* [PATCH RFC] LSM: lsm_self_attr system call to get security module attributes
[not found] <5a9ff61e-cfe1-7385-aa17-5b800e489a9a.ref@schaufler-ca.com>
@ 2022-09-10 1:01 ` Casey Schaufler
2022-09-10 2:51 ` Serge E. Hallyn
2022-09-19 23:54 ` [PATCH v2 RFC] LSM: lsm_self_attr syscall for LSM self attributes Casey Schaufler
2022-09-14 18:14 ` [PATCH RFC] LSM: Specify which LSM to display Casey Schaufler
1 sibling, 2 replies; 4+ messages in thread
From: Casey Schaufler @ 2022-09-10 1:01 UTC (permalink / raw)
To: Paul Moore, LSM List
Cc: John Johansen, linux-audit, Mimi Zohar, James Morris, Kees Cook,
SElinux list, casey
This is probably a tin-man proposal for the first in a series of
system calls dealing with Linux security module data. It is based
on suggestions by Paul Moore, however the flaws in design and
implementation are all mine.
Create a system call lsm_self_attr() to provide the security
module maintained attributes of the current process. Historically
these attributes have been exposed to user space via entries in
procfs under /proc/self/attr.
Attributes are provided as a collection of lsm_ctx structures
which are placed into a user supplied buffer. Each structure
identifies the security module providing the attribute, which
of the possible attributes is provided, the size of the
attribute, and finally the attribute value as a nul terminated
string.
An LSM ID table is introduced to map IDs to security modules.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
--
arch/x86/entry/syscalls/syscall_64.tbl | 1 +
include/linux/syscalls.h | 1 +
include/uapi/asm-generic/unistd.h | 5 +-
include/uapi/linux/lsm.h | 67 +++++++++++++
kernel/sys_ni.c | 3 +
security/Makefile | 2 +-
security/lsm_syscalls.c | 166 +++++++++++++++++++++++++++++++++
7 files changed, 243 insertions(+), 2 deletions(-)
diff --git a/arch/x86/entry/syscalls/syscall_64.tbl b/arch/x86/entry/syscalls/syscall_64.tbl
index c84d12608cd2..56d5c5202fd0 100644
--- a/arch/x86/entry/syscalls/syscall_64.tbl
+++ b/arch/x86/entry/syscalls/syscall_64.tbl
@@ -372,6 +372,7 @@
448 common process_mrelease sys_process_mrelease
449 common futex_waitv sys_futex_waitv
450 common set_mempolicy_home_node sys_set_mempolicy_home_node
+451 common lsm_self_attr sys_lsm_self_attr
#
# Due to a historical design error, certain syscalls are numbered differently
diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
index a34b0f9a9972..7f87ef8be546 100644
--- a/include/linux/syscalls.h
+++ b/include/linux/syscalls.h
@@ -1056,6 +1056,7 @@ asmlinkage long sys_memfd_secret(unsigned int flags);
asmlinkage long sys_set_mempolicy_home_node(unsigned long start, unsigned long len,
unsigned long home_node,
unsigned long flags);
+asmlinkage long sys_lsm_self_attr(struct lsm_ctx *ctx, size_t *size, int flags);
/*
* Architecture-specific system calls
diff --git a/include/uapi/asm-generic/unistd.h b/include/uapi/asm-generic/unistd.h
index 45fa180cc56a..aa66718e1b48 100644
--- a/include/uapi/asm-generic/unistd.h
+++ b/include/uapi/asm-generic/unistd.h
@@ -886,8 +886,11 @@ __SYSCALL(__NR_futex_waitv, sys_futex_waitv)
#define __NR_set_mempolicy_home_node 450
__SYSCALL(__NR_set_mempolicy_home_node, sys_set_mempolicy_home_node)
+#define __NR_lsm_self_attr 451
+__SYSCALL(__NR_lsm_self_attr, sys_lsm_self_attr)
+
#undef __NR_syscalls
-#define __NR_syscalls 451
+#define __NR_syscalls 452
/*
* 32 bit systems traditionally used different
diff --git a/include/uapi/linux/lsm.h b/include/uapi/linux/lsm.h
new file mode 100644
index 000000000000..ec7bb1a7b943
--- /dev/null
+++ b/include/uapi/linux/lsm.h
@@ -0,0 +1,67 @@
+/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
+/*
+ * Linus Security Modules (LSM) - User space API
+ *
+ * Copyright (C) 2022 Casey Schaufler <casey@schaufler-ca.com>
+ * Copyright (C) Intel Corporation
+ */
+
+#ifndef _UAPI_LINUX_LSM_H
+#define _UAPI_LINUX_LSM_H
+
+#include <linux/types.h>
+#include <linux/unistd.h>
+
+/**
+ * struct lsm_ctx - LSM context
+ * @id: the LSM id number, see LSM_ID_XXX
+ * @flags: context specifier and LSM specific flags
+ * @ctx_len: the size of @ctx
+ * @ctx: the LSM context, a nul terminated string
+ *
+ * @ctx in a nul terminated string.
+ * (strlen(@ctx) < @ctx_len) is always true.
+ * (strlen(@ctx) == @ctx_len + 1) is not guaranteed.
+ */
+struct lsm_ctx {
+ unsigned int id;
+ unsigned int flags;
+ __kernel_size_t ctx_len;
+ unsigned char ctx[];
+};
+
+/*
+ * ID values to identify security modules.
+ * A system may use more than one security module.
+ *
+ * LSM_ID_XXX values 32 and below are reserved for future use
+ */
+#define LSM_ID_SELINUX 33
+#define LSM_ID_SMACK 34
+#define LSM_ID_TOMOYO 35
+#define LSM_ID_IMA 36
+#define LSM_ID_APPARMOR 37
+#define LSM_ID_YAMA 38
+#define LSM_ID_LOADPIN 39
+#define LSM_ID_SAFESETID 40
+#define LSM_ID_LOCKDOWN 41
+#define LSM_ID_BPF 42
+#define LSM_ID_LANDLOCK 43
+
+/*
+ * Flag values.
+ *
+ * LSM_ATTR_XXX values identify the /proc/.../attr entry that the
+ * context represents. Not all security modules provide all of these
+ * values. Some security modules provide none of them.
+ */
+/* clang-format off */
+#define LSM_ATTR_CURRENT (1UL << 0)
+#define LSM_ATTR_EXEC (1UL << 1)
+#define LSM_ATTR_FSCREATE (1UL << 2)
+#define LSM_ATTR_KEYCREATE (1UL << 3)
+#define LSM_ATTR_PREV (1UL << 4)
+#define LSM_ATTR_SOCKCREATE (1UL << 5)
+/* clang-format on */
+
+#endif /* _UAPI_LINUX_LSM_H */
diff --git a/kernel/sys_ni.c b/kernel/sys_ni.c
index a492f159624f..c579ffc50454 100644
--- a/kernel/sys_ni.c
+++ b/kernel/sys_ni.c
@@ -262,6 +262,9 @@ COND_SYSCALL_COMPAT(recvmsg);
/* mm/nommu.c, also with MMU */
COND_SYSCALL(mremap);
+/* security/lsm_syscalls.c */
+COND_SYSCALL(lsm_attr_self);
+
/* security/keys/keyctl.c */
COND_SYSCALL(add_key);
COND_SYSCALL(request_key);
diff --git a/security/Makefile b/security/Makefile
index 18121f8f85cd..409c47a25fcf 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -6,7 +6,7 @@
obj-$(CONFIG_KEYS) += keys/
# always enable default capabilities
-obj-y += commoncap.o
+obj-y += commoncap.o lsm_syscalls.o
obj-$(CONFIG_MMU) += min_addr.o
# Object file lists
diff --git a/security/lsm_syscalls.c b/security/lsm_syscalls.c
new file mode 100644
index 000000000000..fba8aeea1a10
--- /dev/null
+++ b/security/lsm_syscalls.c
@@ -0,0 +1,166 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * System calls implementing the Linux Security Module API.
+ *
+ * Copyright (C) 2022 Casey Schaufler <casey@schaufler-ca.com>
+ * Copyright (C) Intel Corporation
+ */
+
+#include <asm/current.h>
+#include <linux/compiler_types.h>
+#include <linux/err.h>
+#include <linux/errno.h>
+#include <linux/security.h>
+#include <linux/stddef.h>
+#include <linux/syscalls.h>
+#include <linux/types.h>
+#include <uapi/linux/lsm.h>
+
+struct id_map {
+ char *name;
+ int id;
+};
+
+static const struct id_map lsm_attr_names[] = {
+ { "current", LSM_ATTR_CURRENT, },
+ { "exec", LSM_ATTR_EXEC, },
+ { "fscreate", LSM_ATTR_FSCREATE, },
+ { "keycreate", LSM_ATTR_KEYCREATE, },
+ { "prev", LSM_ATTR_PREV, },
+ { "sockcreate", LSM_ATTR_SOCKCREATE, },
+};
+
+static const struct id_map lsm_names[] = {
+ { "selinux", LSM_ID_SELINUX, },
+ { "smack", LSM_ID_SMACK, },
+ { "tomoyo", LSM_ID_TOMOYO, },
+ { "ima", LSM_ID_IMA, },
+ { "apparmor", LSM_ID_APPARMOR, },
+ { "yama", LSM_ID_YAMA, },
+ { "loadpin", LSM_ID_LOADPIN, },
+ { "safesetid", LSM_ID_SAFESETID, },
+ { "lockdown", LSM_ID_LOCKDOWN, },
+ { "bpf", LSM_ID_BPF, },
+ { "landlock", LSM_ID_LANDLOCK, },
+};
+
+/**
+ * lsm_self_attr - Return current task's security module attributes
+ * @ctx: the LSM contexts
+ * @size: size of @ctx, updated on return
+ * @flags: reserved for future use, must be zero
+ *
+ * Returns the calling task's LSM contexts. On success this
+ * function returns the number of @ctx array elements. This value
+ * may be zero if there are no LSM contexts assigned. If @size is
+ * insufficient to contain the return data -E2BIG is returned and
+ * @size is set to the minimum required size. In all other cases
+ * a negative value indicating the error is returned.
