| Message ID | 20230912205658.3432-6-casey@schaufler-ca.com (mailing list archive) |
|---|---|
| State | Accepted |
| Delegated to: | Paul Moore |
| Headers | show |
| Series | LSM: Three basic syscalls | expand |
On Tue, Sep 12, 2023 at 01:56:50PM -0700, Casey Schaufler wrote: > Create a system call to report the list of Linux Security Modules > that are active on the system. The list is provided as an array > of LSM ID numbers. > > The calling application can use this list determine what LSM > specific actions it might take. That might include choosing an > output format, determining required privilege or bypassing > security module specific behavior. > > Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> > Reviewed-by: Kees Cook <keescook@chromium.org> > Reviewed-by: Serge Hallyn <serge@hallyn.com> > Reviewed-by: John Johansen <john.johansen@canonical.com> Reviewed-by: Mickaël Salaün <mic@digikod.net> > --- > Documentation/userspace-api/lsm.rst | 3 +++ > include/linux/syscalls.h | 1 + > kernel/sys_ni.c | 1 + > security/lsm_syscalls.c | 39 +++++++++++++++++++++++++++++ > 4 files changed, 44 insertions(+) > > diff --git a/Documentation/userspace-api/lsm.rst b/Documentation/userspace-api/lsm.rst > index f8499f3e2826..a76da373841b 100644 > --- a/Documentation/userspace-api/lsm.rst > +++ b/Documentation/userspace-api/lsm.rst > @@ -63,6 +63,9 @@ Get the specified security attributes of the current process > .. kernel-doc:: security/lsm_syscalls.c > :identifiers: sys_lsm_get_self_attr > > +.. kernel-doc:: security/lsm_syscalls.c > + :identifiers: sys_lsm_list_modules > + > Additional documentation > ======================== > > diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h > index 8637287bd39d..323ef5e2667d 100644 > --- a/include/linux/syscalls.h > +++ b/include/linux/syscalls.h > @@ -945,6 +945,7 @@ asmlinkage long sys_lsm_get_self_attr(unsigned int attr, struct lsm_ctx *ctx, > size_t *size, __u32 flags); > asmlinkage long sys_lsm_set_self_attr(unsigned int attr, struct lsm_ctx *ctx, > size_t size, __u32 flags); > +asmlinkage long sys_lsm_list_modules(u64 *ids, size_t *size, u32 flags); > > /* > * Architecture-specific system calls > diff --git a/kernel/sys_ni.c b/kernel/sys_ni.c > index f81f2468c0ce..738ca470fcce 100644 > --- a/kernel/sys_ni.c > +++ b/kernel/sys_ni.c > @@ -172,6 +172,7 @@ COND_SYSCALL(fadvise64_64); > COND_SYSCALL_COMPAT(fadvise64_64); > COND_SYSCALL(lsm_get_self_attr); > COND_SYSCALL(lsm_set_self_attr); > +COND_SYSCALL(lsm_list_modules); > > /* CONFIG_MMU only */ > COND_SYSCALL(swapon); > diff --git a/security/lsm_syscalls.c b/security/lsm_syscalls.c > index 226ae80d9683..329aaca5efc0 100644 > --- a/security/lsm_syscalls.c > +++ b/security/lsm_syscalls.c > @@ -55,3 +55,42 @@ SYSCALL_DEFINE4(lsm_get_self_attr, unsigned int, attr, struct lsm_ctx __user *, > { > return security_getselfattr(attr, ctx, size, flags); > } > + > +/** > + * sys_lsm_list_modules - Return a list of the active security modules > + * @ids: the LSM module ids > + * @size: pointer to size of @ids, updated on return > + * @flags: reserved for future use, must be zero > + * > + * Returns a list of the active LSM ids. On success this function > + * returns the number of @ids array elements. This value may be zero > + * if there are no LSMs active. If @size is insufficient to contain > + * the return data -E2BIG is returned and @size is set to the minimum > + * required size. In all other cases a negative value indicating the > + * error is returned. > + */ > +SYSCALL_DEFINE3(lsm_list_modules, u64 __user *, ids, size_t __user *, size, > + u32, flags) > +{ > + size_t total_size = lsm_active_cnt * sizeof(*ids); > + size_t usize; > + int i; > + > + if (flags) > + return -EINVAL; > + > + if (get_user(usize, size)) > + return -EFAULT; > + > + if (put_user(total_size, size) != 0) > + return -EFAULT; > + > + if (usize < total_size) > + return -E2BIG; > + > + for (i = 0; i < lsm_active_cnt; i++) > + if (put_user(lsm_idlist[i]->id, ids++)) > + return -EFAULT; > + > + return lsm_active_cnt; > +} > -- > 2.41.0 >
Hi, On Tue, Sep 12, 2023 at 01:56:50PM -0700, Casey Schaufler wrote: [...] > --- a/security/lsm_syscalls.c > +++ b/security/lsm_syscalls.c > @@ -55,3 +55,42 @@ SYSCALL_DEFINE4(lsm_get_self_attr, unsigned int, attr, struct lsm_ctx __user *, > { > return security_getselfattr(attr, ctx, size, flags); > } > + > +/** > + * sys_lsm_list_modules - Return a list of the active security modules > + * @ids: the LSM module ids > + * @size: pointer to size of @ids, updated on return > + * @flags: reserved for future use, must be zero > + * > + * Returns a list of the active LSM ids. On success this function > + * returns the number of @ids array elements. This value may be zero > + * if there are no LSMs active. If @size is insufficient to contain > + * the return data -E2BIG is returned and @size is set to the minimum > + * required size. In all other cases a negative value indicating the > + * error is returned. > + */ > +SYSCALL_DEFINE3(lsm_list_modules, u64 __user *, ids, size_t __user *, size, > + u32, flags) I'm sorry but the size of userspace size_t is different from the kernel one on 32-bit compat architectures. Looks like there has to be a COMPAT_SYSCALL_DEFINE3(lsm_list_modules, ...) now. Other two added lsm syscalls also have this issue.
