Re: [RFC][PATCH 2/2 v3] security: Add task_settimerslack/task_gettimerslack LSM hook
On Wed, 20 Jul 2016, John Stultz wrote: > On Tue, Jul 19, 2016 at 11:12 PM, James Morriswrote: > > On Mon, 18 Jul 2016, John Stultz wrote: > > > >> As requested, this patch implements a task_settimerslack and > >> task_gettimerslack LSM hooks so that the /proc//timerslack_ns > >> interface can have finer grained security policies applied to it. > >> > >> I've kept the CAP_SYS_NICE check in the timerslack_ns_write/show > >> functions, as hiding it in the LSM hook seems too opaque, and doesn't > >> seem like a widely enough adopted practice. > >> > > > > I may have missed something in the earlier discussion, but why do we need > > new LSM hooks here vs. calling the existing set/getscheduler hooks? > > Mostly since adding a new hook was suggested originally. I don't think > there's much difference as it stands, but I guess more fine grained > checks could be added on the slack amounts, etc. > > I can rework it, so let me know if using the existing hooks would be > preferred, but otherwise I'll be sending out the non-rfc patches > tomorrow. I'd prefer to re-use the existing hooks, unless there is a specific need for the extra granularity. -- James Morris
Re: [RFC][PATCH 2/2 v3] security: Add task_settimerslack/task_gettimerslack LSM hook
On Wed, 20 Jul 2016, John Stultz wrote: > On Tue, Jul 19, 2016 at 11:12 PM, James Morris wrote: > > On Mon, 18 Jul 2016, John Stultz wrote: > > > >> As requested, this patch implements a task_settimerslack and > >> task_gettimerslack LSM hooks so that the /proc//timerslack_ns > >> interface can have finer grained security policies applied to it. > >> > >> I've kept the CAP_SYS_NICE check in the timerslack_ns_write/show > >> functions, as hiding it in the LSM hook seems too opaque, and doesn't > >> seem like a widely enough adopted practice. > >> > > > > I may have missed something in the earlier discussion, but why do we need > > new LSM hooks here vs. calling the existing set/getscheduler hooks? > > Mostly since adding a new hook was suggested originally. I don't think > there's much difference as it stands, but I guess more fine grained > checks could be added on the slack amounts, etc. > > I can rework it, so let me know if using the existing hooks would be > preferred, but otherwise I'll be sending out the non-rfc patches > tomorrow. I'd prefer to re-use the existing hooks, unless there is a specific need for the extra granularity. -- James Morris
Re: [RFC][PATCH 2/2 v3] security: Add task_settimerslack/task_gettimerslack LSM hook
On Tue, Jul 19, 2016 at 11:12 PM, James Morriswrote: > On Mon, 18 Jul 2016, John Stultz wrote: > >> As requested, this patch implements a task_settimerslack and >> task_gettimerslack LSM hooks so that the /proc//timerslack_ns >> interface can have finer grained security policies applied to it. >> >> I've kept the CAP_SYS_NICE check in the timerslack_ns_write/show >> functions, as hiding it in the LSM hook seems too opaque, and doesn't >> seem like a widely enough adopted practice. >> > > I may have missed something in the earlier discussion, but why do we need > new LSM hooks here vs. calling the existing set/getscheduler hooks? Mostly since adding a new hook was suggested originally. I don't think there's much difference as it stands, but I guess more fine grained checks could be added on the slack amounts, etc. I can rework it, so let me know if using the existing hooks would be preferred, but otherwise I'll be sending out the non-rfc patches tomorrow. thanks -john
Re: [RFC][PATCH 2/2 v3] security: Add task_settimerslack/task_gettimerslack LSM hook
On Tue, Jul 19, 2016 at 11:12 PM, James Morris wrote: > On Mon, 18 Jul 2016, John Stultz wrote: > >> As requested, this patch implements a task_settimerslack and >> task_gettimerslack LSM hooks so that the /proc//timerslack_ns >> interface can have finer grained security policies applied to it. >> >> I've kept the CAP_SYS_NICE check in the timerslack_ns_write/show >> functions, as hiding it in the LSM hook seems too opaque, and doesn't >> seem like a widely enough adopted practice. >> > > I may have missed something in the earlier discussion, but why do we need > new LSM hooks here vs. calling the existing set/getscheduler hooks? Mostly since adding a new hook was suggested originally. I don't think there's much difference as it stands, but I guess more fine grained checks could be added on the slack amounts, etc. I can rework it, so let me know if using the existing hooks would be preferred, but otherwise I'll be sending out the non-rfc patches tomorrow. thanks -john
Re: [RFC][PATCH 2/2 v3] security: Add task_settimerslack/task_gettimerslack LSM hook
On Mon, 18 Jul 2016, John Stultz wrote: > As requested, this patch implements a task_settimerslack and > task_gettimerslack LSM hooks so that the /proc//timerslack_ns > interface can have finer grained security policies applied to it. > > I've kept the CAP_SYS_NICE check in the timerslack_ns_write/show > functions, as hiding it in the LSM hook seems too opaque, and doesn't > seem like a widely enough adopted practice. > I may have missed something in the earlier discussion, but why do we need new LSM hooks here vs. calling the existing set/getscheduler hooks? -- James Morris