+ */
+SYSCALL_DEFINE3(lsm_self_attr,
+ struct lsm_ctx __user *, ctx,
+ size_t __user *, size,
+ int, flags)
+{
+ struct lsm_ctx *final = NULL;
+ struct lsm_ctx *interum;
+ struct lsm_ctx *ip;
+ void *curr;
+ char **interum_ctx;
+ char *cp;
+ size_t total_size = 0;
+ int count = 0;
+ int attr;
+ int lsm;
+ int len;
+ int rc = 0;
+ int i;
+
+ interum = kzalloc(ARRAY_SIZE(lsm_attr_names) * ARRAY_SIZE(lsm_names) *
+ sizeof(*interum), GFP_KERNEL);
+ if (interum == NULL)
+ return -ENOMEM;
+ ip = interum;
+
+ interum_ctx = kzalloc(ARRAY_SIZE(lsm_attr_names) *
+ ARRAY_SIZE(lsm_names) * sizeof(*interum_ctx),
+ GFP_KERNEL);
+ if (interum_ctx == NULL) {
+ kfree(interum);
+ return -ENOMEM;
+ }
+
+ for (attr = 0; attr < ARRAY_SIZE(lsm_attr_names); attr++) {
+ for (lsm = 0; lsm < ARRAY_SIZE(lsm_names); lsm++) {
+ len = security_getprocattr(current,
+ lsm_names[lsm].name,
+ lsm_attr_names[attr].name,
+ &cp);
+ if (len <= 0)
+ continue;
+
+ ip->id = lsm_names[lsm].id;
+ ip->flags = lsm_attr_names[attr].id;
+ ip->ctx_len = len;
+ interum_ctx[count] = cp;
+ /*
+ * Security modules have been inconsistent about
+ * including the \0 terminator in the size. Add
+ * space for it from an abundance of caution.
+ * At least one security module adds a \n at the
+ * end of a context to make it look nicer. Change
+ * that to a \0 so that user space does't have to
+ * work around it. Because of this meddling it is
+ * safe to assume that lsm_ctx.name is terminated
+ * and that strlen(lsm_ctx.name) < lsm.ctx_len.
+ */
+ total_size += sizeof(*interum) + len + 1;
+ cp = strnchr(cp, len, '\n');
+ if (cp != NULL)
+ *cp = '\0';
+ ip++;
+ count++;
+ }
+ }
+
+ if (count == 0)
+ goto free_out;
+
+ final = kzalloc(total_size, GFP_KERNEL);
+ if (final == NULL) {
+ rc = -ENOMEM;
+ goto free_out;
+ }
+
+ curr = final;
+ ip = interum;
+ for (i = 0; i < count; i++) {
+ memcpy(curr, ip, sizeof(*interum));
+ curr += sizeof(*interum);
+ memcpy(curr, interum_ctx[i], ip->ctx_len);
+ curr += interum[i].ctx_len;
+ ip++;
+ }
+
+ if (get_user(len, size)) {
+ rc = -EFAULT;
+ goto free_out;
+ }
+ if (total_size > len) {
+ rc = -ERANGE;
+ goto free_out;
+ }
+ if (copy_to_user(ctx, final, total_size) != 0 ||
+ put_user(total_size, size) != 0)
+ rc = -EFAULT;
+ else
+ rc = count;
+
+free_out:
+ for (i = 0; i < count; i++)
+ kfree(interum_ctx[i]);
+ kfree(interum_ctx);
+ kfree(interum);
+ kfree(final);
+ return rc;
+}
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH RFC] LSM: lsm_self_attr system call to get security module attributes
2022-09-10 1:01 ` [PATCH RFC] LSM: lsm_self_attr system call to get security module attributes Casey Schaufler
@ 2022-09-10 2:51 ` Serge E. Hallyn
2022-09-19 23:54 ` [PATCH v2 RFC] LSM: lsm_self_attr syscall for LSM self attributes Casey Schaufler
1 sibling, 0 replies; 4+ messages in thread
From: Serge E. Hallyn @ 2022-09-10 2:51 UTC (permalink / raw)
To: Casey Schaufler
Cc: Paul Moore, LSM List, John Johansen, linux-audit, Mimi Zohar,
James Morris, Kees Cook, SElinux list
On Fri, Sep 09, 2022 at 06:01:33PM -0700, Casey Schaufler wrote:
> This is probably a tin-man proposal for the first in a series of
> system calls dealing with Linux security module data. It is based
> on suggestions by Paul Moore, however the flaws in design and
> implementation are all mine.
>
> Create a system call lsm_self_attr() to provide the security
> module maintained attributes of the current process. Historically
> these attributes have been exposed to user space via entries in
> procfs under /proc/self/attr.
>
> Attributes are provided as a collection of lsm_ctx structures
> which are placed into a user supplied buffer. Each structure
> identifies the security module providing the attribute, which
> of the possible attributes is provided, the size of the
> attribute, and finally the attribute value as a nul terminated
> string.
>
> An LSM ID table is introduced to map IDs to security modules.
Probably best to cc: linux-api right off the bat, right?
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
>
> --
> arch/x86/entry/syscalls/syscall_64.tbl | 1 +
> include/linux/syscalls.h | 1 +
> include/uapi/asm-generic/unistd.h | 5 +-
> include/uapi/linux/lsm.h | 67 +++++++++++++
> kernel/sys_ni.c | 3 +
> security/Makefile | 2 +-
> security/lsm_syscalls.c | 166 +++++++++++++++++++++++++++++++++
> 7 files changed, 243 insertions(+), 2 deletions(-)
>
> diff --git a/arch/x86/entry/syscalls/syscall_64.tbl b/arch/x86/entry/syscalls/syscall_64.tbl
> index c84d12608cd2..56d5c5202fd0 100644
> --- a/arch/x86/entry/syscalls/syscall_64.tbl
> +++ b/arch/x86/entry/syscalls/syscall_64.tbl
> @@ -372,6 +372,7 @@
> 448 common process_mrelease sys_process_mrelease
> 449 common futex_waitv sys_futex_waitv
> 450 common set_mempolicy_home_node sys_set_mempolicy_home_node
> +451 common lsm_self_attr sys_lsm_self_attr
>
> #
> # Due to a historical design error, certain syscalls are numbered differently
> diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
> index a34b0f9a9972..7f87ef8be546 100644
> --- a/include/linux/syscalls.h
> +++ b/include/linux/syscalls.h
> @@ -1056,6 +1056,7 @@ asmlinkage long sys_memfd_secret(unsigned int flags);
> asmlinkage long sys_set_mempolicy_home_node(unsigned long start, unsigned long len,
> unsigned long home_node,
> unsigned long flags);
> +asmlinkage long sys_lsm_self_attr(struct lsm_ctx *ctx, size_t *size, int flags);
>
> /*
> * Architecture-specific system calls
> diff --git a/include/uapi/asm-generic/unistd.h b/include/uapi/asm-generic/unistd.h
> index 45fa180cc56a..aa66718e1b48 100644
> --- a/include/uapi/asm-generic/unistd.h
> +++ b/include/uapi/asm-generic/unistd.h
> @@ -886,8 +886,11 @@ __SYSCALL(__NR_futex_waitv, sys_futex_waitv)
> #define __NR_set_mempolicy_home_node 450
> __SYSCALL(__NR_set_mempolicy_home_node, sys_set_mempolicy_home_node)
>
> +#define __NR_lsm_self_attr 451
> +__SYSCALL(__NR_lsm_self_attr, sys_lsm_self_attr)
> +
> #undef __NR_syscalls
> -#define __NR_syscalls 451
> +#define __NR_syscalls 452
>
> /*
> * 32 bit systems traditionally used different
> diff --git a/include/uapi/linux/lsm.h b/include/uapi/linux/lsm.h
> new file mode 100644
> index 000000000000..ec7bb1a7b943
> --- /dev/null
> +++ b/include/uapi/linux/lsm.h
> @@ -0,0 +1,67 @@
> +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
> +/*
> + * Linus Security Modules (LSM) - User space API
> + *
> + * Copyright (C) 2022 Casey Schaufler <casey@schaufler-ca.com>
> + * Copyright (C) Intel Corporation
> + */
> +
> +#ifndef _UAPI_LINUX_LSM_H
> +#define _UAPI_LINUX_LSM_H
> +
> +#include <linux/types.h>
> +#include <linux/unistd.h>
> +
> +/**
> + * struct lsm_ctx - LSM context
> + * @id: the LSM id number, see LSM_ID_XXX
> + * @flags: context specifier and LSM specific flags
> + * @ctx_len: the size of @ctx
> + * @ctx: the LSM context, a nul terminated string
> + *
> + * @ctx in a nul terminated string.
> + * (strlen(@ctx) < @ctx_len) is always true.
> + * (strlen(@ctx) == @ctx_len + 1) is not guaranteed.
> + */
> +struct lsm_ctx {
> + unsigned int id;
> + unsigned int flags;
> + __kernel_size_t ctx_len;
> + unsigned char ctx[];
> +};
> +
> +/*
> + * ID values to identify security modules.
> + * A system may use more than one security module.
> + *
> + * LSM_ID_XXX values 32 and below are reserved for future use
> + */
> +#define LSM_ID_SELINUX 33
> +#define LSM_ID_SMACK 34
> +#define LSM_ID_TOMOYO 35
> +#define LSM_ID_IMA 36
> +#define LSM_ID_APPARMOR 37
> +#define LSM_ID_YAMA 38
> +#define LSM_ID_LOADPIN 39
> +#define LSM_ID_SAFESETID 40
> +#define LSM_ID_LOCKDOWN 41
> +#define LSM_ID_BPF 42
> +#define LSM_ID_LANDLOCK 43
> +
> +/*
> + * Flag values.
> + *
> + * LSM_ATTR_XXX values identify the /proc/.../attr entry that the
> + * context represents. Not all security modules provide all of these
> + * values. Some security modules provide none of them.
> + */
> +/* clang-format off */
> +#define LSM_ATTR_CURRENT (1UL << 0)
> +#define LSM_ATTR_EXEC (1UL << 1)
> +#define LSM_ATTR_FSCREATE (1UL << 2)
> +#define LSM_ATTR_KEYCREATE (1UL << 3)
> +#define LSM_ATTR_PREV (1UL << 4)
> +#define LSM_ATTR_SOCKCREATE (1UL << 5)
> +/* clang-format on */
> +
> +#endif /* _UAPI_LINUX_LSM_H */
> diff --git a/kernel/sys_ni.c b/kernel/sys_ni.c
> index a492f159624f..c579ffc50454 100644
> --- a/kernel/sys_ni.c
> +++ b/kernel/sys_ni.c
> @@ -262,6 +262,9 @@ COND_SYSCALL_COMPAT(recvmsg);
> /* mm/nommu.c, also with MMU */
> COND_SYSCALL(mremap);
>
> +/* security/lsm_syscalls.c */
> +COND_SYSCALL(lsm_attr_self);
> +
> /* security/keys/keyctl.c */
> COND_SYSCALL(add_key);
> COND_SYSCALL(request_key);
> diff --git a/security/Makefile b/security/Makefile
> index 18121f8f85cd..409c47a25fcf 100644
> --- a/security/Makefile
> +++ b/security/Makefile
> @@ -6,7 +6,7 @@
> obj-$(CONFIG_KEYS) += keys/
>
> # always enable default capabilities
> -obj-y += commoncap.o
> +obj-y += commoncap.o lsm_syscalls.o
> obj-$(CONFIG_MMU) += min_addr.o
>
> # Object file lists
> diff --git a/security/lsm_syscalls.c b/security/lsm_syscalls.c
> new file mode 100644
> index 000000000000..fba8aeea1a10
> --- /dev/null
> +++ b/security/lsm_syscalls.c
> @@ -0,0 +1,166 @@
> +// SPDX-License-Identifier: GPL-2.0-only
> +/*
> + * System calls implementing the Linux Security Module API.