On Tue, Mar 12, 2024 at 6:16 AM Dmitry V. Levin <ldv@strace.io> wrote: > On Tue, Sep 12, 2023 at 01:56:50PM -0700, Casey Schaufler wrote: > [...] > > --- a/security/lsm_syscalls.c > > +++ b/security/lsm_syscalls.c > > @@ -55,3 +55,42 @@ SYSCALL_DEFINE4(lsm_get_self_attr, unsigned int, attr, struct lsm_ctx __user *, > > { > > return security_getselfattr(attr, ctx, size, flags); > > } > > + > > +/** > > + * sys_lsm_list_modules - Return a list of the active security modules > > + * @ids: the LSM module ids > > + * @size: pointer to size of @ids, updated on return > > + * @flags: reserved for future use, must be zero > > + * > > + * Returns a list of the active LSM ids. On success this function > > + * returns the number of @ids array elements. This value may be zero > > + * if there are no LSMs active. If @size is insufficient to contain > > + * the return data -E2BIG is returned and @size is set to the minimum > > + * required size. In all other cases a negative value indicating the > > + * error is returned. > > + */ > > +SYSCALL_DEFINE3(lsm_list_modules, u64 __user *, ids, size_t __user *, size, > > + u32, flags) > > I'm sorry but the size of userspace size_t is different from the kernel one > on 32-bit compat architectures. D'oh, yes, thanks for pointing that out. It would have been nice to have caught that before v6.8 was released, but I guess it's better than later. > Looks like there has to be a COMPAT_SYSCALL_DEFINE3(lsm_list_modules, ...) > now. Other two added lsm syscalls also have this issue. Considering that Linux v6.8, and by extension these syscalls, are only a few days old, I think I'd rather see us just modify the syscalls and avoid the compat baggage. I'm going to be shocked if anyone has shifted to using the new syscalls yet, and even if they have (!!), moving from a "size_t" type to a "u64" should be mostly transparent for the majority of native 64-bit systems. Those running the absolute latest kernels on 32-bit systems with custom or bleeding edge userspace *may* see a slight hiccup, but I think that user count is in the single digits, if not zero. Let's fix this quickly with /size_t/u64/ in v6.8.1 and avoid the compat shim if we can. Casey, do you have time to put together a patch for this (you should fix the call chains below the syscalls too)? If not, please let me know and I'll get a patch out ASAP. Thanks all.
On 3/12/2024 6:25 AM, Paul Moore wrote: > On Tue, Mar 12, 2024 at 6:16 AM Dmitry V. Levin <ldv@strace.io> wrote: >> On Tue, Sep 12, 2023 at 01:56:50PM -0700, Casey Schaufler wrote: >> [...] >>> --- a/security/lsm_syscalls.c >>> +++ b/security/lsm_syscalls.c >>> @@ -55,3 +55,42 @@ SYSCALL_DEFINE4(lsm_get_self_attr, unsigned int, attr, struct lsm_ctx __user *, >>> { >>> return security_getselfattr(attr, ctx, size, flags); >>> } >>> + >>> +/** >>> + * sys_lsm_list_modules - Return a list of the active security modules >>> + * @ids: the LSM module ids >>> + * @size: pointer to size of @ids, updated on return >>> + * @flags: reserved for future use, must be zero >>> + * >>> + * Returns a list of the active LSM ids. On success this function >>> + * returns the number of @ids array elements. This value may be zero >>> + * if there are no LSMs active. If @size is insufficient to contain >>> + * the return data -E2BIG is returned and @size is set to the minimum >>> + * required size. In all other cases a negative value indicating the >>> + * error is returned. >>> + */ >>> +SYSCALL_DEFINE3(lsm_list_modules, u64 __user *, ids, size_t __user *, size, >>> + u32, flags) >> I'm sorry but the size of userspace size_t is different from the kernel one >> on 32-bit compat architectures. > D'oh, yes, thanks for pointing that out. It would have been nice to > have caught that before v6.8 was released, but I guess it's better > than later. > >> Looks like there has to be a COMPAT_SYSCALL_DEFINE3(lsm_list_modules, ...) >> now. Other two added lsm syscalls also have this issue. > Considering that Linux v6.8, and by extension these syscalls, are only > a few days old, I think I'd rather see us just modify the syscalls and > avoid the compat baggage. I'm going to be shocked if anyone has > shifted to using the new syscalls yet, and even if they have (!!), > moving from a "size_t" type to a "u64" should be mostly transparent > for the majority of native 64-bit systems. Those running the absolute > latest kernels on 32-bit systems with custom or bleeding edge > userspace *may* see a slight hiccup, but I think that user count is in > the single digits, if not zero. > > Let's fix this quickly with /size_t/u64/ in v6.8.1 and avoid the > compat shim if we can. > > Casey, do you have time to put together a patch for this (you should > fix the call chains below the syscalls too)? If not, please let me > know and I'll get a patch out ASAP. Grumble. Yes, I'll get right on it. > > Thanks all. >
On Tue, Mar 12, 2024 at 11:27 AM Casey Schaufler <casey@schaufler-ca.com> wrote: > On 3/12/2024 6:25 AM, Paul Moore wrote: > > On Tue, Mar 12, 2024 at 6:16 AM Dmitry V. Levin <ldv@strace.io> wrote: > >> On Tue, Sep 12, 2023 at 01:56:50PM -0700, Casey Schaufler wrote: > >> [...] > >>> --- a/security/lsm_syscalls.c > >>> +++ b/security/lsm_syscalls.c > >>> @@ -55,3 +55,42 @@ SYSCALL_DEFINE4(lsm_get_self_attr, unsigned int, attr, struct lsm_ctx __user *, > >>> { > >>> return security_getselfattr(attr, ctx, size, flags); > >>> } > >>> + > >>> +/** > >>> + * sys_lsm_list_modules - Return a list of the active security modules > >>> + * @ids: the LSM module ids > >>> + * @size: pointer to size of @ids, updated on return > >>> + * @flags: reserved for future use, must be zero > >>> + * > >>> + * Returns a list of the active LSM ids. On success this function > >>> + * returns the number of @ids array elements. This value may be zero > >>> + * if there are no LSMs active. If @size is insufficient to contain > >>> + * the return data -E2BIG is returned and @size is set to the minimum > >>> + * required size. In all other cases a negative value indicating the > >>> + * error is returned. > >>> + */ > >>> +SYSCALL_DEFINE3(lsm_list_modules, u64 __user *, ids, size_t __user *, size, > >>> + u32, flags) > >> I'm sorry but the size of userspace size_t is different from the kernel one > >> on 32-bit compat architectures. > > D'oh, yes, thanks for pointing that out. It would have been nice to > > have caught that before v6.8 was released, but I guess it's better > > than later. > > > >> Looks like there has to be a COMPAT_SYSCALL_DEFINE3(lsm_list_modules, ...) > >> now. Other two added lsm syscalls also have this issue. > > Considering that Linux v6.8, and by extension these syscalls, are only > > a few days old, I think I'd rather see us just modify the syscalls and > > avoid the compat baggage. I'm going to be shocked if anyone has > > shifted to using the new syscalls yet, and even if they have (!!), > > moving from a "size_t" type to a "u64" should be mostly transparent > > for the majority of native 64-bit systems. Those running the absolute > > latest kernels on 32-bit systems with custom or bleeding edge > > userspace *may* see a slight hiccup, but I think that user count is in > > the single digits, if not zero. > > > > Let's fix this quickly with /size_t/u64/ in v6.8.1 and avoid the > > compat shim if we can. > > > > Casey, do you have time to put together a patch for this (you should > > fix the call chains below the syscalls too)? If not, please let me > > know and I'll get a patch out ASAP. > > Grumble. Yes, I'll get right on it. Great, thanks Casey.