Re: [RFC][PATCH 2/2 v3] security: Add task_settimerslack/task_gettimerslack LSM hook
On Mon, 18 Jul 2016, John Stultz wrote: > As requested, this patch implements a task_settimerslack and > task_gettimerslack LSM hooks so that the /proc//timerslack_ns > interface can have finer grained security policies applied to it. > > I've kept the CAP_SYS_NICE check in the timerslack_ns_write/show > functions, as hiding it in the LSM hook seems too opaque, and doesn't > seem like a widely enough adopted practice. > I may have missed something in the earlier discussion, but why do we need new LSM hooks here vs. calling the existing set/getscheduler hooks? -- James Morris
Re: [RFC][PATCH 2/2 v3] security: Add task_settimerslack/task_gettimerslack LSM hook
On Mon, Jul 18, 2016 at 1:11 PM, John Stultzwrote: > As requested, this patch implements a task_settimerslack and > task_gettimerslack LSM hooks so that the /proc//timerslack_ns > interface can have finer grained security policies applied to it. > > I've kept the CAP_SYS_NICE check in the timerslack_ns_write/show > functions, as hiding it in the LSM hook seems too opaque, and doesn't > seem like a widely enough adopted practice. Yeah, I think this does make it more readable in the end. > > Don't really know what I'm doing here, so close review would be > appreciated! > > Cc: Kees Cook > Cc: "Serge E. Hallyn" > Cc: Andrew Morton > Cc: Thomas Gleixner > CC: Arjan van de Ven > Cc: Oren Laadan > Cc: Ruchi Kandoi > Cc: Rom Lemarchand > Cc: Todd Kjos > Cc: Colin Cross > Cc: Nick Kralevich > Cc: Dmitry Shmidt > Cc: Elliott Hughes > Cc: Android Kernel Team > Cc: linux-security-mod...@vger.kernel.org > Cc: seli...@tycho.nsa.gov > Signed-off-by: John Stultz Acked-by: Kees Cook -Kees > --- > v2: > * Initial swing at adding settimerslack LSM hook > v3: > * Fix current/p switchup bug noted by NickK > * Add gettimerslack hook suggested by NickK > > fs/proc/base.c| 10 ++ > include/linux/lsm_hooks.h | 13 + > include/linux/security.h | 12 > security/security.c | 14 ++ > security/selinux/hooks.c | 12 > 5 files changed, 61 insertions(+) > > diff --git a/fs/proc/base.c b/fs/proc/base.c > index c94abae..cc66aa8 100644 > --- a/fs/proc/base.c > +++ b/fs/proc/base.c > @@ -2286,6 +2286,12 @@ static ssize_t timerslack_ns_write(struct file *file, > const char __user *buf, > goto out; > } > > + err = security_task_settimerslack(p, slack_ns); > + if (err) { > + count = err; > + goto out; > + } > + > task_lock(p); > if (slack_ns == 0) > p->timer_slack_ns = p->default_timer_slack_ns; > @@ -2314,6 +2320,10 @@ static int timerslack_ns_show(struct seq_file *m, void > *v) > goto out; > } > > + ret = security_task_gettimerslack(p); > + if (ret) > + goto out; > + > task_lock(p); > seq_printf(m, "%llu\n", p->timer_slack_ns); > task_unlock(p); > diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h > index 7ae3976..290483e 100644 > --- a/include/linux/lsm_hooks.h > +++ b/include/linux/lsm_hooks.h > @@ -627,6 +627,15 @@ > * Check permission before moving memory owned by process @p. > * @p contains the task_struct for process. > * Return 0 if permission is granted. > + * @task_settimerslack: > + * Check permission before setting timerslack value of @p to @slack. > + * @p contains the task_struct of a process. > + * @slack contains the new slack value. > + * Return 0 if permission is granted. > + * @task_gettimerslack: > + * Check permission before returning the timerslack value of @p. > + * @p contains the task_struct of a process. > + * Return 0 if permission is granted. > * @task_kill: > * Check permission before sending signal @sig to @p. @info can be NULL, > * the constant 1, or a pointer to a siginfo structure. If @info is 1 or > @@ -1473,6 +1482,8 @@ union security_list_options { > int (*task_setscheduler)(struct task_struct *p); > int (*task_getscheduler)(struct task_struct *p); > int (*task_movememory)(struct task_struct *p); > + int (*task_settimerslack)(struct task_struct *p, u64 slack); > + int (*task_gettimerslack)(struct task_struct *p); > int (*task_kill)(struct task_struct *p, struct siginfo *info, > int sig, u32 secid); > int (*task_wait)(struct task_struct *p); > @@ -1732,6 +1743,8 @@ struct security_hook_heads { > struct list_head task_setscheduler; > struct list_head task_getscheduler; > struct list_head task_movememory; > + struct list_head task_settimerslack; > + struct list_head task_gettimerslack; > struct list_head task_kill; > struct list_head task_wait; > struct list_head task_prctl; > diff --git a/include/linux/security.h b/include/linux/security.h > index 14df373..ab70f47 100644 > --- a/include/linux/security.h > +++ b/include/linux/security.h > @@ -325,6 +325,8 @@ int security_task_setrlimit(struct task_struct *p, > unsigned int resource, > int security_task_setscheduler(struct task_struct *p); > int security_task_getscheduler(struct task_struct *p); > int
Re: [RFC][PATCH 2/2 v3] security: Add task_settimerslack/task_gettimerslack LSM hook
