From: Casey Schaufler <casey@schaufler-ca.com>
To: Christoph Hellwig <hch@infradead.org>,
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: linux-security-module@vger.kernel.org, linux-mm@kvack.org,
kernel-hardening@lists.openwall.com,
linux-kernel@vger.kernel.org,
Greg KH <gregkh@linuxfoundation.org>,
Igor Stoppa <igor.stoppa@huawei.com>,
James Morris <james.l.morris@oracle.com>,
Kees Cook <keescook@chromium.org>,
Paul Moore <paul@paul-moore.com>,
Stephen Smalley <sds@tycho.nsa.gov>
Subject: Re: [PATCH] LSM: Make security_hook_heads a local variable.
Date: Mon, 22 May 2017 08:09:12 -0700 [thread overview]
Message-ID: <d98f4cd5-3f21-3f7b-2842-12b9a009e453@schaufler-ca.com> (raw)
In-Reply-To: <20170522140306.GA3907@infradead.org>
On 5/22/2017 7:03 AM, Christoph Hellwig wrote:
> On Sun, May 21, 2017 at 08:14:05PM +0900, Tetsuo Handa wrote:
>> A sealable memory allocator patch was proposed at
>> http://lkml.kernel.org/r/20170519103811.2183-1-igor.stoppa@huawei.com ,
>> and is waiting for a follow-on patch showing how any of the kernel
>> can be changed to use this new subsystem. So, here it is for LSM hooks.
>>
>> The LSM hooks ("struct security_hook_heads security_hook_heads" and
>> "struct security_hook_list ...[]") will benefit from this allocator via
>> protection using set_memory_ro()/set_memory_rw(), and it will remove
>> CONFIG_SECURITY_WRITABLE_HOOKS config option.
>>
>> This means that these structures will be allocated at run time using
>> smalloc(), and therefore the address of these structures will be
>> determined at run time rather than compile time.
>>
>> But currently, LSM_HOOK_INIT() macro depends on the address of
>> security_hook_heads being known at compile time. But we already
>> initialize security_hook_heads as an array of "struct list_head".
>>
>> Therefore, let's use index number (or relative offset from the head
>> of security_hook_heads) instead of absolute address of
>> security_hook_heads so that LSM_HOOK_INIT() macro does not need to
>> know absolute address of security_hook_heads. Then, security_add_hooks()
>> will be able to allocate and copy "struct security_hook_list ...[]" using
>> smalloc().
>>
>> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
>> Cc: Kees Cook <keescook@chromium.org>
>> Cc: Paul Moore <paul@paul-moore.com>
>> Cc: Stephen Smalley <sds@tycho.nsa.gov>
>> Cc: Casey Schaufler <casey@schaufler-ca.com>
>> Cc: James Morris <james.l.morris@oracle.com>
>> Cc: Igor Stoppa <igor.stoppa@huawei.com>
>> Cc: Greg KH <gregkh@linuxfoundation.org>
>> ---
>> include/linux/lsm_hooks.h | 6 +++---
>> security/security.c | 10 ++++++++--
>> 2 files changed, 11 insertions(+), 5 deletions(-)
>>
>> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
>> index 080f34e..865c11d 100644
>> --- a/include/linux/lsm_hooks.h
>> +++ b/include/linux/lsm_hooks.h
>> @@ -1884,8 +1884,8 @@ struct security_hook_heads {
>> */
>> struct security_hook_list {
>> struct list_head list;
>> - struct list_head *head;
>> union security_list_options hook;
>> + const unsigned int idx;
>> char *lsm;
>> };
>>
>> @@ -1896,9 +1896,9 @@ struct security_hook_list {
>> * text involved.
>> */
>> #define LSM_HOOK_INIT(HEAD, HOOK) \
>> - { .head = &security_hook_heads.HEAD, .hook = { .HEAD = HOOK } }
>> + { .idx = offsetof(struct security_hook_heads, HEAD) / \
>> + sizeof(struct list_head), .hook = { .HEAD = HOOK } }
>>
>> -extern struct security_hook_heads security_hook_heads;
>> extern char *lsm_names;
>>
>> extern void security_add_hooks(struct security_hook_list *hooks, int count,
>> diff --git a/security/security.c b/security/security.c
>> index 54b1e39..d6883ce 100644
>> --- a/security/security.c
>> +++ b/security/security.c
>> @@ -33,7 +33,7 @@
>> /* Maximum number of letters for an LSM name string */
>> #define SECURITY_NAME_MAX 10
>>
>> -struct security_hook_heads security_hook_heads __lsm_ro_after_init;
>> +static struct security_hook_heads security_hook_heads __lsm_ro_after_init;
>> char *lsm_names;
>> /* Boot-time LSM user choice */
>> static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
>> @@ -152,10 +152,16 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count,
>> char *lsm)
>> {
>> int i;
>> + struct list_head *list = (struct list_head *) &security_hook_heads;
> Eww, struct casts. This whole security_hook_heads scheme stink,
> even with the slight improvements from Tetsuo. It has everything we
> shouldn't do - function pointers in structures that are not hard
> read-only, structure casts, etc.
>
> What's the reason why can't just have good old const function tables?
The set of hooks used by most security modules are sparse.
> Yeah, stackable LSM make that a little harder, but they should not be
> enable by default anyway.
With the number of security modules queued up behind full stacking
I can't say that I agree with your assertion.
> But even with those we can still chain
> them together with a list with external linkage.
I gave up that approach in 2012. Too many unnecessary calls to
null functions, and massive function vectors with a tiny number
of non-null entries. From a data structure standpoint, it was
just wrong. The list scheme is exactly right for the task at
hand.
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2017-05-22 15:09 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-19 10:38 [RFC v3]mm: ro protection for data allocated dynamically Igor Stoppa
2017-05-19 10:38 ` [PATCH 1/1] Sealable memory support Igor Stoppa
2017-05-20 8:51 ` [kernel-hardening] " Greg KH
2017-05-21 11:14 ` [PATCH] LSM: Make security_hook_heads a local variable Tetsuo Handa
2017-05-22 14:03 ` Christoph Hellwig
2017-05-22 15:09 ` Casey Schaufler [this message]
2017-05-22 19:50 ` Igor Stoppa
2017-05-22 20:32 ` Casey Schaufler
2017-05-22 20:43 ` Tetsuo Handa
2017-05-22 19:45 ` [kernel-hardening] [PATCH 1/1] Sealable memory support Igor Stoppa
2017-05-22 21:38 ` Kees Cook
2017-05-23 9:43 ` Igor Stoppa
2017-05-23 20:11 ` Kees Cook
2017-05-24 17:45 ` Igor Stoppa
2017-05-28 18:23 ` Kees Cook
2017-05-28 18:56 ` [kernel-hardening] " Boris Lukashev
2017-05-28 21:32 ` Kees Cook
2017-05-29 6:04 ` Boris Lukashev
2017-05-31 21:22 ` Igor Stoppa
2017-05-31 13:55 ` kbuild test robot
2017-06-04 2:18 ` kbuild test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d98f4cd5-3f21-3f7b-2842-12b9a009e453@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=gregkh@linuxfoundation.org \
--cc=hch@infradead.org \
--cc=igor.stoppa@huawei.com \
--cc=james.l.morris@oracle.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@I-love.SAKURA.ne.jp \
--cc=sds@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox