Add three system calls for the Linux Security Module ABI.
lsm_get_self_attr() provides the security module specific attributes
that have previously been visible in the /proc/self/attr directory.
For each security module that uses the specified attribute on the
current process the system call will return an LSM identifier and
the value of the attribute. The LSM and attribute identifier values
are defined in include/uapi/linux/lsm.h
LSM identifiers are simple integers and reflect the order in which
the LSM was added to the mainline kernel. This is a convention, not
a promise of the API. LSM identifiers below the value of 100 are
reserved for unspecified future uses. That could include information
about the security infrastructure itself, or about how multiple LSMs
might interact with each other.
lsm_module_list() provides the LSM identifiers, in order, of the
security modules that are active on the system. This has been
available in the securityfs file /sys/kernel/security/lsm.
lsm_set_self_attr() changes the specified LSM attribute. Only one
attribute can be changed at a time, and then only if the specified
security module allows the change.
Patch 0001 changes the LSM registration from passing the name
of the module to passing a lsm_id structure that contains the
name of the module, an LSM identifier number and an attribute
identifier.
Patch 0002 adds the registered lsm_ids to a table.
Patch 0003 changes security_[gs]etprocattr() to use LSM IDs instead
of LSM names.
Patch 0004 implements lsm_get_self_attr().
Patch 0005 implements lsm_module_list().
Patch 0006 implements lsm_set_self_attr().
Patch 0007 wires up the syscalls.
Patch 0008 implements selftests for the three new syscalls.
https://github.com/cschaufler/lsm-stacking.git#lsm-syscalls-6.2-rc2-v5
v5: Correct syscall parameter data types.
v4: Restore "reserved" LSM ID values. Add explaination.
Squash patches that introduce fields in lsm_id.
Correct a wireup error.
v3: Add lsm_set_self_attr().
Rename lsm_self_attr() to lsm_get_self_attr().
Provide the values only for a specifed attribute in
lsm_get_self_attr().
Add selftests for the three new syscalls.
Correct some parameter checking.
v2: Use user-interface safe data types.
Remove "reserved" LSM ID values.
Improve kerneldoc comments
Include copyright dates
Use more descriptive name for LSM counter
Add documentation
Correct wireup errors
Casey Schaufler (8):
LSM: Identify modules by more than name
LSM: Maintain a table of LSM attribute data
proc: Use lsmids instead of lsm names for attrs
LSM: lsm_get_self_attr syscall for LSM self attributes
LSM: Create lsm_module_list system call
LSM: lsm_set_self_attr syscall for LSM self attributes
LSM: wireup Linux Security Module syscalls
LSM: selftests for Linux Security Module syscalls
Documentation/userspace-api/index.rst | 1 +
Documentation/userspace-api/lsm.rst | 70 ++++
arch/alpha/kernel/syscalls/syscall.tbl | 3 +
arch/arm/tools/syscall.tbl | 3 +
arch/arm64/include/asm/unistd.h | 2 +-
arch/arm64/include/asm/unistd32.h | 6 +
arch/ia64/kernel/syscalls/syscall.tbl | 3 +
arch/m68k/kernel/syscalls/syscall.tbl | 3 +
arch/microblaze/kernel/syscalls/syscall.tbl | 3 +
arch/mips/kernel/syscalls/syscall_n32.tbl | 3 +
arch/mips/kernel/syscalls/syscall_n64.tbl | 3 +
arch/mips/kernel/syscalls/syscall_o32.tbl | 3 +
arch/parisc/kernel/syscalls/syscall.tbl | 3 +
arch/powerpc/kernel/syscalls/syscall.tbl | 3 +
arch/s390/kernel/syscalls/syscall.tbl | 3 +
arch/sh/kernel/syscalls/syscall.tbl | 3 +
arch/sparc/kernel/syscalls/syscall.tbl | 3 +
arch/x86/entry/syscalls/syscall_32.tbl | 3 +
