| Message ID | 20230629195535.2590-6-casey@schaufler-ca.com (mailing list archive) |
|---|---|
| State | Changes Requested |
| Delegated to: | Paul Moore |
| Headers | show |
| Series | LSM: Three basic syscalls | expand |
On 29/06/2023 21:55, Casey Schaufler wrote: > Create a system call to report the list of Linux Security Modules > that are active on the system. The list is provided as an array > of LSM ID numbers. > > The calling application can use this list determine what LSM > specific actions it might take. That might include choosing an > output format, determining required privilege or bypassing > security module specific behavior. > > Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> > Reviewed-by: Kees Cook <keescook@chromium.org> > Reviewed-by: Serge Hallyn <serge@hallyn.com> > --- > Documentation/userspace-api/lsm.rst | 3 +++ > include/linux/syscalls.h | 1 + > kernel/sys_ni.c | 1 + > security/lsm_syscalls.c | 39 +++++++++++++++++++++++++++++ > 4 files changed, 44 insertions(+) > > diff --git a/Documentation/userspace-api/lsm.rst b/Documentation/userspace-api/lsm.rst > index e6c3f262addc..9edae18a2688 100644 > --- a/Documentation/userspace-api/lsm.rst > +++ b/Documentation/userspace-api/lsm.rst > @@ -63,6 +63,9 @@ Get the specified security attributes of the current process > .. kernel-doc:: security/lsm_syscalls.c > :identifiers: sys_lsm_get_self_attr > > +.. kernel-doc:: security/lsm_syscalls.c > + :identifiers: sys_lsm_list_modules > + > Additional documentation > ======================== > > diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h > index 9a94c31bf6b6..ddbcc333f3c3 100644 > --- a/include/linux/syscalls.h > +++ b/include/linux/syscalls.h > @@ -1063,6 +1063,7 @@ asmlinkage long sys_lsm_get_self_attr(unsigned int attr, struct lsm_ctx *ctx, > size_t *size, __u32 flags); > asmlinkage long sys_lsm_set_self_attr(unsigned int attr, struct lsm_ctx *ctx, > size_t size, __u32 flags); > +asmlinkage long sys_lsm_list_modules(u64 *ids, size_t *size, u32 flags); > > /* > * Architecture-specific system calls > diff --git a/kernel/sys_ni.c b/kernel/sys_ni.c > index d03c78ef1562..ceb3d21a62d0 100644 > --- a/kernel/sys_ni.c > +++ b/kernel/sys_ni.c > @@ -265,6 +265,7 @@ COND_SYSCALL(mremap); > /* security/lsm_syscalls.c */ > COND_SYSCALL(lsm_get_self_attr); > COND_SYSCALL(lsm_set_self_attr); > +COND_SYSCALL(lsm_list_modules); > > /* security/keys/keyctl.c */ > COND_SYSCALL(add_key); > diff --git a/security/lsm_syscalls.c b/security/lsm_syscalls.c > index ee3881159241..f03f2d17ab49 100644 > --- a/security/lsm_syscalls.c > +++ b/security/lsm_syscalls.c > @@ -53,3 +53,42 @@ SYSCALL_DEFINE4(lsm_get_self_attr, unsigned int, attr, struct lsm_ctx __user *, > { > return security_getselfattr(attr, ctx, size, flags); > } > + > +/** > + * sys_lsm_list_modules - Return a list of the active security modules > + * @ids: the LSM module ids > + * @size: pointer to size of @ids, updated on return > + * @flags: reserved for future use, must be zero > + * > + * Returns a list of the active LSM ids. On success this function > + * returns the number of @ids array elements. This value may be zero > + * if there are no LSMs active. If @size is insufficient to contain > + * the return data -E2BIG is returned and @size is set to the minimum > + * required size. In all other cases a negative value indicating the > + * error is returned. > + */ > +SYSCALL_DEFINE3(lsm_list_modules, u64 __user *, ids, size_t __user *, size, As explained in patch 4/12, it would be more flexible to return a list of: struct lsm_entry { __u64 id; __u64 flags; }; > + u32, flags) > +{ > + size_t total_size = lsm_active_cnt * sizeof(*ids); > + size_t usize; > + int i; > + > + if (flags) > + return -EINVAL; > + > + if (get_user(usize, size)) > + return -EFAULT; > + > + if (put_user(total_size, size) != 0) > + return -EFAULT; > + > + if (usize < total_size) > + return -E2BIG; > + > + for (i = 0; i < lsm_active_cnt; i++) > + if (put_user(lsm_idlist[i]->id, ids++)) What about putting the returned fixed-size list on the stack and only call copy_to_user() once? > + return -EFAULT; > + > + return lsm_active_cnt; > +}
