Eric Lee / smarc-ti-linux-kernel

Download as
Browse Code ยป

Commit 2b980dbd77d229eb60588802162c9659726b11f4

Authored by Paul Moore
Committed by James Morris
1 parent d8e180dcd5
Exists in master and in 20 other branches dlt-processor-sdk-linux-03.00.00.04, newt-ti-linux-3.12.y, processor-sdk-linux-01.00.00, processor-sdk-linux-02.00.01, smarc-ti-linux-3.12.10, smarc-ti-linux-3.12.y, smarc-ti-linux-3.14.y, smarc-ti-linux-3.15.y, smarc-ti-lsk-linux-4.1.y, smarct3x-processor-sdk-04.01.00.06, smarct3x-processor-sdk-linux-02.00.01, smarct3x-processor-sdk-linux-03.00.00.04, smarct4x-800-processor-sdk-linux-02.00.01, smarct4x-processor-sdk-04.01.00.06, smarct4x-processor-sdk-linux-02.00.01, smarct4x-processor-sdk-linux-03.00.00.04, ti-linux-3.12.y, ti-linux-3.14.y, ti-linux-3.15.y, ti-lsk-linux-4.1.y

lsm: Add hooks to the TUN driver 

The TUN driver lacks any LSM hooks which makes it difficult for LSM modules,
such as SELinux, to enforce access controls on network traffic generated by
TUN users; this is particularly problematic for virtualization apps such as
QEMU and KVM.  This patch adds three new LSM hooks designed to control the
creation and attachment of TUN devices, the hooks are:

 * security_tun_dev_create()
   Provides access control for the creation of new TUN devices

 * security_tun_dev_post_create()
   Provides the ability to create the necessary socket LSM state for newly
   created TUN devices

 * security_tun_dev_attach()
   Provides access control for attaching to existing, persistent TUN devices
   and the ability to update the TUN device's socket LSM state as necessary

Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: Eric Paris <eparis@parisplace.org>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: James Morris <jmorris@namei.org>

