From: Felix Fu fuzhen5@huawei.com
Felix Fu (3): LSM: kabi: KABI reservation for LSM framework LSM: kabi: KABI reservation for LSM audit LSM: kabi: KABI reservation for lsm stacking
fs/ceph/super.h | 1 + fs/proc/internal.h | 1 + include/linux/audit.h | 1 + include/linux/lsm_audit.h | 2 ++ include/linux/lsm_hooks.h | 19 +++++++++++++++++++ include/linux/nfs4.h | 2 ++ include/linux/security.h | 24 ++++++++++++++++++++++++ include/net/netlabel.h | 1 + kernel/audit.h | 14 ++++++++++++++ security/security.c | 1 + 10 files changed, 66 insertions(+)
From: Felix Fu fuzhen5@huawei.com
hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I8SWXZ
--------------------------------
KABI reservation for LSM framework.
Signed-off-by: Felix Fu fuzhen5@huawei.com --- include/linux/lsm_audit.h | 2 ++ include/linux/lsm_hooks.h | 4 ++++ include/linux/security.h | 1 + 3 files changed, 7 insertions(+)
diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
index 97a8b21eb033..ea87eea2d3e1 100644
--- a/include/linux/lsm_audit.h
+++ b/include/linux/lsm_audit.h
@@ -10,6 +10,7 @@
 */
 #ifndef _LSM_COMMON_LOGGING_
 #define _LSM_COMMON_LOGGING_
+#include <linux/kabi.h>
 #include <linux/stddef.h>
 #include <linux/errno.h>
@@ -111,6 +112,7 @@ struct common_audit_data {
 struct apparmor_audit_data *apparmor_audit_data;
 #endif
 }; /* per LSM data pointer union */
+ KABI_RESERVE(0);
 };
 #define v4info fam.v4
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index dcb5e5b5eb13..92155dd5c028 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -29,6 +29,7 @@
 #include <linux/init.h>
 #include <linux/rculist.h>
 #include <linux/xattr.h>
+#include <linux/kabi.h>
 union security_list_options {
 #define LSM_HOOK(RET, DEFAULT, NAME, ...) RET (*NAME)(__VA_ARGS__);
@@ -65,6 +66,8 @@ struct lsm_blob_sizes {
 int lbs_msg_msg;
 int lbs_task;
 int lbs_xattr_count; /* number of xattr slots in new_xattrs array */
+ KABI_RESERVE(0);
+ KABI_RESERVE(1);
 };
 /**
@@ -113,6 +116,7 @@ enum lsm_order {
 LSM_ORDER_FIRST = -1, /* This is only for capabilities. */
 LSM_ORDER_MUTABLE = 0,
 LSM_ORDER_LAST = 1, /* This is only for integrity. */
+ KABI_RESERVE0,
 };
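Review bot: `KABI_RESERVE0` is added as an enumerator of `enum lsm_order` here, and the identical spelling is added to `enum lockdown_reason` in include/linux/security.h (next hunk) and to `enum audit_nfcfgop` in include/linux/audit.h in the second patch. Enumerators live in the single ordinary-identifier namespace at file scope, and upstream lsm_hooks.h includes security.h, so unless `<linux/kabi.h>` expands `KABI_RESERVE0` into a per-use unique name this is a redeclaration in every translation unit that includes lsm_hooks.h; please confirm the macro's expansion or use per-enum names such as `LSM_ORDER_KABI_RESERVE0`. A comment on the new line, `/* KABI padding: not a valid order, keep last */`, would also stop a later backport from appending real values after it.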
 struct lsm_info {
diff --git a/include/linux/security.h b/include/linux/security.h
index 5f16eecde00b..634179fbc35e 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -135,6 +135,7 @@ enum lockdown_reason {
 LOCKDOWN_XMON_RW,
 LOCKDOWN_XFRM_SECRET,
 LOCKDOWN_CONFIDENTIALITY_MAX,
+ KABI_RESERVE0,
 };
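Review bot: The reserved enumerator sits after `LOCKDOWN_CONFIDENTIALITY_MAX`, which sizes `lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1]` on the line below, so its value is one past the end of that table; if the slot is ever converted into a real lockdown reason it has to be moved before the relevant `*_MAX` sentinel, not renamed in place, and a comment such as `/* KABI padding; must stay after LOCKDOWN_CONFIDENTIALITY_MAX, never index lockdown_reasons[] */` would record that. Unlike the lsm_audit.h and lsm_hooks.h hunks, this hunk and the include/linux/audit.h hunk in the second patch add no `#include <linux/kabi.h>`, so `KABI_RESERVE0` resolves only through transitive includes — either add the include here or state in the commit message where kabi.h is already pulled in.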
extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1];
From: Felix Fu fuzhen5@huawei.com
hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I8SWXZ
--------------------------------
KABI reservation for LSM audit module.
Signed-off-by: Felix Fu fuzhen5@huawei.com --- include/linux/audit.h | 1 + kernel/audit.h | 3 +++ 2 files changed, 4 insertions(+)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 51b1b7054a23..1056d79de4ad 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -120,6 +120,7 @@ enum audit_nfcfgop {
 AUDIT_NFT_OP_SETELEM_RESET,
 AUDIT_NFT_OP_RULE_RESET,
 AUDIT_NFT_OP_INVALID,
+ KABI_RESERVE0,
 };
 extern int __init audit_register_class(int class, unsigned *list);
diff --git a/kernel/audit.h b/kernel/audit.h
index a60d2840559e..81e241039fd6 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -15,6 +15,7 @@
 #include <uapi/linux/mqueue.h>
 #include <linux/tty.h>
 #include <uapi/linux/openat2.h> // struct open_how
+#include <linux/kabi.h>
 /* AUDIT_NAMES is the number of slots we reserve in the audit_context
 * for saving names from getname(). If we get more names we will allocate
@@ -208,6 +209,8 @@ struct audit_context {
 };
 int fds[2];
 struct audit_proctitle proctitle;
+ KABI_RESERVE(0);
+ KABI_RESERVE(1);
 };
extern bool audit_ever_enabled;
From: Felix Fu fuzhen5@huawei.com
hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I8SWXZ
--------------------------------
KABI reservation for lsm stacking.
Signed-off-by: Felix Fu fuzhen5@huawei.com --- fs/ceph/super.h | 1 + fs/proc/internal.h | 1 + include/linux/lsm_hooks.h | 15 +++++++++++++++ include/linux/nfs4.h | 2 ++ include/linux/security.h | 23 +++++++++++++++++++++++ include/net/netlabel.h | 1 + kernel/audit.h | 11 +++++++++++ security/security.c | 1 + 8 files changed, 55 insertions(+)
diff --git a/fs/ceph/super.h b/fs/ceph/super.h
index 51c7f2b14f6f..d0369a32f58c 100644
--- a/fs/ceph/super.h
+++ b/fs/ceph/super.h
@@ -1129,6 +1129,7 @@ struct ceph_acl_sec_ctx {
 #ifdef CONFIG_CEPH_FS_SECURITY_LABEL
 void *sec_ctx;
 u32 sec_ctxlen;
+ struct lsmconext lsmctx; //reserve for lsm stacking kabi
 #endif
 #ifdef CONFIG_FS_ENCRYPTION
 struct ceph_fscrypt_auth *fscrypt_auth;
diff --git a/fs/proc/internal.h b/fs/proc/internal.h
index 9a8f32f21ff5..f08a7516019a 100644
--- a/fs/proc/internal.h
+++ b/fs/proc/internal.h
@@ -93,6 +93,7 @@ union proc_op {
 struct pid_namespace *ns, struct pid *pid,
 struct task_struct *task);
 const char *lsm;
+ int lsmid; //reserve for lsm stacking kabi
 };
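Review bot: `struct lsmconext lsmctx;` misspells the type — the structure this series introduces in include/linux/security.h is `struct lsmcontext`, so under `CONFIG_CEPH_FS_SECURITY_LABEL` this is a by-value member of an undeclared, incomplete type and the header will not compile; change it to `struct lsmcontext lsmctx; /* reserve for lsm stacking kabi */`. The hunk also adds no `#include <linux/security.h>` to fs/ceph/super.h, unlike the nfs4.h hunk later in this patch, so the definition has to arrive through an existing include — please confirm. Kernel coding style asks for `/* ... */` rather than `//` comments, which applies to every `//reserve for lsm stacking kabi` line in this patch (proc/internal.h, lsm_hooks.h, nfs4.h, netlabel.h and kernel/audit.h as well).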
 struct proc_inode {
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 92155dd5c028..e53ea5c7eb8a 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -43,6 +43,15 @@ struct security_hook_heads {
 #undef LSM_HOOK
 } __randomize_layout;
+/*
+ * reserve for lsm stacking kabi
+ */
+struct lsm_id {
+ const char *name;
+ u64 id;
+ bool lsmblob;
+};
+
 /*
 * Security module hook list structure.
 * For use with generic list macros for common operations.
@@ -52,6 +61,7 @@ struct security_hook_list {
 struct hlist_head *head;
 union security_list_options hook;
 const char *lsm;
+ const struct lsm_id *lsmid; //reserve for lsm stacking kabi
 } __randomize_layout;
 /*
@@ -61,11 +71,16 @@ struct lsm_blob_sizes {
 int lbs_cred;
 int lbs_file;
 int lbs_inode;
+ int lbs_sock; //reserve for lsm stacking kabi
 int lbs_superblock;
 int lbs_ipc;
+ int lbs_key; //reserve for lsm stacking kabi
 int lbs_msg_msg;
 int lbs_task;
 int lbs_xattr_count; /* number of xattr slots in new_xattrs array */
+ int lbs_mnt_opts; //reserve for lsm stacking kabi
+ bool lbs_secmark; //reserve for lsm stacking kabi
+ bool lbs_netlabel; //reserve for lsm stacking kabi
 KABI_RESERVE(0);
 KABI_RESERVE(1);
 };
diff --git a/include/linux/nfs4.h b/include/linux/nfs4.h
index 730003c4f4af..4bb1533ea5e0 100644
--- a/include/linux/nfs4.h
+++ b/include/linux/nfs4.h
@@ -15,6 +15,7 @@
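Review bot: `lbs_sock` and `lbs_key` are inserted between existing members of `struct lsm_blob_sizes` rather than placed after `lbs_xattr_count` with the other new fields, so the offsets of `lbs_superblock`, `lbs_ipc`, `lbs_msg_msg`, `lbs_task` and `lbs_xattr_count` change relative to the current tree. That is harmless if this lands before the KABI baseline is frozen but defeats the reservation if a baseline already exists; the commit message should say which, or the two members should move next to `lbs_mnt_opts`. A comment on the struct stating that the five `lbs_*` reservations are unused until the stacking backport, e.g. `/* lbs_sock, lbs_key, lbs_mnt_opts, lbs_secmark, lbs_netlabel: reserved for LSM stacking, must stay zero */`, would keep an LSM from setting them early.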
 #include <linux/list.h>
 #include <linux/uidgid.h>
+#include <linux/security.h>
 #include <uapi/linux/nfs4.h>
 #include <linux/sunrpc/msg_prot.h>
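Review bot: Adding `#include <linux/security.h>` to include/linux/nfs4.h pulls the whole LSM interface — and, with this patch, the four `<linux/lsm/*.h>` headers — into every translation unit that includes nfs4.h, which is a widely included header. A forward declaration cannot replace it because `struct lsmcontext` is embedded by value in the `struct nfs4_label` hunk below, so the dependency should at least be called out in the commit message; the include graph itself is not on this page, so the cost is inferred.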
@@ -48,6 +49,7 @@ struct nfs4_label {
 uint32_t pi;
 u32 len;
 char *label;
+ struct lsmcontext lsmctx; //reserve for lsm stacking kabi
 };
 typedef struct { char data[NFS4_VERIFIER_SIZE]; } nfs4_verifier;
diff --git a/include/linux/security.h b/include/linux/security.h
index 634179fbc35e..c5b9ed540f5b 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -32,6 +32,10 @@
 #include <linux/string.h>
 #include <linux/mm.h>
 #include <linux/sockptr.h>
+#include <linux/lsm/selinux.h>
+#include <linux/lsm/smack.h>
+#include <linux/lsm/apparmor.h>
+#include <linux/lsm/bpf.h>
 struct linux_binprm;
 struct cred;
@@ -138,6 +142,25 @@ enum lockdown_reason {
 KABI_RESERVE0,
 };
+/*
+ * reserve for lsm stacking kabi
+ */
+struct lsmcontext {
+ char *context; /* Provided by the module */
+ u32 len;
+ int id; /* Identifies the module */
+};
+
+/*
+ * reserve for lsm stacking kabi
+ */
+struct lsmblob {
+ struct lsmblob_selinux selinux;
+ struct lsmblob_smack smack;
+ struct lsmblob_apparmor apparmor;
+ struct lsmblob_bpf bpf;
+};
+
 extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1];
 /* These functions are in security/commoncap.c */
diff --git a/include/net/netlabel.h b/include/net/netlabel.h
index 43ae50337685..34a288eb715d 100644
--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -98,6 +98,7 @@ struct calipso_doi;
 /* NetLabel audit information */
 struct netlbl_audit {
 u32 secid;
+ struct lsmblob blob; //reserve for lsm stacking kabi
 kuid_t loginuid;
 unsigned int sessionid;
 };
diff --git a/kernel/audit.h b/kernel/audit.h
index 81e241039fd6..409c0515187f 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -11,6 +11,7 @@
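Review bot: `struct lsmblob` embeds `struct lsmblob_selinux`, `lsmblob_smack`, `lsmblob_apparmor` and `lsmblob_bpf` by value, whose definitions come from the `<linux/lsm/*.h>` headers included in the previous hunk, yet none of those headers appear in the series' diffstat (10 files, 66 insertions), so the build depends on them already being in the target tree and the commit message should name the change that provided them. Because every member is by value, the size of `struct lsmblob` — and of `struct netlbl_audit`, `struct audit_names` and `struct audit_context`, which embed it in later hunks — is fixed by those four headers, so a later change to any of them is a KABI break even though this series is meant to reserve space. A comment such as `/* KABI: the embedded per-LSM blob sizes are frozen with this struct */` would record that constraint where the next maintainer will see it.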
 #include <linux/fs.h>
 #include <linux/audit.h>
+#include <linux/security.h>
 #include <linux/skbuff.h>
 #include <uapi/linux/mqueue.h>
 #include <linux/tty.h>
@@ -83,6 +84,7 @@ struct audit_names {
 kgid_t gid;
 dev_t rdev;
 u32 osid;
+ struct lsmblob oblob; //reserve for lsm stacking kabi
 struct audit_cap_data fcap;
 unsigned int fcap_ver;
 unsigned char type; /* record type */
@@ -98,6 +100,13 @@ struct audit_proctitle {
 int len; /* length of the cmdline field. */
 char *value; /* the cmdline field */
 };
+/*
+ * reserve for lsm stacking kabi
+ */
+struct audit_stamp {
+ struct timespec64 ctime;
+ unsigned int serial;
+};
 /* The per-task audit context. */
 struct audit_context {
@@ -108,6 +117,7 @@ struct audit_context {
 AUDIT_CTX_URING, /* in use by io_uring */
 } context;
 enum audit_state state, current_state;
+ struct audit_stamp stamp; //reserve for lsm stacking kabi
 unsigned int serial; /* serial number for record */
 int major; /* syscall number */
 int uring_op; /* uring operation */
@@ -145,6 +155,7 @@ struct audit_context {
 kuid_t target_uid;
 unsigned int target_sessionid;
 u32 target_sid;
+ struct lsmblob target_blob; //reserve for lsm stacking kabi
 char target_comm[TASK_COMM_LEN];
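Review bot: `struct audit_stamp stamp;` duplicates state that `struct audit_context` already carries — `unsigned int serial;` on the very next line, and a `ctime` member if this tree matches upstream — while nothing in this series reads or writes the new member. Until the stacking backport switches the users over, the reserved line should say so explicitly, e.g. `/* reserve for lsm stacking kabi; unused, serial/ctime above remain authoritative */`, so that a partial migration cannot update one copy and read the other. `struct audit_context` begins before this hunk and ends after it.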
 struct audit_tree_refs *trees, *first_trees;
diff --git a/security/security.c b/security/security.c
index 23b129d482a7..0ea03c241d1f 100644
--- a/security/security.c
+++ b/security/security.c
@@ -30,6 +30,7 @@
 #include <linux/string.h>
 #include <linux/msg.h>
 #include <net/flow.h>
+#include <net/sock.h>
 /* How many LSMs were built into the kernel? */
 #define LSM_COUNT (__end_lsm_info - __start_lsm_info)
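Review bot: `#include <net/sock.h>` is added to security/security.c with no code in this series that uses anything from it, so it reads as a stray pre-positioning include. If it is deliberate preparation for the stacking backport, a trailing comment, `#include <net/sock.h> /* for lsm stacking backport */`, or a sentence in the commit message would make that clear; otherwise it belongs with the change that needs it.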
反馈: 您发送到kernel@openeuler.org的补丁/补丁集,已成功转换为PR! PR链接地址: https://gitee.com/openeuler/kernel/pulls/3714 邮件列表地址:https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/G...
FeedBack: The patch(es) you sent to the kernel@openeuler.org mailing list have been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/3714 Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/G...