Re: [PATCH v9 07/11] LSM: Helpers for attribute names and filling an lsm_ctx
From: Kees Cook
Date: Fri Apr 21 2023 - 15:47:25 EST
On Fri, Apr 21, 2023 at 10:42:55AM -0700, Casey Schaufler wrote:
> Add lsm_name_to_attr(), which translates a text string to a
> LSM_ATTR value if one is available.
>
> Add lsm_fill_user_ctx(), which fills a struct lsm_ctx, including
> the trailing attribute value. The .len value is padded to a multiple
> of 64 bits
>
> All are used in module specific components of LSM system calls.
>
> Signed-off-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
> ---
> include/linux/security.h | 13 ++++++++++++
> security/lsm_syscalls.c | 24 ++++++++++++++++++++++
> security/security.c | 43 ++++++++++++++++++++++++++++++++++++++++
> 3 files changed, 80 insertions(+)
>
> diff --git a/include/linux/security.h b/include/linux/security.h
> index f7292890b6a2..c96fb56159e3 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -263,6 +263,7 @@ int unregister_blocking_lsm_notifier(struct notifier_block *nb);
> /* prototypes */
> extern int security_init(void);
> extern int early_security_init(void);
> +extern u64 lsm_name_to_attr(const char *name);
>
> /* Security operations */
> int security_binder_set_context_mgr(const struct cred *mgr);
> @@ -491,6 +492,8 @@ int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
> int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
> int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
> int security_locked_down(enum lockdown_reason what);
> +int lsm_fill_user_ctx(struct lsm_ctx __user *ctx, void *context,
> + size_t context_size, u64 id, u64 flags);
> #else /* CONFIG_SECURITY */
>
> static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
> @@ -508,6 +511,11 @@ static inline int unregister_blocking_lsm_notifier(struct notifier_block *nb)
> return 0;
> }
>
> +static inline u64 lsm_name_to_attr(const char *name)
> +{
> + return 0;
I think this should return LSM_ATTR_UNDEF instead of literal 0.
> +}
> +
> static inline void security_free_mnt_opts(void **mnt_opts)
> {
> }
> @@ -1420,6 +1428,11 @@ static inline int security_locked_down(enum lockdown_reason what)
> {
> return 0;
> }
> +static inline int lsm_fill_user_ctx(struct lsm_ctx __user *ctx, void *context,
> + size_t context_size, u64 id, u64 flags)
> +{
> + return 0;
Shouldn't this either error or fill in an empty context?
> +}
> #endif /* CONFIG_SECURITY */
>
> #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE)
> diff --git a/security/lsm_syscalls.c b/security/lsm_syscalls.c
> index 6efbe244d304..67106f642422 100644
> --- a/security/lsm_syscalls.c
> +++ b/security/lsm_syscalls.c
> @@ -17,6 +17,30 @@
> #include <linux/lsm_hooks.h>
> #include <uapi/linux/lsm.h>
>
> +/**
> + * lsm_name_to_attr - map an LSM attribute name to its ID
> + * @name: name of the attribute
> + *
> + * Returns the LSM attribute value associated with @name, or 0 if
> + * there is no mapping.
> + */
> +u64 lsm_name_to_attr(const char *name)
> +{
> + if (!strcmp(name, "current"))
> + return LSM_ATTR_CURRENT;
> + if (!strcmp(name, "exec"))
> + return LSM_ATTR_EXEC;
> + if (!strcmp(name, "fscreate"))
> + return LSM_ATTR_FSCREATE;
> + if (!strcmp(name, "keycreate"))
> + return LSM_ATTR_KEYCREATE;
> + if (!strcmp(name, "prev"))
> + return LSM_ATTR_PREV;
> + if (!strcmp(name, "sockcreate"))
> + return LSM_ATTR_SOCKCREATE;
> + return 0;
LSM_ATTR_UNDEF again?
> +}
> +
> /**
> * sys_lsm_set_self_attr - Set current task's security module attribute
> * @attr: which attribute to set
> diff --git a/security/security.c b/security/security.c
> index bc3f166b4bff..759f3d977d2e 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -752,6 +752,49 @@ static int lsm_superblock_alloc(struct super_block *sb)
> return 0;
> }
>
> +/**
> + * lsm_fill_user_ctx - Fill a user space lsm_ctx structure
> + * @ctx: an LSM context to be filled
> + * @context: the new context value
> + * @context_size: the size of the new context value
> + * @id: LSM id
> + * @flags: LSM defined flags
> + *
> + * Fill all of the fields in a user space lsm_ctx structure.
> + * Caller is assumed to have verified that @ctx has enough space
> + * for @context.
> + *
> + * The total length is padded to a multiple of 64 bits.
Why?
> + *
> + * Returns 0 on success, -EFAULT on a copyout error, -ENOMEM
> + * if memory can't be allocated.
> + */
> +int lsm_fill_user_ctx(struct lsm_ctx __user *ctx, void *context,
> + size_t context_size, u64 id, u64 flags)
> +{
> + struct lsm_ctx *lctx;
> + size_t locallen = ALIGN(context_size + sizeof(*lctx), 8);
Instead of the open-coded addition, since you're dealing with a flexible
array structure:
size_t locallen = ALIGN(struct_size(lctx, ctx, context_size), 8);
> + int rc = 0;
> +
> + lctx = kzalloc(locallen, GFP_KERNEL);
> + if (lctx == NULL)
> + return -ENOMEM;
> +
> + lctx->id = id;
> + lctx->flags = flags;
> + lctx->ctx_len = context_size;
> + lctx->len = locallen;
> +
> + memcpy(&lctx[1], context, context_size);
Eek, no: there is no "second struct lsm_ctx" -- this may trip memcpy
overflow checks under certain conditions. You're wanting to copy to
the flexible array at the end, so this should be explicitly performed so
the compiler knows what's going on:
memcpy(lctx->ctx, context, context_size);
> +
> + if (copy_to_user(ctx, lctx, locallen))
> + rc = -EFAULT;
> +
> + kfree(lctx);
> +
> + return rc;
> +}
> +
> /*
> * The default value of the LSM hook is defined in linux/lsm_hook_defs.h and
> * can be accessed with:
> --
> 2.39.2
>
--
Kees Cook