From: "Maxime Bélair" <maxime.belair@canonical.com>
To: linux-security-module@vger.kernel.org
Cc: john.johansen@canonical.com, paul@paul-moore.com,
jmorris@namei.org, serge@hallyn.com, mic@digikod.net,
kees@kernel.org, stephen.smalley.work@gmail.com,
casey@schaufler-ca.com, takedakn@nttdata.co.jp,
penguin-kernel@I-love.SAKURA.ne.jp, song@kernel.org,
rdunlap@infradead.org, linux-api@vger.kernel.org,
apparmor@lists.ubuntu.com, linux-kernel@vger.kernel.org,
"Maxime Bélair" <maxime.belair@canonical.com>
Subject: [PATCH v6 5/5] Smack: add support for lsm_config_self_policy and lsm_config_system_policy
Date: Fri, 10 Oct 2025 15:25:32 +0200 [thread overview]
Message-ID: <20251010132610.12001-6-maxime.belair@canonical.com> (raw)
In-Reply-To: <20251010132610.12001-1-maxime.belair@canonical.com>
Enable users to manage Smack policies through the new hooks
lsm_config_self_policy and lsm_config_system_policy.
lsm_config_self_policy allows adding Smack policies for the current cred.
For now it remains restricted to CAP_MAC_ADMIN.
lsm_config_system_policy allows adding globabl Smack policies. This is
restricted to CAP_MAC_ADMIN.
Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
---
security/smack/smack.h | 8 +++++
security/smack/smack_lsm.c | 73 ++++++++++++++++++++++++++++++++++++++
security/smack/smackfs.c | 2 +-
3 files changed, 82 insertions(+), 1 deletion(-)
diff --git a/security/smack/smack.h b/security/smack/smack.h
index bf6a6ed3946c..3e3d30dfdcf7 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -275,6 +275,14 @@ struct smk_audit_info {
#endif
};
+/*
+ * This function is in smackfs.c
+ */
+ssize_t smk_write_rules_list(struct file *file, const char __user *buf,
+ size_t count, loff_t *ppos,
+ struct list_head *rule_list,
+ struct mutex *rule_lock, int format);
+
/*
* These functions are in smack_access.c
*/
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 99833168604e..bf4bb2242768 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -5027,6 +5027,76 @@ static int smack_uring_cmd(struct io_uring_cmd *ioucmd)
#endif /* CONFIG_IO_URING */
+/**
+ * smack_lsm_config_system_policy - Configure a system smack policy
+ * @op: operation to perform. Currently, only LSM_POLICY_LOAD is supported
+ * @buf: User-supplied buffer in the form "<fmt><policy>"
+ * <fmt> is the 1-byte format of <policy>
+ * <policy> is the policy to load
+ * @size: size of @buf
+ * @flags: reserved for future use; must be zero
+ *
+ * Returns: number of written rules on success, negative value on error
+ */
+static int smack_lsm_config_system_policy(u32 op, void __user *buf, size_t size,
+ u32 flags)
+{
+ loff_t pos = 0;
+ u8 fmt;
+
+ if (op != LSM_POLICY_LOAD || flags)
+ return -EOPNOTSUPP;
+
+ if (size < 2)
+ return -EINVAL;
+
+ if (get_user(fmt, (uint8_t *)buf))
+ return -EFAULT;
+
+ return smk_write_rules_list(NULL, buf + 1, size - 1, &pos, NULL, NULL, fmt);
+}
+
+/**
+ * smack_lsm_config_self_policy - Configure a smack policy for the current cred
+ * @op: operation to perform. Currently, only LSM_POLICY_LOAD is supported
+ * @buf: User-supplied buffer in the form "<fmt><policy>"
+ * <fmt> is the 1-byte format of <policy>
+ * <policy> is the policy to load
+ * @size: size of @buf
+ * @flags: reserved for future use; must be zero
+ *
+ * Returns: number of written rules on success, negative value on error
+ */
+static int smack_lsm_config_self_policy(u32 op, void __user *buf, size_t size,
+ u32 flags)
+{
+ loff_t pos = 0;
+ u8 fmt;
+ struct task_smack *tsp;
+
+ if (op != LSM_POLICY_LOAD || flags)
+ return -EOPNOTSUPP;
+
+ if (size < 2)
+ return -EINVAL;
+
+ if (get_user(fmt, (uint8_t *)buf))
+ return -EFAULT;
+ /**
+ * smk_write_rules_list could be used to gain privileges.
