Re: [PATCH v15 00/11] LSM: Three basic syscalls

From: Paul Moore
Date: Sun Nov 12 2023 - 23:03:46 EST

Next message: Xiaoyao Li: "Re: [PATCH v2 2/2] KVM: selftests: Add logic to detect if ioctl() failed because VM was killed"
Previous message: John Hubbard: "Re: [PATCH v6 0/9] variable-order, large folios for anonymous memory"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Sep 12, 2023 at 4:57 PM Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:
>
> Add three system calls for the Linux Security Module ABI.
>
> lsm_get_self_attr() provides the security module specific attributes
> that have previously been visible in the /proc/self/attr directory.
> For each security module that uses the specified attribute on the
> current process the system call will return an LSM identifier and
> the value of the attribute. The LSM and attribute identifier values
> are defined in include/uapi/linux/lsm.h
>
> LSM identifiers are simple integers and reflect the order in which
> the LSM was added to the mainline kernel. This is a convention, not
> a promise of the API. LSM identifiers below the value of 100 are
> reserved for unspecified future uses. That could include information
> about the security infrastructure itself, or about how multiple LSMs
> might interact with each other.
>
> A new LSM hook security_getselfattr() is introduced to get the
> required information from the security modules. This is similar
> to the existing security_getprocattr() hook, but specifies the
> format in which string data is returned and requires the module
> to put the information into a userspace destination.
>
> lsm_set_self_attr() changes the specified LSM attribute. Only one
> attribute can be changed at a time, and then only if the specified
> security module allows the change.
>
> A new LSM hook security_setselfattr() is introduced to set the
> required information in the security modules. This is similar
> to the existing security_setprocattr() hook, but specifies the
> format in which string data is presented and requires the module
> to get the information from a userspace destination.
>
> lsm_list_modules() provides the LSM identifiers, in order, of the
> security modules that are active on the system. This has been
> available in the securityfs file /sys/kernel/security/lsm.
>
> Patch 0001 changes the LSM registration from passing the name
> of the module to passing a lsm_id structure that contains the
> name of the module, an LSM identifier number and an attribute
> identifier.
> Patch 0002 adds the registered lsm_ids to a table.
> Patch 0003 changes security_[gs]etprocattr() to use LSM IDs instead
> of LSM names.
> Patch 0004 implements lsm_get_self_attr() and lsm_set_self_attr().
> New LSM hooks security_getselfattr() and security_setselfattr() are
> defined.
> Patch 0005 implements lsm_list_modules().
> Patch 0006 wires up the syscalls.
> Patch 0007 implements helper functions to make it easier for
> security modules to use lsm_ctx structures.
> Patch 0008 provides the Smack implementation for [gs]etselfattr().
> Patch 0009 provides the AppArmor implementation for [gs]etselfattr().
> Patch 0010 provides the SELinux implementation for [gs]etselfattr().
> Patch 0011 implements selftests for the three new syscalls.
>
> https://github.com/cschaufler/lsm-stacking.git#syscalls-6.5-rc7-v14
>
> v15: Rebased on 6.6-rc1.
> Adopt suggested improvements to security_getprocattr,
> making the code easier to read.
> Squash a code fix from 0011 to 0004.
> v14: Make the handling of LSM_FLAG_SINGLE easier to understand.
> Tighten the comments and documentation.
> Better use of const, static, and __ro_after_init.
> Add selftests for LSM_FLAG_SINGLE cases.
> v13: Change the setselfattr code to do a single user copy.
> Make the self tests more robust.
> Improve use of const.
> Change syscall numbers to reflect upstream additions.
> v12: Repair a registration time overflow check.
> v11: Remove redundent alignment code
> Improve a few comments.
> Use LSM_ATTR_UNDEF in place of 0 in a few places.
> Correct a return of -EINVAL to -E2BIG.
> v10: Correct use of __user.
> Improve a few comments.
> Revert unnecessary changes in module initialization.
> v9: Support a flag LSM_FLAG_SINGLE in lsm_get_self_attr() that
> instructs the call to provide only the attribute for the LSM
> identified in the referenced lsm_ctx structure.
> Fix a typing error.
> Change some coding style.
> v8: Allow an LSM to provide more than one instance of an attribute,
> even though none of the existing modules do so.
> Pad the data returned by lsm_get_self_attr() to the size of
> the struct lsm_ctx.
> Change some displeasing varilable names.
> v7: Pass the attribute desired to lsm_[gs]et_self_attr in its own
> parameter rather than encoding it in the flags.
> Change the flags parameters to u32.
> Don't shortcut out of calling LSM specific code in the
> infrastructure, let the LSM report that doesn't support an
> attribute instead. With that it is not necessary to maintain
> a set of supported attributes in the lsm_id structure.