> + *
> + * Copyright (C) 2022 Casey Schaufler <casey@schaufler-ca.com>
> + * Copyright (C) Intel Corporation
> + */
> +
> +#include <asm/current.h>
> +#include <linux/compiler_types.h>
> +#include <linux/err.h>
> +#include <linux/errno.h>
> +#include <linux/security.h>
> +#include <linux/stddef.h>
> +#include <linux/syscalls.h>
> +#include <linux/types.h>
> +#include <uapi/linux/lsm.h>
> +
> +struct id_map {
> + char *name;
> + int id;
> +};
> +
> +static const struct id_map lsm_attr_names[] = {
> + { "current", LSM_ATTR_CURRENT, },
> + { "exec", LSM_ATTR_EXEC, },
> + { "fscreate", LSM_ATTR_FSCREATE, },
> + { "keycreate", LSM_ATTR_KEYCREATE, },
> + { "prev", LSM_ATTR_PREV, },
> + { "sockcreate", LSM_ATTR_SOCKCREATE, },
> +};
> +
> +static const struct id_map lsm_names[] = {
> + { "selinux", LSM_ID_SELINUX, },
> + { "smack", LSM_ID_SMACK, },
> + { "tomoyo", LSM_ID_TOMOYO, },
> + { "ima", LSM_ID_IMA, },
> + { "apparmor", LSM_ID_APPARMOR, },
> + { "yama", LSM_ID_YAMA, },
> + { "loadpin", LSM_ID_LOADPIN, },
> + { "safesetid", LSM_ID_SAFESETID, },
> + { "lockdown", LSM_ID_LOCKDOWN, },
> + { "bpf", LSM_ID_BPF, },
> + { "landlock", LSM_ID_LANDLOCK, },
> +};
> +
> +/**
> + * lsm_self_attr - Return current task's security module attributes
> + * @ctx: the LSM contexts
> + * @size: size of @ctx, updated on return
> + * @flags: reserved for future use, must be zero
> + *
> + * Returns the calling task's LSM contexts. On success this
> + * function returns the number of @ctx array elements. This value
> + * may be zero if there are no LSM contexts assigned. If @size is
> + * insufficient to contain the return data -E2BIG is returned and
> + * @size is set to the minimum required size. In all other cases
> + * a negative value indicating the error is returned.
> + */
> +SYSCALL_DEFINE3(lsm_self_attr,
> + struct lsm_ctx __user *, ctx,
> + size_t __user *, size,
> + int, flags)
> +{
> + struct lsm_ctx *final = NULL;
> + struct lsm_ctx *interum;
> + struct lsm_ctx *ip;
> + void *curr;
> + char **interum_ctx;
> + char *cp;
> + size_t total_size = 0;
> + int count = 0;
> + int attr;
> + int lsm;
> + int len;
> + int rc = 0;
> + int i;
> +
> + interum = kzalloc(ARRAY_SIZE(lsm_attr_names) * ARRAY_SIZE(lsm_names) *
> + sizeof(*interum), GFP_KERNEL);
> + if (interum == NULL)
> + return -ENOMEM;
> + ip = interum;
> +
> + interum_ctx = kzalloc(ARRAY_SIZE(lsm_attr_names) *
> + ARRAY_SIZE(lsm_names) * sizeof(*interum_ctx),
> + GFP_KERNEL);
> + if (interum_ctx == NULL) {
> + kfree(interum);
> + return -ENOMEM;
> + }
> +
> + for (attr = 0; attr < ARRAY_SIZE(lsm_attr_names); attr++) {
> + for (lsm = 0; lsm < ARRAY_SIZE(lsm_names); lsm++) {
> + len = security_getprocattr(current,
> + lsm_names[lsm].name,
> + lsm_attr_names[attr].name,
> + &cp);
> + if (len <= 0)
> + continue;
> +
> + ip->id = lsm_names[lsm].id;
> + ip->flags = lsm_attr_names[attr].id;
> + ip->ctx_len = len;
> + interum_ctx[count] = cp;
> + /*
> + * Security modules have been inconsistent about
> + * including the \0 terminator in the size. Add
> + * space for it from an abundance of caution.
> + * At least one security module adds a \n at the
> + * end of a context to make it look nicer. Change
> + * that to a \0 so that user space does't have to
> + * work around it. Because of this meddling it is
> + * safe to assume that lsm_ctx.name is terminated
> + * and that strlen(lsm_ctx.name) < lsm.ctx_len.
> + */
> + total_size += sizeof(*interum) + len + 1;
> + cp = strnchr(cp, len, '\n');
> + if (cp != NULL)
> + *cp = '\0';
> + ip++;
> + count++;
> + }
> + }
> +
> + if (count == 0)
> + goto free_out;
> +
> + final = kzalloc(total_size, GFP_KERNEL);
> + if (final == NULL) {
> + rc = -ENOMEM;
> + goto free_out;
> + }
> +
> + curr = final;
> + ip = interum;
> + for (i = 0; i < count; i++) {
> + memcpy(curr, ip, sizeof(*interum));
> + curr += sizeof(*interum);
> + memcpy(curr, interum_ctx[i], ip->ctx_len);
> + curr += interum[i].ctx_len;
> + ip++;
> + }
> +
> + if (get_user(len, size)) {
> + rc = -EFAULT;
> + goto free_out;
> + }
> + if (total_size > len) {
> + rc = -ERANGE;
> + goto free_out;
> + }
> + if (copy_to_user(ctx, final, total_size) != 0 ||
> + put_user(total_size, size) != 0)
> + rc = -EFAULT;
> + else
> + rc = count;
> +
> +free_out:
> + for (i = 0; i < count; i++)
> + kfree(interum_ctx[i]);
> + kfree(interum_ctx);
> + kfree(interum);
> + kfree(final);
> + return rc;
> +}
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH RFC] LSM: Specify which LSM to display
[not found] <5a9ff61e-cfe1-7385-aa17-5b800e489a9a.ref@schaufler-ca.com>
2022-09-10 1:01 ` [PATCH RFC] LSM: lsm_self_attr system call to get security module attributes Casey Schaufler
@ 2022-09-14 18:14 ` Casey Schaufler
1 sibling, 0 replies; 4+ messages in thread
From: Casey Schaufler @ 2022-09-14 18:14 UTC (permalink / raw)
To: Paul Moore, LSM List
Cc: John Johansen, linux-audit, Mimi Zohar, James Morris, Kees Cook,
SElinux list, casey
Create two new prctl() options PR_LSM_ATTR_SET and PR_LSM_ATTR_GET
which change and report the Interface LSM respectively.
The LSM ID number of an active LSM that supplies hooks for
human readable data may be passed in the arg2 value with the
PR_LSM_ATTR_SET option. The PR_LSM_ATT_GET option returns the
LSM ID currently in use. At this point there can only be one LSM
capable of display active. A helper function lsm_task_ilsm() is
provided to get the interface lsm slot for a task_struct.
Security modules that wish to restrict this action may provide
a task_prctl hook to do so. Each such security module is
responsible for defining its policy.
AppArmor hook initially provided by John Johansen
<john.johansen@canonical.com>. SELinux hook initially provided by
Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
include/linux/security.h | 17 ++++
include/uapi/linux/prctl.h | 4 +
security/apparmor/include/apparmor.h | 3 +-
security/apparmor/lsm.c | 42 +++++++++
security/security.c | 126 +++++++++++++++++++++++----
security/selinux/hooks.c | 21 +++++
security/selinux/include/classmap.h | 3 +-
7 files changed, 197 insertions(+), 19 deletions(-)
diff --git a/include/linux/security.h b/include/linux/security.h
index 5140dfec76d5..28f8895203be 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -240,6 +240,23 @@ static inline u32 lsmblob_first(const struct lsmblob *blob)
#endif
}
+/**
+ * lsm_task_ilsm - the "interface_lsm" for this task
+ * @task: The task to report on
+ *
+ * Returns the task's interface LSM slot.
+ */
+static inline int lsm_task_ilsm(struct task_struct *task)
+{
+#ifdef CONFIG_SECURITY
+ int *ilsm = task->security;
+
+ if (ilsm)
+ return *ilsm;
+#endif
+ return LSMBLOB_INVALID;
+}
+
/* These functions are in security/commoncap.c */
extern int cap_capable(const struct cred *cred, struct user_namespace *ns,
int cap, unsigned int opts);
diff --git a/include/uapi/linux/prctl.h b/include/uapi/linux/prctl.h
index a5e06dcbba13..531c6e8d2d18 100644
--- a/include/uapi/linux/prctl.h
+++ b/include/uapi/linux/prctl.h
@@ -281,6 +281,10 @@ struct prctl_mm_map {
# define PR_SME_VL_LEN_MASK 0xffff
# define PR_SME_VL_INHERIT (1 << 17) /* inherit across exec */
+/* Set/get the active security module for /proc/self/attr */
+#define PR_LSM_ATTR_SET 65 /* Set the display LSM ID */
+#define PR_LSM_ATTR_GET 66 /* Get the display LSM ID */
+
#define PR_SET_VMA 0x53564d41
# define PR_SET_VMA_ANON_NAME 0
diff --git a/security/apparmor/include/apparmor.h b/security/apparmor/include/apparmor.h
index 9c3fc36a0702..c9e08102c96f 100644
--- a/security/apparmor/include/apparmor.h
+++ b/security/apparmor/include/apparmor.h
@@ -28,8 +28,9 @@
#define AA_CLASS_SIGNAL 10
#define AA_CLASS_NET 14
#define AA_CLASS_LABEL 16
+#define AA_CLASS_DISPLAY_LSM 17
-#define AA_CLASS_LAST AA_CLASS_LABEL
+#define AA_CLASS_LAST AA_CLASS_DISPLAY_LSM
/* Control parameters settable through module/boot flags */
extern enum audit_mode aa_g_audit;
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index eccba6667458..183004c864ac 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -15,6 +15,7 @@
#include <linux/mount.h>
#include <linux/namei.h>
#include <linux/ptrace.h>
+#include <linux/prctl.h>
#include <linux/ctype.h>
#include <linux/sysctl.h>
#include <linux/audit.h>
@@ -642,6 +643,46 @@ static int apparmor_getprocattr(struct task_struct *task, char *name,
return error;
}
+
+static int profile_interface_lsm(struct aa_profile *profile,
+ struct common_audit_data *sa)
+{
+ struct aa_perms perms = { };
+ unsigned int state;
+
+ state = PROFILE_MEDIATES(profile, AA_CLASS_DISPLAY_LSM);
+ if (state) {
+ aa_compute_perms(profile->policy.dfa, state, &perms);
+ aa_apply_modes_to_perms(profile, &perms);
+ aad(sa)->label = &profile->label;
+
+ return aa_check_perms(profile, &perms, AA_MAY_WRITE, sa, NULL);
+ }
+
+ return 0;
+}
+
+static int apparmor_task_prctl(int option, unsigned long arg2,
+ unsigned long arg3, unsigned long arg4,
+ unsigned long arg5)
+{
+ struct aa_profile *profile;
+ struct aa_label *label;
+ int error;
+ DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_SETPROCATTR);
+
+ if (option != PR_LSM_ATTR_SET)
+ return 0;
+
+ /* LSM infrastructure does actual setting of interface_lsm if allowed */
+ aad(&sa)->info = "set interface lsm";
+ label = begin_current_label_crit_section();
+ error = fn_for_each_confined(label, profile,
+ profile_interface_lsm(profile, &sa));
+ end_current_label_crit_section(label);
+ return error;
+}
+
static int apparmor_setprocattr(const char *name, void *value,
size_t size)
{
@@ -1195,6 +1236,7 @@ static struct lsm_id apparmor_lsmid __lsm_ro_after_init = {
static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check),
LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme),
+ LSM_HOOK_INIT(task_prctl, apparmor_task_prctl),
LSM_HOOK_INIT(capget, apparmor_capget),
LSM_HOOK_INIT(capable, apparmor_capable),
diff --git a/security/security.c b/security/security.c
index ca3b1216e5f6..b29145de891f 100644
--- a/security/security.c
+++ b/security/security.c
@@ -28,6 +28,7 @@
#include <linux/backing-dev.h>
#include <linux/string.h>
#include <linux/msg.h>
+#include <linux/prctl.h>
#include <net/flow.h>
#include <net/sock.h>
@@ -80,7 +81,16 @@ static struct kmem_cache *lsm_file_cache;
static struct kmem_cache *lsm_inode_cache;
char *lsm_names;
-static struct lsm_blob_sizes blob_sizes __lsm_ro_after_init;
+
+/*
+ * The task blob includes the "interface_lsm" slot used for
+ * chosing which module presents contexts.
