introduce a new hook to query LSM for functionality
Add a new hook func_query_vfs to query an LSM module (such as
SELinux) with the intention of finding whether or not it is enabled
or perhaps supports some functionality.

NFS stores security labels for file system objects and SELinux
or any other LSM module can query those objects. But it's
wasteful to do so when no security enforcement is taking place.
Using a new API call of security_func_query_vfs() and asking if

Suggested-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
Olga Kornievskaia authored and intel-lab-lkp committed Nov 5, 2020
1 parent 3650b22 commit 0a59499b0fcef78631c9a8619f330ae47802742f
Showing 4 changed files with 18 additions and 0 deletions.
@@ -257,6 +257,7 @@ LSM_HOOK(int, 0, inode_notifysecctx, struct inode *inode, void *ctx, u32 ctxlen)
LSM_HOOK(int, 0, inode_setsecctx, struct dentry *dentry, void *ctx, u32 ctxlen)
LSM_HOOK(int, 0, inode_getsecctx, struct inode *inode, void **ctx,
u32 *ctxlen)
LSM_HOOK(int, 0, func_query_vfs, unsigned int)

#if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE)
LSM_HOOK(int, 0, post_notification, const struct cred *w_cred,
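Review bot: The new LSM_HOOK entry leaves its parameter unnamed (`unsigned int`), unlike the neighbouring entries in this hunk, which all name theirs; the prototype added to security.h calls it `flags`, so the entry should read `LSM_HOOK(int, 0, func_query_vfs, unsigned int flags)`. Because the entry's default return is 0, a one-line comment above it, such as `/* default 0: no LSM claims the queried functionality */`, would put the hook's contract where implementers look for it.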
@@ -456,6 +456,10 @@ int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
int security_locked_down(enum lockdown_reason what);
#define LSM_FQUERY_VFS_NONE 0x00000000
#define LSM_FQUERY_VFS_XATTRS 0x00000001
int security_func_query_vfs(unsigned int flags);

#else /* CONFIG_SECURITY */

static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
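Review bot: No `!CONFIG_SECURITY` counterpart is added for security_func_query_vfs(): the `#else /* CONFIG_SECURITY */` branch visible at the end of this hunk receives no stub, and the diffstat's 18 additions are fully accounted for by the visible hunks, so a caller such as NFS would fail to compile in a kernel built without CONFIG_SECURITY. Add `static inline int security_func_query_vfs(unsigned int flags) { return 0; }` to the `#else` branch, matching the other stubs there. The LSM_FQUERY_VFS_* defines should also be placed outside the `#ifdef CONFIG_SECURITY` block (which starts above this hunk), since callers will reference them whether or not an LSM is built in.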
@@ -2067,6 +2067,12 @@ int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
}
EXPORT_SYMBOL(security_inode_getsecctx);

int security_func_query_vfs(unsigned int flags)
{
return call_int_hook(func_query_vfs, 0, flags);
}
EXPORT_SYMBOL(security_func_query_vfs);

#ifdef CONFIG_WATCH_QUEUE
int security_post_notification(const struct cred *w_cred,
const struct cred *cred,
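Review bot: The exported security_func_query_vfs() carries no comment describing what its return value means, and the hook's semantics are not obvious from the name alone. call_int_hook() is not visible here, but if it follows the usual pattern of stopping at the first non-zero result, then with stacked LSMs a 1 from any one module answers for all of them, which callers should know. A comment above the definition such as `/* Returns non-zero if any active LSM reports support for the functionality in @flags, 0 when none does (or no LSM is registered). */` would pin that down.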
@@ -92,6 +92,7 @@
#include <uapi/linux/mount.h>
#include <linux/fsnotify.h>
#include <linux/fanotify.h>
#include <linux/security.h>

#include "avc.h"
#include "objsec.h"
@@ -6502,6 +6503,11 @@ static void selinux_inode_invalidate_secctx(struct inode *inode)
spin_unlock(&isec->lock);
}

static int selinux_func_query_vfs(unsigned int flags)
{
return !!(flags & LSM_FQUERY_VFS_XATTRS);
}

/*
* called with inode->i_mutex locked
*/
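Review bot: selinux_func_query_vfs() answers purely from the flag bits and never consults SELinux's own state, so it reports xattr support even when no policy has been loaded, while the commit message motivates the hook with avoiding label work when no enforcement is taking place. If that is the intent, the hook should check the policy state before returning 1 (e.g. `selinux_initialized(&selinux_state)`, if that helper exists in this tree); if the unconditional answer is deliberate, a comment saying so, such as `/* Answered independently of policy state: labels are consumed as soon as SELinux is registered. */`, would keep the question from being re-raised. Returning the supported subset, `return flags & LSM_FQUERY_VFS_XATTRS;`, instead of a boolean would also let a caller query several capability bits in one call and learn which ones are supported.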
@@ -7085,6 +7091,7 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(inode_invalidate_secctx, selinux_inode_invalidate_secctx),
LSM_HOOK_INIT(inode_notifysecctx, selinux_inode_notifysecctx),
LSM_HOOK_INIT(inode_setsecctx, selinux_inode_setsecctx),
LSM_HOOK_INIT(func_query_vfs, selinux_func_query_vfs),

LSM_HOOK_INIT(unix_stream_connect, selinux_socket_unix_stream_connect),
LSM_HOOK_INIT(unix_may_send, selinux_socket_unix_may_send),