On 3/12/2024 10:06 AM, Paul Moore wrote: > On Tue, Mar 12, 2024 at 11:27 AM Casey Schaufler <casey@schaufler-ca.com> wrote: >> On 3/12/2024 6:25 AM, Paul Moore wrote: >>> On Tue, Mar 12, 2024 at 6:16 AM Dmitry V. Levin <ldv@strace.io> wrote: >>>> On Tue, Sep 12, 2023 at 01:56:50PM -0700, Casey Schaufler wrote: >>>> [...] >>>>> --- a/security/lsm_syscalls.c >>>>> +++ b/security/lsm_syscalls.c >>>>> @@ -55,3 +55,42 @@ SYSCALL_DEFINE4(lsm_get_self_attr, unsigned int, attr, struct lsm_ctx __user *, >>>>> { >>>>> return security_getselfattr(attr, ctx, size, flags); >>>>> } >>>>> + >>>>> +/** >>>>> + * sys_lsm_list_modules - Return a list of the active security modules >>>>> + * @ids: the LSM module ids >>>>> + * @size: pointer to size of @ids, updated on return >>>>> + * @flags: reserved for future use, must be zero >>>>> + * >>>>> + * Returns a list of the active LSM ids. On success this function >>>>> + * returns the number of @ids array elements. This value may be zero >>>>> + * if there are no LSMs active. If @size is insufficient to contain >>>>> + * the return data -E2BIG is returned and @size is set to the minimum >>>>> + * required size. In all other cases a negative value indicating the >>>>> + * error is returned. >>>>> + */ >>>>> +SYSCALL_DEFINE3(lsm_list_modules, u64 __user *, ids, size_t __user *, size, >>>>> + u32, flags) >>>> I'm sorry but the size of userspace size_t is different from the kernel one >>>> on 32-bit compat architectures. >>> D'oh, yes, thanks for pointing that out. It would have been nice to >>> have caught that before v6.8 was released, but I guess it's better >>> than later. >>> >>>> Looks like there has to be a COMPAT_SYSCALL_DEFINE3(lsm_list_modules, ..) >>>> now. Other two added lsm syscalls also have this issue. >>> Considering that Linux v6.8, and by extension these syscalls, are only >>> a few days old, I think I'd rather see us just modify the syscalls and >>> avoid the compat baggage. I'm going to be shocked if anyone has >>> shifted to using the new syscalls yet, and even if they have (!!), >>> moving from a "size_t" type to a "u64" should be mostly transparent >>> for the majority of native 64-bit systems. Those running the absolute >>> latest kernels on 32-bit systems with custom or bleeding edge >>> userspace *may* see a slight hiccup, but I think that user count is in >>> the single digits, if not zero. >>> >>> Let's fix this quickly with /size_t/u64/ in v6.8.1 and avoid the >>> compat shim if we can. >>> >>> Casey, do you have time to put together a patch for this (you should >>> fix the call chains below the syscalls too)? If not, please let me >>> know and I'll get a patch out ASAP. >> Grumble. Yes, I'll get right on it. > Great, thanks Casey. Look like lsm_get_self_attr() needs the same change. lsm_set_self_attr() doesn't, need it, but I'm tempted to change it as well for consistency. Thoughts? >
On Tue, Mar 12, 2024 at 1:44 PM Casey Schaufler <casey@schaufler-ca.com> wrote: > On 3/12/2024 10:06 AM, Paul Moore wrote: > > On Tue, Mar 12, 2024 at 11:27 AM Casey Schaufler <casey@schaufler-ca.com> wrote: > >> On 3/12/2024 6:25 AM, Paul Moore wrote: > >>> On Tue, Mar 12, 2024 at 6:16 AM Dmitry V. Levin <ldv@strace.io> wrote: > >>>> On Tue, Sep 12, 2023 at 01:56:50PM -0700, Casey Schaufler wrote: > >>>> [...] > >>>>> --- a/security/lsm_syscalls.c > >>>>> +++ b/security/lsm_syscalls.c > >>>>> @@ -55,3 +55,42 @@ SYSCALL_DEFINE4(lsm_get_self_attr, unsigned int, attr, struct lsm_ctx __user *, > >>>>> { > >>>>> return security_getselfattr(attr, ctx, size, flags); > >>>>> } > >>>>> + > >>>>> +/** > >>>>> + * sys_lsm_list_modules - Return a list of the active security modules > >>>>> + * @ids: the LSM module ids > >>>>> + * @size: pointer to size of @ids, updated on return > >>>>> + * @flags: reserved for future use, must be zero > >>>>> + * > >>>>> + * Returns a list of the active LSM ids. On success this function > >>>>> + * returns the number of @ids array elements. This value may be zero > >>>>> + * if there are no LSMs active. If @size is insufficient to contain > >>>>> + * the return data -E2BIG is returned and @size is set to the minimum > >>>>> + * required size. In all other cases a negative value indicating the > >>>>> + * error is returned. > >>>>> + */ > >>>>> +SYSCALL_DEFINE3(lsm_list_modules, u64 __user *, ids, size_t __user *, size, > >>>>> + u32, flags) > >>>> I'm sorry but the size of userspace size_t is different from the kernel one > >>>> on 32-bit compat architectures. > >>> D'oh, yes, thanks for pointing that out. It would have been nice to > >>> have caught that before v6.8 was released, but I guess it's better > >>> than later. > >>> > >>>> Looks like there has to be a COMPAT_SYSCALL_DEFINE3(lsm_list_modules, ..) > >>>> now. Other two added lsm syscalls also have this issue. > >>> Considering that Linux v6.8, and by extension these syscalls, are only > >>> a few days old, I think I'd rather see us just modify the syscalls and > >>> avoid the compat baggage. I'm going to be shocked if anyone has > >>> shifted to using the new syscalls yet, and even if they have (!!), > >>> moving from a "size_t" type to a "u64" should be mostly transparent > >>> for the majority of native 64-bit systems. Those running the absolute > >>> latest kernels on 32-bit systems with custom or bleeding edge > >>> userspace *may* see a slight hiccup, but I think that user count is in > >>> the single digits, if not zero. > >>> > >>> Let's fix this quickly with /size_t/u64/ in v6.8.1 and avoid the > >>> compat shim if we can. > >>> > >>> Casey, do you have time to put together a patch for this (you should > >>> fix the call chains below the syscalls too)? If not, please let me > >>> know and I'll get a patch out ASAP. > >> Grumble. Yes, I'll get right on it. > > Great, thanks Casey. > > Look like lsm_get_self_attr() needs the same change. lsm_set_self_attr() > doesn't, need it, but I'm tempted to change it as well for consistency. > Thoughts? I'd suggest changing both.