+ * This function is thus restricted to CAP_MAC_ADMIN.
+ * TODO: Ensure that the new rule does not give extra privileges
+ * before dropping this CAP_MAC_ADMIN check.
+ */
+ if (!capable(CAP_MAC_ADMIN))
+ return -EPERM;
+
+
+ tsp = smack_cred(current_cred());
+ return smk_write_rules_list(NULL, buf + 1, size - 1, &pos, &tsp->smk_rules,
+ &tsp->smk_rules_lock, fmt);
+}
+
struct lsm_blob_sizes smack_blob_sizes __ro_after_init = {
.lbs_cred = sizeof(struct task_smack),
.lbs_file = sizeof(struct smack_known *),
@@ -5203,6 +5273,9 @@ static struct security_hook_list smack_hooks[] __ro_after_init = {
LSM_HOOK_INIT(uring_sqpoll, smack_uring_sqpoll),
LSM_HOOK_INIT(uring_cmd, smack_uring_cmd),
#endif
+ LSM_HOOK_INIT(lsm_config_self_policy, smack_lsm_config_self_policy),
+ LSM_HOOK_INIT(lsm_config_system_policy, smack_lsm_config_system_policy),
+
};
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 90a67e410808..ed1814588d56 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -441,7 +441,7 @@ static ssize_t smk_parse_long_rule(char *data, struct smack_parsed_rule *rule,
* "subject<whitespace>object<whitespace>
* acc_enable<whitespace>acc_disable[<whitespace>...]"
*/
-static ssize_t smk_write_rules_list(struct file *file, const char __user *buf,
+ssize_t smk_write_rules_list(struct file *file, const char __user *buf,
size_t count, loff_t *ppos,
struct list_head *rule_list,
struct mutex *rule_lock, int format)
--
2.48.1
next prev parent reply other threads:[~2025-10-10 13:27 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-10 13:25 [PATCH v6 0/5] lsm: introduce lsm_config_self_policy() and lsm_config_system_policy() syscalls Maxime Bélair
2025-10-10 13:25 ` [PATCH v6 1/5] Wire up lsm_config_self_policy and lsm_config_system_policy syscalls Maxime Bélair
2025-10-10 18:06 ` Song Liu
2025-10-10 21:13 ` Casey Schaufler
2025-10-11 12:07 ` kernel test robot
2025-10-10 13:25 ` [PATCH v6 2/5] lsm: introduce security_lsm_config_*_policy hooks Maxime Bélair
2025-10-10 13:25 ` [PATCH v6 3/5] AppArmor: add support for lsm_config_self_policy and lsm_config_system_policy Maxime Bélair
2025-10-10 13:25 ` [PATCH v6 4/5] SELinux: add support for lsm_config_system_policy Maxime Bélair
2025-10-10 13:58 ` Stephen Smalley
2025-10-10 14:42 ` Stephen Smalley
2025-10-10 14:57 ` Paul Moore
2025-10-10 13:25 ` Maxime Bélair [this message]
2025-10-10 15:15 ` [PATCH v6 5/5] Smack: add support for lsm_config_self_policy and lsm_config_system_policy Casey Schaufler
2025-11-04 14:41 ` Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251010132610.12001-6-maxime.belair@canonical.com \
--to=maxime.belair@canonical.com \
--cc=apparmor@lists.ubuntu.com \
--cc=casey@schaufler-ca.com \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=kees@kernel.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@I-love.SAKURA.ne.jp \
--cc=rdunlap@infradead.org \
--cc=serge@hallyn.com \
--cc=song@kernel.org \
--cc=stephen.smalley.work@gmail.com \
--cc=takedakn@nttdata.co.jp \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).