+ * Using a long to avoid potential alignment issues with
+ * module assigned task blobs.
+ */
+static struct lsm_blob_sizes blob_sizes __lsm_ro_after_init = {
+ .lbs_task = sizeof(long),
+};
/* Boot-time LSM user choice */
static __initdata const char *chosen_lsm_order;
@@ -673,6 +683,8 @@ int lsm_inode_alloc(struct inode *inode)
*/
static int lsm_task_alloc(struct task_struct *task)
{
+ int *ilsm;
+
if (blob_sizes.lbs_task == 0) {
task->security = NULL;
return 0;
@@ -681,6 +693,15 @@ static int lsm_task_alloc(struct task_struct *task)
task->security = kzalloc(blob_sizes.lbs_task, GFP_KERNEL);
if (task->security == NULL)
return -ENOMEM;
+
+ /*
+ * The start of the task blob contains the "interface" LSM slot number.
+ * Start with it set to the invalid slot number, indicating that the
+ * default first registered LSM be displayed.
+ */
+ ilsm = task->security;
+ *ilsm = LSMBLOB_INVALID;
+
return 0;
}
@@ -1747,14 +1768,26 @@ int security_file_open(struct file *file)
int security_task_alloc(struct task_struct *task, unsigned long clone_flags)
{
+ int *oilsm = current->security;
+ int *nilsm;
int rc = lsm_task_alloc(task);
- if (rc)
+ if (unlikely(rc))
return rc;
+
rc = call_int_hook(task_alloc, 0, task, clone_flags);
- if (unlikely(rc))
+ if (unlikely(rc)) {
security_task_free(task);
- return rc;
+ return rc;
+ }
+
+ if (oilsm) {
+ nilsm = task->security;
+ if (nilsm)
+ *nilsm = *oilsm;
+ }
+
+ return 0;
}
void security_task_free(struct task_struct *task)
@@ -2013,10 +2046,15 @@ int security_task_kill(struct task_struct *p, struct kernel_siginfo *info,
int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,
unsigned long arg4, unsigned long arg5)
{
+ int *ilsm = current->security;
int thisrc;
+ int slot;
int rc = LSM_RET_DEFAULT(task_prctl);
struct security_hook_list *hp;
+ if (lsm_slot == 0)
+ return -EINVAL;
+
hlist_for_each_entry(hp, &security_hook_heads.task_prctl, list) {
thisrc = hp->hook.task_prctl(option, arg2, arg3, arg4, arg5);
if (thisrc != LSM_RET_DEFAULT(task_prctl)) {
@@ -2025,6 +2063,25 @@ int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,
break;
}
}
+
+ switch (option) {
+ case PR_LSM_ATTR_SET:
+ if (rc && rc != LSM_RET_DEFAULT(task_prctl))
+ return rc;
+ for (slot = 0; slot < lsm_slot; slot++)
+ if (lsm_slotlist[slot]->id == arg2) {
+ *ilsm = lsm_slotlist[slot]->slot;
+ return 0;
+ }
+ return -EINVAL;
+ case PR_LSM_ATTR_GET:
+ if (rc && rc != LSM_RET_DEFAULT(task_prctl))
+ return rc;
+ if (*ilsm != LSMBLOB_INVALID)
+ return lsm_slotlist[*ilsm]->id;
+ return lsm_slotlist[0]->id;
+ }
+
return rc;
}
@@ -2191,23 +2248,45 @@ int security_getprocattr(struct task_struct *p, const char *lsm, char *name,
char **value)
{
struct security_hook_list *hp;
+ int ilsm = lsm_task_ilsm(current);
hlist_for_each_entry(hp, &security_hook_heads.getprocattr, list) {
if (lsm != NULL && strcmp(lsm, hp->lsmid->lsm))
continue;
+ if (lsm == NULL && ilsm != LSMBLOB_INVALID &&
+ ilsm != hp->lsmid->slot)
+ continue;
return hp->hook.getprocattr(p, name, value);
}
return LSM_RET_DEFAULT(getprocattr);
}
+/**
+ * security_setprocattr - Set process attributes via /proc
+ * @lsm: name of module involved, or NULL
+ * @name: name of the attribute
+ * @value: value to set the attribute to
+ * @size: size of the value
+ *
+ * Set the process attribute for the specified security module
+ * to the specified value. Note that this can only be used to set
+ * the process attributes for the current, or "self" process.
+ * The /proc code has already done this check.
+ *
+ * Returns 0 on success, an appropriate code otherwise.
+ */
int security_setprocattr(const char *lsm, const char *name, void *value,
size_t size)
{
struct security_hook_list *hp;
+ int *ilsm = current->security;
hlist_for_each_entry(hp, &security_hook_heads.setprocattr, list) {
if (lsm != NULL && strcmp(lsm, hp->lsmid->lsm))
continue;
+ if (lsm == NULL && *ilsm != LSMBLOB_INVALID &&
+ *ilsm != hp->lsmid->slot)
+ continue;
return hp->hook.setprocattr(name, value, size);
}
return LSM_RET_DEFAULT(setprocattr);
@@ -2227,15 +2306,15 @@ EXPORT_SYMBOL(security_ismaclabel);
int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen)
{
struct security_hook_list *hp;
- int rc;
+ int ilsm = lsm_task_ilsm(current);
hlist_for_each_entry(hp, &security_hook_heads.secid_to_secctx, list) {
if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot))
continue;
- rc = hp->hook.secid_to_secctx(blob->secid[hp->lsmid->slot],
- secdata, seclen);
- if (rc != LSM_RET_DEFAULT(secid_to_secctx))
- return rc;
+ if (ilsm == LSMBLOB_INVALID || ilsm == hp->lsmid->slot)
+ return hp->hook.secid_to_secctx(
+ blob->secid[hp->lsmid->slot],
+ secdata, seclen);
}
return LSM_RET_DEFAULT(secid_to_secctx);
@@ -2246,16 +2325,15 @@ int security_secctx_to_secid(const char *secdata, u32 seclen,
struct lsmblob *blob)
{
struct security_hook_list *hp;
- int rc;
+ int ilsm = lsm_task_ilsm(current);
lsmblob_init(blob, 0);
hlist_for_each_entry(hp, &security_hook_heads.secctx_to_secid, list) {
if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot))
continue;
- rc = hp->hook.secctx_to_secid(secdata, seclen,
- &blob->secid[hp->lsmid->slot]);
- if (rc != 0)
- return rc;
+ if (ilsm == LSMBLOB_INVALID || ilsm == hp->lsmid->slot)
+ return hp->hook.secctx_to_secid(secdata, seclen,
+ &blob->secid[hp->lsmid->slot]);
}
return 0;
}
@@ -2263,7 +2341,14 @@ EXPORT_SYMBOL(security_secctx_to_secid);
void security_release_secctx(char *secdata, u32 seclen)
{
- call_void_hook(release_secctx, secdata, seclen);
+ struct security_hook_list *hp;
+ int ilsm = lsm_task_ilsm(current);
+
+ hlist_for_each_entry(hp, &security_hook_heads.release_secctx, list)
+ if (ilsm == LSMBLOB_INVALID || ilsm == hp->lsmid->slot) {
+ hp->hook.release_secctx(secdata, seclen);
+ return;
+ }
}
EXPORT_SYMBOL(security_release_secctx);
@@ -2404,8 +2489,15 @@ EXPORT_SYMBOL(security_sock_rcv_skb);
int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
int __user *optlen, unsigned len)
{
- return call_int_hook(socket_getpeersec_stream, -ENOPROTOOPT, sock,
- optval, optlen, len);
+ int ilsm = lsm_task_ilsm(current);
+ struct security_hook_list *hp;
+
+ hlist_for_each_entry(hp, &security_hook_heads.socket_getpeersec_stream,
+ list)
+ if (ilsm == LSMBLOB_INVALID || ilsm == hp->lsmid->slot)
+ return hp->hook.socket_getpeersec_stream(sock, optval,
+ optlen, len);
+ return -ENOPROTOOPT;
}
int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb,
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index f03b98b35ef4..56ad1fd62df7 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -92,6 +92,7 @@
#include <linux/fsnotify.h>
#include <linux/fanotify.h>
#include <linux/io_uring.h>
+#include <linux/prctl.h>
#include <uapi/linux/lsm.h>
#include "avc.h"
@@ -6373,6 +6374,24 @@ static int selinux_getprocattr(struct task_struct *p,
return error;
}
+static int selinux_task_prctl(int option, unsigned long arg2,
+ unsigned long arg3, unsigned long arg4,
+ unsigned long arg5)
+{
+ u32 mysid = current_sid();
+
+ if (option != PR_LSM_ATTR_SET)
+ return -ENOSYS;
+
+ /*
+ * For setting interface_lsm, we only perform a permission check;
+ * the actual update to the interface_lsm value is handled by the
+ * LSM framework.