On Tue, Mar 12, 2024 at 10:44:38AM -0700, Casey Schaufler wrote: > On 3/12/2024 10:06 AM, Paul Moore wrote: > > On Tue, Mar 12, 2024 at 11:27 AM Casey Schaufler <casey@schaufler-ca.com> wrote: > >> On 3/12/2024 6:25 AM, Paul Moore wrote: > >>> On Tue, Mar 12, 2024 at 6:16 AM Dmitry V. Levin <ldv@strace.io> wrote: > >>>> On Tue, Sep 12, 2023 at 01:56:50PM -0700, Casey Schaufler wrote: > >>>> [...] > >>>>> --- a/security/lsm_syscalls.c > >>>>> +++ b/security/lsm_syscalls.c > >>>>> @@ -55,3 +55,42 @@ SYSCALL_DEFINE4(lsm_get_self_attr, unsigned int, attr, struct lsm_ctx __user *, > >>>>> { > >>>>> return security_getselfattr(attr, ctx, size, flags); > >>>>> } > >>>>> + > >>>>> +/** > >>>>> + * sys_lsm_list_modules - Return a list of the active security modules > >>>>> + * @ids: the LSM module ids > >>>>> + * @size: pointer to size of @ids, updated on return > >>>>> + * @flags: reserved for future use, must be zero > >>>>> + * > >>>>> + * Returns a list of the active LSM ids. On success this function > >>>>> + * returns the number of @ids array elements. This value may be zero > >>>>> + * if there are no LSMs active. If @size is insufficient to contain > >>>>> + * the return data -E2BIG is returned and @size is set to the minimum > >>>>> + * required size. In all other cases a negative value indicating the > >>>>> + * error is returned. > >>>>> + */ > >>>>> +SYSCALL_DEFINE3(lsm_list_modules, u64 __user *, ids, size_t __user *, size, > >>>>> + u32, flags) > >>>> I'm sorry but the size of userspace size_t is different from the kernel one > >>>> on 32-bit compat architectures. > >>> D'oh, yes, thanks for pointing that out. It would have been nice to > >>> have caught that before v6.8 was released, but I guess it's better > >>> than later. > >>> > >>>> Looks like there has to be a COMPAT_SYSCALL_DEFINE3(lsm_list_modules, ..) > >>>> now. Other two added lsm syscalls also have this issue. > >>> Considering that Linux v6.8, and by extension these syscalls, are only > >>> a few days old, I think I'd rather see us just modify the syscalls and > >>> avoid the compat baggage. I'm going to be shocked if anyone has > >>> shifted to using the new syscalls yet, and even if they have (!!), > >>> moving from a "size_t" type to a "u64" should be mostly transparent > >>> for the majority of native 64-bit systems. Those running the absolute > >>> latest kernels on 32-bit systems with custom or bleeding edge > >>> userspace *may* see a slight hiccup, but I think that user count is in > >>> the single digits, if not zero. > >>> > >>> Let's fix this quickly with /size_t/u64/ in v6.8.1 and avoid the > >>> compat shim if we can. > >>> > >>> Casey, do you have time to put together a patch for this (you should > >>> fix the call chains below the syscalls too)? If not, please let me > >>> know and I'll get a patch out ASAP. > >> Grumble. Yes, I'll get right on it. > > Great, thanks Casey. > > Look like lsm_get_self_attr() needs the same change. lsm_set_self_attr() > doesn't, need it, but I'm tempted to change it as well for consistency. > Thoughts? As lsm_get_self_attr() has the same issue, it needs the same treatment. lsm_set_self_attr() could be left unchanged. In fact, changing the type of syscall arguments from size_t to an explicit 64-bit type would be problematic because 32-bit syscalls cannot have 64-bit arguments.