On 7/11/2023 8:36 AM, Mickaël Salaün wrote: > > On 29/06/2023 21:55, Casey Schaufler wrote: >> Create a system call to report the list of Linux Security Modules >> that are active on the system. The list is provided as an array >> of LSM ID numbers. >> >> The calling application can use this list determine what LSM >> specific actions it might take. That might include choosing an >> output format, determining required privilege or bypassing >> security module specific behavior. >> >> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> >> Reviewed-by: Kees Cook <keescook@chromium.org> >> Reviewed-by: Serge Hallyn <serge@hallyn.com> >> --- >> Documentation/userspace-api/lsm.rst | 3 +++ >> include/linux/syscalls.h | 1 + >> kernel/sys_ni.c | 1 + >> security/lsm_syscalls.c | 39 +++++++++++++++++++++++++++++ >> 4 files changed, 44 insertions(+) >> >> diff --git a/Documentation/userspace-api/lsm.rst >> b/Documentation/userspace-api/lsm.rst >> index e6c3f262addc..9edae18a2688 100644 >> --- a/Documentation/userspace-api/lsm.rst >> +++ b/Documentation/userspace-api/lsm.rst >> @@ -63,6 +63,9 @@ Get the specified security attributes of the >> current process >> .. kernel-doc:: security/lsm_syscalls.c >> :identifiers: sys_lsm_get_self_attr >> +.. kernel-doc:: security/lsm_syscalls.c >> + :identifiers: sys_lsm_list_modules >> + >> Additional documentation >> ======================== >> diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h >> index 9a94c31bf6b6..ddbcc333f3c3 100644 >> --- a/include/linux/syscalls.h >> +++ b/include/linux/syscalls.h >> @@ -1063,6 +1063,7 @@ asmlinkage long sys_lsm_get_self_attr(unsigned >> int attr, struct lsm_ctx *ctx, >> size_t *size, __u32 flags); >> asmlinkage long sys_lsm_set_self_attr(unsigned int attr, struct >> lsm_ctx *ctx, >> size_t size, __u32 flags); >> +asmlinkage long sys_lsm_list_modules(u64 *ids, size_t *size, u32 >> flags); >> /* >> * Architecture-specific system calls >> diff --git a/kernel/sys_ni.c b/kernel/sys_ni.c >> index d03c78ef1562..ceb3d21a62d0 100644 >> --- a/kernel/sys_ni.c >> +++ b/kernel/sys_ni.c >> @@ -265,6 +265,7 @@ COND_SYSCALL(mremap); >> /* security/lsm_syscalls.c */ >> COND_SYSCALL(lsm_get_self_attr); >> COND_SYSCALL(lsm_set_self_attr); >> +COND_SYSCALL(lsm_list_modules); >> /* security/keys/keyctl.c */ >> COND_SYSCALL(add_key); >> diff --git a/security/lsm_syscalls.c b/security/lsm_syscalls.c >> index ee3881159241..f03f2d17ab49 100644 >> --- a/security/lsm_syscalls.c >> +++ b/security/lsm_syscalls.c >> @@ -53,3 +53,42 @@ SYSCALL_DEFINE4(lsm_get_self_attr, unsigned int, >> attr, struct lsm_ctx __user *, >> { >> return security_getselfattr(attr, ctx, size, flags); >> } >> + >> +/** >> + * sys_lsm_list_modules - Return a list of the active security modules >> + * @ids: the LSM module ids >> + * @size: pointer to size of @ids, updated on return >> + * @flags: reserved for future use, must be zero >> + * >> + * Returns a list of the active LSM ids. On success this function >> + * returns the number of @ids array elements. This value may be zero >> + * if there are no LSMs active. If @size is insufficient to contain >> + * the return data -E2BIG is returned and @size is set to the minimum >> + * required size. In all other cases a negative value indicating the >> + * error is returned. >> + */ >> +SYSCALL_DEFINE3(lsm_list_modules, u64 __user *, ids, size_t __user >> *, size, > > As explained in patch 4/12, it