arch/x86/entry/syscalls/syscall_64.tbl | 3 +
arch/xtensa/kernel/syscalls/syscall.tbl | 3 +
fs/proc/base.c | 29 +-
fs/proc/internal.h | 2 +-
include/linux/lsm_hooks.h | 18 +-
include/linux/security.h | 13 +-
include/linux/syscalls.h | 6 +
include/uapi/asm-generic/unistd.h | 11 +-
include/uapi/linux/lsm.h | 76 ++++
kernel/sys_ni.c | 5 +
security/Makefile | 1 +
security/apparmor/lsm.c | 9 +-
security/bpf/hooks.c | 13 +-
security/commoncap.c | 8 +-
security/landlock/cred.c | 2 +-
security/landlock/fs.c | 2 +-
security/landlock/ptrace.c | 2 +-
security/landlock/setup.c | 6 +
security/landlock/setup.h | 1 +
security/loadpin/loadpin.c | 9 +-
security/lockdown/lockdown.c | 8 +-
security/lsm_syscalls.c | 264 ++++++++++++++
security/safesetid/lsm.c | 9 +-
security/security.c | 63 +++-
security/selinux/hooks.c | 11 +-
security/smack/smack_lsm.c | 9 +-
security/tomoyo/tomoyo.c | 9 +-
security/yama/yama_lsm.c | 8 +-
.../arch/mips/entry/syscalls/syscall_n64.tbl | 3 +
.../arch/powerpc/entry/syscalls/syscall.tbl | 3 +
.../perf/arch/s390/entry/syscalls/syscall.tbl | 3 +
.../arch/x86/entry/syscalls/syscall_64.tbl | 3 +
tools/testing/selftests/Makefile | 1 +
tools/testing/selftests/lsm/Makefile | 12 +
tools/testing/selftests/lsm/config | 2 +
.../selftests/lsm/lsm_get_self_attr_test.c | 268 ++++++++++++++
.../selftests/lsm/lsm_module_list_test.c | 149 ++++++++
.../selftests/lsm/lsm_set_self_attr_test.c | 328 ++++++++++++++++++
56 files changed, 1438 insertions(+), 55 deletions(-)
create mode 100644 Documentation/userspace-api/lsm.rst
create mode 100644 include/uapi/linux/lsm.h
create mode 100644 security/lsm_syscalls.c
create mode 100644 tools/testing/selftests/lsm/Makefile
create mode 100644 tools/testing/selftests/lsm/config
create mode 100644 tools/testing/selftests/lsm/lsm_get_self_attr_test.c
create mode 100644 tools/testing/selftests/lsm/lsm_module_list_test.c
create mode 100644 tools/testing/selftests/lsm/lsm_set_self_attr_test.c
--
2.39.0
Create a system call lsm_get_self_attr() to provide the security
module maintained attributes of the current process. Historically
these attributes have been exposed to user space via entries in
procfs under /proc/self/attr.
Attributes are provided as a collection of lsm_ctx structures
which are placed into a user supplied buffer. Each structure
identifys the size of the attribute, and the attribute value.
The format of the attribute value is defined by the security
module, but will always be \0 terminated. The ctx_len value
will always be strlen(ctx)+1.
---------------------------
| __u32 id |
---------------------------
| __u64 flags |
---------------------------
| __kernel_size_t ctx_len |
---------------------------
| __u8 ctx[ctx_len] |
---------------------------
| __u32 id |
---------------------------
| __u64 flags |
---------------------------
| __kernel_size_t ctx_len |
---------------------------
| __u8 ctx[ctx_len] |
---------------------------
Signed-off-by: Casey Schaufler <[email protected]>
---
Documentation/userspace-api/lsm.rst | 9 ++
include/linux/syscalls.h | 3 +
include/uapi/linux/lsm.h | 21 ++++
kernel/sys_ni.c | 3 +
security/Makefile | 1 +
security/lsm_syscalls.c | 182 ++++++++++++++++++++++++++++
6 files changed, 219 insertions(+)
create mode 100644 security/lsm_syscalls.c
diff --git a/Documentation/userspace-api/lsm.rst b/Documentation/userspace-api/lsm.rst
index 6ddf5506110b..98a0c191b499 100644
--- a/Documentation/userspace-api/lsm.rst
+++ b/Documentation/userspace-api/lsm.rst
@@ -48,6 +48,15 @@ creating socket objects.