On Mon, Jul 18, 2016 at 1:11 PM, John Stultz wrote: > As requested, this patch implements a task_settimerslack and > task_gettimerslack LSM hooks so that the /proc//timerslack_ns > interface can have finer grained security policies applied to it. > > I've kept the CAP_SYS_NICE check in the timerslack_ns_write/show > functions, as hiding it in the LSM hook seems too opaque, and doesn't > seem like a widely enough adopted practice. Yeah, I think this does make it more readable in the end. > > Don't really know what I'm doing here, so close review would be > appreciated! > > Cc: Kees Cook > Cc: "Serge E. Hallyn" > Cc: Andrew Morton > Cc: Thomas Gleixner > CC: Arjan van de Ven > Cc: Oren Laadan > Cc: Ruchi Kandoi > Cc: Rom Lemarchand > Cc: Todd Kjos > Cc: Colin Cross > Cc: Nick Kralevich > Cc: Dmitry Shmidt > Cc: Elliott Hughes > Cc: Android Kernel Team > Cc: linux-security-mod...@vger.kernel.org > Cc: seli...@tycho.nsa.gov > Signed-off-by: John Stultz Acked-by: Kees Cook -Kees > --- > v2: > * Initial swing at adding settimerslack LSM hook > v3: > * Fix current/p switchup bug noted by NickK > * Add gettimerslack hook suggested by NickK > > fs/proc/base.c| 10 ++ > include/linux/lsm_hooks.h | 13 + > include/linux/security.h | 12 > security/security.c | 14 ++ > security/selinux/hooks.c | 12 > 5 files changed, 61 insertions(+) > > diff --git a/fs/proc/base.c b/fs/proc/base.c > index c94abae..cc66aa8 100644 > --- a/fs/proc/base.c > +++ b/fs/proc/base.c > @@ -2286,6 +2286,12 @@ static ssize_t timerslack_ns_write(struct file *file, > const char __user *buf, > goto out; > } > > + err = security_task_settimerslack(p, slack_ns); > + if (err) { > + count = err; > + goto out; > + } > + > task_lock(p); > if (slack_ns == 0) > p->timer_slack_ns = p->default_timer_slack_ns; > @@ -2314,6 +2320,10 @@ static int timerslack_ns_show(struct seq_file *m, void > *v) > goto out; > } > > + ret = security_task_gettimerslack(p); > + if (ret) > + goto out; > + > task_lock(p); > seq_printf(m, "%llu\n", p->timer_slack_ns); > task_unlock(p); > diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h > index 7ae3976..290483e 100644 > --- a/include/linux/lsm_hooks.h > +++ b/include/linux/lsm_hooks.h > @@ -627,6 +627,15 @@ > * Check permission before moving memory owned by process @p. > * @p contains the task_struct for process. > * Return 0 if permission is granted. > + * @task_settimerslack: > + * Check permission before setting timerslack value of @p to @slack. > + * @p contains the task_struct of a process. > + * @slack contains the new slack value. > + * Return 0 if permission is granted. > + * @task_gettimerslack: > + * Check permission before returning the timerslack value of @p. > + * @p contains the task_struct of a process. > + * Return 0 if permission is granted. > * @task_kill: > * Check permission before sending signal @sig to @p. @info can be NULL, > * the constant 1, or a pointer to a siginfo structure. If @info is 1 or > @@ -1473,6 +1482,8 @@ union security_list_options { > int (*task_setscheduler)(struct task_struct *p); > int (*task_getscheduler)(struct task_struct *p); > int (*task_movememory)(struct task_struct *p); > + int (*task_settimerslack)(struct task_struct *p, u64 slack); > + int (*task_gettimerslack)(struct task_struct *p); > int (*task_kill)(struct task_struct *p, struct siginfo *info, > int sig, u32 secid); > int (*task_wait)(struct task_struct *p); > @@ -1732,6 +1743,8 @@ struct security_hook_heads { > struct list_head task_setscheduler; > struct list_head task_getscheduler; > struct list_head task_movememory; > + struct list_head task_settimerslack; > + struct list_head task_gettimerslack; > struct list_head task_kill; > struct list_head task_wait; > struct list_head task_prctl; > diff --git a/include/linux/security.h b/include/linux/security.h > index 14df373..ab70f47 100644 > --- a/include/linux/security.h > +++ b/include/linux/security.h > @@ -325,6 +325,8 @@ int security_task_setrlimit(struct task_struct *p, > unsigned int resource, > int security_task_setscheduler(struct task_struct *p); > int security_task_getscheduler(struct task_struct *p); > int security_task_movememory(struct task_struct *p); > +int security_task_settimerslack(struct task_struct *p, u64 slack); > +int security_task_gettimerslack(struct task_struct *p); > int security_task_kill(struct task_struct *p, struct siginfo *info, > int sig, u32 secid); > int security_task_wait(struct task_struct *p); > @@ -950,6 +952,16
Re: [RFC][PATCH 2/2 v3] security: Add task_settimerslack/task_gettimerslack LSM hook