+ */
+ return avc_has_perm(&selinux_state, mysid, mysid, SECCLASS_PROCESS2,
+ PROCESS2__SETINTERFACE_LSM, NULL);
+}
+
static int selinux_setprocattr(const char *name, void *value, size_t size)
{
struct task_security_struct *tsec;
@@ -6384,6 +6403,7 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
/*
* Basic control over ability to set these attributes at all.
*/
+
if (!strcmp(name, "exec"))
error = avc_has_perm(&selinux_state,
mysid, mysid, SECCLASS_PROCESS,
@@ -7038,6 +7058,7 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(ptrace_access_check, selinux_ptrace_access_check),
LSM_HOOK_INIT(ptrace_traceme, selinux_ptrace_traceme),
+ LSM_HOOK_INIT(task_prctl, selinux_task_prctl),
LSM_HOOK_INIT(capget, selinux_capget),
LSM_HOOK_INIT(capset, selinux_capset),
LSM_HOOK_INIT(capable, selinux_capable),
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 1c2f41ff4e55..6b8569347bc0 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -53,7 +53,8 @@ const struct security_class_mapping secclass_map[] = {
"execmem", "execstack", "execheap", "setkeycreate",
"setsockcreate", "getrlimit", NULL } },
{ "process2",
- { "nnp_transition", "nosuid_transition", NULL } },
+ { "nnp_transition", "nosuid_transition", "setinterface_lsm",
+ NULL } },
{ "system",
{ "ipc_info", "syslog_read", "syslog_mod",
"syslog_console", "module_request", "module_load", NULL } },
--
2.36.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH v2 RFC] LSM: lsm_self_attr syscall for LSM self attributes
2022-09-10 1:01 ` [PATCH RFC] LSM: lsm_self_attr system call to get security module attributes Casey Schaufler
2022-09-10 2:51 ` Serge E. Hallyn
@ 2022-09-19 23:54 ` Casey Schaufler
1 sibling, 0 replies; 4+ messages in thread
From: Casey Schaufler @ 2022-09-19 23:54 UTC (permalink / raw)
To: Paul Moore, LSM List
Cc: John Johansen, linux-audit, Mimi Zohar, James Morris, Kees Cook,
SElinux list, casey
Create a system call lsm_self_attr() to provide the security
module maintained attributes of the current process. Historically
these attributes have been exposed to user space via entries in
procfs under /proc/self/attr.
Attributes are provided as a collection of lsm_ctx structures
which are placed into a user supplied buffer. Each structure
identifys the security module providing the attribute, which
of the possible attributes is provided, the size of the
attribute, and finally the attribute value. The format of the
attribute value is defined by the security module, but will
always be \0 terminated. The ctx_len value will be larger than
strlen(ctx).
------------------------------
| unsigned int id |
------------------------------
| unsigned int flags |
------------------------------
| __kernel_size_t ctx_len |
------------------------------
| unsigned char ctx[ctx_len] |
------------------------------
| unsigned int id |
------------------------------
| unsigned int flags |
------------------------------
| __kernel_size_t ctx_len |
------------------------------
| unsigned char ctx[ctx_len] |
------------------------------
The individual security modules have been updated to report
which security attributes they can provide. That information
is collected in a table managed by the LSM infrastructure.
As this is the first system call interface provided by the
LSM infrastructure the uapi header file is added. It includes
LSM ID values for each of the up-stream security modules.
As these values are required for the API they can also be
leveraged to improve the performance of the /proc attribute
processing for security_[gs]etprocattr().
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
arch/x86/entry/syscalls/syscall_64.tbl | 1 +
fs/proc/base.c | 29 ++---
fs/proc/internal.h | 2 +-
include/linux/lsm_hooks.h | 13 ++-
include/linux/security.h | 28 ++++-
include/linux/syscalls.h | 1 +
include/uapi/asm-generic/unistd.h | 5 +-
include/uapi/linux/lsm.h | 69 +++++++++++
kernel/sys_ni.c | 3 +
security/Makefile | 2 +-
security/apparmor/lsm.c | 9 +-
security/bpf/hooks.c | 14 ++-
security/commoncap.c | 9 +-
security/landlock/cred.c | 2 +-
security/landlock/fs.c | 2 +-
security/landlock/ptrace.c | 2 +-
security/landlock/setup.c | 7 ++
security/landlock/setup.h | 1 +
security/loadpin/loadpin.c | 10 +-
security/lockdown/lockdown.c | 9 +-
security/lsm_syscalls.c | 156 +++++++++++++++++++++++++
security/safesetid/lsm.c | 10 +-
security/security.c | 39 +++++--
security/selinux/hooks.c | 11 +-
security/smack/smack_lsm.c | 9 +-
security/tomoyo/tomoyo.c | 10 +-
security/yama/yama_lsm.c | 9 +-
27 files changed, 414 insertions(+), 48 deletions(-)
create mode 100644 include/uapi/linux/lsm.h
create mode 100644 security/lsm_syscalls.c
diff --git a/arch/x86/entry/syscalls/syscall_64.tbl b/arch/x86/entry/syscalls/syscall_64.tbl
index c84d12608cd2..56d5c5202fd0 100644
--- a/arch/x86/entry/syscalls/syscall_64.tbl
+++ b/arch/x86/entry/syscalls/syscall_64.tbl
@@ -372,6 +372,7 @@
448 common process_mrelease sys_process_mrelease
449 common futex_waitv sys_futex_waitv
450 common set_mempolicy_home_node sys_set_mempolicy_home_node
+451 common lsm_self_attr sys_lsm_self_attr
#
# Due to a historical design error, certain syscalls are numbered differently
diff --git a/fs/proc/base.c b/fs/proc/base.c
index 93f7e3d971e4..b2bda7d0619f 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -96,6 +96,7 @@
#include <linux/time_namespace.h>
#include <linux/resctrl.h>
#include <linux/cn_proc.h>
+#include <uapi/linux/lsm.h>
#include <trace/events/oom.h>
#include "internal.h"
#include "fd.h"
@@ -145,10 +146,10 @@ struct pid_entry {
NOD(NAME, (S_IFREG|(MODE)), \
NULL, &proc_single_file_operations, \
{ .proc_show = show } )
-#define ATTR(LSM, NAME, MODE) \
+#define ATTR(LSMID, NAME, MODE) \
NOD(NAME, (S_IFREG|(MODE)), \
NULL, &proc_pid_attr_operations, \
- { .lsm = LSM })
+ { .lsmid = LSMID })
/*
* Count the number of hardlinks for the pid_entry table, excluding the .
@@ -2727,7 +2728,7 @@ static ssize_t proc_pid_attr_read(struct file * file, char __user * buf,
if (!task)
return -ESRCH;
- length = security_getprocattr(task, PROC_I(inode)->op.lsm,
+ length = security_getprocattr(task, PROC_I(inode)->op.lsmid,
(char*)file->f_path.dentry->d_name.name,
&p);
put_task_struct(task);
@@ -2785,7 +2786,7 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf,
if (rv < 0)
goto out_free;
- rv = security_setprocattr(PROC_I(inode)->op.lsm,
+ rv = security_setprocattr(PROC_I(inode)->op.lsmid,
file->f_path.dentry->d_name.name, page,
count);
mutex_unlock(¤t->signal->cred_guard_mutex);
@@ -2834,27 +2835,27 @@ static const struct inode_operations proc_##LSM##_attr_dir_inode_ops = { \
#ifdef CONFIG_SECURITY_SMACK
static const struct pid_entry smack_attr_dir_stuff[] = {
- ATTR("smack", "current", 0666),
+ ATTR(LSM_ID_SMACK, "current", 0666),
};
LSM_DIR_OPS(smack);
#endif
#ifdef CONFIG_SECURITY_APPARMOR
static const struct pid_entry apparmor_attr_dir_stuff[] = {
- ATTR("apparmor", "current", 0666),
- ATTR("apparmor", "prev", 0444),
- ATTR("apparmor", "exec", 0666),
+ ATTR(LSM_ID_APPARMOR, "current", 0666),
+ ATTR(LSM_ID_APPARMOR, "prev", 0444),
+ ATTR(LSM_ID_APPARMOR, "exec", 0666),
};
LSM_DIR_OPS(apparmor);
#endif
static const struct pid_entry attr_dir_stuff[] = {
- ATTR(NULL, "current", 0666),
- ATTR(NULL, "prev", 0444),
- ATTR(NULL, "exec", 0666),
- ATTR(NULL, "fscreate", 0666),
- ATTR(NULL, "keycreate", 0666),
- ATTR(NULL, "sockcreate", 0666),
+ ATTR(LSM_ID_INVALID, "current", 0666),
+ ATTR(LSM_ID_INVALID, "prev", 0444),
+ ATTR(LSM_ID_INVALID, "exec", 0666),
+ ATTR(LSM_ID_INVALID, "fscreate", 0666),
+ ATTR(LSM_ID_INVALID, "keycreate", 0666),
+ ATTR(LSM_ID_INVALID, "sockcreate", 0666),
#ifdef CONFIG_SECURITY_SMACK
DIR("smack", 0555,
proc_smack_attr_dir_inode_ops, proc_smack_attr_dir_ops),
diff --git a/fs/proc/internal.h b/fs/proc/internal.h
index 06a80f78433d..3f6f4a7a1498 100644
--- a/fs/proc/internal.h
+++ b/fs/proc/internal.h
@@ -87,7 +87,7 @@ union proc_op {
int (*proc_show)(struct seq_file *m,
struct pid_namespace *ns, struct pid *pid,
struct task_struct *task);
- const char *lsm;
+ int lsmid;
};
struct proc_inode {
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 3aa6030302f5..ded76db3f523 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1598,6 +1598,15 @@ struct security_hook_heads {
#undef LSM_HOOK
} __randomize_layout;
+/*
+ * Information that identifies a security module.
+ */
+struct lsm_id {
+ const char *lsm; /* Name of the LSM */
+ int id; /* LSM ID */
+ int features; /* Set of LSM features */
+};
+
/*
* Security module hook list structure.
* For use with generic list macros for common operations.