The proc filesystem provides this value in ``/proc/self/attr/sockcreate``.
This is supported by the SELinux security module.
+Kernel interface
+================
+
+Get the security attributes of the current process
+--------------------------------------------------
+
+.. kernel-doc:: security/lsm_syscalls.c
+ :identifiers: sys_lsm_get_self_attr
+
Additional documentation
========================
diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
index 33a0ee3bcb2e..a89205c70ffa 100644
--- a/include/linux/syscalls.h
+++ b/include/linux/syscalls.h
@@ -71,6 +71,7 @@ struct clone_args;
struct open_how;
struct mount_attr;
struct landlock_ruleset_attr;
+struct lsm_ctx;
enum landlock_rule_type;
#include <linux/types.h>
@@ -1058,6 +1059,8 @@ asmlinkage long sys_memfd_secret(unsigned int flags);
asmlinkage long sys_set_mempolicy_home_node(unsigned long start, unsigned long len,
unsigned long home_node,
unsigned long flags);
+asmlinkage long sys_lsm_get_self_attr(struct lsm_ctx *ctx, size_t *size,
+ int flags);
/*
* Architecture-specific system calls
diff --git a/include/uapi/linux/lsm.h b/include/uapi/linux/lsm.h
index 61a91b7d946f..8674d8c6b326 100644
--- a/include/uapi/linux/lsm.h
+++ b/include/uapi/linux/lsm.h
@@ -9,6 +9,27 @@
#ifndef _UAPI_LINUX_LSM_H
#define _UAPI_LINUX_LSM_H
+#include <linux/types.h>
+#include <linux/unistd.h>
+
+/**
+ * struct lsm_ctx - LSM context
+ * @id: the LSM id number, see LSM_ID_XXX
+ * @flags: context specifier and LSM specific flags
+ * @ctx_len: the size of @ctx
+ * @ctx: the LSM context, a nul terminated string
+ *
+ * @ctx in a nul terminated string.
+ * (strlen(@ctx) < @ctx_len) is always true.
+ * (strlen(@ctx) == @ctx_len + 1) is not guaranteed.
+ */
+struct lsm_ctx {
+ __u32 id;
+ __u64 flags;
+ __kernel_size_t ctx_len;
+ __u8 ctx[];
+};
+
/*
* ID values to identify security modules.
* A system may use more than one security module.
diff --git a/kernel/sys_ni.c b/kernel/sys_ni.c
index 860b2dcf3ac4..7b2513d5605d 100644
--- a/kernel/sys_ni.c
+++ b/kernel/sys_ni.c
@@ -262,6 +262,9 @@ COND_SYSCALL_COMPAT(recvmsg);
/* mm/nommu.c, also with MMU */
COND_SYSCALL(mremap);
+/* security/lsm_syscalls.c */
+COND_SYSCALL(lsm_get_self_attr);
+
/* security/keys/keyctl.c */
COND_SYSCALL(add_key);
COND_SYSCALL(request_key);
diff --git a/security/Makefile b/security/Makefile
index 18121f8f85cd..59f238490665 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -7,6 +7,7 @@ obj-$(CONFIG_KEYS) += keys/
# always enable default capabilities
obj-y += commoncap.o
+obj-$(CONFIG_SECURITY) += lsm_syscalls.o
obj-$(CONFIG_MMU) += min_addr.o
# Object file lists
diff --git a/security/lsm_syscalls.c b/security/lsm_syscalls.c
new file mode 100644
index 000000000000..55e8bf61ac8a
--- /dev/null
+++ b/security/lsm_syscalls.c
@@ -0,0 +1,182 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * System calls implementing the Linux Security Module API.
