Module security
This module provides types and hook APIs supporting Linux Security Modules functionality in Starnix. LSM provides a generic set of hooks, and opaque types, used to decouple the rest of the kernel from the details of any specific security enforcement subsystem (e.g. SELinux, POSIX.1e, etc.).

Although this module is hard-wired to the SELinux implementation, callers should treat the types as opaque; hook implementations necessarily have access to kernel structures, but not the other way around.

Modules§

testing
yama
YAMA hook implementations used to restrict ptrace access. This module implements the YAMA LSM functionality, used to lock down ptrace access.

Structs§

AuditLogger
Audit logging structure.
AuditMessage
Audit message structure.
BinderConnectionState
Opaque structure holding security state for a [binderfs::BinderConnection].
BpfMapState
Opaque structure holding security state for a bpf [ebpf_api::maps::Map].
BpfProgState
Opaque structure holding security state for a bpf crate::bpf::program::Program.
FileObjectState
Opaque structure holding security state for a crate::vfs::FileObject.
FileSystemState
Opaque structure holding security state for a crate::vfs::FileSystem.
FsNodeSecurityXattr
Used to return an extended attribute name and value to apply to a crate::vfs::FsNode.
FsNodeState
The opaque type used by crate::vfs::FsNodeInfo to store security state.
KernelState
Opaque structure encapsulating security subsystem state for the whole system.
PerfEventState
Opaque structure holding security state for a PerfEventFileState.
PermissionFlags
The flags about which permissions should be checked when opening an FsNode. Used in the fs_node_permission() hook.
ResolvedElfState
Structure holding security state associated with a ResolvedElf instance. TODO(https://fxbug.dev/378835222): Consider restructuring hook calls so that the kernel does not need to depend on the contents of this struct.
SocketState
Opaque structure holding security state for a crate::vfs::socket::Socket.
TaskState
Opaque structure encapsulating active security state for a Task.

Enums§

AuditRequest
Supported requests that manipulate the AuditLogger
Auditable
Container for a reference to kernel state from which to include details when emitting audit logging. Auditable instances are created from references to objects via into(), e.g:
PerfEventType
The flags about the PerfEvent types.
ProcAttr
Identifies one of the Security Context attributes associated with a task.
TargetTaskType
The target task type. Used in the check_perf_event_open_access LSM hook.

Functions§

binder_connection_alloc
Returns the security context to be assigned to a BinderConnection, based on the task that creates it.
binder_get_context
Returns the serialized Security Context associated with the specified state. If the state’s SID cannot be resolved then None is returned.
binder_set_context_mgr
Checks whether the given current_task can become the binder context manager. Corresponds to the binder_set_context_mgr hook.
binder_transaction
Checks whether the given current_task can perform a transaction to target_task. Corresponds to the binder_transaction hook.
binder_transfer_binder
Checks whether the given current_task can transfer Binder objects to target_task. Corresponds to the binder_transfer_binder hook.
binder_transfer_file
Checks whether the given receiving_task can receive file in a Binder transaction. Corresponds to the binder_transfer_file hook.
bpf_map_alloc
Returns the security context to be assigned to a BPF map object, based on the task that creates it. Corresponds to the bpf_map_alloc_security() LSM hook.
bpf_prog_alloc
Returns the security context to be assigned to a BPF program object, based on the task that creates it. Corresponds to the bpf_prog_alloc_security() LSM hook.
bprm_creds_for_exec
Checks if exec is allowed and if so, checks permissions related to the transition (if any) from the pre-exec security context to the post-exec context.
check_bpf_access
Checks whether current_task can perform the given bpf cmd. This hook is called from the sys_bpf() syscall after the attribute is copied into the kernel. Corresponds to the bpf() LSM hook.
check_bpf_map_access
Checks whether current_task can create a bpf_map. This hook is called from the sys_bpf() syscall when the kernel tries to generate and return a file descriptor for maps. Corresponds to the bpf_map() LSM hook.
check_bpf_prog_access
Checks whether current_task can create a bpf_program. This hook is called from the sys_bpf() syscall when the kernel tries to generate and return a file descriptor for programs. Corresponds to the bpf_prog() LSM hook.
check_file_fcntl_access
Returns whether current_task has the permissions to execute this fcntl syscall. Corresponds to the file_fcntl() LSM hook.
check_file_ioctl_access
Returns whether current_task can issue an ioctl to file. Corresponds to the file_ioctl() LSM hook.
check_file_lock_access
This hook is called by the flock syscall. Returns whether current_task can perform a lock operation on the given file.
check_fs_node_create_access
Validate that current_task has permission to create a regular file in the parent directory, with the specified file mode. Corresponds to the inode_create() LSM hook.
check_fs_node_getattr_access
Checks if current_task has the permission to read file attributes for fs_node. Corresponds to the inode_getattr() hook.
check_fs_node_getxattr_access
Corresponds to the inode_getxattr() LSM hook.
check_fs_node_link_access
Validate that current_task has the permission to create a new hard link to a file. Corresponds to the inode_link() LSM hook.
check_fs_node_listxattr_access
Corresponds to the inode_listxattr() LSM hook.
check_fs_node_mkdir_access
Validate that current_task has permission to create a new directory in the parent directory, with the specified file mode. Corresponds to the inode_mkdir() LSM hook.
check_fs_node_mknod_access
Validate that current_task has permission to create a new special file, socket or pipe, in the parent directory, and with the specified file mode and device_id. For consistency any calls to mknod() with a file mode specifying a regular file will be validated by check_fs_node_create_access() rather than by this hook. Corresponds to the inode_mknod() LSM hook.
check_fs_node_read_link_access
Checks whether the current_task can read the symbolic link in fs_node. Corresponds to the inode_readlink() LSM hook.
check_fs_node_removexattr_access
Corresponds to the inode_removexattr() LSM hook.
check_fs_node_rename_access
Checks whether the current_task can rename the file or directory moving_node. If the rename replaces an existing node, replaced_node must contain a reference to the existing node. Corresponds to the inode_rename() LSM hook.
check_fs_node_rmdir_access
Validate that current_task has the permission to remove a directory. Corresponds to the inode_rmdir() LSM hook.
check_fs_node_setattr_access
Checks whether current_task can set attributes on node. Corresponds to the inode_setattr() LSM hook.
check_fs_node_setxattr_access
This is called by Starnix even for filesystems which support extended attributes, unlike Linux LSM. Partially corresponds to the inode_setxattr() LSM hook: It is equivalent to inode_setxattr() for non-security xattrs, while fs_node_setsecurity() is always called for security xattrs. See also fs_node_setsecurity().
check_fs_node_symlink_access
Validate that current_task has permission to create a symlink to old_path in the parent directory. Corresponds to the inode_symlink() LSM hook.
check_fs_node_unlink_access
Validate that current_task has the permission to remove a hard link to a file. Corresponds to the inode_unlink() LSM hook.
check_getcap_access
Called when the current task queries the Linux capabilities of the target task. Corresponds to the capget() LSM hook.
check_getpgid_access
Checks if getpgid is allowed. Corresponds to the task_getpgid() LSM hook.
check_getsched_access
Checks if source may exercise the “getsched” permission on target. Corresponds to the task_getscheduler() LSM hook.
check_netlink_send_access
Checks if the current_task is allowed to send a message of message_type on the Netlink socket. Corresponds to the netlink_send() LSM hook.
check_perf_event_open_access
Checks whether current_task has the correct permissions to monitor the given target task or tasks. Corresponds to the perf_event_open LSM hook.
check_perf_event_read_access
Checks whether current_task has the correct permissions to read the given perf_event_file. Corresponds to the perf_event_read LSM hook.
check_perf_event_write_access
Checks whether current_task has the correct permissions to write to the given perf_event_file. Corresponds to the perf_event_write LSM hook.
check_setcap_access
Called when the current task attempts to set the Linux capabilities of the target task. Corresponds to the capset() LSM hook.
check_setpgid_access
Checks if setpgid is allowed. Corresponds to the task_setpgid() LSM hook.
check_setsched_access
Checks if setsched is allowed. Corresponds to the task_setscheduler() LSM hook.
check_signal_access
Checks if sending a signal is allowed. Corresponds to the task_kill() LSM hook.
check_socket_bind_access
Checks if the current_task is allowed to perform a bind operation for this socket. Corresponds to the socket_bind() LSM hook.
check_socket_connect_access
Checks if the current_task is allowed to initiate a connection with socket. Corresponds to the socket_connect() LSM hook.
check_socket_create_access
Checks if creating a socket is allowed. Corresponds to the socket_create() LSM hook.
check_socket_getpeername_access
Checks if the current_task is allowed to get the remote name of socket. Corresponds to the socket_getpeername() LSM hook.
check_socket_getsockname_access
Checks if the current_task is allowed to get the local name of socket. Corresponds to the socket_getsockname() LSM hook.
check_socket_getsockopt_access
Checks if the current_task is allowed to get socket options on socket. Corresponds to the socket_getsockopt() LSM hook.
check_socket_listen_access
Checks if the current_task is allowed to listen on socket_node. Corresponds to the socket_listen() LSM hook.
check_socket_recvmsg_access
Checks if the current_task is allowed to receive a message on socket. Corresponds to the socket_recvmsg() LSM hook.
check_socket_sendmsg_access
Checks if the current_task is allowed to send a message on socket. Corresponds to the socket_sendmsg() LSM hook.
check_socket_setsockopt_access
Checks if the current_task is allowed to set socket options on socket. Corresponds to the socket_setsockopt() LSM hook.
check_socket_shutdown_access
Checks if the current_task is allowed to shutdown socket. Corresponds to the socket_shutdown() LSM hook.
check_syslog_access
Checks if a particular syslog action is allowed. Corresponds to the task_syslog() LSM hook.
check_task_capable
Checks if a task has the specified capability. Corresponds to the capable() LSM hook.
check_task_create_access
Checks if creating a task is allowed. Directly maps to the selinux_task_create LSM hook from the original NSA white paper. Partially corresponds to the task_alloc() LSM hook. Compared to task_alloc(), this hook doesn’t actually modify the task’s label, but instead verifies whether the task has the “fork” permission on itself.
check_task_getsid
Called when the current task queries the session Id of the target task. Corresponds to the task_getsid() LSM hook.
check_tun_dev_create_access
Checks if the current_task has permission to create a new TUN device. Corresponds to the tun_dev_create() LSM hook.
creds_start_internal_operation
Marks the credentials as being used for an internal operation. All SELinux permission checks will be skipped on this task.
exec_binprm
Updates the SELinux thread group state on exec. Corresponds to the exec_binprm function described in the SELinux Notebook.
file_alloc_security
Returns the security state for a new file object created by current_task. Corresponds to the file_alloc_security() LSM hook.
file_mprotect
Checks whether current_task is allowed to request setting the memory protection of mapping to prot. Corresponds to the file_mprotect LSM hook.
file_permission
Checks whether the current_task has the specified permission_flags to the file. Corresponds to the file_permission() LSM hook.
file_receive
Returns whether the current_task can receive file via a socket IPC. Corresponds to the file_receive() LSM hook.
file_system_init_security
Returns security state to associate with a filesystem based on the supplied mount options. This sits somewhere between fs_context_parse_param() and sb_set_mnt_opts() in function.
file_system_post_init_security
Gives the hooks subsystem an opportunity to note that the new file_system needs labeling, if SELinux is enabled, but no policy has yet been loaded.
file_system_resolve_security
Resolves the labeling scheme and arguments for the file_system, based on the loaded policy. If no policy has yet been loaded then no work is done, and the file_system will instead be labeled when a policy is first loaded. If the file_system was already labeled then no further work is done.
fs_is_xattr_labeled
Returns true if SELinux is enabled on the kernel for this task.
fs_node_copy_up
Sets the security context of CurrentTask to be appropriate for a copy up operation on fs_node, then calls do_copy_up. The task’s security context will be reset before returning.
fs_node_getsecurity
Returns the value of the specified “security.*” attribute for fs_node. If SELinux is enabled then requests for the “security.selinux” attribute will return the Security Context corresponding to the SID with which fs_node has been labeled, even if the node’s file system does not generally support extended attributes. If SELinux is not enabled, or the node is not labeled with a SID, then the call is delegated to the crate::vfs::FsNodeOps, so the returned value may not be a valid Security Context. Corresponds to the inode_getsecurity() LSM hook.
fs_node_init_anon
Called on creation of anonymous crate::vfs::FsNodes. APIs that create file-descriptors that are not linked into any filesystem directory structure create anonymous nodes, labeled by this hook rather than fs_node_init_on_create() above. Corresponds to the inode_init_security_anon() LSM hook.
fs_node_init_memfd
Called on creation of mem-FD crate::vfs::FsNodes. Corresponds to the inode_init_security_anon() LSM hook, called with the mem-FD node-type.
fs_node_init_on_create
Called by file-system implementations when creating the FsNode for a new file, to determine the correct label based on the CurrentTask and parent node, and the policy-defined transition rules, and to initialize the FsNode’s security state accordingly. If no policy has yet been loaded then this is a no-op; if the FsNode corresponds to an xattr- labeled file then it will receive the file-system’s “default” label once a policy is loaded. Returns an extended attribute value to set on the newly-created file if the labeling scheme is fs_use_xattr. For other labeling schemes (e.g. fs_use_trans, mountpoint-labeling) a label is set on the FsNode security state, but no extended attribute is set nor returned. The name with which the new node is being created allows name-conditional type_transition rules to be applied when determining the label for the new_node. Corresponds to the inode_init_security() LSM hook.
fs_node_init_with_dentry
Called by the VFS to initialize the security state for an FsNode that is being linked at dir_entry. If the FsNode security state had already been initialized, or no policy is yet loaded, then this is a no-op. Corresponds to the d_instantiate() LSM hook.
fs_node_init_with_dentry_deferred
fs_node_init_with_dentry_no_xattr
fs_node_listsecurity
If SELinux is enabled and fs_node is in a filesystem without xattr support, returns the xattr name for the security label associated with inode. Otherwise returns None.
fs_node_notify_security_context
Applies the given label to the given node without checking any permissions. Used by file-system implementations to set the label for a node, for example when it has prefetched the label in the xattr rather than letting it get fetched by fs_node_init_with_dentry later. Calling this doesn’t need to exclude the use of fs_node_init_with_dentry, it will just turn that call into a fast no-op. Corresponds to the inode_notifysecctx LSM hook.
fs_node_permission
Checks whether the current_task can access an inode. Corresponds to the inode_permission() LSM hook.
fs_node_setsecurity
Called when an extended attribute with “security.”-prefixed name is being set, after having passed the discretionary and check_fs_node_setxattr_access() permission-checks. This allows the LSM (e.g. SELinux) to update internal state as necessary for xattr changes.
fs_node_xattr_skipcap
Returns true if the security subsystem should skip capability checks on access to the named attribute, false otherwise.
get_procattr
Returns the Security Context associated with the named entry for the specified target task. Corresponds to the getprocattr() LSM hook.
has_dontaudit_access
Returns true if there exists a dontaudit rule for current_task access to fs_node, which includes the audit_access pseudo-permission. In Linux LSM this appears to be handled via additional options and flags on other hooks.
is_task_capable_noaudit
Returns true if a task has the specified capability. Corresponds to the capable() LSM hook invoked with a no-audit flag set.
kernel_init_security
Returns the security state structure for the kernel, based on the supplied “selinux” argument contents.
mmap_file
Checks whether the current_task is allowed to mmap file or memory using the given ProtectionFlags and MappingOptions. Corresponds to the mmap_file() LSM hook.
perf_event_alloc
Returns the security context to be assigned to a PerfEventFileState, based on the task that creates it. Corresponds to the perf_event_alloc LSM hook.
ptrace_access_check
Checks whether the current current_task is allowed to trace tracee_task. Corresponds to the ptrace_access_check() LSM hook.
ptrace_traceme
Checks whether the parent_tracer_task is allowed to trace the current_task. Corresponds to the ptrace_traceme() LSM hook.
sb_eat_lsm_opts
Consumes the security-relevant mount options from the supplied MountParams and returns them as the security mount options for that mount. Corresponds to the sb_eat_lsm_opts hook.
sb_kern_mount
Check permission before mounting fs. Corresponds to the sb_kern_mount() LSM hook.
sb_mount
Check permission before mounting to path. flags contains the mount flags that determine the kind of mount operation done, and therefore the permissions that the caller requires. Corresponds to the sb_mount() LSM hook.
sb_remount
Checks permission before remounting mount with new_mount_params. Corresponds to the sb_remount() LSM hook.
sb_show_options
Writes the LSM mount options of mount into buf. Corresponds to the sb_show_options LSM hook.
sb_statfs
Checks if current_task has the permission to get the filesystem statistics of fs. Corresponds to the sb_statfs() LSM hook.
sb_umount
Checks if current_task has the permission to unmount the filesystem mounted on node using the unmount flags flags. Corresponds to the sb_umount() LSM hook.
selinuxfs_check_access
Used by the “selinuxfs” module to perform checks on SELinux API file accesses.
selinuxfs_get_admin_api
Used by the “selinuxfs” module to access the SELinux administration API, if enabled.
selinuxfs_init_null
Stashes a reference to the selinuxfs null file for later use by hooks that remap inaccessible file descriptors to null.
selinuxfs_policy_loaded
Called by the “selinuxfs” when a policy has been successfully loaded, to allow policy-dependent initialization to be completed. This includes resolving labeling schemes and state for file-systems mounted prior to policy load (e.g. the “selinuxfs” itself), and initializing security state for any file nodes they may already contain.
set_procattr
Sets the Security Context associated with the named entry for the current task. Corresponds to the setprocattr() LSM hook.
socket_accept
Checks if the current_task is allowed to accept connections on listening_socket. Sets the security label and SID for the accepted socket to match those of the listening socket. Corresponds to the socket_accept() LSM hook.
socket_getpeersec_dgram
Returns the Security Context with which the [crate::vfs::Socket] is labeled, to return to the recipient via SCM_SECURITY auxiliary data, if SO_PASSSEC is set. Corresponds to the socket_getpeersec_dgram() LSM hook.
socket_getpeersec_stream
Returns the Security Context with which the [crate::vfs::Socket]’s peer is labeled. Corresponds to the socket_getpeersec_stream() LSM hook.
socket_post_create
Computes and updates the socket security class associated with a new socket. Corresponds to the socket_post_create() LSM hook.
socket_socketpair
Sets the peer security context for each socket in the pair. Corresponds to the socket_socketpair() LSM hook.
task_alloc
Returns TaskState for a new Task, based on that of current_task, and the specified clone flags. Corresponds to the task_alloc() LSM hook.
task_alloc_for_kernel
Return the default initial TaskState for kernel tasks. Corresponds to the task_alloc() LSM hook, in the special case when current_task is null.
task_for_context
Returns TaskState for a new Task, based on that of the provided context. The effect is similar to combining the task_alloc() and setprocattr() LSM hooks, with the difference that no access-checks are performed, and the “#” syntax may be used to have the Task assigned one of the “initial” Security Contexts, to allow components to be run prior to a policy being loaded.
task_prlimit
Called when the current task calls prlimit on a different task. Corresponds to the task_prlimit() LSM hook.
task_setrlimit
Called before source sets the resource limits of target from old_limit to new_limit. Corresponds to the security_task_setrlimit hook.
task_to_fs_node
Labels a crate::vfs::FsNode, by attaching a pseudo-label to the fs_node, which allows indirect resolution of the effective label. Makes the security attributes of fs_node track the task’s security attributes, even if the task’s security attributes change. Called for the /proc/ FsNodes when they are created. Corresponds to the task_to_inode LSM hook.
unix_may_send
Checks if the Unix domain sending_socket is allowed to send a message to the receiving_socket. Corresponds to the unix_may_send() LSM hook.
unix_stream_connect
Checks if the Unix domain client_socket is allowed to connect to listening_socket, and initialises the peer information in the client and server sockets. Corresponds to the unix_stream_connect() LSM hook.
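The pattern the module description sets out (opaque per-object security state, hooks that hide all policy logic from the kernel, no-op behaviour before a policy is loaded) is easiest to see in a small model. The following is an added example written for this page; it is not Starnix code and none of its types, signatures or constants are the module's own. It models three of the hooks listed above in simplified form: fs_node_init_on_create (name-conditional type_transition lookup, with an xattr value returned only for the fs_use_xattr scheme), fs_node_permission (allow-rule lookup), and the creds_start_internal_operation behaviour of skipping checks on a task. Assumptions: SIDs are u32 handles, an unlabeled node maps to SID 0, a permission check with no policy loaded succeeds, and the policy is a constructed in-memory table rather than a loaded SELinux binary policy.

```rust
// Added illustration of the hook pattern this module describes: the kernel keeps
// opaque security state per object and calls hook functions; the policy logic lives
// entirely behind the hooks. Not Starnix code; every type here is a simplified assumption.
use std::collections::{HashMap, HashSet};

/// Opaque security identifier standing in for a Security Context (assumed u32 handle).
#[derive(Clone, Copy, PartialEq, Eq, Hash, Debug)]
pub struct Sid(pub u32);

/// SID used for nodes that received no label (assumption, mirrors SELinux "unlabeled").
pub const UNLABELED: Sid = Sid(0);

#[derive(Clone, Copy, PartialEq, Eq, Hash, Debug)]
pub enum Class { File, Dir }

#[derive(Clone, Copy, PartialEq, Eq, Hash, Debug)]
pub enum Perm { Read, Write, Create }

/// Errno-style result; only EACCES is modeled.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Errno(pub i32);
pub const EACCES: Errno = Errno(13);

/// Opaque task state. `internal_operation` models creds_start_internal_operation().
#[derive(Clone, Debug)]
pub struct TaskState { pub sid: Sid, pub internal_operation: bool }

/// Opaque FsNode state. `None` means "not yet labeled" (created before policy load).
#[derive(Clone, Debug, Default, PartialEq)]
pub struct FsNodeState { pub sid: Option<Sid> }

/// Labeling schemes named on this page: xattr, transition-based, mountpoint.
#[derive(Clone, Copy, Debug)]
pub enum LabelingScheme { FsUseXattr, FsUseTrans, Mountpoint(Sid) }

/// Minimal policy: allow rules plus name-conditional type_transition rules.
#[derive(Default)]
pub struct Policy {
    pub allow: HashSet<(Sid, Sid, Class, Perm)>,
    /// (task SID, parent SID, class, optional file name) -> SID of the new node.
    pub transitions: HashMap<(Sid, Sid, Class, Option<String>), Sid>,
    /// Serialized Security Context per SID, as written into "security.selinux".
    pub contexts: HashMap<Sid, String>,
}

/// Kernel-wide state; `None` until a policy is loaded.
#[derive(Default)]
pub struct KernelState { pub policy: Option<Policy> }

/// inode_permission analogue. Internal-operation creds skip the check (as the page
/// describes); succeeding before policy load is an assumption of this model.
pub fn fs_node_permission(
    kernel: &KernelState, task: &TaskState, node: &FsNodeState, class: Class, perm: Perm,
) -> Result<(), Errno> {
    if task.internal_operation { return Ok(()); }
    let Some(policy) = kernel.policy.as_ref() else { return Ok(()) };
    let target = node.sid.unwrap_or(UNLABELED);
    if policy.allow.contains(&(task.sid, target, class, perm)) { Ok(()) } else { Err(EACCES) }
}

/// inode_init_security analogue: label a new node from (task, parent, class, name),
/// returning the xattr value to persist only when the file system is xattr-labeled.
pub fn fs_node_init_on_create(
    kernel: &KernelState, task: &TaskState, parent: &FsNodeState, class: Class, name: &str,
    scheme: LabelingScheme,
) -> (FsNodeState, Option<Vec<u8>>) {
    let Some(policy) = kernel.policy.as_ref() else {
        // No policy yet: leave the node unlabeled; it is labeled once a policy loads.
        return (FsNodeState { sid: None }, None);
    };
    let sid = match scheme {
        LabelingScheme::Mountpoint(sid) => sid,
        LabelingScheme::FsUseXattr | LabelingScheme::FsUseTrans => {
            let parent_sid = parent.sid.unwrap_or(UNLABELED);
            // A name-conditional rule wins over the generic one; otherwise inherit the parent.
            policy.transitions
                .get(&(task.sid, parent_sid, class, Some(name.to_string())))
                .or_else(|| policy.transitions.get(&(task.sid, parent_sid, class, None)))
                .copied()
                .unwrap_or(parent_sid)
        }
    };
    let xattr = match scheme {
        LabelingScheme::FsUseXattr => policy.contexts.get(&sid).map(|c| c.as_bytes().to_vec()),
        _ => None,
    };
    (FsNodeState { sid: Some(sid) }, xattr)
}

/// Constructed sample policy: SID 1 = app task, 2 = directory, 3 = secret file, 4 = app file.
pub fn sample_kernel() -> KernelState {
    let (app, dir, secret, app_file) = (Sid(1), Sid(2), Sid(3), Sid(4));
    let mut p = Policy::default();
    p.transitions.insert((app, dir, Class::File, Some("secret".into())), secret);
    p.transitions.insert((app, dir, Class::File, None), app_file);
    p.allow.insert((app, app_file, Class::File, Perm::Read));
    p.allow.insert((app, dir, Class::Dir, Perm::Create));
    p.contexts.insert(secret, "u:object_r:secret_t:s0".into());
    p.contexts.insert(app_file, "u:object_r:app_file_t:s0".into());
    KernelState { policy: Some(p) }
}
```

With the sample policy, creating a file named "secret" under the directory yields SID 3 via the name-conditional rule and, on an xattr-labeled file system, the serialized context to write into "security.selinux"; any other name falls through to the generic rule (SID 4), and on fs_use_trans or mountpoint-labeled file systems no xattr value is returned even though the node state is labeled. The app task can read the SID 4 file but not the SID 3 one unless its credentials are marked for an internal operation, and with no policy loaded the node stays unlabeled and the check is skipped, which is the state the real module resolves later in file_system_resolve_security and selinuxfs_policy_loaded.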