Quoting John Stultz (john.stu...@linaro.org): > As requested, this patch implements a task_settimerslack and > task_gettimerslack LSM hooks so that the /proc//timerslack_ns > interface can have finer grained security policies applied to it. > > I've kept the CAP_SYS_NICE check in the timerslack_ns_write/show > functions, as hiding it in the LSM hook seems too opaque, and doesn't > seem like a widely enough adopted practice. > > Don't really know what I'm doing here, so close review would be > appreciated! > > Cc: Kees Cook> Cc: "Serge E. Hallyn" Acked-by: Serge Hallyn > Cc: Andrew Morton > Cc: Thomas Gleixner > CC: Arjan van de Ven > Cc: Oren Laadan > Cc: Ruchi Kandoi > Cc: Rom Lemarchand > Cc: Todd Kjos > Cc: Colin Cross > Cc: Nick Kralevich > Cc: Dmitry Shmidt > Cc: Elliott Hughes > Cc: Android Kernel Team > Cc: linux-security-mod...@vger.kernel.org > Cc: seli...@tycho.nsa.gov > Signed-off-by: John Stultz > --- > v2: > * Initial swing at adding settimerslack LSM hook > v3: > * Fix current/p switchup bug noted by NickK > * Add gettimerslack hook suggested by NickK > > fs/proc/base.c| 10 ++ > include/linux/lsm_hooks.h | 13 + > include/linux/security.h | 12 > security/security.c | 14 ++ > security/selinux/hooks.c | 12 > 5 files changed, 61 insertions(+) > > diff --git a/fs/proc/base.c b/fs/proc/base.c > index c94abae..cc66aa8 100644 > --- a/fs/proc/base.c > +++ b/fs/proc/base.c > @@ -2286,6 +2286,12 @@ static ssize_t timerslack_ns_write(struct file *file, > const char __user *buf, > goto out; > } > > + err = security_task_settimerslack(p, slack_ns); > + if (err) { > + count = err; > + goto out; > + } > + > task_lock(p); > if (slack_ns == 0) > p->timer_slack_ns = p->default_timer_slack_ns; > @@ -2314,6 +2320,10 @@ static int timerslack_ns_show(struct seq_file *m, void > *v) > goto out; > } > > + ret = security_task_gettimerslack(p); > + if (ret) > + goto out; > + > task_lock(p); > seq_printf(m, "%llu\n", p->timer_slack_ns); > task_unlock(p); > diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h > index 7ae3976..290483e 100644 > --- a/include/linux/lsm_hooks.h > +++ b/include/linux/lsm_hooks.h > @@ -627,6 +627,15 @@ > * Check permission before moving memory owned by process @p. > * @p contains the task_struct for process. > * Return 0 if permission is granted. > + * @task_settimerslack: > + * Check permission before setting timerslack value of @p to @slack. > + * @p contains the task_struct of a process. > + * @slack contains the new slack value. > + * Return 0 if permission is granted. > + * @task_gettimerslack: > + * Check permission before returning the timerslack value of @p. > + * @p contains the task_struct of a process. > + * Return 0 if permission is granted. > * @task_kill: > * Check permission before sending signal @sig to @p. @info can be NULL, > * the constant 1, or a pointer to a siginfo structure. If @info is 1 or > @@ -1473,6 +1482,8 @@ union security_list_options { > int (*task_setscheduler)(struct task_struct *p); > int (*task_getscheduler)(struct task_struct *p); > int (*task_movememory)(struct task_struct *p); > + int (*task_settimerslack)(struct task_struct *p, u64 slack); > + int (*task_gettimerslack)(struct task_struct *p); > int (*task_kill)(struct task_struct *p, struct siginfo *info, > int sig, u32 secid); > int (*task_wait)(struct task_struct *p); > @@ -1732,6 +1743,8 @@ struct security_hook_heads { > struct list_head task_setscheduler; > struct list_head task_getscheduler; > struct list_head task_movememory; > + struct list_head task_settimerslack; > + struct list_head task_gettimerslack; > struct list_head task_kill; > struct list_head task_wait; > struct list_head task_prctl; > diff --git a/include/linux/security.h b/include/linux/security.h > index 14df373..ab70f47 100644 > --- a/include/linux/security.h > +++ b/include/linux/security.h > @@ -325,6 +325,8 @@ int security_task_setrlimit(struct task_struct *p, > unsigned int resource, > int security_task_setscheduler(struct task_struct *p); > int security_task_getscheduler(struct task_struct *p); > int security_task_movememory(struct task_struct *p); > +int security_task_settimerslack(struct task_struct *p, u64 slack); > +int security_task_gettimerslack(struct task_struct *p); > int
Re: [RFC][PATCH 2/2 v3] security: Add task_settimerslack/task_gettimerslack LSM hook
Quoting John Stultz (john.stu...@linaro.org): > As requested, this patch implements a task_settimerslack and > task_gettimerslack LSM hooks so that the /proc//timerslack_ns > interface can have finer grained security policies applied to it. > > I've kept the CAP_SYS_NICE check in the timerslack_ns_write/show > functions, as hiding it in the LSM hook seems too opaque, and doesn't > seem like a widely enough adopted practice. > > Don't really know what I'm doing here, so close review would be > appreciated! > > Cc: Kees Cook > Cc: "Serge E. Hallyn" Acked-by: Serge Hallyn > Cc: Andrew Morton > Cc: Thomas Gleixner > CC: Arjan van de Ven > Cc: Oren Laadan > Cc: Ruchi Kandoi > Cc: Rom Lemarchand > Cc: Todd Kjos > Cc: Colin Cross > Cc: Nick Kralevich > Cc: Dmitry Shmidt > Cc: Elliott Hughes > Cc: Android Kernel Team > Cc: linux-security-mod...@vger.kernel.org > Cc: seli...