From: Paul Moore <paul@paul-moore.com>
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: casey.schaufler@intel.com, linux-security-module@vger.kernel.org,
jmorris@namei.org, keescook@chromium.org,
john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp,
stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org,
linux-api@vger.kernel.org, mic@digikod.net
Subject: Re: [PATCH v1 6/8] LSM: lsm_self_attr syscall for LSM self attributes
Date: Thu, 10 Nov 2022 18:36:17 -0500 [thread overview]
Message-ID: <CAHC9VhSCAM+xdKf_f210-M-ZFY9KBVgpK84nbuCcVF9Z3qs2eA@mail.gmail.com> (raw)
In-Reply-To: <CAHC9VhQ039=X+0edudy64-fpw4C2SwWV_MucbYfXwFKduwnbWA@mail.gmail.com>
On Wed, Nov 9, 2022 at 6:34 PM Paul Moore <paul@paul-moore.com> wrote:
> On Tue, Oct 25, 2022 at 2:48 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
> >
> > Create a system call lsm_self_attr() to provide the security
> > module maintained attributes of the current process. Historically
> > these attributes have been exposed to user space via entries in
> > procfs under /proc/self/attr.
> >
> > Attributes are provided as a collection of lsm_ctx structures
> > which are placed into a user supplied buffer. Each structure
> > identifys the security module providing the attribute, which
> > of the possible attributes is provided, the size of the
> > attribute, and finally the attribute value. The format of the
> > attribute value is defined by the security module, but will
> > always be \0 terminated. The ctx_len value will be larger than
> > strlen(ctx).
> >
> > ------------------------------
> > | unsigned int id |
> > ------------------------------
> > | unsigned int flags |
> > ------------------------------
> > | __kernel_size_t ctx_len |
> > ------------------------------
> > | unsigned char ctx[ctx_len] |
> > ------------------------------
> > | unsigned int id |
> > ------------------------------
> > | unsigned int flags |
> > ------------------------------
> > | __kernel_size_t ctx_len |
> > ------------------------------
> > | unsigned char ctx[ctx_len] |
> > ------------------------------
> >
> > Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> > ---
> > include/linux/syscalls.h | 2 +
> > include/uapi/linux/lsm.h | 21 ++++++
> > kernel/sys_ni.c | 3 +
> > security/Makefile | 1 +
> > security/lsm_syscalls.c | 156 +++++++++++++++++++++++++++++++++++++++
> > 5 files changed, 183 insertions(+)
> > create mode 100644 security/lsm_syscalls.c
...
> > +/**
> > + * lsm_self_attr - Return current task's security module attributes
> > + * @ctx: the LSM contexts
> > + * @size: size of @ctx, updated on return
> > + * @flags: reserved for future use, must be zero
> > + *
> > + * Returns the calling task's LSM contexts. On success this
> > + * function returns the number of @ctx array elements. This value
> > + * may be zero if there are no LSM contexts assigned. If @size is
> > + * insufficient to contain the return data -E2BIG is returned and
> > + * @size is set to the minimum required size. In all other cases
> > + * a negative value indicating the error is returned.
> > + */
> > +SYSCALL_DEFINE3(lsm_self_attr,
> > + struct lsm_ctx __user *, ctx,
> > + size_t __user *, size,
> > + int, flags)
>
> See my comments above about UAPI types, let's change this to something
> like this:
>
> [NOTE: I'm assuming it is safe to use __XXX types in syscall declarations?]
>
> SYSCALL_DEFINE3(lsm_self_attr,
> struct lsm_ctx __user *, ctx,
> __kernel_size_t __user *, size,
> __u32, flags)
>
I wanted to clarify how I originally envisioned this syscall/API, as
it looks like it behaves a bit differently than I originally intended.
My thought was that this syscall would be used to fetch one LSM
attribute context at a time, returning an array of lsm_ctx structs,
with one, and only one, for each LSM that supports that particular
attribute. If the LSM does not support that attribute, it must not
enter an entry to the array. Requesting more than one attribute
context per invocation is not allowed. The idea was to closely
resemble the familiar open("/proc/self/attr/current")/read()/close()
result without relying on procfs and supporting multiple LSMs with an
easy(ish) API. The new, single syscall should also be faster,
although none of this should be happening in a performance critical
section anyway.