+ *
+ * Copyright (C) 2022 Casey Schaufler <[email protected]>
+ * Copyright (C) 2022 Intel Corporation
+ */
+
+#include <asm/current.h>
+#include <linux/compiler_types.h>
+#include <linux/err.h>
+#include <linux/errno.h>
+#include <linux/security.h>
+#include <linux/stddef.h>
+#include <linux/syscalls.h>
+#include <linux/types.h>
+#include <linux/lsm_hooks.h>
+#include <uapi/linux/lsm.h>
+
+struct attrs_used_map {
+ char *name;
+ int attrs_used;
+};
+
+static const struct attrs_used_map lsm_attr_names[] = {
+ { .name = "current", .attrs_used = LSM_ATTR_CURRENT, },
+ { .name = "exec", .attrs_used = LSM_ATTR_EXEC, },
+ { .name = "fscreate", .attrs_used = LSM_ATTR_FSCREATE, },
+ { .name = "keycreate", .attrs_used = LSM_ATTR_KEYCREATE, },
+ { .name = "prev", .attrs_used = LSM_ATTR_PREV, },
+ { .name = "sockcreate", .attrs_used = LSM_ATTR_SOCKCREATE, },
+};
+
+static int attr_used_index(u32 flags)
+{
+ int i;
+
+ if (flags == 0)
+ return -EINVAL;
+
+ for (i = 0; i < ARRAY_SIZE(lsm_attr_names); i++)
+ if ((lsm_attr_names[i].attrs_used & flags) == flags)
+ return i;
+
+ return -EINVAL;
+}
+
+/**
+ * sys_lsm_get_self_attr - Return current task's security module attributes
+ * @ctx: the LSM contexts
+ * @size: size of @ctx, updated on return
+ * @flags: which attribute to return
+ *
+ * Returns the calling task's LSM contexts. On success this
+ * function returns the number of @ctx array elements. This value
+ * may be zero if there are no LSM contexts assigned. If @size is
+ * insufficient to contain the return data -E2BIG is returned and
+ * @size is set to the minimum required size. In all other cases
+ * a negative value indicating the error is returned.
+ */
+SYSCALL_DEFINE3(lsm_get_self_attr,
+ struct lsm_ctx __user *, ctx,
+ size_t __user *, size,
+ u32, flags)
+{
+ int i;
+ int rc = 0;
+ int len;
+ int attr;
+ int count = 0;
+ void *curr;
+ char *cp;
+ char *np;
+ char **interum_ctx;
+ size_t total_size = 0;
+ struct lsm_ctx *ip;
+ struct lsm_ctx *interum;
+ struct lsm_ctx *final = NULL;
+
+ attr = attr_used_index(flags);
+ if (attr < 0)
+ return attr;
+
+ interum = kzalloc(ARRAY_SIZE(lsm_attr_names) * lsm_active_cnt *
+ sizeof(*interum), GFP_KERNEL);
+ if (interum == NULL)
+ return -ENOMEM;
+ ip = interum;
+
+ interum_ctx = kzalloc(ARRAY_SIZE(lsm_attr_names) * lsm_active_cnt *
+ sizeof(*interum_ctx), GFP_KERNEL);
+ if (interum_ctx == NULL) {
+ kfree(interum);
+ return -ENOMEM;
+ }
+
+ for (i = 0; i < lsm_active_cnt; i++) {
+ if ((lsm_idlist[i]->attrs_used &
+ lsm_attr_names[attr].attrs_used) == 0)
+ continue;
+
+ len = security_getprocattr(current, lsm_idlist[i]->id,
+ lsm_attr_names[attr].name,
+ &cp);
+ if (len <= 0)
+ continue;
+
+ ip->id = lsm_idlist[i]->id;
+ ip->flags = lsm_attr_names[attr].attrs_used;
+ interum_ctx[count] = cp;
+
+ /*
+ * A security module that returns a binary attribute
+ * will need to identify itself to prevent string
+ * processing.
+ *
+ * At least one security module adds a \n at the
+ * end of a context to make it look nicer. Change
+ * that to a \0 so that user space doesn't have to
+ * work around it.
+ *
+ * Security modules have been inconsistent about
+ * including the \0 terminator in the size. If it's
+ * not there make space for it.
+ *
+ * The length returned will reflect the length of
+ * the string provided by the security module, which
+ * may not match what getprocattr returned.
