mbox series

[v1,0/8] LSM: Two basic syscalls

Message ID 20221025184519.13231-1-casey@schaufler-ca.com (mailing list archive)
Headers show
Series LSM: Two basic syscalls | expand

Message

Casey Schaufler Oct. 25, 2022, 6:45 p.m. UTC
Add two system calls for the Linux Security Module ABI.

lsm_self_attr() provides the security module specific attributes
that have previously been visible in the /proc/self/attr directory.
For each attribute that is set on the current process the system
call will return an LSM identifier, an attribute identifier and
the value of the attribute. The LSM and attribute identifier values
are defined in include/uapi/linux/lsm.h

lsm_module_list() provides the LSM identifiers, in order, of the
security modules that are active on the system. This has been
available in the securityfs file /sys/kernel/security/lsm.

Patch 0001 changes the LSM registration from passing the name
of the module to passing a lsm_id structure that contains the
name of the module.
Patch 0002 adds an LSM identifier number to the lsm_id structure.
Patch 0003 adds an attribute identifier to the lsm_id.
Patch 0004 adds the registered lsm_ids to a table.
Patch 0005 changes security_[gs]etprocattr() to use LSM IDs instead
of LSM names.
Patch 0006 implements lsm_self_attr().
Patch 0007 implements lsm_module_list().
Patch 0008 wires up the two syscalls.

Casey Schaufler (8):
  LSM: Identify modules by more than name
  LSM: Add an LSM identifier for external use
  LSM: Identify the process attributes for each module
  LSM: Maintain a table of LSM attribute data
  proc: Use lsmids instead of lsm names for attrs
  LSM: lsm_self_attr syscall for LSM self attributes
  LSM: Create lsm_module_list system call
  lsm: wireup syscalls lsm_self_attr and lsm_module_list

 arch/alpha/kernel/syscalls/syscall.tbl        |   2 +
 arch/arm/tools/syscall.tbl                    |   2 +
 arch/arm64/include/asm/unistd32.h             |   2 +
 arch/ia64/kernel/syscalls/syscall.tbl         |   2 +
 arch/m68k/kernel/syscalls/syscall.tbl         |   2 +
 arch/microblaze/kernel/syscalls/syscall.tbl   |   2 +
 arch/mips/kernel/syscalls/syscall_n32.tbl     |   2 +
 arch/mips/kernel/syscalls/syscall_n64.tbl     |   2 +
 arch/mips/kernel/syscalls/syscall_o32.tbl     |   2 +
 arch/parisc/kernel/syscalls/syscall.tbl       |   2 +
 arch/powerpc/kernel/syscalls/syscall.tbl      |   2 +
 arch/s390/kernel/syscalls/syscall.tbl         |   2 +
 arch/sh/kernel/syscalls/syscall.tbl           |   2 +
 arch/sparc/kernel/syscalls/syscall.tbl        |   2 +
 arch/x86/entry/syscalls/syscall_32.tbl        |   2 +
 arch/x86/entry/syscalls/syscall_64.tbl        |   2 +
 arch/xtensa/kernel/syscalls/syscall.tbl       |   2 +
 fs/proc/base.c                                |  29 +--
 fs/proc/internal.h                            |   2 +-
 include/linux/lsm_hooks.h                     |  13 +-
 include/linux/security.h                      |  28 ++-
 include/linux/syscalls.h                      |   3 +
 include/uapi/asm-generic/unistd.h             |   5 +-
 include/uapi/linux/lsm.h                      |  67 ++++++
 kernel/sys_ni.c                               |   4 +
 security/Makefile                             |   1 +
 security/apparmor/lsm.c                       |   9 +-
 security/bpf/hooks.c                          |  13 +-
 security/commoncap.c                          |   8 +-
 security/landlock/cred.c                      |   2 +-
 security/landlock/fs.c                        |   2 +-
 security/landlock/ptrace.c                    |   2 +-
 security/landlock/setup.c                     |   6 +
 security/landlock/setup.h                     |   1 +
 security/loadpin/loadpin.c                    |   9 +-
 security/lockdown/lockdown.c                  |   8 +-
 security/lsm_syscalls.c                       | 194 ++++++++++++++++++
 security/safesetid/lsm.c                      |   9 +-
 security/security.c                           |  37 +++-
 security/selinux/hooks.c                      |  11 +-
 security/smack/smack_lsm.c                    |   9 +-
 security/tomoyo/tomoyo.c                      |   9 +-
 security/yama/yama_lsm.c                      |   8 +-
 .../arch/mips/entry/syscalls/syscall_n64.tbl  |   2 +
 .../arch/powerpc/entry/syscalls/syscall.tbl   |   2 +
 .../perf/arch/s390/entry/syscalls/syscall.tbl |   2 +
 .../arch/x86/entry/syscalls/syscall_64.tbl    |   2 +
 47 files changed, 484 insertions(+), 47 deletions(-)
 create mode 100644 include/uapi/linux/lsm.h
 create mode 100644 security/lsm_syscalls.c


base-commit: 247f34f7b80357943234f93f247a1ae6b6c3a740