
[v5,5/8] LSM: Create lsm_module_list system call

Message ID 20230109180717.58855-6-casey@schaufler-ca.com (mailing list archive)
State Changes Requested
Delegated to: Paul Moore

Commit Message

Casey Schaufler Jan. 9, 2023, 6:07 p.m. UTC
Create a system call to report the list of Linux Security Modules
that are active on the system. The list is provided as an array
of LSM ID numbers.

The calling application can use this list to determine what LSM
specific actions it might take. That might include choosing an
output format, determining required privilege or bypassing
security module specific behavior.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
 Documentation/userspace-api/lsm.rst |  3 +++
 include/linux/syscalls.h            |  1 +
 kernel/sys_ni.c                     |  1 +
 security/lsm_syscalls.c             | 41 +++++++++++++++++++++++++++++
 4 files changed, 46 insertions(+)

Comments

Paul Moore Jan. 11, 2023, 9:07 p.m. UTC | #1
On Mon, Jan 9, 2023 at 1:09 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
>
> Create a system call to report the list of Linux Security Modules
> that are active on the system. The list is provided as an array
> of LSM ID numbers.
>
> The calling application can use this list determine what LSM
> specific actions it might take. That might include chosing an
> output format, determining required privilege or bypassing
> security module specific behavior.
>
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> ---
>  Documentation/userspace-api/lsm.rst |  3 +++
>  include/linux/syscalls.h            |  1 +
>  kernel/sys_ni.c                     |  1 +
>  security/lsm_syscalls.c             | 41 +++++++++++++++++++++++++++++
>  4 files changed, 46 insertions(+)

...

> diff --git a/security/lsm_syscalls.c b/security/lsm_syscalls.c
> index 55e8bf61ac8a..92af1fcaa654 100644
> --- a/security/lsm_syscalls.c
> +++ b/security/lsm_syscalls.c
> @@ -180,3 +180,44 @@ SYSCALL_DEFINE3(lsm_get_self_attr,
>         kfree(final);
>         return rc;
>  }
> +
> +/**
> + * sys_lsm_module_list - Return a list of the active security modules
> + * @ids: the LSM module ids
> + * @size: size of @ids, updated on return
> + * @flags: reserved for future use, must be zero
> + *
> + * Returns a list of the active LSM ids. On success this function
> + * returns the number of @ids array elements. This value may be zero
> + * if there are no LSMs active. If @size is insufficient to contain
> + * the return data -E2BIG is returned and @size is set to the minimum
> + * required size. In all other cases a negative value indicating the
> + * error is returned.
> + */
> +SYSCALL_DEFINE3(lsm_module_list,
> +               u32 __user *, ids,
> +               size_t __user *, size,
> +               u64, flags)
> +{
> +       size_t total_size = lsm_active_cnt * sizeof(*ids);
> +       size_t usize;
> +       int i;
> +
> +       if (flags)
> +               return -EINVAL;
> +
> +       if (get_user(usize, size))
> +               return -EFAULT;
> +
> +       if (put_user(total_size, size) != 0)
> +               return -EFAULT;
> +
> +       if (usize < total_size)
> +               return -E2BIG;
> +
> +       for (i = 0; i < lsm_active_cnt; i++)
> +               if (put_user(lsm_idlist[i]->id, ids++))
> +                       return -EFAULT;
> +
> +       return lsm_active_cnt;
> +}

Similar to my comments in 4/8, I would probably create a new LSM hook
for this syscall so that the lsm_ctx is passed through the LSM layer
directly to the target LSM:

  int security_sys_setselfattr(u64 attr, struct lsm_ctx __user *ctx,
size_t len);

--
paul-moore.com
Casey Schaufler Jan. 12, 2023, 1:39 a.m. UTC | #2
On 1/11/2023 1:07 PM, Paul Moore wrote:
> On Mon, Jan 9, 2023 at 1:09 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
>> Create a system call to report the list of Linux Security Modules
>> that are active on the system. The list is provided as an array
>> of LSM ID numbers.
>>
>> The calling application can use this list determine what LSM
>> specific actions it might take. That might include chosing an
>> output format, determining required privilege or bypassing
>> security module specific behavior.
>>
>> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
>> ---
>>  Documentation/userspace-api/lsm.rst |  3 +++
>>  include/linux/syscalls.h            |  1 +
>>  kernel/sys_ni.c                     |  1 +
>>  security/lsm_syscalls.c             | 41 +++++++++++++++++++++++++++++
>>  4 files changed, 46 insertions(+)
> ..
>
>> diff --git a/security/lsm_syscalls.c b/security/lsm_syscalls.c
>> index 55e8bf61ac8a..92af1fcaa654 100644
>> --- a/security/lsm_syscalls.c
>> +++ b/security/lsm_syscalls.c
>> @@ -180,3 +180,44 @@ SYSCALL_DEFINE3(lsm_get_self_attr,
>>         kfree(final);
>>         return rc;
>>  }
>> +
>> +/**
>> + * sys_lsm_module_list - Return a list of the active security modules
>> + * @ids: the LSM module ids
>> + * @size: size of @ids, updated on return
>> + * @flags: reserved for future use, must be zero
>> + *
>> + * Returns a list of the active LSM ids. On success this function
>> + * returns the number of @ids array elements. This value may be zero
>> + * if there are no LSMs active. If @size is insufficient to contain
>> + * the return data -E2BIG is returned and @size is set to the minimum
>> + * required size. In all other cases a negative value indicating the
>> + * error is returned.
>> + */
>> +SYSCALL_DEFINE3(lsm_module_list,
>> +               u32 __user *, ids,
>> +               size_t __user *, size,
>> +               u64, flags)
>> +{
>> +       size_t total_size = lsm_active_cnt * sizeof(*ids);
>> +       size_t usize;
>> +       int i;
>> +
>> +       if (flags)
>> +               return -EINVAL;
>> +
>> +       if (get_user(usize, size))
>> +               return -EFAULT;
>> +
>> +       if (put_user(total_size, size) != 0)
>> +               return -EFAULT;
>> +
>> +       if (usize < total_size)
>> +               return -E2BIG;
>> +
>> +       for (i = 0; i < lsm_active_cnt; i++)
>> +               if (put_user(lsm_idlist[i]->id, ids++))
>> +                       return -EFAULT;
>> +
>> +       return lsm_active_cnt;
>> +}
> Similar to my comments in 4/8, I would probably create a new LSM hook
> for this syscall so that the lsm_ctx is passed through the LSM layer
> directly to the target LSM:
>
>   int security_sys_setselfattr(u64 attr, struct lsm_ctx __user *ctx,
> size_t len);

That seems like a whole lot of work when you can just look it up
in an existing table.

> --
> paul-moore.com
Paul Moore Jan. 12, 2023, 9:43 p.m. UTC | #3
On Wed, Jan 11, 2023 at 8:39 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
> On 1/11/2023 1:07 PM, Paul Moore wrote:
> > On Mon, Jan 9, 2023 at 1:09 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
> >> Create a system call to report the list of Linux Security Modules
> >> that are active on the system. The list is provided as an array
> >> of LSM ID numbers.
> >>
> >> The calling application can use this list determine what LSM
> >> specific actions it might take. That might include chosing an
> >> output format, determining required privilege or bypassing
> >> security module specific behavior.
> >>
> >> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> >> ---
> >>  Documentation/userspace-api/lsm.rst |  3 +++
> >>  include/linux/syscalls.h            |  1 +
> >>  kernel/sys_ni.c                     |  1 +
> >>  security/lsm_syscalls.c             | 41 +++++++++++++++++++++++++++++
> >>  4 files changed, 46 insertions(+)
> > ..
> >
> >> diff --git a/security/lsm_syscalls.c b/security/lsm_syscalls.c
> >> index 55e8bf61ac8a..92af1fcaa654 100644
> >> --- a/security/lsm_syscalls.c
> >> +++ b/security/lsm_syscalls.c
> >> @@ -180,3 +180,44 @@ SYSCALL_DEFINE3(lsm_get_self_attr,
> >>         kfree(final);
> >>         return rc;
> >>  }
> >> +
> >> +/**
> >> + * sys_lsm_module_list - Return a list of the active security modules
> >> + * @ids: the LSM module ids
> >> + * @size: size of @ids, updated on return
> >> + * @flags: reserved for future use, must be zero
> >> + *
> >> + * Returns a list of the active LSM ids. On success this function
> >> + * returns the number of @ids array elements. This value may be zero
> >> + * if there are no LSMs active. If @size is insufficient to contain
> >> + * the return data -E2BIG is returned and @size is set to the minimum
> >> + * required size. In all other cases a negative value indicating the
> >> + * error is returned.
> >> + */
> >> +SYSCALL_DEFINE3(lsm_module_list,
> >> +               u32 __user *, ids,
> >> +               size_t __user *, size,
> >> +               u64, flags)
> >> +{
> >> +       size_t total_size = lsm_active_cnt * sizeof(*ids);
> >> +       size_t usize;
> >> +       int i;
> >> +
> >> +       if (flags)
> >> +               return -EINVAL;
> >> +
> >> +       if (get_user(usize, size))
> >> +               return -EFAULT;
> >> +
> >> +       if (put_user(total_size, size) != 0)
> >> +               return -EFAULT;
> >> +
> >> +       if (usize < total_size)
> >> +               return -E2BIG;
> >> +
> >> +       for (i = 0; i < lsm_active_cnt; i++)
> >> +               if (put_user(lsm_idlist[i]->id, ids++))
> >> +                       return -EFAULT;
> >> +
> >> +       return lsm_active_cnt;
> >> +}
> > Similar to my comments in 4/8, I would probably create a new LSM hook
> > for this syscall so that the lsm_ctx is passed through the LSM layer
> > directly to the target LSM:
> >
> >   int security_sys_setselfattr(u64 attr, struct lsm_ctx __user *ctx,
> > size_t len);
>
> That seems like a whole lot of work when you can just look it up
> in an existing table.

D'oh!  Sorry, this comment was intended for patch 6/8, the
lsm_set_self_attr() syscall patch.  I agree, it would be very silly to
have a dedicated hook for lsm_module_list() :)

Patch

diff --git a/Documentation/userspace-api/lsm.rst b/Documentation/userspace-api/lsm.rst
index 98a0c191b499..e342d75b99ab 100644
--- a/Documentation/userspace-api/lsm.rst
+++ b/Documentation/userspace-api/lsm.rst
@@ -57,6 +57,9 @@  Get the security attributes of the current process
 .. kernel-doc:: security/lsm_syscalls.c
     :identifiers: sys_lsm_get_self_attr
 
+.. kernel-doc:: security/lsm_syscalls.c
+    :identifiers: sys_lsm_module_list
+
 Additional documentation
 ========================
 
diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
index a89205c70ffa..9eb4cb6bbeb1 100644
--- a/include/linux/syscalls.h
+++ b/include/linux/syscalls.h
@@ -1061,6 +1061,7 @@  asmlinkage long sys_set_mempolicy_home_node(unsigned long start, unsigned long l
 					    unsigned long flags);
 asmlinkage long sys_lsm_get_self_attr(struct lsm_ctx *ctx, size_t *size,
 				      int flags);
+asmlinkage long sys_lsm_module_list(u32 *ids, size_t *size, int flags);
 
 /*
  * Architecture-specific system calls
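Review bot: The prototype added on the new line declares `int flags`, but the definition in the security/lsm_syscalls.c hunk below is `SYSCALL_DEFINE3(lsm_module_list, ..., u64, flags)`, so the declaration and the definition disagree on the type of the third argument. The new line also drops the `__user` annotations that the definition carries on `ids` and `size`, which keeps sparse from checking the pointers at the declaration; the neighbouring `sys_lsm_get_self_attr` prototype has the same shape, so this may be a series-wide convention, but its definition is not visible here. I would make the declaration match the definition: `asmlinkage long sys_lsm_module_list(u32 __user *ids, size_t __user *size, u64 flags);`.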
diff --git a/kernel/sys_ni.c b/kernel/sys_ni.c
index 7b2513d5605d..af1fd28c0420 100644
--- a/kernel/sys_ni.c
+++ b/kernel/sys_ni.c
@@ -264,6 +264,7 @@  COND_SYSCALL(mremap);
 
 /* security/lsm_syscalls.c */
 COND_SYSCALL(lsm_get_self_attr);
+COND_SYSCALL(lsm_module_list);
 
 /* security/keys/keyctl.c */
 COND_SYSCALL(add_key);
diff --git a/security/lsm_syscalls.c b/security/lsm_syscalls.c
index 55e8bf61ac8a..92af1fcaa654 100644
--- a/security/lsm_syscalls.c
+++ b/security/lsm_syscalls.c
@@ -180,3 +180,44 @@  SYSCALL_DEFINE3(lsm_get_self_attr,
 	kfree(final);
 	return rc;
 }
+
+/**
+ * sys_lsm_module_list - Return a list of the active security modules
+ * @ids: the LSM module ids
+ * @size: size of @ids, updated on return
+ * @flags: reserved for future use, must be zero
+ *
+ * Returns a list of the active LSM ids. On success this function
+ * returns the number of @ids array elements. This value may be zero
+ * if there are no LSMs active. If @size is insufficient to contain
+ * the return data -E2BIG is returned and @size is set to the minimum
+ * required size. In all other cases a negative value indicating the
+ * error is returned.
+ */
+SYSCALL_DEFINE3(lsm_module_list,
+		u32 __user *, ids,
+		size_t __user *, size,
+		u64, flags)
+{
+	size_t total_size = lsm_active_cnt * sizeof(*ids);
+	size_t usize;
+	int i;
+
+	if (flags)
+		return -EINVAL;
+
+	if (get_user(usize, size))
+		return -EFAULT;
+
+	if (put_user(total_size, size) != 0)
+		return -EFAULT;
+
+	if (usize < total_size)
+		return -E2BIG;
+
+	for (i = 0; i < lsm_active_cnt; i++)
+		if (put_user(lsm_idlist[i]->id, ids++))
+			return -EFAULT;
+
+	return lsm_active_cnt;
+}
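Review bot: The kerneldoc never states the unit of @size, yet the code treats it as a byte count (`total_size = lsm_active_cnt * sizeof(*ids)` is what is compared against `usize` and written back) while the success return value is an element count (`return lsm_active_cnt`); a caller comparing the two will be off by a factor of `sizeof(u32)`. I would document both explicitly, e.g. `@size: size of the @ids buffer in bytes; set to the required size on success and on -E2BIG` and `Returns the number of entries written to @ids`, since the `put_user(total_size, size)` on the new lines runs before the `-E2BIG` check and so updates @size on both paths. The loop index `i` is an `int` compared against `lsm_active_cnt`, whose type is not visible in this hunk; if that counter is unsigned the comparison is mixed-sign and `-Wsign-compare` will flag it, so using the same type for `i` would be safer. The `SYSCALL_DEFINE3` body is complete within the hunk; only the tail of `lsm_get_self_attr` above it is cut.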