_kernel();
if (ret)
return ret;
}
@@ -13105,12 +13105,12 @@ SYSCALL_DEFINE5(perf_event_open,
return err;
/* Do we allow access to perf_event_open(2) ? */
- err = security_perf_event_open(&attr, PERF_SECURITY_OPEN);
+ err = security_perf_event_open(PERF_SECURITY_OPEN);
if (err)
return err;
if (!attr.exclude_kernel) {
- err = perf_allow_kernel(&attr);
+ err = perf_allow_kernel();
if (err)
return err;
}
@@ -13130,7 +13130,7 @@ SYSCALL_DEFINE5(perf_event_open,
/* Only privileged users can get physical addresses */
if ((attr.sample_type & PERF_SAMPLE_PHYS_ADDR)) {
- err = perf_allow_kernel(&attr);
+ err = perf_allow_kernel();
if (err)
return err;
}
@@ -13969,12 +13969,12 @@ const struct perf_event_attr *perf_event_attrs(struct perf_event *event)
return &event->attr;
}
-int perf_allow_kernel(struct perf_event_attr *attr)
+int perf_allow_kernel(void)
{
if (sysctl_perf_event_paranoid > 1 && !perfmon_capable())
return -EACCES;
- return security_perf_event_open(attr, PERF_SECURITY_KERNEL);
+ return security_perf_event_open(PERF_SECURITY_KERNEL);
}
EXPORT_SYMBOL_GPL(perf_allow_kernel);
diff --git a/kernel/trace/trace_event_perf.c b/kernel/trace/trace_event_perf.c
index 3ff9caa4a71b..a6bb7577e8c5 100644
--- a/kernel/trace/trace_event_perf.c
+++ b/kernel/trace/trace_event_perf.c
@@ -49,7 +49,7 @@ static int perf_trace_event_perm(struct trace_event_call *tp_event,
/* The ftrace function trace is allowed only for root. */
if (ftrace_event_is_function(tp_event)) {
- ret = perf_allow_tracepoint(&p_event->attr);
+ ret = perf_allow_tracepoint();
if (ret)
return ret;
@@ -86,7 +86,7 @@ static int perf_trace_event_perm(struct trace_event_call *tp_event,
* ...otherwise raw tracepoint data can be a severe data leak,
* only allow root to have these.
*/
- ret = perf_allow_tracepoint(&p_event->attr);
+ ret = perf_allow_tracepoint();
if (ret)
return ret;
diff --git a/rust/kernel/cred.rs b/rust/kernel/cred.rs
index 81d67789b16f..2599f01e8b28 100644
--- a/rust/kernel/cred.rs
+++ b/rust/kernel/cred.rs
@@ -47,6 +47,7 @@ impl Credential {
///
/// The caller must ensure that `ptr` is valid and remains valid for the lifetime of the
/// returned [`Credential`] reference.
+ #[inline]
pub unsafe fn from_ptr<'a>(ptr: *const bindings::cred) -> &'a Credential {
// SAFETY: The safety requirements guarantee the validity of the dereference, while the
// `Credential` type being transparent makes the cast ok.
@@ -54,6 +55,7 @@ impl Credential {
}
/// Get the id for this security context.
+ #[inline]
pub fn get_secid(&self) -> u32 {
let mut secid = 0;
// SAFETY: The invariants of this type ensures that the pointer is valid.
@@ -62,6 +64,7 @@ impl Credential {
}
/// Returns the effective UID of the given credential.
+ #[inline]
pub fn euid(&self) -> Kuid {
// SAFETY: By the type invariant, we know that `self.0` is valid. Furthermore, the `euid`
// field of a credential is never changed after initialization, so there is no potential
@@ -72,11 +75,13 @@ impl Credential {
// SAFETY: The type invariants guarantee that `Credential` is always ref-counted.
unsafe impl AlwaysRefCounted for Credential {
+ #[inline]
fn inc_ref(&self) {
// SAFETY: The existence of a shared reference means that the refcount is nonzero.
unsafe { bindings::get_cred(self.0.get()) };
}
+ #[inline]
unsafe fn dec_ref(obj: core::ptr::NonNull<Credential>) {
// SAFETY: The safety requirements guarantee that the refcount is nonzero. The cast is okay
// because `Credential` has the same representation as `struct cred`.
diff --git a/rust/kernel/security.rs b/rust/kernel/security.rs
index 25d2b1ac3833..0c63e9e7e564 100644
--- a/rust/kernel/security.rs
+++ b/rust/kernel/security.rs
@@ -16,13 +16,14 @@ use crate::{
/// # Invariants
///
/// The `ctx` field corresponds to a valid security context as returned by a successful call to
-/// `security_secid_to_secctx`, that has not yet been destroyed by `security_release_secctx`.
+/// `security_secid_to_secctx`, that has not yet been released by `security_release_secctx`.
pub struct SecurityCtx {
ctx: bindings::lsm_context,
}
impl SecurityCtx {
/// Get the security context given its id.
+ #[inline]
pub fn from_secid(secid: u32) -> Result<Self> {
// SAFETY: `struct lsm_context` can be initialized to all zeros.
let mut ctx: bindings::lsm_context = unsafe { core::mem::zeroed() };
@@ -35,16 +36,19 @@ impl SecurityCtx {
}
/// Returns whether the security context is empty.
+ #[inline]
pub fn is_empty(&self) -> bool {
self.ctx.len == 0
}
/// Returns the length of this security context.
+ #[inline]
pub fn len(&self) -> usize {
self.ctx.len as usize
}
/// Returns the bytes for this security context.
+ #[inline]
pub fn as_bytes(&self) -> &[u8] {
let ptr = self.ctx.context;
if ptr.is_null() {
@@ -61,10 +65,10 @@ impl SecurityCtx {
}
impl Drop for SecurityCtx {
+ #[inline]
fn drop(&mut self) {
- // SAFETY: By the invariant of `Self`, this frees a context that came from a successful
- // call to `security_secid_to_secctx` and has not yet been destroyed by
- // `security_release_secctx`.
+ // SAFETY: By the invariant of `Self`, this releases an lsm context that came from a
+ // successful call to `security_secid_to_secctx` and has not yet been released.
unsafe { bindings::security_release_secctx(&mut self.ctx) };
}
}
diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index 52db886dbba8..d45651eaefa4 100644
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -3,7 +3,7 @@
* common LSM auditing functions
*
* Based on code written for SELinux by :
- * Stephen Smalley, <sds@tycho.nsa.gov>
+ * Stephen Smalley
* James Morris <jmorris@redhat.com>
* Author : Etienne Basset, <etienne.basset@ensta.org>
*/
diff --git a/security/security.c b/security/security.c
index 143561ebc3e8..8aa839232c73 100644
--- a/security/security.c
+++ b/security/security.c
@@ -5883,16 +5883,15 @@ EXPORT_SYMBOL(security_bdev_setintegrity);
#ifdef CONFIG_PERF_EVENTS
/**
* security_perf_event_open() - Check if a perf event open is allowed
- * @attr: perf event attribute
* @type: type of event
*
* Check whether the @type of perf_event_open syscall is allowed.
*
* Return: Returns 0 if permission is granted.
*/
-int security_perf_event_open(struct perf_event_attr *attr, int type)
+int security_perf_event_open(int type)
{
- return call_int_hook(perf_event_open, attr, type);
+ return call_int_hook(perf_event_open, type);
}
/**
@@ -5999,6 +5998,18 @@ int security_uring_cmd(struct io_uring_cmd *ioucmd)
{
return call_int_hook(uring_cmd, ioucmd);
}
+
+/**
+ * security_uring_allowed() - Check if io_uring_setup() is allowed
+ *
+ * Check whether the current task is allowed to call io_uring_setup().
+ *
+ * Return: Returns 0 if permission is granted.
+ */
+int security_uring_allowed(void)
+{
+ return call_int_hook(uring_allowed);
+}
#endif /* CONFIG_IO_URING */
/**
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 212cdead2b52..60b1cbd5046f 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -7043,7 +7043,7 @@ struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = {
};
#ifdef CONFIG_PERF_EVENTS
-static int selinux_perf_event_open(struct perf_event_attr *attr, int type)
+static int selinux_perf_event_open(int type)
{
u32 requested, sid = current_sid();
@@ -7140,6 +7140,19 @@ static int selinux_uring_cmd(struct io_uring_cmd *ioucmd)
return avc_has_perm(current_sid(), isec->sid,
SECCLASS_IO_URING, IO_URING__CMD, &ad);
}
+
+/**
+ * selinux_uring_allowed - check if io_uring_setup() can be called
+ *
+ * Check to see if the current task is allowed to call io_uring_setup().
+ */
+static int selinux_uring_allowed(void)
+{
+ u32 sid = current_sid();
+
+ return avc_has_perm(sid, sid, SECCLASS_IO_URING, IO_URING__ALLOWED,
+ NULL);
+}
#endif /* CONFIG_IO_URING */
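Review bot: The kernel-doc on selinux_uring_allowed() has no Return: line and does not say that the check is self-to-self (`avc_has_perm(sid, sid, ...)`) with no audit data, which is the detail a policy writer needs to write the allow rule; I would extend it with `* Return: Returns 0 if the current task's domain holds io_uring { allowed } on itself, a negative error otherwise.` and `* Note: checked against the caller's own SID; no auditdata is supplied.` Since `allowed` is a new permission in the io_uring class, on policies that predate it the outcome presumably depends on the policy's handle_unknown setting rather than on an explicit rule — worth confirming and stating in the comment so distributors know whether older policies start denying io_uring_setup().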
static const struct lsm_id selinux_lsmid = {
@@ -7393,6 +7406,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = {
LSM_HOOK_INIT(uring_override_creds, selinux_uring_override_creds),
LSM_HOOK_INIT(uring_sqpoll, selinux_uring_sqpoll),
LSM_HOOK_INIT(uring_cmd, selinux_uring_cmd),
+ LSM_HOOK_INIT(uring_allowed, selinux_uring_allowed),
#endif
/*
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index f9b5ca92a825..f897095c14d8 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -177,7 +177,7 @@ const struct security_class_mapping secclass_map[] = {
{ "perf_event",
{ "open", "cpu", "kernel", "tracepoint", "read", "write", NULL } },
{ "anon_inode", { COMMON_FILE_PERMS, NULL } },
- { "io_uring", { "override_creds", "sqpoll", "cmd", NULL } },
+ { "io_uring", { "override_creds", "sqpoll", "cmd", "allowed", NULL } },
{ "user_namespace", { "create", NULL } },
/* last one */ { NULL, {} }
};