From: Thiébaud Weksteen <tweek@google.com>
Introduce a new permission "setup_report" to the "binder" class.
This persmission controls the ability to set up the binder generic
netlink driver to report certain binder transactions.
Signed-off-by: Thiébaud Weksteen <tweek@google.com>
Signed-off-by: Li Li <dualli@google.com>
---
include/linux/lsm_hook_defs.h | 1 +
include/linux/security.h | 6 ++++++
security/security.c | 13 +++++++++++++
security/selinux/hooks.c | 7 +++++++
security/selinux/include/classmap.h | 3 ++-
5 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index bf3bbac4e02a..795a507db537 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -33,6 +33,7 @@ LSM_HOOK(int, 0, binder_transfer_binder, const struct cred *from,
const struct cred *to)
LSM_HOOK(int, 0, binder_transfer_file, const struct cred *from,
const struct cred *to, const struct file *file)
+LSM_HOOK(int, 0, binder_setup_report, const struct cred *to)
LSM_HOOK(int, 0, ptrace_access_check, struct task_struct *child,
unsigned int mode)
LSM_HOOK(int, 0, ptrace_traceme, struct task_struct *parent)
diff --git a/include/linux/security.h b/include/linux/security.h
index cc9b54d95d22..fe600fb37c98 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -338,6 +338,7 @@ int security_binder_transfer_binder(const struct cred *from,
const struct cred *to);
int security_binder_transfer_file(const struct cred *from,
const struct cred *to, const struct file *file);
+int security_binder_setup_report(const struct cred *to);
int security_ptrace_access_check(struct task_struct *child, unsigned int mode);
int security_ptrace_traceme(struct task_struct *parent);
int security_capget(const struct task_struct *target,
@@ -657,6 +658,11 @@ static inline int security_binder_transfer_file(const struct cred *from,
return 0;
}
+static inline int security_binder_setup_report(const struct cred *to)
+{
+ return 0;
+}
+
static inline int security_ptrace_access_check(struct task_struct *child,
unsigned int mode)
{
diff --git a/security/security.c b/security/security.c
index fb57e8fddd91..5acf364e610f 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1043,6 +1043,19 @@ int security_binder_transfer_file(const struct cred *from,
return call_int_hook(binder_transfer_file, from, to, file);
}
+/**
+ * security_binder_setup_report() - Check if binder report is allowed
+ * @to: receiving process
+ *
+ * Check whether @to is allowed to set up binder reports.
+ *
+ * Return: Returns 0 if permission is granted.
+ */
+int security_binder_setup_report(const struct cred *to)
+{
+ return call_int_hook(binder_setup_report, to);
+}
+
/**
* security_ptrace_access_check() - Check if tracing is allowed
* @child: target process
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 595ceb314aeb..f02249345c4b 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2103,6 +2103,12 @@ static int selinux_binder_transfer_file(const struct cred *from,
&ad);
}
+static int selinux_binder_setup_report(const struct cred *to)
+{
+ return avc_has_perm(current_sid(), cred_sid(to), SECCLASS_BINDER,
+ BINDER__SETUP_REPORT, NULL);
+}
+
static int selinux_ptrace_access_check(struct task_struct *child,
unsigned int mode)
{
@@ -7295,6 +7301,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = {
LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
LSM_HOOK_INIT(binder_transfer_file, selinux_binder_transfer_file),
+ LSM_HOOK_INIT(binder_setup_report, selinux_binder_setup_report),
LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 5665aa5e7853..de7e28572fda 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -133,7 +133,8 @@ const struct security_class_mapping secclass_map[] = {
{ "kernel_service", { "use_as_override", "create_files_as", NULL } },
{ "tun_socket", { COMMON_SOCK_PERMS, "attach_queue", NULL } },
{ "binder",
- { "impersonate", "call", "set_context_mgr", "transfer", NULL } },
+ { "impersonate", "call", "set_context_mgr", "transfer",
+ "setup_report", NULL } },
{ "cap_userns", { COMMON_CAP_PERMS, NULL } },
{ "cap2_userns", { COMMON_CAP2_PERMS, NULL } },
{ "sctp_socket",
--
2.49.0.805.g082f7c87e0-goog
On Apr 16, 2025 Li Li <dualli@chromium.org> wrote: > > Introduce a new permission "setup_report" to the "binder" class. > This persmission controls the ability to set up the binder generic > netlink driver to report certain binder transactions. > > Signed-off-by: Thiébaud Weksteen <tweek@google.com> > Signed-off-by: Li Li <dualli@google.com> > --- > include/linux/lsm_hook_defs.h | 1 + > include/linux/security.h | 6 ++++++ > security/security.c | 13 +++++++++++++ > security/selinux/hooks.c | 7 +++++++ > security/selinux/include/classmap.h | 3 ++- > 5 files changed, 29 insertions(+), 1 deletion(-) When possible, it is helpful to include at least one caller in the patch which adds a new LSM hook as it helps put the hook in context. With that in mind, I think it would be best to reorder this patchset so that patch 2/3 comes first and this patch comes second, with this patch including the change to binder_nl_report_setup_doit() which adds the call to the new LSM hook. -- paul-moore.com
On Tue, May 20, 2025 at 05:15:59PM -0400, Paul Moore wrote: > On Apr 16, 2025 Li Li <dualli@chromium.org> wrote: > > > > Introduce a new permission "setup_report" to the "binder" class. > > This persmission controls the ability to set up the binder generic > > netlink driver to report certain binder transactions. > > > > Signed-off-by: Thiébaud Weksteen <tweek@google.com> > > Signed-off-by: Li Li <dualli@google.com> > > --- > > include/linux/lsm_hook_defs.h | 1 + > > include/linux/security.h | 6 ++++++ > > security/security.c | 13 +++++++++++++ > > security/selinux/hooks.c | 7 +++++++ > > security/selinux/include/classmap.h | 3 ++- > > 5 files changed, 29 insertions(+), 1 deletion(-) > > When possible, it is helpful to include at least one caller in the patch > which adds a new LSM hook as it helps put the hook in context. With that > in mind, I think it would be best to reorder this patchset so that patch > 2/3 comes first and this patch comes second, with this patch including > the change to binder_nl_report_setup_doit() which adds the call to the > new LSM hook. Ok, I can take care for this. I'll be taking over Li's patchset now, so next version I'll reorder the series and add the caller. Thanks! -- Carlos Llamas
On Wed, Apr 16, 2025 at 05:20:02PM -0700, Li Li wrote:
> From: Thiébaud Weksteen <tweek@google.com>
>
> Introduce a new permission "setup_report" to the "binder" class.
> This persmission controls the ability to set up the binder generic
nit: permission
Flagged by checkpatch.pl --codespell
> netlink driver to report certain binder transactions.
>
> Signed-off-by: Thiébaud Weksteen <tweek@google.com>
> Signed-off-by: Li Li <dualli@google.com>
...
On Mon, Apr 21, 2025 at 8:18 AM Simon Horman <horms@kernel.org> wrote: > > On Wed, Apr 16, 2025 at 05:20:02PM -0700, Li Li wrote: > > From: Thiébaud Weksteen <tweek@google.com> > > > > Introduce a new permission "setup_report" to the "binder" class. > > This persmission controls the ability to set up the binder generic > > nit: permission > > Flagged by checkpatch.pl --codespell > Would fix this typo along with other changes in the next version. Thank you for catching this! > > netlink driver to report certain binder transactions. > > > > Signed-off-by: Thiébaud Weksteen <tweek@google.com> > > Signed-off-by: Li Li <dualli@google.com> > > ...
© 2016 - 2025 Red Hat, Inc.