Showing 4 changed files with 83 additions and 7 deletions Side-by-side Diff

... ... @@ -130,17 +130,10 @@
130 130 static int tun_attach(struct tun_struct *tun, struct file *file)
131 131 {
132 132 struct tun_file *tfile = file->private_data;
133   - const struct cred *cred = current_cred();
134 133 int err;
135 134  
136 135 ASSERT_RTNL();
137 136  
138   - /* Check permissions */
139   - if (((tun->owner != -1 && cred->euid != tun->owner) ||
140   - (tun->group != -1 && !in_egroup_p(tun->group))) &&
141   - !capable(CAP_NET_ADMIN))
142   - return -EPERM;
143   -
144 137 netif_tx_lock_bh(tun->dev);
145 138  
146 139 err = -EINVAL;
... ... @@ -926,6 +919,8 @@
926 919  
927 920 dev = __dev_get_by_name(net, ifr->ifr_name);
928 921 if (dev) {
  922 + const struct cred *cred = current_cred();
  923 +
929 924 if (ifr->ifr_flags & IFF_TUN_EXCL)
930 925 return -EBUSY;
931 926 if ((ifr->ifr_flags & IFF_TUN) && dev->netdev_ops == &tun_netdev_ops)
... ... @@ -935,6 +930,14 @@
935 930 else
936 931 return -EINVAL;
937 932  
  933 + if (((tun->owner != -1 && cred->euid != tun->owner) ||
  934 + (tun->group != -1 && !in_egroup_p(tun->group))) &&
  935 + !capable(CAP_NET_ADMIN))
  936 + return -EPERM;
  937 + err = security_tun_dev_attach(tun->sk);
  938 + if (err < 0)
  939 + return err;
  940 +
938 941 err = tun_attach(tun, file);
939 942 if (err < 0)
940 943 return err;
... ... @@ -947,6 +950,9 @@
947 950  
948 951 if (!capable(CAP_NET_ADMIN))
949 952 return -EPERM;
  953 + err = security_tun_dev_create();
  954 + if (err < 0)
  955 + return err;
950 956  
951 957 /* Set dev type */
952 958 if (ifr->ifr_flags & IFF_TUN) {
... ... @@ -988,6 +994,8 @@
988 994  
989 995 tun->sk = sk;
990 996 container_of(sk, struct tun_sock, sk)->tun = tun;
  997 +
  998 + security_tun_dev_post_create(sk);
991 999  
992 1000 tun_net_init(dev);
993 1001  
include/linux/security.h
Diff comments   View file @ 2b980db
... ... @@ -998,6 +998,17 @@
998 998 * Sets the connection's peersid to the secmark on skb.
999 999 * @req_classify_flow:
1000 1000 * Sets the flow's sid to the openreq sid.
  1001 + * @tun_dev_create:
  1002 + * Check permissions prior to creating a new TUN device.
  1003 + * @tun_dev_post_create:
  1004 + * This hook allows a module to update or allocate a per-socket security
  1005 + * structure.
  1006 + * @sk contains the newly created sock structure.
  1007 + * @tun_dev_attach:
  1008 + * Check permissions prior to attaching to a persistent TUN device. This
  1009 + * hook can also be used by the module to update any security state
  1010 + * associated with the TUN device's sock structure.
  1011 + * @sk contains the existing sock structure.
1001 1012 *
1002 1013 * Security hooks for XFRM operations.
1003 1014 *
... ... @@ -1597,6 +1608,9 @@
1597 1608 void (*inet_csk_clone) (struct sock *newsk, const struct request_sock *req);
1598 1609 void (*inet_conn_established) (struct sock *sk, struct sk_buff *skb);
1599 1610 void (*req_classify_flow) (const struct request_sock *req, struct flowi *fl);
  1611 + int (*tun_dev_create)(void);
  1612 + void (*tun_dev_post_create)(struct sock *sk);
  1613 + int (*tun_dev_attach)(struct sock *sk);
1600 1614 #endif /* CONFIG_SECURITY_NETWORK */
1601 1615  
1602 1616 #ifdef CONFIG_SECURITY_NETWORK_XFRM
... ... @@ -2586,6 +2600,9 @@
2586 2600 const struct request_sock *req);
2587 2601 void security_inet_conn_established(struct sock *sk,
2588 2602 struct sk_buff *skb);
  2603 +int security_tun_dev_create(void);
  2604 +void security_tun_dev_post_create(struct sock *sk);
  2605 +int security_tun_dev_attach(struct sock *sk);
2589 2606  
2590 2607 #else /* CONFIG_SECURITY_NETWORK */
2591 2608 static inline int security_unix_stream_connect(struct socket *sock,
... ... @@ -2735,6 +2752,20 @@
2735 2752 static inline void security_inet_conn_established(struct sock *sk,
2736 2753 struct sk_buff *skb)
2737 2754 {
  2755 +}
  2756 +
  2757 +static inline int security_tun_dev_create(void)
  2758 +{
  2759 + return 0;
  2760 +}
  2761 +
  2762 +static inline void security_tun_dev_post_create(struct sock *sk)
  2763 +{
  2764 +}
  2765 +
  2766 +static inline int security_tun_dev_attach(struct sock *sk)
  2767 +{
  2768 + return 0;
2738 2769 }
2739 2770 #endif /* CONFIG_SECURITY_NETWORK */
2740 2771  
security/capability.c
Diff comments   View file @ 2b980db
... ... @@ -706,10 +706,26 @@
706 706 {
707 707 }
708 708  
  709 +
  710 +
709 711 static void cap_req_classify_flow(const struct request_sock *req,
710 712 struct flowi *fl)
711 713 {
712 714 }
  715 +
  716 +static int cap_tun_dev_create(void)
  717 +{
  718 + return 0;
  719 +}
  720 +
  721 +static void cap_tun_dev_post_create(struct sock *sk)
  722 +{
  723 +}
  724 +
  725 +static int cap_tun_dev_attach(struct sock *sk)
  726 +{
  727 + return 0;
  728 +}
713 729 #endif /* CONFIG_SECURITY_NETWORK */
714 730  
715 731 #ifdef CONFIG_SECURITY_NETWORK_XFRM
... ... @@ -1026,6 +1042,9 @@
1026 1042 set_to_cap_if_null(ops, inet_csk_clone);
1027 1043 set_to_cap_if_null(ops, inet_conn_established);
1028 1044 set_to_cap_if_null(ops, req_classify_flow);
  1045 + set_to_cap_if_null(ops, tun_dev_create);
  1046 + set_to_cap_if_null(ops, tun_dev_post_create);
  1047 + set_to_cap_if_null(ops, tun_dev_attach);
1029 1048 #endif /* CONFIG_SECURITY_NETWORK */
1030 1049 #ifdef CONFIG_SECURITY_NETWORK_XFRM
1031 1050 set_to_cap_if_null(ops, xfrm_policy_alloc_security);
... ... @@ -1117,6 +1117,24 @@
1117 1117 security_ops->inet_conn_established(sk, skb);
1118 1118 }
1119 1119  
  1120 +int security_tun_dev_create(void)
  1121 +{
  1122 + return security_ops->tun_dev_create();
  1123 +}
  1124 +EXPORT_SYMBOL(security_tun_dev_create);
  1125 +
  1126 +void security_tun_dev_post_create(struct sock *sk)
  1127 +{
  1128 + return security_ops->tun_dev_post_create(sk);
  1129 +}
  1130 +EXPORT_SYMBOL(security_tun_dev_post_create);
  1131 +
  1132 +int security_tun_dev_attach(struct sock *sk)
  1133 +{
  1134 + return security_ops->tun_dev_attach(sk);
  1135 +}
  1136 +EXPORT_SYMBOL(security_tun_dev_attach);
  1137 +
1120 1138 #endif /* CONFIG_SECURITY_NETWORK */
1121 1139  
1122 1140 #ifdef CONFIG_SECURITY_NETWORK_XFRM