@@ -1606,7 +1615,7 @@ struct security_hook_list {
struct hlist_node list;
struct hlist_head *head;
union security_list_options hook;
- const char *lsm;
+ struct lsm_id *lsmid;
} __randomize_layout;
/*
@@ -1641,7 +1650,7 @@ extern struct security_hook_heads security_hook_heads;
extern char *lsm_names;
extern void security_add_hooks(struct security_hook_list *hooks, int count,
- const char *lsm);
+ struct lsm_id *lsmid);
#define LSM_FLAG_LEGACY_MAJOR BIT(0)
#define LSM_FLAG_EXCLUSIVE BIT(1)
diff --git a/include/linux/security.h b/include/linux/security.h
index 7bd0c490703d..c4696f14daac 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -136,6 +136,23 @@ enum lockdown_reason {
extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1];
+#define LSMID_ENTRIES ( \
+ 1 + /* capabilities */ \
+ (IS_ENABLED(CONFIG_SECURITY_SELINUX) ? 1 : 0) + \
+ (IS_ENABLED(CONFIG_SECURITY_SMACK) ? 1 : 0) + \
+ (IS_ENABLED(CONFIG_SECURITY_TOMOYO) ? 1 : 0) + \
+ (IS_ENABLED(CONFIG_SECURITY_IMA) ? 1 : 0) + \
+ (IS_ENABLED(CONFIG_SECURITY_APPARMOR) ? 1 : 0) + \
+ (IS_ENABLED(CONFIG_SECURITY_YAMA) ? 1 : 0) + \
+ (IS_ENABLED(CONFIG_SECURITY_LOADPIN) ? 1 : 0) + \
+ (IS_ENABLED(CONFIG_SECURITY_SAFESETID) ? 1 : 0) + \
+ (IS_ENABLED(CONFIG_SECURITY_LOCKDOWN) ? 1 : 0) + \
+ (IS_ENABLED(CONFIG_BPF_LSM) ? 1 : 0) + \
+ (IS_ENABLED(CONFIG_SECURITY_LANDLOCK) ? 1 : 0))
+
+extern int lsm_id;
+extern struct lsm_id *lsm_idlist[];
+
/* These functions are in security/commoncap.c */
extern int cap_capable(const struct cred *cred, struct user_namespace *ns,
int cap, unsigned int opts);
@@ -461,10 +478,9 @@ int security_sem_semctl(struct kern_ipc_perm *sma, int cmd);
int security_sem_semop(struct kern_ipc_perm *sma, struct sembuf *sops,
unsigned nsops, int alter);
void security_d_instantiate(struct dentry *dentry, struct inode *inode);
-int security_getprocattr(struct task_struct *p, const char *lsm, char *name,
+int security_getprocattr(struct task_struct *p, int lsmid, char *name,
char **value);
-int security_setprocattr(const char *lsm, const char *name, void *value,
- size_t size);
+int security_setprocattr(int lsmid, const char *name, void *value, size_t size);
int security_netlink_send(struct sock *sk, struct sk_buff *skb);
int security_ismaclabel(const char *name);
int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
@@ -1300,14 +1316,14 @@ static inline void security_d_instantiate(struct dentry *dentry,
struct inode *inode)
{ }
-static inline int security_getprocattr(struct task_struct *p, const char *lsm,
+static inline int security_getprocattr(struct task_struct *p, int lsmid,
char *name, char **value)
{
return -EINVAL;
}
-static inline int security_setprocattr(const char *lsm, char *name,
- void *value, size_t size)
+static inline int security_setprocattr(int lsmid, char *name, void *value,
+ size_t size)
{
return -EINVAL;
}
diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
index a34b0f9a9972..7f87ef8be546 100644
--- a/include/linux/syscalls.h
+++ b/include/linux/syscalls.h
@@ -1056,6 +1056,7 @@ asmlinkage long sys_memfd_secret(unsigned int flags);
asmlinkage long sys_set_mempolicy_home_node(unsigned long start, unsigned long len,
unsigned long home_node,
unsigned long flags);
+asmlinkage long sys_lsm_self_attr(struct lsm_ctx *ctx, size_t *size, int flags);
/*
* Architecture-specific system calls
diff --git a/include/uapi/asm-generic/unistd.h b/include/uapi/asm-generic/unistd.h
index 45fa180cc56a..aa66718e1b48 100644
--- a/include/uapi/asm-generic/unistd.h
+++ b/include/uapi/asm-generic/unistd.h
@@ -886,8 +886,11 @@ __SYSCALL(__NR_futex_waitv, sys_futex_waitv)
#define __NR_set_mempolicy_home_node 450
__SYSCALL(__NR_set_mempolicy_home_node, sys_set_mempolicy_home_node)
+#define __NR_lsm_self_attr 451
+__SYSCALL(__NR_lsm_self_attr, sys_lsm_self_attr)
+
#undef __NR_syscalls
-#define __NR_syscalls 451
+#define __NR_syscalls 452
/*
* 32 bit systems traditionally used different
diff --git a/include/uapi/linux/lsm.h b/include/uapi/linux/lsm.h
new file mode 100644
index 000000000000..832a4d700ff1
--- /dev/null
+++ b/include/uapi/linux/lsm.h
@@ -0,0 +1,69 @@
+/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
+/*
+ * Linus Security Modules (LSM) - User space API
+ *
+ * Copyright (C) 2022 Casey Schaufler <casey@schaufler-ca.com>
+ * Copyright (C) Intel Corporation
+ */
+
+#ifndef _UAPI_LINUX_LSM_H
+#define _UAPI_LINUX_LSM_H
+
+#include <linux/types.h>
+#include <linux/unistd.h>
+
+/**
+ * struct lsm_ctx - LSM context
+ * @id: the LSM id number, see LSM_ID_XXX
+ * @flags: context specifier and LSM specific flags
+ * @ctx_len: the size of @ctx
+ * @ctx: the LSM context, a nul terminated string
+ *
+ * @ctx in a nul terminated string.
+ * (strlen(@ctx) < @ctx_len) is always true.
+ * (strlen(@ctx) == @ctx_len + 1) is not guaranteed.
+ */
+struct lsm_ctx {
+ unsigned int id;
+ unsigned int flags;
+ __kernel_size_t ctx_len;
+ unsigned char ctx[];
+};
+
+/*
+ * ID values to identify security modules.
+ * A system may use more than one security module.
+ *
+ * LSM_ID_XXX values 32 and below are reserved for future use
+ */
+#define LSM_ID_INVALID -1
+#define LSM_ID_SELINUX 33
+#define LSM_ID_SMACK 34
+#define LSM_ID_TOMOYO 35
+#define LSM_ID_IMA 36
+#define LSM_ID_APPARMOR 37
+#define LSM_ID_YAMA 38
+#define LSM_ID_LOADPIN 39
+#define LSM_ID_SAFESETID 40
+#define LSM_ID_LOCKDOWN 41
+#define LSM_ID_BPF 42
+#define LSM_ID_LANDLOCK 43
+#define LSM_ID_CAPABILITY 44
+
+/*
+ * Flag values.
+ *
+ * LSM_ATTR_XXX values identify the /proc/.../attr entry that the
+ * context represents. Not all security modules provide all of these
+ * values. Some security modules provide none of them.
+ */
+/* clang-format off */
+#define LSM_ATTR_CURRENT (1UL << 0)
+#define LSM_ATTR_EXEC (1UL << 1)
+#define LSM_ATTR_FSCREATE (1UL << 2)
+#define LSM_ATTR_KEYCREATE (1UL << 3)
+#define LSM_ATTR_PREV (1UL << 4)
+#define LSM_ATTR_SOCKCREATE (1UL << 5)
+/* clang-format on */
+
+#endif /* _UAPI_LINUX_LSM_H */
diff --git a/kernel/sys_ni.c b/kernel/sys_ni.c
index 860b2dcf3ac4..99bf07e64409 100644
--- a/kernel/sys_ni.c
+++ b/kernel/sys_ni.c
@@ -262,6 +262,9 @@ COND_SYSCALL_COMPAT(recvmsg);
/* mm/nommu.c, also with MMU */
COND_SYSCALL(mremap);
+/* security/lsm_syscalls.c */
+COND_SYSCALL(lsm_attr_self);
+
/* security/keys/keyctl.c */
COND_SYSCALL(add_key);
COND_SYSCALL(request_key);
diff --git a/security/Makefile b/security/Makefile
index 18121f8f85cd..409c47a25fcf 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -6,7 +6,7 @@
obj-$(CONFIG_KEYS) += keys/
# always enable default capabilities
-obj-y += commoncap.o
+obj-y += commoncap.o lsm_syscalls.o
obj-$(CONFIG_MMU) += min_addr.o
# Object file lists
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index e29cade7b662..40266cc4866c 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -24,6 +24,7 @@
#include <linux/zlib.h>
#include <net/sock.h>
#include <uapi/linux/mount.h>
+#include <uapi/linux/lsm.h>
#include "include/apparmor.h"
#include "include/apparmorfs.h"
@@ -1202,6 +1203,12 @@ struct lsm_blob_sizes apparmor_blob_sizes __lsm_ro_after_init = {
.lbs_task = sizeof(struct aa_task_ctx),
};
+static struct lsm_id apparmor_lsmid __lsm_ro_after_init = {
+ .lsm = "apparmor",
+ .id = LSM_ID_APPARMOR,
+ .features = LSM_ATTR_CURRENT | LSM_ATTR_PREV | LSM_ATTR_EXEC,
+};
+
static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check),
LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme),
@@ -1897,7 +1904,7 @@ static int __init apparmor_init(void)
goto buffers_out;
}
security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks),
- "apparmor");
+ &apparmor_lsmid);
/* Report that AppArmor successfully initialized */
apparmor_initialized = 1;
diff --git a/security/bpf/hooks.c b/security/bpf/hooks.c
index e5971fa74fd7..ad75ffd17319 100644
--- a/security/bpf/hooks.c
+++ b/security/bpf/hooks.c
@@ -5,6 +5,7 @@
*/
#include <linux/lsm_hooks.h>
#include <linux/bpf_lsm.h>
+#include <uapi/linux/lsm.h>
static struct security_hook_list bpf_lsm_hooks[] __lsm_ro_after_init = {
#define LSM_HOOK(RET, DEFAULT, NAME, ...) \
@@ -15,9 +16,20 @@ static struct security_hook_list bpf_lsm_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(task_free, bpf_task_storage_free),
};
+/*
+ * slot has to be LSMBLOB_NEEDED because some of the hooks
+ * supplied by this module require a slot.