@tycho.nsa.gov > Signed-off-by: John Stultz > --- > v2: > * Initial swing at adding settimerslack LSM hook > v3: > * Fix current/p switchup bug noted by NickK > * Add gettimerslack hook suggested by NickK > > fs/proc/base.c| 10 ++ > include/linux/lsm_hooks.h | 13 + > include/linux/security.h | 12 > security/security.c | 14 ++ > security/selinux/hooks.c | 12 > 5 files changed, 61 insertions(+) > > diff --git a/fs/proc/base.c b/fs/proc/base.c > index c94abae..cc66aa8 100644 > --- a/fs/proc/base.c > +++ b/fs/proc/base.c > @@ -2286,6 +2286,12 @@ static ssize_t timerslack_ns_write(struct file *file, > const char __user *buf, > goto out; > } > > + err = security_task_settimerslack(p, slack_ns); > + if (err) { > + count = err; > + goto out; > + } > + > task_lock(p); > if (slack_ns == 0) > p->timer_slack_ns = p->default_timer_slack_ns; > @@ -2314,6 +2320,10 @@ static int timerslack_ns_show(struct seq_file *m, void > *v) > goto out; > } > > + ret = security_task_gettimerslack(p); > + if (ret) > + goto out; > + > task_lock(p); > seq_printf(m, "%llu\n", p->timer_slack_ns); > task_unlock(p); > diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h > index 7ae3976..290483e 100644 > --- a/include/linux/lsm_hooks.h > +++ b/include/linux/lsm_hooks.h > @@ -627,6 +627,15 @@ > * Check permission before moving memory owned by process @p. > * @p contains the task_struct for process. > * Return 0 if permission is granted. > + * @task_settimerslack: > + * Check permission before setting timerslack value of @p to @slack. > + * @p contains the task_struct of a process. > + * @slack contains the new slack value. > + * Return 0 if permission is granted. > + * @task_gettimerslack: > + * Check permission before returning the timerslack value of @p. > + * @p contains the task_struct of a process. > + * Return 0 if permission is granted. > * @task_kill: > * Check permission before sending signal @sig to @p. @info can be NULL, > * the constant 1, or a pointer to a siginfo structure. If @info is 1 or > @@ -1473,6 +1482,8 @@ union security_list_options { > int (*task_setscheduler)(struct task_struct *p); > int (*task_getscheduler)(struct task_struct *p); > int (*task_movememory)(struct task_struct *p); > + int (*task_settimerslack)(struct task_struct *p, u64 slack); > + int (*task_gettimerslack)(struct task_struct *p); > int (*task_kill)(struct task_struct *p, struct siginfo *info, > int sig, u32 secid); > int (*task_wait)(struct task_struct *p); > @@ -1732,6 +1743,8 @@ struct security_hook_heads { > struct list_head task_setscheduler; > struct list_head task_getscheduler; > struct list_head task_movememory; > + struct list_head task_settimerslack; > + struct list_head task_gettimerslack; > struct list_head task_kill; > struct list_head task_wait; > struct list_head task_prctl; > diff --git a/include/linux/security.h b/include/linux/security.h > index 14df373..ab70f47 100644 > --- a/include/linux/security.h > +++ b/include/linux/security.h > @@ -325,6 +325,8 @@ int security_task_setrlimit(struct task_struct *p, > unsigned int resource, > int security_task_setscheduler(struct task_struct *p); > int security_task_getscheduler(struct task_struct *p); > int security_task_movememory(struct task_struct *p); > +int security_task_settimerslack(struct task_struct *p, u64 slack); > +int security_task_gettimerslack(struct task_struct *p); > int security_task_kill(struct task_struct *p, struct siginfo *info, > int sig, u32 secid); > int security_task_wait(struct task_struct *p); > @@ -950,6 +952,16 @@ static inline int security_task_movememory(struct > task_struct *p) > return 0; > } > > +static inline int security_task_settimerslack(struct
Re: [RFC][PATCH 2/2 v3] security: Add task_settimerslack/task_gettimerslack LSM hook
On Mon, Jul 18, 2016 at 1:11 PM, John Stultzwrote: > As requested, this patch implements a task_settimerslack and > task_gettimerslack LSM hooks so that the /proc//timerslack_ns > interface can have finer grained security policies applied to it. > > I've kept the CAP_SYS_NICE check in the timerslack_ns_write/show > functions, as hiding it in the LSM hook seems too opaque, and doesn't > seem like a widely enough adopted practice. > > Don't really know what I'm doing here, so close review would be > appreciated! Looks good. Thanks! Reviewed-by: Nick Kralevich > > Cc: Kees Cook > Cc: "Serge E. Hallyn" > Cc: Andrew Morton > Cc: Thomas Gleixner > CC: Arjan van de Ven > Cc: Oren Laadan > Cc: Ruchi Kandoi > Cc: Rom Lemarchand > Cc: Todd Kjos > Cc: Colin Cross > Cc: Nick Kralevich > Cc: Dmitry Shmidt > Cc: Elliott Hughes > Cc: Android Kernel Team > Cc: linux-security-mod...@vger.kernel.org > Cc: seli...@tycho.nsa.gov > Signed-off-by: John Stultz > --- > v2: > * Initial swing at adding settimerslack LSM hook > v3: > * Fix current/p switchup bug noted by NickK > * Add gettimerslack hook suggested by NickK > > fs/proc/base.c| 10 ++ > include/linux/lsm_hooks.h | 13 + > include/linux/security.h | 12 > security/security.c | 14 ++ > security/selinux/hooks.c | 12 > 5 files changed, 61 insertions(+) > > diff --git a/fs/proc/base.c b/fs/proc/base.c > index c94abae..cc66aa8 100644 > --- a/fs/proc/base.c > +++ b/fs/proc/base.c > @@ -2286,6 +2286,12 @@ static ssize_t timerslack_ns_write(struct file *file, > const char __user *buf, > goto out; > } > > + err = security_task_settimerslack(p, slack_ns); > + if (err) { > + count = err; > + goto out; > + } > + > task_lock(p); > if (slack_ns == 0) > p->timer_slack_ns = p->default_timer_slack_ns; > @@ -2314,6 +2320,10 @@ static int timerslack_ns_show(struct seq_file *m, void > *v) > goto out; > } > > + ret = security_task_gettimerslack(p); > + if (ret) > + goto out; > + > task_lock(p); > seq_printf(m, "%llu\n", p->timer_slack_ns); > task_unlock(p); > diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h > index 7ae3976..290483e 100644 > --- a/include/linux/lsm_hooks.h > +++ b/include/linux/lsm_hooks.h > @@ -627,6 +627,15 @@ > * Check permission before moving memory owned by process @p. > * @p contains the task_struct for process. > * Return 0 if permission is granted. > + * @task_settimerslack: > + * Check permission before setting timerslack value of @p to @slack. > + * @p contains the task_struct of a process. > + * @slack contains the new slack value. > + * Return 0 if permission is granted. > + * @task_gettimerslack: > + * Check permission before returning the timerslack value of @p. > + * @p contains the task_struct of a process. > + * Return 0 if permission is granted. > * @task_kill: > * Check permission before sending signal @sig to @p. @info can be NULL, > * the constant 1, or a pointer to a siginfo structure. If @info is 1 or > @@ -1473,6 +1482,8 @@ union security_list_options { > int (*task_setscheduler)(struct task_struct *p); > int (*task_getscheduler)(struct task_struct *p); > int (*task_movememory)(struct task_struct *p); > + int (*task_settimerslack)(struct task_struct *p, u64 slack); > + int (*task_gettimerslack)(struct task_struct *p); > int (*task_kill)(struct task_struct *p, struct siginfo *info, > int sig, u32 secid); > int (*task_wait)(struct task_struct *p); > @@ -1732,6 +1743,8 @@ struct security_hook_heads { > struct list_head task_setscheduler; > struct list_head task_getscheduler; > struct list_head task_movememory; > + struct list_head task_settimerslack; > + struct list_head task_gettimerslack; > struct list_head task_kill; > struct list_head task_wait; > struct list_head task_prctl; > diff --git a/include/linux/security.h b/include/linux/security.h > index 14df373..ab70f47 100644 > --- a/include/linux/security.h > +++ b/include/linux/security.h > @@ -325,6 +325,8 @@ int security_task_setrlimit(struct task_struct *p, > unsigned int resource, > int security_task_setscheduler(struct task_struct *p); > int security_task_getscheduler(struct task_struct *p); > int security_task_movememory(struct task_struct
Re: [RFC][PATCH 2/2 v3] security: Add task_settimerslack/task_gettimerslack LSM hook
On Mon, Jul 18, 2016 at 1:11 PM, John Stultz wrote: > As requested, this patch implements a task_settimerslack and > task_gettimerslack LSM hooks so that the /proc//timerslack_ns > interface can have finer grained security policies applied to it. > > I've kept the CAP_SYS_NICE check in the timerslack_ns_write/show > functions, as hiding it in the LSM hook seems too opaque, and doesn't > seem like a widely enough adopted practice. > > Don't really know what I'm doing here, so close review would be > appreciated! Looks good. Thanks! Reviewed-by: Nick Kralevich > > Cc: Kees Cook > Cc: "Serge E. Hallyn" > Cc: Andrew Morton > Cc: Thomas Gleixner > CC: Arjan van de Ven > Cc: Oren Laadan > Cc: Ruchi Kandoi > Cc: Rom Lemarchand > Cc: Todd Kjos > Cc: Colin Cross > Cc: Nick Kralevich > Cc: Dmitry Shmidt > Cc: Elliott Hughes > Cc: Android Kernel Team > Cc: linux-security-mod...@vger.kernel.org > Cc: seli...@tycho.nsa.gov > Signed-off-by: John Stultz > --- > v2: > * Initial swing at adding settimerslack LSM hook > v3: > * Fix current/p switchup bug noted by NickK > * Add gettimerslack hook suggested by NickK > > fs/proc/base.c| 10 ++ > include/linux/lsm_hooks.h | 13 + > include/linux/security.h | 12 > security/security.c | 14 ++ > security/selinux/hooks.c | 12 > 5 files changed, 61 insertions(+) > > diff --git a/fs/proc/base.c b/fs/proc/base.c > index c94abae..cc66aa8 100644 > --- a/fs/proc/base.c > +++ b/fs/proc/base.c > @@ -2286,6 +2286,12 @@ static ssize_t timerslack_ns_write(struct file *file, > const char __user *buf, > goto out; > } > > + err = security_task_settimerslack(p, slack_ns); > + if (err) { > + count = err; > + goto out; > + } > + > task_lock(p); > if (slack_ns == 0) > p->timer_slack_ns = p->default_timer_slack_ns; > @@ -2314,6 +2320,10 @@ static int timerslack_ns_show(struct seq_file *m, void > *v) > goto out; > } > > + ret = security_task_gettimerslack(p); > + if (ret) > + goto out; > + > task_lock(p); > seq_printf(m, "%llu\n", p->timer_slack_ns); > task_unlock(p); > diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h > index 7ae3976..290483e 100644 > --- a/include/linux/lsm_hooks.h > +++ b/include/linux/lsm_hooks.h > @@ -627,6 +627,15 @@ > * Check permission before moving memory owned by process @p. > * @p contains the task_struct for process. > * Return 0 if permission is granted. > + * @task_settimerslack: > + * Check permission before setting timerslack value of @p to @slack. > + * @p contains the task_struct of a process. > + * @slack contains the new slack value. > + * Return 0 if permission is granted. > + * @task_gettimerslack: > + * Check permission before returning the timerslack value of @p. > + * @p contains the task_struct of a process. > + * Return 0 if permission is granted. > * @task_kill: > * Check permission before sending signal @sig to @p. @info can be NULL, > * the constant 1, or a pointer to a siginfo structure. If @info is 1 or > @@ -1473,6 +1482,8 @@ union security_list_options { > int (*task_setscheduler)(struct task_struct *p); > int (*task_getscheduler)(struct task_struct *p); > int (*task_movememory)(struct task_struct *p); > + int (*task_settimerslack)(struct task_struct *p, u64 slack); > + int (*task_gettimerslack)(struct task_struct *p); > int (*task_kill)(struct task_struct *p, struct siginfo *info, > int sig, u32 secid); > int (*task_wait)(struct task_struct *p); > @@ -1732,6 +1743,8 @@ struct security_hook_heads { > struct list_head task_setscheduler; > struct list_head task_getscheduler; > struct list_head task_movememory; > + struct list_head task_settimerslack; > + struct list_head task_gettimerslack; > struct list_head task_kill; > struct list_head task_wait; > struct list_head task_prctl; > diff --git a/include/linux/security.h b/include/linux/security.h > index 14df373..ab70f47 100644 > --- a/include/linux/security.h > +++ b/include/linux/security.h > @@ -325,6 +325,8 @@ int security_task_setrlimit(struct task_struct *p, > unsigned int resource, > int security_task_setscheduler(struct task_struct *p); > int security_task_getscheduler(struct task_struct *p); > int security_task_movememory(struct task_struct *p); > +int security_task_settimerslack(struct task_struct *p, u64 slack); > +int security_task_gettimerslack(struct task_struct *p); > int security_task_kill(struct task_struct *p, struct siginfo *info, > int sig, u32 secid); > int security_task_wait(struct task_struct *p); > @@ -950,6 +952,16 @@ static inline int
[RFC][PATCH 2/2 v3] security: Add task_settimerslack/task_gettimerslack LSM hook
As requested, this patch implements a task_settimerslack and task_gettimerslack LSM hooks so that the /proc//timerslack_ns interface can have finer grained security policies applied to it. I've kept the CAP_SYS_NICE check in the timerslack_ns_write/show functions, as hiding it in the LSM hook seems too opaque, and doesn't seem like a widely enough adopted practice. Don't really know what I'm doing here, so close review would be appreciated! Cc: Kees CookCc: "Serge E. Hallyn" Cc: Andrew Morton Cc: Thomas Gleixner CC: Arjan van de Ven Cc: Oren Laadan Cc: Ruchi Kandoi Cc: Rom Lemarchand Cc: Todd Kjos Cc: Colin Cross Cc: Nick Kralevich Cc: Dmitry Shmidt Cc: Elliott Hughes Cc: Android Kernel Team Cc: linux-security-mod...@vger.kernel.org Cc: seli...@tycho.nsa.gov Signed-off-by: John Stultz --- v2: * Initial swing at adding settimerslack LSM hook v3: * Fix current/p switchup bug noted by NickK * Add gettimerslack hook suggested by NickK fs/proc/base.c| 10 ++ include/linux/lsm_hooks.h | 13 + include/linux/security.h | 12 security/security.c | 14 ++ security/selinux/hooks.c | 12 5 files changed, 61 insertions(+) diff --git a/fs/proc/base.c b/fs/proc/base.c index c94abae..cc66aa8 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -2286,6 +2286,12 @@ static ssize_t timerslack_ns_write(struct file *file, const char __user *buf, goto out; } + err = security_task_settimerslack(p, slack_ns); + if (err) { + count = err; + goto out; + } + task_lock(p); if (slack_ns == 0) p->timer_slack_ns = p->default_timer_slack_ns; @@ -2314,6 +2320,10 @@ static int timerslack_ns_show(struct seq_file *m, void *v) goto out; } + ret = security_task_gettimerslack(p); + if (ret) + goto out; + task_lock(p); seq_printf(m, "%llu\n", p->timer_slack_ns); task_unlock(p); diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 7ae3976..290483e 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -627,6 +627,15 @@ * Check permission before moving memory owned by process @p. * @p contains the task_struct for process. * Return 0 if permission is granted. + * @task_settimerslack: + * Check permission before setting timerslack value of @p to @slack. + * @p contains the task_struct of a process. + * @slack contains the new slack value. + * Return 0 if permission is granted. + * @task_gettimerslack: + * Check permission before returning the timerslack value of @p. + * @p contains the task_struct of a process. + * Return 0 if permission is granted. * @task_kill: * Check permission before sending signal @sig to @p. @info can be NULL, * the constant 1, or a pointer to a siginfo structure. If @info is 1 or @@ -1473,6 +1482,8 @@ union security_list_options { int (*task_setscheduler)(struct task_struct *p); int (*task_getscheduler)(struct task_struct *p); int (*task_movememory)(struct task_struct *p); + int (*task_settimerslack)(struct task_struct *p, u64 slack); + int (*task_gettimerslack)(struct task_struct *p); int (*task_kill)(struct task_struct *p, struct siginfo *info, int sig, u32 secid); int (*task_wait)(struct task_struct *p); @@ -1732,6 +1743,8 @@ struct security_hook_heads { struct list_head task_setscheduler; struct list_head task_getscheduler; struct list_head task_movememory; + struct list_head task_settimerslack; + struct list_head task_gettimerslack; struct list_head task_kill; struct list_head task_wait; struct list_head task_prctl; diff --git a/include/linux/security.h b/include/linux/security.h index 14df373..ab70f47 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -325,6 +325,8 @@ int security_task_setrlimit(struct task_struct *p, unsigned int resource, int security_task_setscheduler(struct task_struct *p); int security_task_getscheduler(struct task_struct *p); int security_task_movememory(struct task_struct *p); +int security_task_settimerslack(struct task_struct *p, u64 slack); +int security_task_gettimerslack(struct task_struct *p); int security_task_kill(struct task_struct *p, struct siginfo *info, int sig, u32 secid); int security_task_wait(struct task_struct *p); @@ -950,6 +952,16 @@ static inline int security_task_movememory(struct task_struct
