
security: Add hooks to rule on setting a watch

Add security hooks that will allow an LSM to rule on whether or not a watch
may be set. More than one hook is required as the watches watch different
types of object.

Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jamorris@linux.microsoft.com>
cc: Casey Schaufler <casey@schaufler-ca.com>
cc: Stephen Smalley <sds@tycho.nsa.gov>
cc: linux-security-module@vger.kernel.org

+25
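--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -256,6 +256,10 @@
 #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE)
 LSM_HOOK(int, 0, post_notification, const struct cred *w_cred,
 const struct cred *cred, struct watch_notification *n)
+#endif /* CONFIG_SECURITY && CONFIG_WATCH_QUEUE */
+
+#if defined(CONFIG_SECURITY) && defined(CONFIG_KEY_NOTIFICATIONS)
+LSM_HOOK(int, 0, watch_key, struct key *key)
 #endif /* CONFIG_SECURITY && CONFIG_KEY_NOTIFICATIONS */
 
 #ifdef CONFIG_SECURITY_NETWORK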
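--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1446,6 +1446,11 @@
 * @cred: The event-triggerer's credentials
 * @n: The notification being posted
 *
+* @watch_key:
+* Check to see if a process is allowed to watch for event notifications
+* from a key or keyring.
+* @key: The key to watch.
+*
 * Security hooks for using the eBPF maps and programs functionalities through
 * eBPF syscalls.
 *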
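Review bot: The new @watch_key entry describes the question the hook answers but not the answer convention, so an LSM author cannot tell from this comment whether a refusal is a non-zero return or an errno, nor that the default (no LSM implementing it) is to allow the watch, which is what the default value of 0 in lsm_hook_defs.h and the stub in security.h encode. If the neighbouring entries use the usual "Return 0 if permission is granted" form, add the matching line after `@key: The key to watch.`, e.g. `*	Return 0 if permission is granted, -ve error otherwise.`. The comment block this sits in starts and ends outside the hunk.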
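--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1290,6 +1290,15 @@
 }
 #endif
 
+#if defined(CONFIG_SECURITY) && defined(CONFIG_KEY_NOTIFICATIONS)
+int security_watch_key(struct key *key);
+#else
+static inline int security_watch_key(struct key *key)
+{
+return 0;
+}
+#endif
+
 #ifdef CONFIG_SECURITY_NETWORK
 
 int security_unix_stream_connect(struct sock *sock, struct sock *other, struct sock *newsk);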
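Review bot: Both the prototype and the inline stub name `struct key` in a parameter list, which only resolves to the real key type if `struct key` has been forward-declared (or its header included) earlier in security.h; otherwise the compiler scopes the tag to the prototype and warns, and the definition in security.c would then be a conflicting type. I cannot see the top of the header here, so please confirm a `struct key;` declaration precedes line 1293, and add one next to the other forward declarations if it does not. The stub's unconditional `return 0;` means a kernel built without CONFIG_SECURITY or without CONFIG_KEY_NOTIFICATIONS always permits the watch, which matches the default in lsm_hook_defs.h but deserves a one-line comment on the stub so the fail-open choice is visibly deliberate.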
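--- a/security/security.c
+++ b/security/security.c
@@ -2016,6 +2016,13 @@
 }
 #endif /* CONFIG_WATCH_QUEUE */
 
+#ifdef CONFIG_KEY_NOTIFICATIONS
+int security_watch_key(struct key *key)
+{
+return call_int_hook(watch_key, 0, key);
+}
+#endif
+
 #ifdef CONFIG_SECURITY_NETWORK
 
 int security_unix_stream_connect(struct sock *sock, struct sock *other, struct sock *newsk)
</function>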
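Review bot: security_watch_key() is declared and defined here but nothing in this commit calls it, so the hook is inert until the key-notification code invokes it before a watch is attached; the commit message says the hooks "will allow an LSM to rule" on a watch, and a sentence naming where the call is expected to land would save the next reader from searching. The wrapper itself has no comment; since call_int_hook() returns the default 0 unless an LSM returns something else, I would add above the definition `/* Returns 0 if the watch may be set, else the error from the first LSM to refuse (0 if no LSM implements the hook). */`, hedged on the exact call_int_hook() semantics, which are not visible in the hunk. The guard is `#ifdef CONFIG_KEY_NOTIFICATIONS` while the header and lsm_hook_defs.h use `defined(CONFIG_SECURITY) && defined(CONFIG_KEY_NOTIFICATIONS)`; that is fine only because security.c is presumably built solely under CONFIG_SECURITY, and the closing `#endif` would read better with the same `/* CONFIG_KEY_NOTIFICATIONS */` annotation its CONFIG_WATCH_QUEUE neighbour at line 2017 carries.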