+ */
+ np = strnchr(cp, len, '\n');
+ if (np != NULL)
+ *np = '\0';
+ ip->ctx_len = strnlen(cp, len) + 1;
+ total_size += sizeof(*interum) + ip->ctx_len;
+ ip++;
+ count++;
+ }
+
+ if (count == 0)
+ goto free_out;
+
+ final = kzalloc(total_size, GFP_KERNEL);
+ if (final == NULL) {
+ rc = -ENOMEM;
+ goto free_out;
+ }
+
+ curr = final;
+ ip = interum;
+ for (i = 0; i < count; i++) {
+ memcpy(curr, ip, sizeof(*interum));
+ curr += sizeof(*interum);
+ if (ip->ctx_len > 1)
+ memcpy(curr, interum_ctx[i], ip->ctx_len - 1);
+ curr += ip->ctx_len;
+ ip++;
+ }
+
+ if (get_user(len, size)) {
+ rc = -EFAULT;
+ goto free_out;
+ }
+ if (total_size > len) {
+ rc = -ERANGE;
+ if (put_user(total_size, size) != 0)
+ rc = -EFAULT;
+ goto free_out;
+ }
+ if (copy_to_user(ctx, final, total_size) != 0 ||
+ put_user(total_size, size) != 0)
+ rc = -EFAULT;
+ else
+ rc = count;
+
+free_out:
+ for (i = 0; i < count; i++)
+ kfree(interum_ctx[i]);
+ kfree(interum_ctx);
+ kfree(interum);
+ kfree(final);
+ return rc;
+}
--
2.39.0
On Mon, Jan 9, 2023 at 1:09 PM Casey Schaufler <[email protected]> wrote:
>
> Create a system call lsm_get_self_attr() to provide the security
> module maintained attributes of the current process. Historically
> these attributes have been exposed to user space via entries in
> procfs under /proc/self/attr.
>
> Attributes are provided as a collection of lsm_ctx structures
> which are placed into a user supplied buffer. Each structure
> identifys the size of the attribute, and the attribute value.
^^^
identifies
> The format of the attribute value is defined by the security
> module, but will always be \0 terminated. The ctx_len value
> will always be strlen(ctx)+1.
I don't want to limit ourselves to only sending string values as
attributes as who knows what we might need to do in the future, and
the struct was originally designed to support both strings and binary
data. I would suggest changing the sentences above to something like
this:
The format of the attribute value is defined by the individual LSM,
with the attribute itself stored in @ctx and the length of the
attribute stored in @ctx_len. Both strings and arbitrary binary
attributes are supported, but strings should be NULL terminated and
@ctx_len should be equal to `strlen(@ctx) + 1`.
> ---------------------------
> | __u32 id |
> ---------------------------
> | __u64 flags |
> ---------------------------
> | __kernel_size_t ctx_len |
> ---------------------------
> | __u8 ctx[ctx_len] |
> ---------------------------
> | __u32 id |
> ---------------------------
> | __u64 flags |
> ---------------------------
> | __kernel_size_t ctx_len |
> ---------------------------
> | __u8 ctx[ctx_len] |
> ---------------------------
Don't repeat the structure layout in memory twice here, it's
confusing. I also think it would be easier to read, and arguably more
useful, to simply copy the struct definition into the description
instead of the ASCII art column.
Although, this has got me wondering if we should think about aligning
the lsm_ctx structs when we are populating them in the kernel; more on
this below ...
> ---
> Documentation/userspace-api/lsm.rst | 9 ++
> include/linux/syscalls.h | 3 +
> include/uapi/linux/lsm.h | 21 ++++
> kernel/sys_ni.c | 3 +
> security/Makefile | 1 +
> security/lsm_syscalls.c | 182 ++++++++++++++++++++++++++++
> 6 files changed, 219 insertions(+)
> create mode 100644 security/lsm_syscalls.c
...
> diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
> index 33a0ee3bcb2e..a89205c70ffa 100644
> --- a/include/linux/syscalls.h
> +++ b/include/linux/syscalls.h
> @@ -71,6 +71,7 @@ struct clone_args;
> struct open_how;
> struct mount_attr;
> struct landlock_ruleset_attr;
> +struct lsm_ctx;
> enum landlock_rule_type;
>
> #include <linux/types.h>
> @@ -1058,6 +1059,8 @@ asmlinkage long sys_memfd_secret(unsigned int flags);
> asmlinkage long sys_set_mempolicy_home_node(unsigned long start, unsigned long len,
> unsigned long home_node,
> unsigned long flags);
> +asmlinkage long sys_lsm_get_self_attr(struct lsm_ctx *ctx, size_t *size,
> + int flags);
>
> /*
> * Architecture-specific system calls
> diff --git a/include/uapi/linux/lsm.h b/include/uapi/linux/lsm.h
> index 61a91b7d946f..8674d8c6b326 100644
> --- a/include/uapi/linux/lsm.h
> +++ b/include/uapi/linux/lsm.h
> @@ -9,6 +9,27 @@
> #ifndef _UAPI_LINUX_LSM_H
> #define _UAPI_LINUX_LSM_H
>
> +#include <linux/types.h>
> +#include <linux/unistd.h>
> +
> +/**
> + * struct lsm_ctx - LSM context
> + * @id: the LSM id number, see LSM_ID_XXX
As mentioned above, it occurred to me that we might want want to pad
out the lsm_ctx struct to ensure that the "array" of lsm_ctx is nicely
aligned. I know some systems used to complain about unaligned
accesses, and even on those that don't complain tend to be faster when
access are aligned. We can either implicitly align the individual
lsm_ctx structs or we can add a total length field (in addition to the
@ctx_len field) so that the padding/alignment is explicit.
Adding an explicit total length field could have some other advantages
in that it, in conjunction with the existing @flags field, would allow
an individual LSM to "extend" the lsm_ctx struct to provide additional
LSM specific information in the case where the single @ctx field was
not sufficient. Think of it as some additional future proofing in
addition to explicit padding.
> + * @flags: context specifier and LSM specific flags
* @flags: LSM specific flags
Only the individual LSM specified in @id should ever interpret @flags or @ctx.
> + * @ctx_len: the size of @ctx
> + * @ctx: the LSM context, a nul terminated string
* @ctx: the LSM context value
> + * @ctx in a nul terminated string.
> + * (strlen(@ctx) < @ctx_len) is always true.
> + * (strlen(@ctx) == @ctx_len + 1) is not guaranteed.
> + */
Let's rework the extra description too based on the comments above.
For the sake of clarity, here is what I'm currently thinking (comments
and feedback are encouraged):
/**
* struct lsm_ctx - LSM context information
* @id: the LSM ID token, see LSM_ID_XXX
* @flags: LSM specific flags
* @len: length of the lsm_ctx struct + extra (?) + padding
* @ctx_len: the size of @ctx
* @ctx: the LSM context value
*
* The @len field MUST be equal to size of the lsm_ctx struct
* plus any additional padding and/or data placed after @ctx.
*
* In all cases @ctx_len MUST be equal to length of @ctx. If
* @ctx is a string value, it should be nul terminated with
* @ctx_len equal to `strlen(@ctx) + 1`. Binary @ctx values
* are supported.
*
* The @flags and @ctx fields SHOULD only be interpreted by the
* LSM specified by @id; they MUST be set to zero/0 when not used.
*/
struct lsm_ctx {
__u32 id;
__u64 flags;
__kernel_size_t len;
__kernel_size_t ctx_len;
__u8 ctx[];
};
> diff --git a/security/lsm_syscalls.c b/security/lsm_syscalls.c
> new file mode 100644
> index 000000000000..55e8bf61ac8a
> --- /dev/null
> +++ b/security/lsm_syscalls.c
> @@ -0,0 +1,182 @@
> +// SPDX-License-Identifier: GPL-2.0-only
> +/*
> + * System calls implementing the Linux Security Module API.
> + *
> + * Copyright (C) 2022 Casey Schaufler <[email protected]>
> + * Copyright (C) 2022 Intel Corporation
> + */
> +
> +#include <asm/current.h>
> +#include <linux/compiler_types.h>
> +#include <linux/err.h>
> +#include <linux/errno.h>
> +#include <linux/security.h>
> +#include <linux/stddef.h>
> +#include <linux/syscalls.h>
> +#include <linux/types.h>
> +#include <linux/lsm_hooks.h>
> +#include <uapi/linux/lsm.h>
> +
> +struct attrs_used_map {
> + char *name;
> + int attrs_used;
Based on the usage below it really seems like @attrs_used should just
be @attr, yes? That said, I'm not too bothered by it either way so if
you really love @attrs_used that's fine.