On Tue, Mar 12, 2024 at 08:28:20PM +0200, Dmitry V. Levin wrote: > On Tue, Mar 12, 2024 at 10:44:38AM -0700, Casey Schaufler wrote: > > On 3/12/2024 10:06 AM, Paul Moore wrote: > > > On Tue, Mar 12, 2024 at 11:27 AM Casey Schaufler <casey@schaufler-ca.com> wrote: > > >> On 3/12/2024 6:25 AM, Paul Moore wrote: > > >>> On Tue, Mar 12, 2024 at 6:16 AM Dmitry V. Levin <ldv@strace.io> wrote: > > >>>> On Tue, Sep 12, 2023 at 01:56:50PM -0700, Casey Schaufler wrote: > > >>>> [...] > > >>>>> --- a/security/lsm_syscalls.c > > >>>>> +++ b/security/lsm_syscalls.c > > >>>>> @@ -55,3 +55,42 @@ SYSCALL_DEFINE4(lsm_get_self_attr, unsigned int, attr, struct lsm_ctx __user *, > > >>>>> { > > >>>>> return security_getselfattr(attr, ctx, size, flags); > > >>>>> } > > >>>>> + > > >>>>> +/** > > >>>>> + * sys_lsm_list_modules - Return a list of the active security modules > > >>>>> + * @ids: the LSM module ids > > >>>>> + * @size: pointer to size of @ids, updated on return > > >>>>> + * @flags: reserved for future use, must be zero > > >>>>> + * > > >>>>> + * Returns a list of the active LSM ids. On success this function > > >>>>> + * returns the number of @ids array elements. This value may be zero > > >>>>> + * if there are no LSMs active. If @size is insufficient to contain > > >>>>> + * the return data -E2BIG is returned and @size is set to the minimum > > >>>>> + * required size. In all other cases a negative value indicating the > > >>>>> + * error is returned. > > >>>>> + */ > > >>>>> +SYSCALL_DEFINE3(lsm_list_modules, u64 __user *, ids, size_t __user *, size, > > >>>>> + u32, flags) > > >>>> I'm sorry but the size of userspace size_t is different from the kernel one > > >>>> on 32-bit compat architectures. > > >>> D'oh, yes, thanks for pointing that out. It would have been nice to > > >>> have caught that before v6.8 was released, but I guess it's better > > >>> than later. > > >>> > > >>>> Looks like there has to be a COMPAT_SYSCALL_DEFINE3(lsm_list_modules, ..) > > >>>> now. Other two added lsm syscalls also have this issue. > > >>> Considering that Linux v6.8, and by extension these syscalls, are only > > >>> a few days old, I think I'd rather see us just modify the syscalls and > > >>> avoid the compat baggage. I'm going to be shocked if anyone has > > >>> shifted to using the new syscalls yet, and even if they have (!!), > > >>> moving from a "size_t" type to a "u64" should be mostly transparent > > >>> for the majority of native 64-bit systems. Those running the absolute > > >>> latest kernels on 32-bit systems with custom or bleeding edge > > >>> userspace *may* see a slight hiccup, but I think that user count is in > > >>> the single digits, if not zero. > > >>> > > >>> Let's fix this quickly with /size_t/u64/ in v6.8.1 and avoid the > > >>> compat shim if we can. > > >>> > > >>> Casey, do you have time to put together a patch for this (you should > > >>> fix the call chains below the syscalls too)? If not, please let me > > >>> know and I'll get a patch out ASAP. > > >> Grumble. Yes, I'll get right on it. > > > Great, thanks Casey. > > > > Look like lsm_get_self_attr() needs the same change. lsm_set_self_attr() > > doesn't, need it, but I'm tempted to change it as well for consistency. > > Thoughts? > > As lsm_get_self_attr() has the same issue, it needs the same treatment. > > lsm_set_self_attr() could be left unchanged. In fact, changing the type > of syscall arguments from size_t to an explicit 64-bit type would be > problematic because 32-bit syscalls cannot have 64-bit arguments. Using u32 should be totally fine for both. Nearly ever kernel internal limits sizes to INT_MAX anyway. :)
On 3/12/2024 2:50 PM, Kees Cook wrote: > On Tue, Mar 12, 2024 at 08:28:20PM +0200, Dmitry V. Levin wrote: >> On Tue, Mar 12, 2024 at 10:44:38AM -0700, Casey Schaufler wrote: >>> On 3/12/2024 10:06 AM, Paul Moore wrote: >>>> On Tue, Mar 12, 2024 at 11:27 AM Casey Schaufler <casey@schaufler-ca.com> wrote: >>>>> On 3/12/2024 6:25 AM, Paul Moore wrote: >>>>>> On Tue, Mar 12, 2024 at 6:16 AM Dmitry V. Levin <ldv@strace.io> wrote: >>>>>>> On Tue, Sep 12, 2023 at 01:56:50PM -0700, Casey Schaufler wrote: >>>>>>> [...] >>>>>>>> --- a/security/lsm_syscalls.c >>>>>>>> +++ b/security/lsm_syscalls.c >>>>>>>> @@ -55,3 +55,42 @@ SYSCALL_DEFINE4(lsm_get_self_attr, unsigned int, attr, struct lsm_ctx __user *, >>>>>>>> { >>>>>>>> return security_getselfattr(attr, ctx, size, flags); >>>>>>>> } >>>>>>>> + >>>>>>>> +/** >>>>>>>> + * sys_lsm_list_modules - Return a list of the active security modules >>>>>>>> + * @ids: the LSM module ids >>>>>>>> + * @size: pointer to size of @ids, updated on return >>>>>>>> + * @flags: reserved for future use, must be zero >>>>>>>> + * >>>>>>>> + * Returns a list of the active LSM ids. On success this function >>>>>>>> + * returns the number of @ids array elements. This value may be zero >>>>>>>> + * if there are no LSMs active. If @size is insufficient to contain >>>>>>>> + * the return data -E2BIG is returned and @size is set to the minimum >>>>>>>> + * required size. In all other cases a negative value indicating the >>>>>>>> + * error is returned. >>>>>>>> + */ >>>>>>>> +SYSCALL_DEFINE3(lsm_list_modules, u64 __user *, ids, size_t __user *, size, >>>>>>>> + u32, flags) >>>>>>> I'm sorry but the size of userspace size_t is different from the kernel one >>>>>>> on 32-bit compat architectures. >>>>>> D'oh, yes, thanks for pointing that out. It would have been nice to >>>>>> have caught that before v6.8 was released, but I guess it's better >>>>>> than later. >>>>>> >>>>>>> Looks like there has to be a COMPAT_SYSCALL_DEFINE3(lsm_list_modules, ..) >>>>>>> now. Other two added lsm syscalls also have this issue. >>>>>> Considering that Linux v6.8, and by extension these syscalls, are only >>>>>> a few days old, I think I'd rather see us just modify the syscalls and >>>>>> avoid the compat baggage. I'm going to be shocked if anyone has >>>>>> shifted to using the new syscalls yet, and even if they have (!!), >>>>>> moving from a "size_t" type to a "u64" should be mostly transparent >>>>>> for the majority of native 64-bit systems. Those running the absolute >>>>>> latest kernels on 32-bit systems with custom or bleeding edge >>>>>> userspace *may* see a slight hiccup, but I think that user count is in >>>>>> the single digits, if not zero. >>>>>> >>>>>> Let's fix this quickly with /size_t/u64/ in v6.8.1 and avoid the >>>>>> compat shim if we can. >>>>>> >>>>>> Casey, do you have time to put together a patch for this (you should >>>>>> fix the call chains below the syscalls too)? If not, please let me >>>>>> know and I'll get a patch out ASAP. >>>>> Grumble. Yes, I'll get right on it. >>>> Great, thanks Casey. >>> Look like lsm_get_self_attr() needs the same change. lsm_set_self_attr() >>> doesn't, need it, but I'm tempted to change it as well for consistency. >>> Thoughts? >> As lsm_get_self_attr() has the same issue, it needs the same treatment. >> >> lsm_set_self_attr() could be left unchanged. In fact, changing the type >> of syscall arguments from size_t to an explicit 64-bit type would be >> problematic because 32-bit syscalls cannot have 64-bit arguments. > Using u32 should be totally fine for both. Nearly ever kernel internal > limits sizes to INT_MAX anyway. :) My initial patch changes the size_t pointers in lsm_list_modules() and lsm_get_self_attr() to __u64 pointers. I could change them to __u32 pointers and include lsm_set_self_attr() as well. Let's see who screams how loudly.