> Fix a typing error.
> v6: Switch from reusing security_[gs]procattr() to using new
> security_[gs]selfattr() hooks. Use explicit sized data types
> in the lsm_ctx structure.
>
> v5: Correct syscall parameter data types.
>
> v4: Restore "reserved" LSM ID values. Add explaination.
> Squash patches that introduce fields in lsm_id.
> Correct a wireup error.
>
> v3: Add lsm_set_self_attr().
> Rename lsm_self_attr() to lsm_get_self_attr().
> Provide the values only for a specifed attribute in
> lsm_get_self_attr().
> Add selftests for the three new syscalls.
> Correct some parameter checking.
>
> v2: Use user-interface safe data types.
> Remove "reserved" LSM ID values.
> Improve kerneldoc comments
> Include copyright dates
> Use more descriptive name for LSM counter
> Add documentation
> Correct wireup errors
>
> Casey Schaufler (11):
> LSM: Identify modules by more than name
> LSM: Maintain a table of LSM attribute data
> proc: Use lsmids instead of lsm names for attrs
> LSM: syscalls for current process attributes
> LSM: Create lsm_list_modules system call
> LSM: wireup Linux Security Module syscalls
> LSM: Helpers for attribute names and filling lsm_ctx
> Smack: implement setselfattr and getselfattr hooks
> AppArmor: Add selfattr hooks
> SELinux: Add selfattr hooks
> LSM: selftests for Linux Security Module syscalls
>
> Documentation/userspace-api/index.rst | 1 +
> Documentation/userspace-api/lsm.rst | 73 +++++
> MAINTAINERS | 2 +
> arch/alpha/kernel/syscalls/syscall.tbl | 3 +
> arch/arm/tools/syscall.tbl | 3 +
> arch/arm64/include/asm/unistd.h | 2 +-
> arch/arm64/include/asm/unistd32.h | 6 +
> arch/ia64/kernel/syscalls/syscall.tbl | 3 +
> arch/m68k/kernel/syscalls/syscall.tbl | 3 +
> arch/microblaze/kernel/syscalls/syscall.tbl | 3 +
> arch/mips/kernel/syscalls/syscall_n32.tbl | 3 +
> arch/mips/kernel/syscalls/syscall_n64.tbl | 3 +
> arch/mips/kernel/syscalls/syscall_o32.tbl | 3 +
> arch/parisc/kernel/syscalls/syscall.tbl | 3 +
> arch/powerpc/kernel/syscalls/syscall.tbl | 3 +
> arch/s390/kernel/syscalls/syscall.tbl | 3 +
> arch/sh/kernel/syscalls/syscall.tbl | 3 +
> arch/sparc/kernel/syscalls/syscall.tbl | 3 +
> arch/x86/entry/syscalls/syscall_32.tbl | 3 +
> arch/x86/entry/syscalls/syscall_64.tbl | 3 +
> arch/xtensa/kernel/syscalls/syscall.tbl | 3 +
> fs/proc/base.c | 29 +-
> fs/proc/internal.h | 2 +-
> include/linux/lsm_hook_defs.h | 4 +
> include/linux/lsm_hooks.h | 17 +-
> include/linux/security.h | 46 ++-
> include/linux/syscalls.h | 6 +
> include/uapi/asm-generic/unistd.h | 9 +-
> include/uapi/linux/lsm.h | 90 ++++++
> kernel/sys_ni.c | 3 +
> security/Makefile | 1 +
> security/apparmor/include/procattr.h | 2 +-
> security/apparmor/lsm.c | 99 ++++++-
> security/apparmor/procattr.c | 10 +-
> security/bpf/hooks.c | 9 +-
> security/commoncap.c | 8 +-
> security/landlock/cred.c | 2 +-
> security/landlock/fs.c | 2 +-
> security/landlock/ptrace.c | 2 +-
> security/landlock/setup.c | 6 +
> security/landlock/setup.h | 1 +
> security/loadpin/loadpin.c | 9 +-
> security/lockdown/lockdown.c | 8 +-
> security/lsm_syscalls.c | 120 ++++++++
> security/safesetid/lsm.c | 9 +-
> security/security.c | 253 +++++++++++++++-
> security/selinux/hooks.c | 143 +++++++--
> security/smack/smack_lsm.c | 103 ++++++-
> security/tomoyo/tomoyo.c | 9 +-
> security/yama/yama_lsm.c | 8 +-
> .../arch/mips/entry/syscalls/syscall_n64.tbl | 3 +
> .../arch/powerpc/entry/syscalls/syscall.tbl | 3 +
> .../perf/arch/s390/entry/syscalls/syscall.tbl | 3 +
> .../arch/x86/entry/syscalls/syscall_64.tbl | 3 +
> tools/testing/selftests/Makefile | 1 +
> tools/testing/selftests/lsm/.gitignore | 1 +
> tools/testing/selftests/lsm/Makefile | 17 ++
> tools/testing/selftests/lsm/common.c | 89 ++++++
> tools/testing/selftests/lsm/common.h | 33 +++
> tools/testing/selftests/lsm/config | 3 +
> .../selftests/lsm/lsm_get_self_attr_test.c | 275 ++++++++++++++++++
> .../selftests/lsm/lsm_list_modules_test.c | 140 +++++++++
> .../selftests/lsm/lsm_set_self_attr_test.c | 74 +++++
> 63 files changed, 1694 insertions(+), 93 deletions(-)
> create mode 100644 Documentation/userspace-api/lsm.rst
> create mode 100644 include/uapi/linux/lsm.h
> create mode 100644 security/lsm_syscalls.c
> create mode 100644 tools/testing/selftests/lsm/.gitignore
> create mode 100644 tools/testing/selftests/lsm/Makefile
> create mode 100644 tools/testing/selftests/lsm/common.c
> create mode 100644 tools/testing/selftests/lsm/common.h
> create mode 100644 tools/testing/selftests/lsm/config
> create mode 100644 tools/testing/selftests/lsm/lsm_get_self_attr_test.c
> create mode 100644 tools/testing/selftests/lsm/lsm_list_modules_test.c
> create mode 100644 tools/testing/selftests/lsm/lsm_set_self_attr_test.c

This patchset is now in lsm/dev, thanks everyone!

--
paul-moore.com

Next message: Xiaoyao Li: "Re: [PATCH v2 2/2] KVM: selftests: Add logic to detect if ioctl() failed because VM was killed"
Previous message: John Hubbard: "Re: [PATCH v6 0/9] variable-order, large folios for anonymous memory"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]