CHROMIUM: kernel: Initial chromiumos security module.

Initially the chromiumos security module only prevents symlinks in mount paths. Future versions will be more restrictive and will be configurable using a driver interface. BUG=chromium-os:21954 TEST=Use a mount path with a symlink and observe mount failure. Change-Id: I47ade3b7be684ab9e0533ce5ffd1e81009eaebfe Signed-off-by: Stephan Uphoff <ups@chromium.org> Reviewed-on: https://gerrit.chromium.org/gerrit/10581 Reviewed-by: Kees Cook <keescook@chromium.org> Reviewed-by: Mandeep Singh Baines <msb@chromium.org>
astarasikov · Nov 3, 2011 · 220ac37 · 220ac37
1 parent 4093e61
commit 220ac37
Show file tree

Hide file tree

Showing 5 changed files with 73 additions and 0 deletions.
diff --git a/security/Kconfig b/security/Kconfig
@@ -202,6 +202,7 @@ source security/selinux/Kconfig
 source security/smack/Kconfig
 source security/tomoyo/Kconfig
 source security/apparmor/Kconfig
+source security/chromiumos/Kconfig
 
 source security/integrity/ima/Kconfig
 
@@ -211,6 +212,7 @@ choice
 	default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
 	default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
 	default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
+	default DEFAULT_SECURITY_CHROMIUMOS if SECURITY_CHROMIUMOS
 	default DEFAULT_SECURITY_DAC
 
 	help
@@ -229,6 +231,9 @@ choice
 	config DEFAULT_SECURITY_APPARMOR
 		bool "AppArmor" if SECURITY_APPARMOR=y
 
+	config DEFAULT_SECURITY_CHROMIUMOS
+		bool "Chromium OS" if SECURITY_CHROMIUMOS=y
+
 	config DEFAULT_SECURITY_DAC
 		bool "Unix Discretionary Access Controls"
 
@@ -240,6 +245,7 @@ config DEFAULT_SECURITY
 	default "smack" if DEFAULT_SECURITY_SMACK
 	default "tomoyo" if DEFAULT_SECURITY_TOMOYO
 	default "apparmor" if DEFAULT_SECURITY_APPARMOR
+	default "chromiumos" if DEFAULT_SECURITY_CHROMIUMOS
 	default "" if DEFAULT_SECURITY_DAC
 
 endmenu

diff --git a/security/Makefile b/security/Makefile
@@ -7,6 +7,7 @@ subdir-$(CONFIG_SECURITY_SELINUX)	+= selinux
 subdir-$(CONFIG_SECURITY_SMACK)		+= smack
 subdir-$(CONFIG_SECURITY_TOMOYO)        += tomoyo
 subdir-$(CONFIG_SECURITY_APPARMOR)	+= apparmor
+subdir-$(CONFIG_SECURITY_CHROMIUMOS)	+= chromiumos
 
 # always enable default capabilities
 obj-y					+= commoncap.o
@@ -21,6 +22,7 @@ obj-$(CONFIG_SECURITY_SMACK)		+= smack/built-in.o
 obj-$(CONFIG_AUDIT)			+= lsm_audit.o
 obj-$(CONFIG_SECURITY_TOMOYO)		+= tomoyo/built-in.o
 obj-$(CONFIG_SECURITY_APPARMOR)		+= apparmor/built-in.o
+obj-$(CONFIG_SECURITY_CHROMIUMOS)	+= chromiumos/built-in.o
 obj-$(CONFIG_CGROUP_DEVICE)		+= device_cgroup.o
 
 # Object integrity file lists

diff --git a/security/chromiumos/Kconfig b/security/chromiumos/Kconfig
@@ -0,0 +1,10 @@
+config SECURITY_CHROMIUMOS
+	tristate "Chromium OS Security Module"
+	depends on SECURITY
+	help
+	  The purpose of the Chromium OS security module is to reduce attacking
+	  surface by preventing access to general purpose access modes not required
+	  by Chromium OS.
+	  Currently only the mount operation is restricted by requiring a mount point
+	  path without symbolic links.
+
diff --git a/security/chromiumos/Makefile b/security/chromiumos/Makefile
@@ -0,0 +1 @@
+obj-$(CONFIG_SECURITY_CHROMIUMOS) += lsm.o
diff --git a/security/chromiumos/lsm.c b/security/chromiumos/lsm.c
@@ -0,0 +1,54 @@
+/*
+ * Linux Security Module for Chromium OS
+ *
+ * Copyright 2011 Google Inc. All Rights Reserved
+ *
+ * Author:
+ *      Stephan Uphoff  <ups@google.com>
+ *
+ * This software is licensed under the terms of the GNU General Public
+ * License version 2, as published by the Free Software Foundation, and
+ * may be copied, distributed, and modified under those terms.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ */
+
+#include <linux/module.h>
+#include <linux/security.h>
+
+static int chromiumos_security_sb_mount(char *dev_name, struct path *path,
+			 char *type, unsigned long flags, void *data)
+{
+	int error = current->total_link_count ? -ELOOP : 0;
+
+	if (error) {
+		char name[sizeof(current->comm)];
+		printk(KERN_NOTICE "Chromium OS LSM: Mount path with symlinks"
+			" prohibited - Task %s (pid = %d)\n",
+			get_task_comm(name, current), task_pid_nr(current));
+	}
+
+	return error;
+}
+
+static struct security_operations chromiumos_security_ops = {
+	.name	= "chromiumos",
+	.sb_mount = chromiumos_security_sb_mount,
+};
+
+
+static int __init chromiumos_security_init(void)
+{
+	int error;
+
+	error = register_security(&chromiumos_security_ops);
+
+	if (error)
+		panic("Could not register chromiumos security module");
+
+	return error;
+}
+security_initcall(chromiumos_security_init);