[RFC][PATCH 2/2 v3] security: Add task_settimerslack/task_gettimerslack LSM hook
As requested, this patch implements a task_settimerslack and task_gettimerslack LSM hooks so that the /proc//timerslack_ns interface can have finer grained security policies applied to it. I've kept the CAP_SYS_NICE check in the timerslack_ns_write/show functions, as hiding it in the LSM hook seems too opaque, and doesn't seem like a widely enough adopted practice. Don't really know what I'm doing here, so close review would be appreciated! Cc: Kees Cook Cc: "Serge E. Hallyn" Cc: Andrew Morton Cc: Thomas Gleixner CC: Arjan van de Ven Cc: Oren Laadan Cc: Ruchi Kandoi Cc: Rom Lemarchand Cc: Todd Kjos Cc: Colin Cross Cc: Nick Kralevich Cc: Dmitry Shmidt Cc: Elliott Hughes Cc: Android Kernel Team Cc: linux-security-mod...@vger.kernel.org Cc: seli...@tycho.nsa.gov Signed-off-by: John Stultz --- v2: * Initial swing at adding settimerslack LSM hook v3: * Fix current/p switchup bug noted by NickK * Add gettimerslack hook suggested by NickK fs/proc/base.c| 10 ++ include/linux/lsm_hooks.h | 13 + include/linux/security.h | 12 security/security.c | 14 ++ security/selinux/hooks.c | 12 5 files changed, 61 insertions(+) diff --git a/fs/proc/base.c b/fs/proc/base.c index c94abae..cc66aa8 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -2286,6 +2286,12 @@ static ssize_t timerslack_ns_write(struct file *file, const char __user *buf, goto out; } + err = security_task_settimerslack(p, slack_ns); + if (err) { + count = err; + goto out; + } + task_lock(p); if (slack_ns == 0) p->timer_slack_ns = p->default_timer_slack_ns; @@ -2314,6 +2320,10 @@ static int timerslack_ns_show(struct seq_file *m, void *v) goto out; } + ret = security_task_gettimerslack(p); + if (ret) + goto out; + task_lock(p); seq_printf(m, "%llu\n", p->timer_slack_ns); task_unlock(p); diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 7ae3976..290483e 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -627,6 +627,15 @@ * Check permission before moving memory owned by process @p. * @p contains the task_struct for process. * Return 0 if permission is granted. + * @task_settimerslack: + * Check permission before setting timerslack value of @p to @slack. + * @p contains the task_struct of a process. + * @slack contains the new slack value. + * Return 0 if permission is granted. + * @task_gettimerslack: + * Check permission before returning the timerslack value of @p. + * @p contains the task_struct of a process. + * Return 0 if permission is granted. * @task_kill: * Check permission before sending signal @sig to @p. @info can be NULL, * the constant 1, or a pointer to a siginfo structure. If @info is 1 or @@ -1473,6 +1482,8 @@ union security_list_options { int (*task_setscheduler)(struct task_struct *p); int (*task_getscheduler)(struct task_struct *p); int (*task_movememory)(struct task_struct *p); + int (*task_settimerslack)(struct task_struct *p, u64 slack); + int (*task_gettimerslack)(struct task_struct *p); int (*task_kill)(struct task_struct *p, struct siginfo *info, int sig, u32 secid); int (*task_wait)(struct task_struct *p); @@ -1732,6 +1743,8 @@ struct security_hook_heads { struct list_head task_setscheduler; struct list_head task_getscheduler; struct list_head task_movememory; + struct list_head task_settimerslack; + struct list_head task_gettimerslack; struct list_head task_kill; struct list_head task_wait; struct list_head task_prctl; diff --git a/include/linux/security.h b/include/linux/security.h index 14df373..ab70f47 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -325,6 +325,8 @@ int security_task_setrlimit(struct task_struct *p, unsigned int resource, int security_task_setscheduler(struct task_struct *p); int security_task_getscheduler(struct task_struct *p); int security_task_movememory(struct task_struct *p); +int security_task_settimerslack(struct task_struct *p, u64 slack); +int security_task_gettimerslack(struct task_struct *p); int security_task_kill(struct task_struct *p, struct siginfo *info, int sig, u32 secid); int security_task_wait(struct task_struct *p); @@ -950,6 +952,16 @@ static inline int security_task_movememory(struct task_struct *p) return 0; } +static inline int security_task_settimerslack(struct task_struct *p, u64 slack) +{ + return 0; +} + +static inline int security_task_gettimerslack(struct task_struct *p) +{ + return 0; +} + static inline int security_task_kill(struct task_struct *p,