would be more flexible to return a list > of: > > struct lsm_entry { > __u64 id; > __u64 flags; > }; Any additional information should be obtained using lsm_get_self_attr(). If there's a "flag" value if should be provided as a LSM_FLAG there. > > >> + u32, flags) >> +{ >> + size_t total_size = lsm_active_cnt * sizeof(*ids); >> + size_t usize; >> + int i; >> + >> + if (flags) >> + return -EINVAL; >> + >> + if (get_user(usize, size)) >> + return -EFAULT; >> + >> + if (put_user(total_size, size) != 0) >> + return -EFAULT; >> + >> + if (usize < total_size) >> + return -E2BIG; >> + >> + for (i = 0; i < lsm_active_cnt; i++) >> + if (put_user(lsm_idlist[i]->id, ids++)) > > What about putting the returned fixed-size list on the stack and only > call copy_to_user() once? There are objections to using the stack, doing an allocation, and doing multiple put_user() calls. I just picked one. There's usually only going to be one call, so this is the best in most cases. > > >> + return -EFAULT; >> + >> + return lsm_active_cnt; >> +}
diff --git a/Documentation/userspace-api/lsm.rst b/Documentation/userspace-api/lsm.rst index e6c3f262addc..9edae18a2688 100644 --- a/Documentation/userspace-api/lsm.rst +++ b/Documentation/userspace-api/lsm.rst @@ -63,6 +63,9 @@ Get the specified security attributes of the current process .. kernel-doc:: security/lsm_syscalls.c :identifiers: sys_lsm_get_self_attr +.. kernel-doc:: security/lsm_syscalls.c + :identifiers: sys_lsm_list_modules + Additional documentation ======================== diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h index 9a94c31bf6b6..ddbcc333f3c3 100644 --- a/include/linux/syscalls.h +++ b/include/linux/syscalls.h @@ -1063,6 +1063,7 @@ asmlinkage long sys_lsm_get_self_attr(unsigned int attr, struct lsm_ctx *ctx, size_t *size, __u32 flags); asmlinkage long sys_lsm_set_self_attr(unsigned int attr, struct lsm_ctx *ctx, size_t size, __u32 flags); +asmlinkage long sys_lsm_list_modules(u64 *ids, size_t *size, u32 flags); /* * Architecture-specific system calls diff --git a/kernel/sys_ni.c b/kernel/sys_ni.c index d03c78ef1562..ceb3d21a62d0 100644 --- a/kernel/sys_ni.c +++ b/kernel/sys_ni.c @@ -265,6 +265,7 @@ COND_SYSCALL(mremap); /* security/lsm_syscalls.c */ COND_SYSCALL(lsm_get_self_attr); COND_SYSCALL(lsm_set_self_attr); +COND_SYSCALL(lsm_list_modules); /* security/keys/keyctl.c */ COND_SYSCALL(add_key); diff --git a/security/lsm_syscalls.c b/security/lsm_syscalls.c index ee3881159241..f03f2d17ab49 100644 --- a/security/lsm_syscalls.c +++ b/security/lsm_syscalls.c @@ -53,3 +53,42 @@ SYSCALL_DEFINE4(lsm_get_self_attr, unsigned int, attr, struct lsm_ctx __user *, { return security_getselfattr(attr, ctx, size, flags); } + +/** + * sys_lsm_list_modules - Return a list of the active security modules + * @ids: the LSM module ids + * @size: pointer to size of @ids, updated on return + * @flags: reserved for future use, must be zero + * + * Returns a list of the active LSM ids. On success this function + * returns the number of @ids array elements. This value may be zero + * if there are no LSMs active. If @size is insufficient to contain + * the return data -E2BIG is returned and @size is set to the minimum + * required size. In all other cases a negative value indicating the + * error is returned. + */ +SYSCALL_DEFINE3(lsm_list_modules, u64 __user *, ids, size_t __user *, size, + u32, flags) +{ + size_t total_size = lsm_active_cnt * sizeof(*ids); + size_t usize; + int i; + + if (flags) + return -EINVAL; + + if (get_user(usize, size)) + return -EFAULT; + + if (put_user(total_size, size) != 0) + return -EFAULT; + + if (usize < total_size) + return -E2BIG; + + for (i = 0; i < lsm_active_cnt; i++) + if (put_user(lsm_idlist[i]->id, ids++)) + return -EFAULT; + + return lsm_active_cnt; +}