+ */
+struct lsm_id bpf_lsmid __lsm_ro_after_init = {
+ .lsm = "bpf",
+ .id = LSM_ID_BPF,
+ .features = 0,
+};
+
static int __init bpf_lsm_init(void)
{
- security_add_hooks(bpf_lsm_hooks, ARRAY_SIZE(bpf_lsm_hooks), "bpf");
+ security_add_hooks(bpf_lsm_hooks, ARRAY_SIZE(bpf_lsm_hooks),
+ &bpf_lsmid);
pr_info("LSM support for eBPF active\n");
return 0;
}
diff --git a/security/commoncap.c b/security/commoncap.c
index 5fc8986c3c77..1ef9e2cc2c31 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -25,6 +25,7 @@
#include <linux/binfmts.h>
#include <linux/personality.h>
#include <linux/mnt_idmapping.h>
+#include <uapi/linux/lsm.h>
/*
* If a non-root user executes a setuid-root binary in
@@ -1446,6 +1447,12 @@ int cap_mmap_file(struct file *file, unsigned long reqprot,
#ifdef CONFIG_SECURITY
+static struct lsm_id capability_lsmid __lsm_ro_after_init = {
+ .lsm = "capability",
+ .id = LSM_ID_CAPABILITY,
+ .features = 0,
+};
+
static struct security_hook_list capability_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(capable, cap_capable),
LSM_HOOK_INIT(settime, cap_settime),
@@ -1470,7 +1477,7 @@ static struct security_hook_list capability_hooks[] __lsm_ro_after_init = {
static int __init capability_init(void)
{
security_add_hooks(capability_hooks, ARRAY_SIZE(capability_hooks),
- "capability");
+ &capability_lsmid);
return 0;
}
diff --git a/security/landlock/cred.c b/security/landlock/cred.c
index ec6c37f04a19..2eb1d65f10d6 100644
--- a/security/landlock/cred.c
+++ b/security/landlock/cred.c
@@ -42,5 +42,5 @@ static struct security_hook_list landlock_hooks[] __lsm_ro_after_init = {
__init void landlock_add_cred_hooks(void)
{
security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks),
- LANDLOCK_NAME);
+ &landlock_lsmid);
}
diff --git a/security/landlock/fs.c b/security/landlock/fs.c
index a9dbd99d9ee7..b1515fc67d57 100644
--- a/security/landlock/fs.c
+++ b/security/landlock/fs.c
@@ -1201,5 +1201,5 @@ static struct security_hook_list landlock_hooks[] __lsm_ro_after_init = {
__init void landlock_add_fs_hooks(void)
{
security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks),
- LANDLOCK_NAME);
+ &landlock_lsmid);
}
diff --git a/security/landlock/ptrace.c b/security/landlock/ptrace.c
index 4c5b9cd71286..eab35808f395 100644
--- a/security/landlock/ptrace.c
+++ b/security/landlock/ptrace.c
@@ -116,5 +116,5 @@ static struct security_hook_list landlock_hooks[] __lsm_ro_after_init = {
__init void landlock_add_ptrace_hooks(void)
{
security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks),
- LANDLOCK_NAME);
+ &landlock_lsmid);
}
diff --git a/security/landlock/setup.c b/security/landlock/setup.c
index f8e8e980454c..237b49cf5ab6 100644
--- a/security/landlock/setup.c
+++ b/security/landlock/setup.c
@@ -8,6 +8,7 @@
#include <linux/init.h>
#include <linux/lsm_hooks.h>
+#include <uapi/linux/lsm.h>
#include "common.h"
#include "cred.h"
@@ -23,6 +24,12 @@ struct lsm_blob_sizes landlock_blob_sizes __lsm_ro_after_init = {
.lbs_superblock = sizeof(struct landlock_superblock_security),
};
+struct lsm_id landlock_lsmid __lsm_ro_after_init = {
+ .lsm = LANDLOCK_NAME,
+ .id = LSM_ID_LANDLOCK,
+ .features = 0,
+};
+
static int __init landlock_init(void)
{
landlock_add_cred_hooks();
diff --git a/security/landlock/setup.h b/security/landlock/setup.h
index 1daffab1ab4b..38bce5b172dc 100644
--- a/security/landlock/setup.h
+++ b/security/landlock/setup.h
@@ -14,5 +14,6 @@
extern bool landlock_initialized;
extern struct lsm_blob_sizes landlock_blob_sizes;
+extern struct lsm_id landlock_lsmid;
#endif /* _SECURITY_LANDLOCK_SETUP_H */
diff --git a/security/loadpin/loadpin.c b/security/loadpin/loadpin.c
index 44521582dcba..1d526ea5d996 100644
--- a/security/loadpin/loadpin.c
+++ b/security/loadpin/loadpin.c
@@ -20,6 +20,7 @@
#include <linux/string_helpers.h>
#include <linux/dm-verity-loadpin.h>
#include <uapi/linux/loadpin.h>
+#include <uapi/linux/lsm.h>
static void report_load(const char *origin, struct file *file, char *operation)
{
@@ -195,6 +196,12 @@ static int loadpin_load_data(enum kernel_load_data_id id, bool contents)
return loadpin_read_file(NULL, (enum kernel_read_file_id) id, contents);
}
+static struct lsm_id loadpin_lsmid __lsm_ro_after_init = {
+ .lsm = "loadpin",
+ .id = LSM_ID_LOADPIN,
+ .features = 0,
+};
+
static struct security_hook_list loadpin_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(sb_free_security, loadpin_sb_free_security),
LSM_HOOK_INIT(kernel_read_file, loadpin_read_file),
@@ -242,7 +249,8 @@ static int __init loadpin_init(void)
pr_info("ready to pin (currently %senforcing)\n",
enforce ? "" : "not ");
parse_exclude();
- security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks), "loadpin");
+ security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks),
+ &loadpin_lsmid);
return 0;
}
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
index 87cbdc64d272..8871b4e0900c 100644
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -13,6 +13,7 @@
#include <linux/security.h>
#include <linux/export.h>
#include <linux/lsm_hooks.h>
+#include <uapi/linux/lsm.h>
static enum lockdown_reason kernel_locked_down;
@@ -75,6 +76,12 @@ static struct security_hook_list lockdown_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(locked_down, lockdown_is_locked_down),
};
+static struct lsm_id lockdown_lsmid __lsm_ro_after_init = {
+ .lsm = "lockdown",
+ .id = LSM_ID_LOCKDOWN,
+ .features = 0,
+};
+
static int __init lockdown_lsm_init(void)
{
#if defined(CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY)
@@ -83,7 +90,7 @@ static int __init lockdown_lsm_init(void)
lock_kernel_down("Kernel configuration", LOCKDOWN_CONFIDENTIALITY_MAX);
#endif
security_add_hooks(lockdown_hooks, ARRAY_SIZE(lockdown_hooks),
- "lockdown");
+ &lockdown_lsmid);
return 0;
}
diff --git a/security/lsm_syscalls.c b/security/lsm_syscalls.c
new file mode 100644
index 000000000000..da0fab7065e2
--- /dev/null
+++ b/security/lsm_syscalls.c
@@ -0,0 +1,156 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * System calls implementing the Linux Security Module API.
+ *
+ * Copyright (C) 2022 Casey Schaufler <casey@schaufler-ca.com>
+ * Copyright (C) Intel Corporation
+ */
+
+#include <asm/current.h>
+#include <linux/compiler_types.h>
+#include <linux/err.h>
+#include <linux/errno.h>
+#include <linux/security.h>
+#include <linux/stddef.h>
+#include <linux/syscalls.h>
+#include <linux/types.h>
+#include <linux/lsm_hooks.h>
+#include <uapi/linux/lsm.h>
+
+struct feature_map {
+ char *name;
+ int feature;
+};
+
+static const struct feature_map lsm_attr_names[] = {
+ { .name = "current", .feature = LSM_ATTR_CURRENT, },
+ { .name = "exec", .feature = LSM_ATTR_EXEC, },
+ { .name = "fscreate", .feature = LSM_ATTR_FSCREATE, },
+ { .name = "keycreate", .feature = LSM_ATTR_KEYCREATE, },
+ { .name = "prev", .feature = LSM_ATTR_PREV, },
+ { .name = "sockcreate", .feature = LSM_ATTR_SOCKCREATE, },
+};
+
+/**
+ * lsm_self_attr - Return current task's security module attributes
+ * @ctx: the LSM contexts
+ * @size: size of @ctx, updated on return
+ * @flags: reserved for future use, must be zero
+ *
+ * Returns the calling task's LSM contexts. On success this
+ * function returns the number of @ctx array elements. This value
+ * may be zero if there are no LSM contexts assigned. If @size is
+ * insufficient to contain the return data -E2BIG is returned and
+ * @size is set to the minimum required size. In all other cases
+ * a negative value indicating the error is returned.
+ */
+SYSCALL_DEFINE3(lsm_self_attr,
+ struct lsm_ctx __user *, ctx,
+ size_t __user *, size,
+ int, flags)
+{
+ struct lsm_ctx *final = NULL;
+ struct lsm_ctx *interum;
+ struct lsm_ctx *ip;
+ void *curr;
+ char **interum_ctx;
+ char *cp;
+ size_t total_size = 0;
+ int count = 0;
+ int attr;
+ int len;
+ int rc = 0;
+ int i;
+
+ interum = kzalloc(ARRAY_SIZE(lsm_attr_names) * lsm_id *
+ sizeof(*interum), GFP_KERNEL);
+ if (interum == NULL)
+ return -ENOMEM;
+ ip = interum;
+
+ interum_ctx = kzalloc(ARRAY_SIZE(lsm_attr_names) * lsm_id *
+ sizeof(*interum_ctx), GFP_KERNEL);
+ if (interum_ctx == NULL) {
+ kfree(interum);
+ return -ENOMEM;
+ }
+
+ for (attr = 0; attr < ARRAY_SIZE(lsm_attr_names); attr++) {
+ for (i = 0; i < lsm_id; i++) {
+ if ((lsm_idlist[i]->features &
+ lsm_attr_names[attr].feature) == 0)
+ continue;
+
+ len = security_getprocattr(current, lsm_idlist[i]->id,
+ lsm_attr_names[attr].name,
+ &cp);
+ if (len <= 0)
+ continue;
+
+ ip->id = lsm_idlist[i]->id;
+ ip->flags = lsm_attr_names[attr].feature;
+ /* space for terminating \0 is allocated below */
+ ip->ctx_len = len + 1;
+ interum_ctx[count] = cp;
+ /*
+ * Security modules have been inconsistent about
+ * including the \0 terminator in the size. The
+ * context len has been adjusted to ensure there
+ * is one.
+ * At least one security module adds a \n at the
+ * end of a context to make it look nicer. Change
+ * that to a \0 so that user space doesn't have to
+ * work around it. Because of this meddling it is
+ * safe to assume that lsm_ctx.name is terminated
+ * and that strlen(lsm_ctx.name) < lsm.ctx_len.