On Tue, Mar 12, 2024 at 2:28 PM Dmitry V. Levin <ldv@strace.io> wrote: > On Tue, Mar 12, 2024 at 10:44:38AM -0700, Casey Schaufler wrote: > > On 3/12/2024 10:06 AM, Paul Moore wrote: > > > On Tue, Mar 12, 2024 at 11:27 AM Casey Schaufler <casey@schaufler-ca.com> wrote: > > >> On 3/12/2024 6:25 AM, Paul Moore wrote: > > >>> On Tue, Mar 12, 2024 at 6:16 AM Dmitry V. Levin <ldv@strace.io> wrote: > > >>>> On Tue, Sep 12, 2023 at 01:56:50PM -0700, Casey Schaufler wrote: > > >>>> [...] > > >>>>> --- a/security/lsm_syscalls.c > > >>>>> +++ b/security/lsm_syscalls.c > > >>>>> @@ -55,3 +55,42 @@ SYSCALL_DEFINE4(lsm_get_self_attr, unsigned int, attr, struct lsm_ctx __user *, > > >>>>> { > > >>>>> return security_getselfattr(attr, ctx, size, flags); > > >>>>> } > > >>>>> + > > >>>>> +/** > > >>>>> + * sys_lsm_list_modules - Return a list of the active security modules > > >>>>> + * @ids: the LSM module ids > > >>>>> + * @size: pointer to size of @ids, updated on return > > >>>>> + * @flags: reserved for future use, must be zero > > >>>>> + * > > >>>>> + * Returns a list of the active LSM ids. On success this function > > >>>>> + * returns the number of @ids array elements. This value may be zero > > >>>>> + * if there are no LSMs active. If @size is insufficient to contain > > >>>>> + * the return data -E2BIG is returned and @size is set to the minimum > > >>>>> + * required size. In all other cases a negative value indicating the > > >>>>> + * error is returned. > > >>>>> + */ > > >>>>> +SYSCALL_DEFINE3(lsm_list_modules, u64 __user *, ids, size_t __user *, size, > > >>>>> + u32, flags) > > >>>> I'm sorry but the size of userspace size_t is different from the kernel one > > >>>> on 32-bit compat architectures. > > >>> D'oh, yes, thanks for pointing that out. It would have been nice to > > >>> have caught that before v6.8 was released, but I guess it's better > > >>> than later. > > >>> > > >>>> Looks like there has to be a COMPAT_SYSCALL_DEFINE3(lsm_list_modules, ..) > > >>>> now. Other two added lsm syscalls also have this issue. > > >>> Considering that Linux v6.8, and by extension these syscalls, are only > > >>> a few days old, I think I'd rather see us just modify the syscalls and > > >>> avoid the compat baggage. I'm going to be shocked if anyone has > > >>> shifted to using the new syscalls yet, and even if they have (!!), > > >>> moving from a "size_t" type to a "u64" should be mostly transparent > > >>> for the majority of native 64-bit systems. Those running the absolute > > >>> latest kernels on 32-bit systems with custom or bleeding edge > > >>> userspace *may* see a slight hiccup, but I think that user count is in > > >>> the single digits, if not zero. > > >>> > > >>> Let's fix this quickly with /size_t/u64/ in v6.8.1 and avoid the > > >>> compat shim if we can. > > >>> > > >>> Casey, do you have time to put together a patch for this (you should > > >>> fix the call chains below the syscalls too)? If not, please let me > > >>> know and I'll get a patch out ASAP. > > >> Grumble. Yes, I'll get right on it. > > > Great, thanks Casey. > > > > Look like lsm_get_self_attr() needs the same change. lsm_set_self_attr() > > doesn't, need it, but I'm tempted to change it as well for consistency. > > Thoughts? > > As lsm_get_self_attr() has the same issue, it needs the same treatment. > > lsm_set_self_attr() could be left unchanged. In fact, changing the type > of syscall arguments from size_t to an explicit 64-bit type would be > problematic because 32-bit syscalls cannot have 64-bit arguments. You might as well convert all of the size_t parameters, pointers or otherwise, in the three syscalls to u32 Casey. I'd leave the lsm_ctx struct alone, the individual fields are nicely aligned on both 32-bit and 64-bit systems and worst case we have some unused bits. The 64-bit LSM IDs are perhaps a bit more problematic, but I believe we are okay and I don't think we should change that. With one of the primary motivations behind the LSM syscalls being support for multiple LSMs, I suspect any future LSMs will use an array of LSM IDs (the u64 is hidden behind a pointer) as we do in lsm_list_modules() or the LSM ID will be part of a larger struct like lsm_ctx. -- paul-moore.com