> +};
> +
> +static const struct attrs_used_map lsm_attr_names[] = {
We can probably just call this "attr_map" right? I mean the "used"
portion is pretty inherent in the fact that we're defining a mapping
:)
> + { .name = "current", .attrs_used = LSM_ATTR_CURRENT, },
> + { .name = "exec", .attrs_used = LSM_ATTR_EXEC, },
> + { .name = "fscreate", .attrs_used = LSM_ATTR_FSCREATE, },
> + { .name = "keycreate", .attrs_used = LSM_ATTR_KEYCREATE, },
> + { .name = "prev", .attrs_used = LSM_ATTR_PREV, },
> + { .name = "sockcreate", .attrs_used = LSM_ATTR_SOCKCREATE, },
> +};
> +
> +static int attr_used_index(u32 flags)
Since you can only return one index value at a time in this function
you can't really support multiple attribute bits set in the @flags
parameter so why not change the prototype to better match the required
usage, example:
static int attr_index(u32 attr)
> +{
> + int i;
> +
> + if (flags == 0)
> + return -EINVAL;
> +
> + for (i = 0; i < ARRAY_SIZE(lsm_attr_names); i++)
> + if ((lsm_attr_names[i].attrs_used & flags) == flags)
> + return i;
Given the above, why not simplify the above test to this:
if (lsm_attr_name[i].attr == attr)
return i;
If we don't care about failing fast in the case of being passed 0 (why
would we?) we can define this function as follows:
static int attr_index(u32 attr)
{
int i;
for (i = 0; i < ARRAY_SIZE(lsm_attr_names); i++)
if (lsm_attr_names[i].attr == attr)
return i;
return -EINVAL;
}
If we wanted to streamline things even further we could define
attr_map a bit differently and drop the loop in attr_index(). Yes, it
does waste attr_map[0], but I don't think anyone is going to be too
upset about one wasted index if it scales better.
static const struct attr_map[] = {
[LSM_ATTR_CURRENT] = { .name = "current", .attr = LSM_ATTR_CURRENT },
[LSM_ATTR_EXEC] = { .name = "exec", .attr = LSM_ATTR_EXEC },
...
};
static int attr_index(u32 attr)
{
if (attr == 0 || attr >= ARRAY_SIZE(attr_map))
return -EINVAL;
return attr;
}
If you did this you could probably also convert attr_map from a struct
to a simple array of strings as the attribute value would be the
associated index.
> +/**
> + * sys_lsm_get_self_attr - Return current task's security module attributes
> + * @ctx: the LSM contexts
> + * @size: size of @ctx, updated on return
> + * @flags: which attribute to return
> + *
> + * Returns the calling task's LSM contexts. On success this
> + * function returns the number of @ctx array elements. This value
> + * may be zero if there are no LSM contexts assigned. If @size is
> + * insufficient to contain the return data -E2BIG is returned and
> + * @size is set to the minimum required size. In all other cases
> + * a negative value indicating the error is returned.
> + */
> +SYSCALL_DEFINE3(lsm_get_self_attr,
> + struct lsm_ctx __user *, ctx,
> + size_t __user *, size,
> + u32, flags)
> +{
> + int i;
> + int rc = 0;
> + int len;
> + int attr;
> + int count = 0;
> + void *curr;
> + char *cp;
> + char *np;
> + char **interum_ctx;
> + size_t total_size = 0;
> + struct lsm_ctx *ip;
> + struct lsm_ctx *interum;
> + struct lsm_ctx *final = NULL;
> +
> + attr = attr_used_index(flags);
> + if (attr < 0)
> + return attr;
> +
> + interum = kzalloc(ARRAY_SIZE(lsm_attr_names) * lsm_active_cnt *
> + sizeof(*interum), GFP_KERNEL);
> + if (interum == NULL)
> + return -ENOMEM;
> + ip = interum;
> +
> + interum_ctx = kzalloc(ARRAY_SIZE(lsm_attr_names) * lsm_active_cnt *
> + sizeof(*interum_ctx), GFP_KERNEL);
> + if (interum_ctx == NULL) {
> + kfree(interum);
> + return -ENOMEM;
> + }
> +
> + for (i = 0; i < lsm_active_cnt; i++) {
> + if ((lsm_idlist[i]->attrs_used &
> + lsm_attr_names[attr].attrs_used) == 0)
> + continue;
> +
> + len = security_getprocattr(current, lsm_idlist[i]->id,
> + lsm_attr_names[attr].name,
> + &cp);
> + if (len <= 0)
> + continue;
> +
> + ip->id = lsm_idlist[i]->id;
> + ip->flags = lsm_attr_names[attr].attrs_used;
> + interum_ctx[count] = cp;
> +
> + /*
> + * A security module that returns a binary attribute
> + * will need to identify itself to prevent string
> + * processing.