In addition, the lsm_ctx::flags field is intended to convey
information specific to the given LSM, i.e. it should not repeat any
of the flag information specified in the syscall parameters. I don't
believe any of the currently in-tree LSMs would require any special
flags for their contexts, so this should always be zero/clear in this
initial patchset, but it is something to keep in mind for the future.
Thoughts?
--
paul-moore.com
next prev parent reply other threads:[~2022-11-10 23:36 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20221025184519.13231-1-casey.ref@schaufler-ca.com>
2022-10-25 18:45 ` [PATCH v1 0/8] LSM: Two basic syscalls Casey Schaufler
2022-10-25 18:45 ` [PATCH v1 1/8] LSM: Identify modules by more than name Casey Schaufler
2022-10-26 5:56 ` Greg KH
2022-10-25 18:45 ` [PATCH v1 2/8] LSM: Add an LSM identifier for external use Casey Schaufler
2022-10-26 5:58 ` Greg KH
2022-10-26 19:36 ` Casey Schaufler
2022-10-27 0:11 ` Tetsuo Handa
2022-10-27 6:31 ` Greg KH
2022-10-28 16:54 ` Casey Schaufler
2022-11-09 23:33 ` Paul Moore
2022-11-10 0:57 ` Casey Schaufler
2022-11-10 2:37 ` Paul Moore
2022-11-09 23:33 ` Paul Moore
2022-11-10 0:46 ` Casey Schaufler
2022-10-25 18:45 ` [PATCH v1 3/8] LSM: Identify the process attributes for each module Casey Schaufler
2022-10-26 5:59 ` Greg KH
2022-11-09 23:34 ` Paul Moore
2022-11-10 1:03 ` Casey Schaufler
2022-11-10 2:39 ` Paul Moore
2022-10-25 18:45 ` [PATCH v1 4/8] LSM: Maintain a table of LSM attribute data Casey Schaufler
2022-10-26 6:00 ` Greg KH
2022-10-27 0:38 ` Casey Schaufler
2022-10-27 6:29 ` Greg KH
2022-10-27 17:08 ` Casey Schaufler
2022-10-27 17:13 ` Greg KH
2022-11-09 23:34 ` Paul Moore
2022-10-25 18:45 ` [PATCH v1 5/8] proc: Use lsmids instead of lsm names for attrs Casey Schaufler
2022-10-25 18:45 ` [PATCH v1 6/8] LSM: lsm_self_attr syscall for LSM self attributes Casey Schaufler
2022-10-26 6:03 ` Greg KH
2022-10-26 7:01 ` kernel test robot
2022-10-26 8:14 ` kernel test robot
2022-10-26 9:33 ` kernel test robot
2022-11-09 23:34 ` Paul Moore
2022-11-10 1:32 ` Casey Schaufler
2022-11-10 3:02 ` Paul Moore
2022-11-10 23:36 ` Paul Moore [this message]
2022-11-11 0:36 ` Casey Schaufler
2022-11-11 3:16 ` Paul Moore
2022-10-25 18:45 ` [PATCH v1 7/8] LSM: Create lsm_module_list system call Casey Schaufler
2022-10-26 6:02 ` Greg KH
2022-10-26 12:07 ` kernel test robot
2022-11-09 23:35 ` Paul Moore
2022-11-10 1:37 ` Casey Schaufler
2022-11-10 3:17 ` Paul Moore
2022-10-25 18:45 ` [PATCH v1 8/8] lsm: wireup syscalls lsm_self_attr and lsm_module_list Casey Schaufler
2022-10-26 8:07 ` Geert Uytterhoeven
2022-11-23 19:57 [PATCH v1 0/8] LSM: Two basic syscalls Casey Schaufler
2022-11-23 19:57 ` [PATCH v1 6/8] LSM: lsm_self_attr syscall for LSM self attributes Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAHC9VhSCAM+xdKf_f210-M-ZFY9KBVgpK84nbuCcVF9Z3qs2eA@mail.gmail.com \
--to=paul@paul-moore.com \
--cc=casey.schaufler@intel.com \
--cc=casey@schaufler-ca.com \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).