On 3/12/2024 3:06 PM, Paul Moore wrote: > On Tue, Mar 12, 2024 at 2:28 PM Dmitry V. Levin <ldv@strace.io> wrote: >> On Tue, Mar 12, 2024 at 10:44:38AM -0700, Casey Schaufler wrote: >>> On 3/12/2024 10:06 AM, Paul Moore wrote: >>>> On Tue, Mar 12, 2024 at 11:27 AM Casey Schaufler <casey@schaufler-ca.com> wrote: >>>>> On 3/12/2024 6:25 AM, Paul Moore wrote: >>>>>> On Tue, Mar 12, 2024 at 6:16 AM Dmitry V. Levin <ldv@strace.io> wrote: >>>>>>> On Tue, Sep 12, 2023 at 01:56:50PM -0700, Casey Schaufler wrote: >>>>>>> [...] >>>>>>>> --- a/security/lsm_syscalls.c >>>>>>>> +++ b/security/lsm_syscalls.c >>>>>>>> @@ -55,3 +55,42 @@ SYSCALL_DEFINE4(lsm_get_self_attr, unsigned int, attr, struct lsm_ctx __user *, >>>>>>>> { >>>>>>>> return security_getselfattr(attr, ctx, size, flags); >>>>>>>> } >>>>>>>> + >>>>>>>> +/** >>>>>>>> + * sys_lsm_list_modules - Return a list of the active security modules >>>>>>>> + * @ids: the LSM module ids >>>>>>>> + * @size: pointer to size of @ids, updated on return >>>>>>>> + * @flags: reserved for future use, must be zero >>>>>>>> + * >>>>>>>> + * Returns a list of the active LSM ids. On success this function >>>>>>>> + * returns the number of @ids array elements. This value may be zero >>>>>>>> + * if there are no LSMs active. If @size is insufficient to contain >>>>>>>> + * the return data -E2BIG is returned and @size is set to the minimum >>>>>>>> + * required size. In all other cases a negative value indicating the >>>>>>>> + * error is returned. >>>>>>>> + */ >>>>>>>> +SYSCALL_DEFINE3(lsm_list_modules, u64 __user *, ids, size_t __user *, size, >>>>>>>> + u32, flags) >>>>>>> I'm sorry but the size of userspace size_t is different from the kernel one >>>>>>> on 32-bit compat architectures. >>>>>> D'oh, yes, thanks for pointing that out. It would have been nice to >>>>>> have caught that before v6.8 was released, but I guess it's better >>>>>> than later. >>>>>> >>>>>>> Looks like there has to be a COMPAT_SYSCALL_DEFINE3(lsm_list_modules, ..) >>>>>>> now. Other two added lsm syscalls also have this issue. >>>>>> Considering that Linux v6.8, and by extension these syscalls, are only >>>>>> a few days old, I think I'd rather see us just modify the syscalls and >>>>>> avoid the compat baggage. I'm going to be shocked if anyone has >>>>>> shifted to using the new syscalls yet, and even if they have (!!), >>>>>> moving from a "size_t" type to a "u64" should be mostly transparent >>>>>> for the majority of native 64-bit systems. Those running the absolute >>>>>> latest kernels on 32-bit systems with custom or bleeding edge >>>>>> userspace *may* see a slight hiccup, but I think that user count is in >>>>>> the single digits, if not zero. >>>>>> >>>>>> Let's fix this quickly with /size_t/u64/ in v6.8.1 and avoid the >>>>>> compat shim if we can. >>>>>> >>>>>> Casey, do you have time to put together a patch for this (you should >>>>>> fix the call chains below the syscalls too)? If not, please let me >>>>>> know and I'll get a patch out ASAP. >>>>> Grumble. Yes, I'll get right on it. >>>> Great, thanks Casey. >>> Look like lsm_get_self_attr() needs the same change. lsm_set_self_attr() >>> doesn't, need it, but I'm tempted to change it as well for consistency. >>> Thoughts? >> As lsm_get_self_attr() has the same issue, it needs the same treatment. >> >> lsm_set_self_attr() could be left unchanged. In fact, changing the type >> of syscall arguments from size_t to an explicit 64-bit type would be >> problematic because 32-bit syscalls cannot have 64-bit arguments. > You might as well convert all of the size_t parameters, pointers or > otherwise, in the three syscalls to u32 Casey. Well, nuts. So much for that coin flip. V2 coming real soon.
