On 1/24/20 2:28 PM, Casey Schaufler wrote:
> On 1/24/2020 8:20 AM, Stephen Smalley wrote:
>> On 1/24/20 9:42 AM, Stephen Smalley wrote:
>>> On 1/23/20 7:23 PM, Casey Schaufler wrote:
>>>> Add an entry /proc/.../attr/context which displays the full
>>>> process security "context" in compound format:
>>>>         lsm1\0value\0lsm2\0value\0...
>>>> This entry is not writable.
>>>>
>>>> Signed-off-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
>>>> Cc: linux-api@xxxxxxxxxxxxxxx
>>>
>>> As previously discussed, there are issues with AppArmor's implementation of getprocattr() particularly around the trailing newline that dbus-daemon and perhaps others would like to see go away in any new interface. Hence, I don't think we should implement this new API using the existing getprocattr() hook lest it also be locked into the current behavior forever.
>>
>> Also, it would be good if whatever hook is introduced to support /proc/pid/attr/context could also be leveraged by the SO_PEERCONTEXT implementation in the future so that we are guaranteed a consistent result between the two interfaces, unlike the current situation for /proc/self/attr/current versus SO_PEERSEC.
>
> I don't believe that a new hook is necessary, and that introducing one
> just to deal with a '\n' would be pedantic. We really have two rational
> options. AppArmor could drop the '\n' from their "context". Or, we can
> simply document that the /proc/pid/attr/context interface will trim any
> trailing whitespace. I understand that this would be a break from the
> notion that the LSM infrastructure does not constrain what a module uses
> for its own data. On the other hand, we have been saying that "context"s
> are strings, and ignoring trailing whitespace is usual behavior for
> strings.

Well, you can either introduce a new common underlying hook for use by
/proc/pid/attr/context and SO_PEERCONTEXT to produce the string that is
to be returned to userspace (in order to guarantee consistency in format
and allowing them to be directly compared, which I think is what the
dbus maintainers wanted), or you can modify every security module to
provide that guarantee in its existing getprocattr and getpeersec* hook
functions (SELinux already provides this guarantee; Smack and AppArmor
produce slightly different results with respect to \0 and/or \n), or you
can have the framework trim the values it gets from the security modules
before composing them. But you need to do one of those things before
this interface gets merged upstream.

Aside from the trailing newline and \0 issues, AppArmor also has a
whitespace-separated (mode) field that may or may not be present in the
contexts it presently returns, ala "/usr/sbin/cupsd (enforce)". Not
sure what they want for the new interfaces.
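
The third option mentioned in the thread (the framework trimming each module's value before composing the compound string), sketched in userspace C as an added example that is not code from the thread or from the kernel patch. `struct lsm_value`, `trimmed_len()` and `compose_context()` are hypothetical names, and the AppArmor "(mode)" field is left untouched because the thread leaves that question open.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical type for this example: one module's name and raw value. */
struct lsm_value {
    const char *lsm;   /* module name, NUL-terminated */
    const char *raw;   /* value exactly as the module returned it */
    size_t raw_len;    /* may count a trailing '\n' and/or '\0' */
};

/* Length of the value once trailing NULs and whitespace are dropped. */
static size_t trimmed_len(const char *raw, size_t len)
{
    while (len > 0 && (raw[len - 1] == '\0' ||
                       isspace((unsigned char)raw[len - 1])))
        len--;
    return len;
}

/*
 * Compose "lsm1\0value\0lsm2\0value\0" into out.
 * Returns the number of bytes written, or 0 if out is too small or a
 * value still contains a NUL after trimming (an embedded NUL would
 * desynchronise the name/value pairing for every reader).
 */
size_t compose_context(const struct lsm_value *v, size_t n,
                       char *out, size_t out_len)
{
    size_t used = 0;

    for (size_t i = 0; i < n; i++) {
        size_t nlen = strlen(v[i].lsm);
        size_t vlen = trimmed_len(v[i].raw, v[i].raw_len);

        if (memchr(v[i].raw, '\0', vlen))
            return 0;
        if (nlen + vlen + 2 > out_len - used)
            return 0;
        memcpy(out + used, v[i].lsm, nlen + 1);   /* name plus its NUL */
        used += nlen + 1;
        memcpy(out + used, v[i].raw, vlen);       /* trimmed value */
        used += vlen;
        out[used++] = '\0';
    }
    return used;
}
```

Because every value is normalised in one place, two strings produced this way can be compared byte for byte regardless of which module appended a newline or counted its terminator.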