From: Paul Osmialowski Date: Tue, 26 May 2015 09:58:06 +0000 (+0200) Subject: lsm: kdbus security hooks X-Git-Tag: submit/tizen/20151029.055133~9 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=5196ee43b72a31a5b5ba31382a7991d34454c4a1;p=platform%2Fkernel%2Flinux-exynos.git lsm: kdbus security hooks This is combination of work by Karol Lewandowski and Paul Moore on LSM hooks for kdbus. Originates from: git://git.infradead.org/users/pcmoore/selinux (branch: working-kdbus) commit: 7050f206a79564886938d0edc4e1e9da5972c72d https://github.com/lmctl/linux.git (branch: kdbus-lsm-v4.for-systemd-v212) commit: a9fe4c33b6e5ab25a243e0590df406aabb6add12 Change-Id: Ie55cd3eb6427542856d15ded7ba986712c2b9453 Signed-off-by: Karol Lewandowski Signed-off-by: Paul Moore Signed-off-by: Paul Osmialowski --- diff --git a/include/linux/security.h b/include/linux/security.h index a1b7dbd127ff..ae80d583f83b 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -53,6 +53,7 @@ struct msg_queue; struct xattr; struct xfrm_sec_ctx; struct mm_struct; +struct kdbus_conn; /* Maximum number of letters for an LSM name string */ #define SECURITY_NAME_MAX 10 @@ -1455,6 +1456,20 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) * @inode we wish to get the security context of. * @ctx is a pointer in which to place the allocated security context. * @ctxlen points to the place to put the length of @ctx. + * + * Security hooks for kdbus + * + * @kdbus_conn_alloc: + * Allocate and initialize security related part of kdbus connection. + * Return 0 on success. + * + * @kdbus_conn_free: + * Deallocate security related part of kdbus connection. + * + * @kdbus_talk: + * Check if peers can talk to each other. + * Return 0 if permission is granted. + * * This is the main security structure. */ struct security_operations { 
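Review bot: The kernel-doc entry for @kdbus_talk in the security.h comment hunk says only "Check if peers can talk to each other", which leaves an LSM author unable to tell whether the check is direction-sensitive (@src sending to @dst) and whether a grant for that pair is expected to cover the reply from @dst to @src, or whether the hook runs once per connection pair or once per message. The call sites are not part of this patch, so confirm against the kdbus code and then spell it out, e.g. `Check whether @src may send to @dst. The check is direction-sensitive; a reply from @dst to @src is a separate call.` The @kdbus_conn_free entry should likewise state whether it is invoked for a connection whose @kdbus_conn_alloc call returned an error, since an LSM then has to tolerate a security blob that was never set up.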
@@ -1672,6 +1687,13 @@ struct security_operations { int (*inode_setsecctx)(struct dentry *dentry, void *ctx, u32 ctxlen); int (*inode_getsecctx)(struct inode *inode, void **ctx, u32 *ctxlen); +#ifdef CONFIG_KDBUS + int (*kdbus_conn_alloc)(struct kdbus_conn *conn); + void (*kdbus_conn_free)(struct kdbus_conn *conn); + int (*kdbus_talk)(const struct kdbus_conn *src, + const struct kdbus_conn *dst); +#endif /* CONFIG_KDBUS */ + #ifdef CONFIG_SECURITY_NETWORK int (*unix_stream_connect) (struct sock *sock, struct sock *other, struct sock *newsk); int (*unix_may_send) (struct socket *sock, struct socket *other); @@ -3103,6 +3125,34 @@ static inline int security_path_chroot(struct path *path) } #endif /* CONFIG_SECURITY_PATH */ +#ifdef CONFIG_KDBUS +#ifdef CONFIG_SECURITY + +int security_kdbus_conn_alloc(struct kdbus_conn *conn); +void security_kdbus_conn_free(struct kdbus_conn *conn); +int security_kdbus_talk(const struct kdbus_conn *src, + const struct kdbus_conn *dst); + +#else /* CONFIG_SECURITY */ + +static inline int security_kdbus_conn_alloc(struct kdbus_conn *conn) +{ + return 0; +} + +static inline void security_kdbus_conn_free(struct kdbus_conn *conn) +{ +} + +static inline int security_kdbus_talk(const struct kdbus_conn *src, + const struct kdbus_conn *dst) +{ + return 0; +} + +#endif /* CONFIG_SECURITY */ +#endif /* CONFIG_KDBUS */ + #ifdef CONFIG_KEYS #ifdef CONFIG_SECURITY diff --git a/security/capability.c b/security/capability.c index 070dd46f62f4..83960f28b87e 100644 --- a/security/capability.c +++ b/security/capability.c 
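Review bot: The prototypes and inline stubs in the second hunk, like the three new `security_operations` members in the first, are guarded by `#ifdef CONFIG_KDBUS`, which is only defined when kdbus is built in; if KDBUS is a tristate option in this tree and is built as a module, the preprocessor sees CONFIG_KDBUS_MODULE instead, so the declarations, the stubs and the hook pointers all disappear and the kdbus module has nothing to link the security_kdbus_* calls against. The EXPORT_SYMBOL on the wrappers added to security.c suggests a modular consumer is intended. Replace each `#ifdef CONFIG_KDBUS` with `#if IS_ENABLED(CONFIG_KDBUS)` here and in the matching capability.c and security.c hunks, or confirm that KDBUS is a bool in this tree and note that in the commit message.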
@@ -595,6 +595,25 @@ static int cap_sem_semop(struct sem_array *sma, struct sembuf *sops, return 0; } +#ifdef CONFIG_KDBUS + +static int cap_kdbus_conn_alloc(struct kdbus_conn *conn) +{ + return 0; +} + +static void cap_kdbus_conn_free(struct kdbus_conn *conn) +{ +} + +static int cap_kdbus_talk(const struct kdbus_conn *src, + const struct kdbus_conn *dst) +{ + return 0; +} + +#endif /* CONFIG_KDBUS */ + #ifdef CONFIG_SECURITY_NETWORK static int cap_unix_stream_connect(struct sock *sock, struct sock *other, struct sock *newsk) @@ -1097,6 +1116,11 @@ void __init security_fixup_ops(struct security_operations *ops) set_to_cap_if_null(ops, inode_notifysecctx); set_to_cap_if_null(ops, inode_setsecctx); set_to_cap_if_null(ops, inode_getsecctx); +#ifdef CONFIG_KDBUS + set_to_cap_if_null(ops, kdbus_conn_alloc); + set_to_cap_if_null(ops, kdbus_conn_free); + set_to_cap_if_null(ops, kdbus_talk); +#endif /* CONFIG_KDBUS */ #ifdef CONFIG_SECURITY_NETWORK set_to_cap_if_null(ops, unix_stream_connect); set_to_cap_if_null(ops, unix_may_send); diff --git a/security/security.c b/security/security.c index 4d647c78ac6c..469e0868fcfa 100644 --- a/security/security.c +++ b/security/security.c @@ -1153,6 +1153,29 @@ int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) } EXPORT_SYMBOL(security_inode_getsecctx); +#ifdef CONFIG_KDBUS + +int security_kdbus_conn_alloc(struct kdbus_conn *conn) +{ + return security_ops->kdbus_conn_alloc(conn); +} +EXPORT_SYMBOL(security_kdbus_conn_alloc); + +void security_kdbus_conn_free(struct kdbus_conn *conn) +{ + security_ops->kdbus_conn_free(conn); +} +EXPORT_SYMBOL(security_kdbus_conn_free); + +int security_kdbus_talk(const struct kdbus_conn *src, + const struct kdbus_conn *dst) +{ + return security_ops->kdbus_talk(src, dst); +} +EXPORT_SYMBOL(security_kdbus_talk); + +#endif /* CONFIG_KDBUS */ + #ifdef CONFIG_SECURITY_NETWORK int security_unix_stream_connect(struct sock *sock, struct sock *other, struct sock *newsk)