On Tue, Sep 12, 2023 at 4:57 PM Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:
>
> Add three system calls for the Linux Security Module ABI.
>
> lsm_get_self_attr() provides the security module specific attributes
> that have previously been visible in the /proc/self/attr directory.
> For each security module that uses the specified attribute on the
> current process the system call will return an LSM identifier and
> the value of the attribute. The LSM and attribute identifier values
> are defined in include/uapi/linux/lsm.h
>
> LSM identifiers are simple integers and reflect the order in which
> the LSM was added to the mainline kernel. This is a convention, not
> a promise of the API. LSM identifiers below the value of 100 are
> reserved for unspecified future uses. That could include information
> about the security infrastructure itself, or about how multiple LSMs
> might interact with each other.
>
> A new LSM hook security_getselfattr() is introduced to get the
> required information from the security modules. This is similar
> to the existing security_getprocattr() hook, but specifies the
> format in which string data is returned and requires the module
> to put the information into a userspace destination.
>
> lsm_set_self_attr() changes the specified LSM attribute. Only one
> attribute can be changed at a time, and then only if the specified
> security module allows the change.
>
> A new LSM hook security_setselfattr() is introduced to set the
> required information in the security modules. This is similar
> to the existing security_setprocattr() hook, but specifies the
> format in which string data is presented and requires the module
> to get the information from a userspace destination.
>
> lsm_list_modules() provides the LSM identifiers, in order, of the
> security modules that are active on the system. This has been
> available in the securityfs file /sys/kernel/security/lsm.
>
> Patch 0001 changes the LSM registration from passing the name
> of the module to passing a lsm_id structure that contains the
> name of the module, an LSM identifier number and an attribute
> identifier.
> Patch 0002 adds the registered lsm_ids to a table.
> Patch 0003 changes security_[gs]etprocattr() to use LSM IDs instead
> of LSM names.
> Patch 0004 implements lsm_get_self_attr() and lsm_set_self_attr().
> New LSM hooks security_getselfattr() and security_setselfattr() are
> defined.
> Patch 0005 implements lsm_list_modules().
> Patch 0006 wires up the syscalls.
> Patch 0007 implements helper functions to make it easier for
> security modules to use lsm_ctx structures.
> Patch 0008 provides the Smack implementation for [gs]etselfattr().
> Patch 0009 provides the AppArmor implementation for [gs]etselfattr().
> Patch 0010 provides the SELinux implementation for [gs]etselfattr().
> Patch 0011 implements selftests for the three new syscalls.
>
> https://github.com/cschaufler/lsm-stacking.git#syscalls-6.5-rc7-v14
>
> v15: Rebased on 6.6-rc1.
>      Adopt suggested improvements to security_getprocattr,
>      making the code easier to read.
>      Squash a code fix from 0011 to 0004.
> v14: Make the handling of LSM_FLAG_SINGLE easier to understand.
>      Tighten the comments and documentation.
>      Better use of const, static, and __ro_after_init.
>      Add selftests for LSM_FLAG_SINGLE cases.
> v13: Change the setselfattr code to do a single user copy.
>      Make the self tests more robust.
>      Improve use of const.
>      Change syscall numbers to reflect upstream additions.
> v12: Repair a registration time overflow check.
> v11: Remove redundant alignment code
>      Improve a few comments.
>      Use LSM_ATTR_UNDEF in place of 0 in a few places.
>      Correct a return of -EINVAL to -E2BIG.
> v10: Correct use of __user.
>      Improve a few comments.
>      Revert unnecessary changes in module initialization.
> v9:  Support a flag LSM_FLAG_SINGLE in lsm_get_self_attr() that
>      instructs the call to provide only the attribute for the LSM
>      identified in the referenced lsm_ctx structure.
>      Fix a typing error.
>      Change some coding style.
> v8:  Allow an LSM to provide more than one instance of an attribute,
>      even though none of the existing modules do so.
>      Pad the data returned by lsm_get_self_attr() to the size of
>      the struct lsm_ctx.
>      Change some displeasing variable names.
> v7:  Pass the attribute desired to lsm_[gs]et_self_attr in its own
>      parameter rather than encoding it in the flags.
>      Change the flags parameters to u32.
>      Don't shortcut out of calling LSM specific code in the
>      infrastructure, let the LSM report that it doesn't support an
>      attribute instead. With that it is not necessary to maintain
>      a set of supported attributes in the lsm_id structure.
>      Fix a typing error.
> v6:  Switch from reusing security_[gs]procattr() to using new
>      security_[gs]selfattr() hooks. Use explicit sized data types
>      in the lsm_ctx structure.
>
> v5:  Correct syscall parameter data types.
>
> v4:  Restore "reserved" LSM ID values. Add explanation.
>      Squash patches that introduce fields in lsm_id.
>      Correct a wireup error.
>
> v3:  Add lsm_set_self_attr().
>      Rename lsm_self_attr() to lsm_get_self_attr().
>      Provide the values only for a specified attribute in
>      lsm_get_self_attr().
>      Add selftests for the three new syscalls.
>      Correct some parameter checking.
>
> v2:  Use user-interface safe data types.
>      Remove "reserved" LSM ID values.
>      Improve kerneldoc comments
>      Include copyright dates
>      Use more descriptive name for LSM counter
>      Add documentation
>      Correct wireup errors
>
> Casey Schaufler (11):
>   LSM: Identify modules by more than name
>   LSM: Maintain a table of LSM attribute data
>   proc: Use lsmids instead of lsm names for attrs
>   LSM: syscalls for current process attributes
>   LSM: Create lsm_list_modules system call
>   LSM: wireup Linux Security Module syscalls
>   LSM: Helpers for attribute names and filling lsm_ctx
>   Smack: implement setselfattr and getselfattr hooks
>   AppArmor: Add selfattr hooks
>   SELinux: Add selfattr hooks
>   LSM: selftests for Linux Security Module syscalls
>
>  Documentation/userspace-api/index.rst              |   1 +
>  Documentation/userspace-api/lsm.rst                |  73 +++++
>  MAINTAINERS                                        |   2 +
>  arch/alpha/kernel/syscalls/syscall.tbl             |   3 +
>  arch/arm/tools/syscall.tbl                         |   3 +
>  arch/arm64/include/asm/unistd.h                    |   2 +-
>  arch/arm64/include/asm/unistd32.h                  |   6 +
>  arch/ia64/kernel/syscalls/syscall.tbl              |   3 +
>  arch/m68k/kernel/syscalls/syscall.tbl              |   3 +
>  arch/microblaze/kernel/syscalls/syscall.tbl        |   3 +
>  arch/mips/kernel/syscalls/syscall_n32.tbl          |   3 +
>  arch/mips/kernel/syscalls/syscall_n64.tbl          |   3 +
>  arch/mips/kernel/syscalls/syscall_o32.tbl          |   3 +
>  arch/parisc/kernel/syscalls/syscall.tbl            |   3 +
>  arch/powerpc/kernel/syscalls/syscall.tbl           |   3 +
>  arch/s390/kernel/syscalls/syscall.tbl              |   3 +
>  arch/sh/kernel/syscalls/syscall.tbl                |   3 +
>  arch/sparc/kernel/syscalls/syscall.tbl             |   3 +
>  arch/x86/entry/syscalls/syscall_32.tbl             |   3 +
>  arch/x86/entry/syscalls/syscall_64.tbl             |   3 +
>  arch/xtensa/kernel/syscalls/syscall.tbl            |   3 +
>  fs/proc/base.c                                     |  29 +-
>  fs/proc/internal.h                                 |   2 +-
>  include/linux/lsm_hook_defs.h                      |   4 +
>  include/linux/lsm_hooks.h                          |  17 +-
>  include/linux/security.h                           |  46 ++-
>  include/linux/syscalls.h                           |   6 +
>  include/uapi/asm-generic/unistd.h                  |   9 +-
>  include/uapi/linux/lsm.h                           |  90 ++++++
>  kernel/sys_ni.c                                    |   3 +
>  security/Makefile                                  |   1 +
>  security/apparmor/include/procattr.h               |   2 +-
>  security/apparmor/lsm.c                            |  99 ++++++-
>  security/apparmor/procattr.c                       |  10 +-
>  security/bpf/hooks.c                               |   9 +-
>  security/commoncap.c                               |   8 +-
>  security/landlock/cred.c                           |   2 +-
>  security/landlock/fs.c                             |   2 +-
>  security/landlock/ptrace.c                         |   2 +-
>  security/landlock/setup.c                          |   6 +
>  security/landlock/setup.h                          |   1 +
>  security/loadpin/loadpin.c                         |   9 +-
>  security/lockdown/lockdown.c                       |   8 +-
>  security/lsm_syscalls.c                            | 120 ++++++++
>  security/safesetid/lsm.c                           |   9 +-
>  security/security.c                                | 253 +++++++++++++++-
>  security/selinux/hooks.c                           | 143 +++++++--
>  security/smack/smack_lsm.c                         | 103 ++++++-
>  security/tomoyo/tomoyo.c                           |   9 +-
>  security/yama/yama_lsm.c                           |   8 +-
>  .../arch/mips/entry/syscalls/syscall_n64.tbl       |   3 +
>  .../arch/powerpc/entry/syscalls/syscall.tbl        |   3 +
>  .../perf/arch/s390/entry/syscalls/syscall.tbl      |   3 +
>  .../arch/x86/entry/syscalls/syscall_64.tbl         |   3 +
>  tools/testing/selftests/Makefile                   |   1 +
>  tools/testing/selftests/lsm/.gitignore             |   1 +
>  tools/testing/selftests/lsm/Makefile               |  17 ++
>  tools/testing/selftests/lsm/common.c               |  89 ++++++
>  tools/testing/selftests/lsm/common.h               |  33 +++
>  tools/testing/selftests/lsm/config                 |   3 +
>  .../selftests/lsm/lsm_get_self_attr_test.c         | 275 ++++++++++++++++++
>  .../selftests/lsm/lsm_list_modules_test.c          | 140 +++++++++
>  .../selftests/lsm/lsm_set_self_attr_test.c         |  74 +++++
>  63 files changed, 1694 insertions(+), 93 deletions(-)
>  create mode 100644 Documentation/userspace-api/lsm.rst
>  create mode 100644 include/uapi/linux/lsm.h
>  create mode 100644 security/lsm_syscalls.c
>  create mode 100644 tools/testing/selftests/lsm/.gitignore
>  create mode 100644 tools/testing/selftests/lsm/Makefile
>  create mode 100644 tools/testing/selftests/lsm/common.c
>  create mode 100644 tools/testing/selftests/lsm/common.h
>  create mode 100644 tools/testing/selftests/lsm/config
>  create mode 100644 tools/testing/selftests/lsm/lsm_get_self_attr_test.c
>  create mode 100644 tools/testing/selftests/lsm/lsm_list_modules_test.c
>  create mode 100644 tools/testing/selftests/lsm/lsm_set_self_attr_test.c

This patchset is now in lsm/dev, thanks everyone!

-- 
paul-moore.com
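The buffer that lsm_get_self_attr() fills, and the record that lsm_set_self_attr() consumes, are both sequences of the lsm_ctx structure the cover letter describes: a fixed header followed by the attribute value, padded to the size of the header. The following is an added userspace example, not code from the series or the selftests; it assumes the lsm_ctx layout as merged upstream in include/uapi/linux/lsm.h and the LSM_ID_* values used in the test are likewise assumed from that header. It shows a record builder and a walker that validates every len/ctx_len before trusting it, which is the check a consumer of the syscall's output must make.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Mirrors struct lsm_ctx from include/uapi/linux/lsm.h as merged upstream
 * (an assumption of this example; the mail does not reproduce the header). */
struct lsm_ctx {
    uint64_t id;      /* LSM_ID_* of the module owning this record */
    uint64_t flags;   /* module-specific flags, 0 for all current modules */
    uint64_t len;     /* whole record: header + data + padding */
    uint64_t ctx_len; /* bytes of attribute data after the header */
    uint8_t  ctx[];   /* attribute value, e.g. a NUL-terminated label */
};

/* Build one record as handed to lsm_set_self_attr(): data after the header,
 * padded to 8 bytes (the header's size). Returns bytes written, 0 if no room. */
static size_t lsm_ctx_put(uint8_t *buf, size_t cap, uint64_t id,
                          const void *data, size_t dlen)
{
    size_t len = (sizeof(struct lsm_ctx) + dlen + 7) & ~(size_t)7;
    struct lsm_ctx hdr = { .id = id, .flags = 0, .len = len, .ctx_len = dlen };
    if (len > cap)
        return 0;
    memset(buf, 0, len);                   /* zero the padding bytes */
    memcpy(buf, &hdr, sizeof hdr);
    memcpy(buf + sizeof hdr, data, dlen);
    return len;
}

/* Walk the lsm_get_self_attr() reply (one record per LSM) by each record's
 * len, storing up to max ids. Returns the count, or -1 on an overrun. */
static int lsm_ctx_walk(const uint8_t *buf, size_t size, uint64_t *ids, int max)
{
    size_t off = 0;
    int n = 0;
    struct lsm_ctx hdr;
    while (off < size) {
        if (size - off < sizeof hdr)
            return -1;
        memcpy(&hdr, buf + off, sizeof hdr); /* copy: buf may be unaligned */
        if (hdr.len < sizeof hdr || hdr.len > size - off ||
            hdr.ctx_len > hdr.len - sizeof hdr)
            return -1;
        if (n < max)
            ids[n] = hdr.id;
        off += hdr.len;
        n++;
    }
    return n;
}
```

A real caller would pass the walker the size the kernel wrote back through the syscall's size argument, never the capacity of its own buffer.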