+ */
+ total_size += sizeof(*interum) + ip->ctx_len;
+ cp = strnchr(cp, len, '\n');
+ if (cp != NULL)
+ *cp = '\0';
+ ip++;
+ count++;
+ }
+ }
+
+ if (count == 0)
+ goto free_out;
+
+ final = kzalloc(total_size, GFP_KERNEL);
+ if (final == NULL) {
+ rc = -ENOMEM;
+ goto free_out;
+ }
+
+ curr = final;
+ ip = interum;
+ for (i = 0; i < count; i++) {
+ memcpy(curr, ip, sizeof(*interum));
+ curr += sizeof(*interum);
+ memcpy(curr, interum_ctx[i], ip->ctx_len);
+ curr += ip->ctx_len;
+ ip++;
+ }
+
+ if (get_user(len, size)) {
+ rc = -EFAULT;
+ goto free_out;
+ }
+ if (total_size > len) {
+ rc = -ERANGE;
+ goto free_out;
+ }
+ if (copy_to_user(ctx, final, total_size) != 0 ||
+ put_user(total_size, size) != 0)
+ rc = -EFAULT;
+ else
+ rc = count;
+
+free_out:
+ for (i = 0; i < count; i++)
+ kfree(interum_ctx[i]);
+ kfree(interum_ctx);
+ kfree(interum);
+ kfree(final);
+ return rc;
+}
diff --git a/security/safesetid/lsm.c b/security/safesetid/lsm.c
index e806739f7868..fc8255a22836 100644
--- a/security/safesetid/lsm.c
+++ b/security/safesetid/lsm.c
@@ -19,6 +19,7 @@
#include <linux/ptrace.h>
#include <linux/sched/task_stack.h>
#include <linux/security.h>
+#include <uapi/linux/lsm.h>
#include "lsm.h"
/* Flag indicating whether initialization completed */
@@ -261,6 +262,12 @@ static int safesetid_task_fix_setgroups(struct cred *new, const struct cred *old
return 0;
}
+static struct lsm_id safesetid_lsmid __lsm_ro_after_init = {
+ .lsm = "safesetid",
+ .id = LSM_ID_SAFESETID,
+ .features = 0,
+};
+
static struct security_hook_list safesetid_security_hooks[] = {
LSM_HOOK_INIT(task_fix_setuid, safesetid_task_fix_setuid),
LSM_HOOK_INIT(task_fix_setgid, safesetid_task_fix_setgid),
@@ -271,7 +278,8 @@ static struct security_hook_list safesetid_security_hooks[] = {
static int __init safesetid_security_init(void)
{
security_add_hooks(safesetid_security_hooks,
- ARRAY_SIZE(safesetid_security_hooks), "safesetid");
+ ARRAY_SIZE(safesetid_security_hooks),
+ &safesetid_lsmid);
/* Report that SafeSetID successfully initialized */
safesetid_initialized = 1;
diff --git a/security/security.c b/security/security.c
index 4b95de24bc8d..faf99e1600b3 100644
--- a/security/security.c
+++ b/security/security.c
@@ -28,6 +28,7 @@
#include <linux/backing-dev.h>
#include <linux/string.h>
#include <linux/msg.h>
+#include <uapi/linux/lsm.h>
#include <net/flow.h>
#define MAX_LSM_EVM_XATTR 2
@@ -318,6 +319,13 @@ static void __init lsm_early_task(struct task_struct *task);
static int lsm_append(const char *new, char **result);
+/*
+ * Current index to use while initializing the lsm id list.
+ */
+int lsm_id __lsm_ro_after_init;
+struct lsm_id *lsm_idlist[LSMID_ENTRIES] __lsm_ro_after_init;
+
+
static void __init ordered_lsm_init(void)
{
struct lsm_info **lsm;
@@ -362,6 +370,8 @@ static void __init ordered_lsm_init(void)
for (lsm = ordered_lsms; *lsm; lsm++)
initialize_lsm(*lsm);
+ init_debug("lsm count = %d\n", lsm_id);
+
kfree(ordered_lsms);
}
@@ -474,17 +484,27 @@ static int lsm_append(const char *new, char **result)
* security_add_hooks - Add a modules hooks to the hook lists.
* @hooks: the hooks to add
* @count: the number of hooks to add
- * @lsm: the name of the security module
+ * @lsmid: the identification information for the security module
*
* Each LSM has to register its hooks with the infrastructure.
*/
void __init security_add_hooks(struct security_hook_list *hooks, int count,
- const char *lsm)
+ struct lsm_id *lsmid)
{
int i;
+ /*
+ * A security module may call security_add_hooks() more
+ * than once. Landlock is one such case.
+ */
+ if (lsm_id == 0 || lsm_idlist[lsm_id - 1] != lsmid)
+ lsm_idlist[lsm_id++] = lsmid;
+
+ if (lsm_id > LSMID_ENTRIES)
+ panic("%s Too many LSMs registered.\n", __func__);
+
for (i = 0; i < count; i++) {
- hooks[i].lsm = lsm;
+ hooks[i].lsmid = lsmid;
hlist_add_tail_rcu(&hooks[i].list, hooks[i].head);
}
@@ -493,7 +513,7 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count,
* and fix this up afterwards.
*/
if (slab_is_available()) {
- if (lsm_append(lsm, &lsm_names) < 0)
+ if (lsm_append(lsmid->lsm, &lsm_names) < 0)
panic("%s - Cannot get early memory.\n", __func__);
}
}
@@ -2057,26 +2077,25 @@ void security_d_instantiate(struct dentry *dentry, struct inode *inode)
}
EXPORT_SYMBOL(security_d_instantiate);
-int security_getprocattr(struct task_struct *p, const char *lsm, char *name,
- char **value)
+int security_getprocattr(struct task_struct *p, int lsmid, char *name,
+ char **value)
{
struct security_hook_list *hp;
hlist_for_each_entry(hp, &security_hook_heads.getprocattr, list) {
- if (lsm != NULL && strcmp(lsm, hp->lsm))
+ if (lsmid != LSM_ID_INVALID && lsmid != hp->lsmid->id)
continue;
return hp->hook.getprocattr(p, name, value);
}
return LSM_RET_DEFAULT(getprocattr);
}
-int security_setprocattr(const char *lsm, const char *name, void *value,
- size_t size)
+int security_setprocattr(int lsmid, const char *name, void *value, size_t size)
{
struct security_hook_list *hp;
hlist_for_each_entry(hp, &security_hook_heads.setprocattr, list) {
- if (lsm != NULL && strcmp(lsm, hp->lsm))
+ if (lsmid != LSM_ID_INVALID && lsmid != hp->lsmid->id)
continue;
return hp->hook.setprocattr(name, value, size);
}
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 03bca97c8b29..625cc791c440 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -92,6 +92,7 @@
#include <linux/fsnotify.h>
#include <linux/fanotify.h>
#include <linux/io_uring.h>
+#include <uapi/linux/lsm.h>
#include "avc.h"
#include "objsec.h"
@@ -7012,6 +7013,13 @@ static int selinux_uring_cmd(struct io_uring_cmd *ioucmd)
}
#endif /* CONFIG_IO_URING */
+static struct lsm_id selinux_lsmid __lsm_ro_after_init = {
+ .lsm = "selinux",
+ .id = LSM_ID_SELINUX,
+ .features = LSM_ATTR_CURRENT | LSM_ATTR_EXEC | LSM_ATTR_FSCREATE |
+ LSM_ATTR_KEYCREATE | LSM_ATTR_PREV | LSM_ATTR_SOCKCREATE,
+};
+
/*
* IMPORTANT NOTE: When adding new hooks, please be careful to keep this order:
* 1. any hooks that don't belong to (2.) or (3.) below,
@@ -7331,7 +7339,8 @@ static __init int selinux_init(void)
hashtab_cache_init();
- security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
+ security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks),
+ &selinux_lsmid);
if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
panic("SELinux: Unable to register AVC netcache callback\n");
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index bffccdc494cb..e79640a6bfd7 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -43,6 +43,7 @@
#include <linux/fs_parser.h>
#include <linux/watch_queue.h>
#include <linux/io_uring.h>
+#include <uapi/linux/lsm.h>
#include "smack.h"
#define TRANS_TRUE "TRUE"
@@ -4774,6 +4775,12 @@ struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = {
.lbs_superblock = sizeof(struct superblock_smack),
};
+static struct lsm_id smack_lsmid __lsm_ro_after_init = {
+ .lsm = "smack",
+ .id = LSM_ID_SMACK,
+ .features = LSM_ATTR_CURRENT,
+};
+
static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check),
LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme),
@@ -4976,7 +4983,7 @@ static __init int smack_init(void)
/*
* Register with LSM
*/
- security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), "smack");
+ security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), &smack_lsmid);
smack_enabled = 1;
pr_info("Smack: Initializing.\n");
diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
index 71e82d855ebf..9304487d4577 100644
--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
@@ -6,6 +6,7 @@
*/
#include <linux/lsm_hooks.h>
+#include <uapi/linux/lsm.h>
#include "common.h"
/**
@@ -530,6 +531,12 @@ static void tomoyo_task_free(struct task_struct *task)
}
}
+static struct lsm_id tomoyo_lsmid __lsm_ro_after_init = {
+ .lsm = "tomoyo",
+ .id = LSM_ID_TOMOYO,
+ .features = 0,
+};
+
/*
* tomoyo_security_ops is a "struct security_operations" which is used for
* registering TOMOYO.
@@ -582,7 +589,8 @@ static int __init tomoyo_init(void)
struct tomoyo_task *s = tomoyo_task(current);
/* register ourselves with the security framework */
- security_add_hooks(tomoyo_hooks, ARRAY_SIZE(tomoyo_hooks), "tomoyo");
+ security_add_hooks(tomoyo_hooks, ARRAY_SIZE(tomoyo_hooks),
+ &tomoyo_lsmid);
pr_info("TOMOYO Linux initialized\n");
s->domain_info = &tomoyo_kernel_domain;
atomic_inc(&tomoyo_kernel_domain.users);
diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
index 06e226166aab..8a9a0d407647 100644
--- a/security/yama/yama_lsm.c
+++ b/security/yama/yama_lsm.c
@@ -18,6 +18,7 @@
#include <linux/task_work.h>
#include <linux/sched.h>
#include <linux/spinlock.h>
+#include <uapi/linux/lsm.h>
#define YAMA_SCOPE_DISABLED 0
#define YAMA_SCOPE_RELATIONAL 1
@@ -421,6 +422,12 @@ static int yama_ptrace_traceme(struct task_struct *parent)
return rc;
}
+static struct lsm_id yama_lsmid __lsm_ro_after_init = {
+ .lsm = "yama",
+ .id = LSM_ID_YAMA,
+ .features = 0,
+};
+
static struct security_hook_list yama_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(ptrace_access_check, yama_ptrace_access_check),
LSM_HOOK_INIT(ptrace_traceme, yama_ptrace_traceme),
@@ -477,7 +484,7 @@ static inline void yama_init_sysctl(void) { }
static int __init yama_init(void)
{
pr_info("Yama: becoming mindful.\n");
- security_add_hooks(yama_hooks, ARRAY_SIZE(yama_hooks), "yama");
+ security_add_hooks(yama_hooks, ARRAY_SIZE(yama_hooks), &yama_lsmid);
yama_init_sysctl();
return 0;
}
--
2.36.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
end of thread, other threads:[~2022-09-19 23:54 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <5a9ff61e-cfe1-7385-aa17-5b800e489a9a.ref@schaufler-ca.com>
2022-09-10 1:01 ` [PATCH RFC] LSM: lsm_self_attr system call to get security module attributes Casey Schaufler
2022-09-10 2:51 ` Serge E. Hallyn
2022-09-19 23:54 ` [PATCH v2 RFC] LSM: lsm_self_attr syscall for LSM self attributes Casey Schaufler
2022-09-14 18:14 ` [PATCH RFC] LSM: Specify which LSM to display Casey Schaufler
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).