On Tue, Mar 12, 2024 at 6:18 PM Casey Schaufler <casey@schaufler-ca.com> wrote: > On 3/12/2024 3:06 PM, Paul Moore wrote: > > On Tue, Mar 12, 2024 at 2:28 PM Dmitry V. Levin <ldv@strace.io> wrote: > >> On Tue, Mar 12, 2024 at 10:44:38AM -0700, Casey Schaufler wrote: > >>> On 3/12/2024 10:06 AM, Paul Moore wrote: > >>>> On Tue, Mar 12, 2024 at 11:27 AM Casey Schaufler <casey@schaufler-ca.com> wrote: > >>>>> On 3/12/2024 6:25 AM, Paul Moore wrote: > >>>>>> On Tue, Mar 12, 2024 at 6:16 AM Dmitry V. Levin <ldv@strace.io> wrote: > >>>>>>> On Tue, Sep 12, 2023 at 01:56:50PM -0700, Casey Schaufler wrote: > >>>>>>> [...] > >>>>>>>> --- a/security/lsm_syscalls.c > >>>>>>>> +++ b/security/lsm_syscalls.c > >>>>>>>> @@ -55,3 +55,42 @@ SYSCALL_DEFINE4(lsm_get_self_attr, unsigned int, attr, struct lsm_ctx __user *, > >>>>>>>> { > >>>>>>>> return security_getselfattr(attr, ctx, size, flags); > >>>>>>>> } > >>>>>>>> + > >>>>>>>> +/** > >>>>>>>> + * sys_lsm_list_modules - Return a list of the active security modules > >>>>>>>> + * @ids: the LSM module ids > >>>>>>>> + * @size: pointer to size of @ids, updated on return > >>>>>>>> + * @flags: reserved for future use, must be zero > >>>>>>>> + * > >>>>>>>> + * Returns a list of the active LSM ids. On success this function > >>>>>>>> + * returns the number of @ids array elements. This value may be zero > >>>>>>>> + * if there are no LSMs active. If @size is insufficient to contain > >>>>>>>> + * the return data -E2BIG is returned and @size is set to the minimum > >>>>>>>> + * required size. In all other cases a negative value indicating the > >>>>>>>> + * error is returned. > >>>>>>>> + */ > >>>>>>>> +SYSCALL_DEFINE3(lsm_list_modules, u64 __user *, ids, size_t __user *, size, > >>>>>>>> + u32, flags) > >>>>>>> I'm sorry but the size of userspace size_t is different from the kernel one > >>>>>>> on 32-bit compat architectures. > >>>>>> D'oh, yes, thanks for pointing that out. It would have been nice to > >>>>>> have caught that before v6.8 was released, but I guess it's better > >>>>>> than later. > >>>>>> > >>>>>>> Looks like there has to be a COMPAT_SYSCALL_DEFINE3(lsm_list_modules, ..) > >>>>>>> now. Other two added lsm syscalls also have this issue. > >>>>>> Considering that Linux v6.8, and by extension these syscalls, are only > >>>>>> a few days old, I think I'd rather see us just modify the syscalls and > >>>>>> avoid the compat baggage. I'm going to be shocked if anyone has > >>>>>> shifted to using the new syscalls yet, and even if they have (!!), > >>>>>> moving from a "size_t" type to a "u64" should be mostly transparent > >>>>>> for the majority of native 64-bit systems. Those running the absolute > >>>>>> latest kernels on 32-bit systems with custom or bleeding edge > >>>>>> userspace *may* see a slight hiccup, but I think that user count is in > >>>>>> the single digits, if not zero. > >>>>>> > >>>>>> Let's fix this quickly with /size_t/u64/ in v6.8.1 and avoid the > >>>>>> compat shim if we can. > >>>>>> > >>>>>> Casey, do you have time to put together a patch for this (you should > >>>>>> fix the call chains below the syscalls too)? If not, please let me > >>>>>> know and I'll get a patch out ASAP. > >>>>> Grumble. Yes, I'll get right on it. > >>>> Great, thanks Casey. > >>> Look like lsm_get_self_attr() needs the same change. lsm_set_self_attr() > >>> doesn't, need it, but I'm tempted to change it as well for consistency. > >>> Thoughts? > >> As lsm_get_self_attr() has the same issue, it needs the same treatment. > >> > >> lsm_set_self_attr() could be left unchanged. In fact, changing the type > >> of syscall arguments from size_t to an explicit 64-bit type would be > >> problematic because 32-bit syscalls cannot have 64-bit arguments. > > You might as well convert all of the size_t parameters, pointers or > > otherwise, in the three syscalls to u32 Casey. > > Well, nuts. So much for that coin flip. V2 coming real soon. Yeah, sorry for the false starts today ...
diff --git a/Documentation/userspace-api/lsm.rst b/Documentation/userspace-api/lsm.rst index f8499f3e2826..a76da373841b 100644 --- a/Documentation/userspace-api/lsm.rst +++ b/Documentation/userspace-api/lsm.rst @@ -63,6 +63,9 @@ Get the specified security attributes of the current process .. kernel-doc:: security/lsm_syscalls.c :identifiers: sys_lsm_get_self_attr +.. kernel-doc:: security/lsm_syscalls.c + :identifiers: sys_lsm_list_modules + Additional documentation ======================== diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h index 8637287bd39d..323ef5e2667d 100644 --- a/include/linux/syscalls.h +++ b/include/linux/syscalls.h @@ -945,6 +945,7 @@ asmlinkage long sys_lsm_get_self_attr(unsigned int attr, struct lsm_ctx *ctx, size_t *size, __u32 flags); asmlinkage long sys_lsm_set_self_attr(unsigned int attr, struct lsm_ctx *ctx, size_t size, __u32 flags); +asmlinkage long sys_lsm_list_modules(u64 *ids, size_t *size, u32 flags); /* * Architecture-specific system calls diff --git a/kernel/sys_ni.c b/kernel/sys_ni.c index f81f2468c0ce..738ca470fcce 100644 --- a/kernel/sys_ni.c +++ b/kernel/sys_ni.c @@ -172,6 +172,7 @@ COND_SYSCALL(fadvise64_64); COND_SYSCALL_COMPAT(fadvise64_64); COND_SYSCALL(lsm_get_self_attr); COND_SYSCALL(lsm_set_self_attr); +COND_SYSCALL(lsm_list_modules); /* CONFIG_MMU only */ COND_SYSCALL(swapon); diff --git a/security/lsm_syscalls.c b/security/lsm_syscalls.c index 226ae80d9683..329aaca5efc0 100644 --- a/security/lsm_syscalls.c +++ b/security/lsm_syscalls.c @@ -55,3 +55,42 @@ SYSCALL_DEFINE4(lsm_get_self_attr, unsigned int, attr, struct lsm_ctx __user *, { return security_getselfattr(attr, ctx, size, flags); } + +/** + * sys_lsm_list_modules - Return a list of the active security modules + * @ids: the LSM module ids + * @size: pointer to size of @ids, updated on return + * @flags: reserved for future use, must be zero + * + * Returns a list of the active LSM ids. On success this function + * returns the number of @ids array elements. This value may be zero + * if there are no LSMs active. If @size is insufficient to contain + * the return data -E2BIG is returned and @size is set to the minimum + * required size. In all other cases a negative value indicating the + * error is returned. + */ +SYSCALL_DEFINE3(lsm_list_modules, u64 __user *, ids, size_t __user *, size, + u32, flags) +{ + size_t total_size = lsm_active_cnt * sizeof(*ids); + size_t usize; + int i; + + if (flags) + return -EINVAL; + + if (get_user(usize, size)) + return -EFAULT; + + if (put_user(total_size, size) != 0) + return -EFAULT; + + if (usize < total_size) + return -E2BIG; + + for (i = 0; i < lsm_active_cnt; i++) + if (put_user(lsm_idlist[i]->id, ids++)) + return -EFAULT; + + return lsm_active_cnt; +}