From patchwork Wed Oct 18 10:50:24 2023
X-Patchwork-Submitter: Michael Weiß
X-Patchwork-Id: 154819
From: Michael Weiß
To: Alexander Mikhalitsyn, Christian Brauner, Alexei Starovoitov, Paul Moore
Cc: Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Quentin Monnet, Alexander Viro, Miklos Szeredi, Amir Goldstein, "Serge E. Hallyn", bpf@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, gyroidos@aisec.fraunhofer.de, Michael Weiß
Subject: [RFC PATCH v2 05/14] device_cgroup: Implement dev_permission() hook
Date: Wed, 18 Oct 2023 12:50:24 +0200
Message-Id: <20231018105033.13669-6-michael.weiss@aisec.fraunhofer.de>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20231018105033.13669-1-michael.weiss@aisec.fraunhofer.de>
References: <20231018105033.13669-1-michael.weiss@aisec.fraunhofer.de>

Wrap devcgroup_check_permission() by implementing the new security hook
dev_permission().

Signed-off-by: Michael Weiß

--- security/device_cgroup/lsm.c | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/security/device_cgroup/lsm.c b/security/device_cgroup/lsm.c index ef30cff1f610..987d2c20a577 100644 --- a/security/device_cgroup/lsm.c +++ b/security/device_cgroup/lsm.c
@@ -14,29 +14,32 @@ #include #include -static int devcg_inode_permission(struct inode *inode, int mask) +static int devcg_dev_permission(umode_t mode, dev_t dev, int mask) { short type, access = 0; - if (likely(!inode->i_rdev)) - return 0; - - if (S_ISBLK(inode->i_mode)) + if (S_ISBLK(mode)) type = DEVCG_DEV_BLOCK; - else if (S_ISCHR(inode->i_mode)) - type = DEVCG_DEV_CHAR; else - return 0; + type = DEVCG_DEV_CHAR; if (mask & MAY_WRITE) access |= DEVCG_ACC_WRITE; if (mask & MAY_READ) access |= DEVCG_ACC_READ; - return devcgroup_check_permission(type, imajor(inode), iminor(inode), + return devcgroup_check_permission(type, MAJOR(dev), MINOR(dev), access); } +static int devcg_inode_permission(struct inode *inode, int mask) +{ + if (likely(!inode->i_rdev)) + return 0; + + return devcg_dev_permission(inode->i_mode, inode->i_rdev, mask); +} + static int __devcg_inode_mknod(int mode, dev_t dev, short access) { short type; @@ -65,6 +68,7 @@ static int devcg_inode_mknod(struct inode *dir, struct dentry *dentry, static struct security_hook_list devcg_hooks[] __ro_after_init = { LSM_HOOK_INIT(inode_permission, devcg_inode_permission), LSM_HOOK_INIT(inode_mknod, devcg_inode_mknod), + LSM_HOOK_INIT(dev_permission, devcg_dev_permission), }; static int __init devcgroup_init(void)
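
Review bot: In devcg_dev_permission() (first hunk) the type selection now falls through to DEVCG_DEV_CHAR for every mode that is not S_ISBLK, where the removed code tested S_ISCHR(inode->i_mode) and returned 0 for anything else. Through devcg_inode_permission() the only remaining guard is `!inode->i_rdev`, so an inode with a non-zero i_rdev that is neither a block nor a char device is now checked against the cgroup as a char device instead of being let through, and direct callers of the new hook get the same treatment. Suggest keeping `else if (S_ISCHR(mode)) type = DEVCG_DEV_CHAR; else return 0;`, or adding a comment that callers must pass only S_IFBLK or S_IFCHR modes.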
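
Review bot: The second hunk registers devcg_dev_permission directly as the dev_permission hook, but the `!inode->i_rdev` early return stays only in the devcg_inode_permission() wrapper, so a hook call with dev == 0 goes straight to devcgroup_check_permission() with major 0 and minor 0. Either move the zero check into devcg_dev_permission() or document the expected arguments above the function. The commit message could also say in which paths dev_permission is invoked relative to inode_permission, since both hooks are now registered and end in the same check.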