torvalds · skx · Jun 2, 2017 · Jun 2, 2017 · Jun 2, 2017
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
@@ -1920,5 +1920,10 @@ void __init loadpin_add_hooks(void);
 #else
 static inline void loadpin_add_hooks(void) { };
 #endif
-
+#ifdef CONFIG_SECURITY_WHITELIST
+extern void __init whitelist_add_hooks(void);
+#else
+static inline void __init whitelist_add_hooks(void) { }
+#endif
+#
 #endif /* ! __LINUX_LSM_HOOKS_H */
diff --git a/security/Kconfig b/security/Kconfig
@@ -199,6 +199,7 @@ source security/tomoyo/Kconfig
 source security/apparmor/Kconfig
 source security/loadpin/Kconfig
 source security/yama/Kconfig
+source security/whitelist/Kconfig
 
 source security/integrity/Kconfig
 
@@ -208,6 +209,7 @@ choice
 	default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
 	default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
 	default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
+	default DEFAULT_SECURITY_WHITELIST if SECURITY_WHITELIST
 	default DEFAULT_SECURITY_DAC
 
 	help
@@ -226,6 +228,9 @@ choice
 	config DEFAULT_SECURITY_APPARMOR
 		bool "AppArmor" if SECURITY_APPARMOR=y
 
+	config DEFAULT_SECURITY_WHITELIST
+		bool "Whitelist" if SECURITY_WHITELIST=y
+
 	config DEFAULT_SECURITY_DAC
 		bool "Unix Discretionary Access Controls"
 
@@ -237,6 +242,7 @@ config DEFAULT_SECURITY
 	default "smack" if DEFAULT_SECURITY_SMACK
 	default "tomoyo" if DEFAULT_SECURITY_TOMOYO
 	default "apparmor" if DEFAULT_SECURITY_APPARMOR
+	default "whitelist" if DEFAULT_SECURITY_WHITELIST
 	default "" if DEFAULT_SECURITY_DAC
 
 endmenu

diff --git a/security/Makefile b/security/Makefile
@@ -9,6 +9,7 @@ subdir-$(CONFIG_SECURITY_TOMOYO)        += tomoyo
 subdir-$(CONFIG_SECURITY_APPARMOR)	+= apparmor
 subdir-$(CONFIG_SECURITY_YAMA)		+= yama
 subdir-$(CONFIG_SECURITY_LOADPIN)	+= loadpin
+subdir-$(CONFIG_SECURITY_WHITELIST)	+= whitelist
 
 # always enable default capabilities
 obj-y					+= commoncap.o
@@ -24,6 +25,7 @@ obj-$(CONFIG_SECURITY_TOMOYO)		+= tomoyo/
 obj-$(CONFIG_SECURITY_APPARMOR)		+= apparmor/
 obj-$(CONFIG_SECURITY_YAMA)		+= yama/
 obj-$(CONFIG_SECURITY_LOADPIN)		+= loadpin/
+obj-$(CONFIG_SECURITY_WHITELIST)	+= whitelist/
 obj-$(CONFIG_CGROUP_DEVICE)		+= device_cgroup.o
 
 # Object integrity file lists

diff --git a/security/security.c b/security/security.c
@@ -62,6 +62,7 @@ int __init security_init(void)
 	capability_add_hooks();
 	yama_add_hooks();
 	loadpin_add_hooks();
+	whitelist_add_hooks();
 
 	/*
 	 * Load all the remaining security modules.

diff --git a/security/whitelist/Kconfig b/security/whitelist/Kconfig
@@ -0,0 +1,15 @@
+config SECURITY_WHITELIST
+	bool "Whitelist Security Module"
+	depends on SECURITY
+	depends on NET
+	select SECURITYFS
+	select SECURITY_PATH
+	select SECURITY_NETWORK
+	select SRCU
+	select BUILD_BIN2C
+	default n
+	help
+	  This selects an attr-based access control.
+          Binaries with a particular xattr setting will be
+          permitted to be executed by non-root users.
+
diff --git a/security/whitelist/Makefile b/security/whitelist/Makefile
@@ -0,0 +1,2 @@
+obj-y = whitelist_lsm.o
+
diff --git a/security/whitelist/whitelist_lsm.c b/security/whitelist/whitelist_lsm.c
@@ -0,0 +1,64 @@
+
+#include <linux/xattr.h>
+#include <linux/binfmts.h>
+#include <linux/lsm_hooks.h>
+#include <linux/sysctl.h>
+#include <linux/ptrace.h>
+#include <linux/prctl.h>
+#include <linux/ratelimit.h>
+#include <linux/workqueue.h>
+#include <linux/string_helpers.h>
+#include <linux/task_work.h>
+#include <linux/sched.h>
+#include <linux/spinlock.h>
+
+#include <linux/lsm_hooks.h>
+
+
+/*
+ * Perform a check of a program execution/map.
+ *
+ * Return 0 if it should be allowed, -EPERM on block.
+ */
+static int whitelist_bprm_check_security(struct linux_binprm *bprm)
+{
+       // The current task & the UID it is running as.
+       const struct task_struct *task = current;
+       kuid_t uid = task->cred->uid;
+
+       // The target we're checking
+       struct dentry *dentry = bprm->file->f_path.dentry;
+       struct inode *inode = d_backing_inode(dentry);
+       int size = 0;
+
+       // Root can access everything.
+       if ( uid.val == 0 )
+          return 0;
+
+       size = __vfs_getxattr(dentry, inode, "user.whitelisted", NULL, 0);
+       if ( size >= 0 )
+       {
+           printk(KERN_INFO "whitelist LSM check of %s resulted in %d bytes from 'user.whitelisted' - permitting access for UID %d\n", bprm->filename, size, uid.val );
+           return 0;
+       }
+
+       printk(KERN_INFO "whitelist LSM check of %s denying access for UID %d [ERRO:%d] \n", bprm->filename, uid.val, size );
+       return -EPERM;
+}
+
+/*
+ * The hooks we wish to be installed.
+ */
+static struct security_hook_list whitelist_hooks[] = {
+	LSM_HOOK_INIT(bprm_check_security, whitelist_bprm_check_security),
+};
+
+/*
+ * Initialize our module.
+ */
+void __init whitelist_add_hooks(void)
+{
+	/* register ourselves with the security framework */
+	security_add_hooks(whitelist_hooks, ARRAY_SIZE(whitelist_hooks), "whitelist");
+	printk(KERN_INFO "whitelist LSM initialized\n");
+}