NotificationsYou must be signed in to change notification settings
Fork0
Star2

Commit344fa64

committed

security: Add a hook for the point of notification insertion

Add a security hook that allows an LSM to rule on whether a notificationmessage is allowed to be inserted into a particular watch queue.The hook is given the following information: (1) The credentials of the triggerer (which may be init_cred for a system notification, eg. a hardware error). (2) The credentials of the whoever set the watch. (3) The notification message.Signed-off-by: David Howells <dhowells@redhat.com>Acked-by: James Morris <jamorris@linux.microsoft.com>cc: Casey Schaufler <casey@schaufler-ca.com>cc: Stephen Smalley <sds@tycho.nsa.gov>cc: linux-security-module@vger.kernel.org

1 parent0858caa commit344fa64Copy full SHA for 344fa64

File tree

4 files changed

+38

-0

lines changed

include/linux
security
- security.c

4 files changed

+38

-0

lines changed

`‎include/linux/lsm_hook_defs.h‎`

Lines changed: 5 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -253,6 +253,11 @@ LSM_HOOK(int, 0, inode_setsecctx, struct dentry dentry, void ctx, u32 ctxlen)`
`253`	`253`	`LSM_HOOK(int,0,inode_getsecctx,structinodeinode,void*ctx,`
`254`	`254`	`u32*ctxlen)`
`255`	`255`
	`256`	`+#if defined(CONFIG_SECURITY)&& defined(CONFIG_WATCH_QUEUE)`
	`257`	`+LSM_HOOK(int,0,post_notification,conststructcred*w_cred,`
	`258`	`+conststructcredcred,structwatch_notificationn)`
	`259`	`+#endif/* CONFIG_SECURITY && CONFIG_KEY_NOTIFICATIONS */`
	`260`	`+`
`256`	`261`	`#ifdefCONFIG_SECURITY_NETWORK`
`257`	`262`	`LSM_HOOK(int,0,unix_stream_connect,structsocksock,structsockother,`
`258`	`263`	`structsock*newsk)`

`‎include/linux/lsm_hooks.h‎`

Lines changed: 9 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1437,6 +1437,15 @@`
`1437`	`1437`	`*@ctx is a pointer in which to place the allocated security context.`
`1438`	`1438`	`*@ctxlen points to the place to put the length of @ctx.`
`1439`	`1439`	`*`
	`1440`	`+ * Security hooks for the general notification queue:`
	`1441`	`+ *`
	`1442`	`+ * @post_notification:`
	`1443`	`+ *Check to see if a watch notification can be posted to a particular`
	`1444`	`+ *queue.`
	`1445`	`+ *@w_cred: The credentials of the whoever set the watch.`
	`1446`	`+ *@cred: The event-triggerer's credentials`
	`1447`	`+ *@n: The notification being posted`
	`1448`	`+ *`
`1440`	`1449`	`* Security hooks for using the eBPF maps and programs functionalities through`
`1441`	`1450`	`* eBPF syscalls.`
`1442`	`1451`	`*`

`‎include/linux/security.h‎`

Lines changed: 15 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -56,6 +56,8 @@ struct mm_struct;`
`56`	`56`	`structfs_context;`
`57`	`57`	`structfs_parameter;`
`58`	`58`	`enumfs_value_type;`
	`59`	`+structwatch;`
	`60`	`+structwatch_notification;`
`59`	`61`
`60`	`62`	`/* Default (no) options for the capable function */`
`61`	`63`	`#defineCAP_OPT_NONE 0x0`
`@@ -1275,6 +1277,19 @@ static inline int security_locked_down(enum lockdown_reason what)`
`1275`	`1277`	`}`
`1276`	`1278`	`#endif/* CONFIG_SECURITY */`
`1277`	`1279`
	`1280`	`+#if defined(CONFIG_SECURITY)&& defined(CONFIG_WATCH_QUEUE)`
	`1281`	`+intsecurity_post_notification(conststructcred*w_cred,`
	`1282`	`+conststructcred*cred,`
	`1283`	`+structwatch_notification*n);`
	`1284`	`+#else`
	`1285`	`+staticinlineintsecurity_post_notification(conststructcred*w_cred,`
	`1286`	`+conststructcred*cred,`
	`1287`	`+structwatch_notification*n)`
	`1288`	`+{`
	`1289`	`+return0;`
	`1290`	`+}`
	`1291`	`+#endif`
	`1292`	`+`
`1278`	`1293`	`#ifdefCONFIG_SECURITY_NETWORK`
`1279`	`1294`
`1280`	`1295`	`intsecurity_unix_stream_connect(structsocksock,structsockother,structsock*newsk);`

`‎security/security.c‎`

Lines changed: 9 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -2007,6 +2007,15 @@ int security_inode_getsecctx(struct inode inode, void ctx, u32 ctxlen)`
`2007`	`2007`	`}`
`2008`	`2008`	`EXPORT_SYMBOL(security_inode_getsecctx);`
`2009`	`2009`
	`2010`	`+#ifdefCONFIG_WATCH_QUEUE`
	`2011`	`+intsecurity_post_notification(conststructcred*w_cred,`
	`2012`	`+conststructcred*cred,`
	`2013`	`+structwatch_notification*n)`
	`2014`	`+{`
	`2015`	`+returncall_int_hook(post_notification,0,w_cred,cred,n);`
	`2016`	`+}`
	`2017`	`+#endif/* CONFIG_WATCH_QUEUE */`
	`2018`	`+`
`2010`	`2019`	`#ifdefCONFIG_SECURITY_NETWORK`
`2011`	`2020`
`2012`	`2021`	`intsecurity_unix_stream_connect(structsocksock,structsockother,structsock*newsk)`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit344fa64

File tree

4 files changed

4 files changed

`‎include/linux/lsm_hook_defs.h‎`

`‎include/linux/lsm_hooks.h‎`

`‎include/linux/security.h‎`

`‎security/security.c‎`

0 commit comments