> + *
> + * At least one security module adds a \n at the
> + * end of a context to make it look nicer. Change
> + * that to a \0 so that user space doesn't have to
> + * work around it.
> + *
> + * Security modules have been inconsistent about
> + * including the \0 terminator in the size. If it's
> + * not there make space for it.
> + *
> + * The length returned will reflect the length of
> + * the string provided by the security module, which
> + * may not match what getprocattr returned.
> + */
> + np = strnchr(cp, len, '\n');
> + if (np != NULL)
> + *np = '\0';
> + ip->ctx_len = strnlen(cp, len) + 1;
> + total_size += sizeof(*interum) + ip->ctx_len;
> + ip++;
> + count++;
> + }
> +
> + if (count == 0)
> + goto free_out;
> +
> + final = kzalloc(total_size, GFP_KERNEL);
> + if (final == NULL) {
> + rc = -ENOMEM;
> + goto free_out;
> + }
> +
> + curr = final;
> + ip = interum;
> + for (i = 0; i < count; i++) {
> + memcpy(curr, ip, sizeof(*interum));
> + curr += sizeof(*interum);
> + if (ip->ctx_len > 1)
> + memcpy(curr, interum_ctx[i], ip->ctx_len - 1);
> + curr += ip->ctx_len;
> + ip++;
> + }
> +
> + if (get_user(len, size)) {
> + rc = -EFAULT;
> + goto free_out;
> + }
> + if (total_size > len) {
> + rc = -ERANGE;
> + if (put_user(total_size, size) != 0)
> + rc = -EFAULT;
> + goto free_out;
> + }
> + if (copy_to_user(ctx, final, total_size) != 0 ||
> + put_user(total_size, size) != 0)
> + rc = -EFAULT;
> + else
> + rc = count;
> +
> +free_out:
> + for (i = 0; i < count; i++)
> + kfree(interum_ctx[i]);
> + kfree(interum_ctx);
> + kfree(interum);
> + kfree(final);
> + return rc;
> +}
Hmm. That's all kinda painful isn't it? I think trying to reuse
security_getprocattr() is doing more harm than good with all the
awkward handling necessary to ensure consistent output. While it's
nice to be able to reuse existing interfaces, one of the main
motivations behind the LSM syscall effort is to create a cleaner
interface that was designed from the beginning to support multiple
LSMs and provide a level of extensibility that we do not currently
have with the procfs interface. Hacking together all our old crap to
make this happen seems very wrong to me.
With that in mind I would like to propose we introduce a new LSM hook
to populate a lsm_ctx struct based on a LSM_ATTR_XXX value:
int security_sys_getselfattr(u64 attr, struct lsm_ctx __user *ctx,
size_t *len);
The individual LSMs would be responsible for fully populating their
lsm_ctx struct specified by @ctx (note the __user tagging) and would
return 0 on success or negative values on failure. The maximum size
of the @ctx buffer would be passed in via @len and the used size would
be returned in @len; in the case of an too-small @ctx, -E2BIG would be
returned and the necessary size would be returned in @len (just as
discussed for the syscall itself). This way the LSM layer syscall
function would not need to worry about properly terminating the
lsm_ctx::ctx field, setting any LSM specific flags, etc. Passing the
__user pointer directly not only greatly simplifies the LSM layer, it
also has the potential to reduce the number of allocations/copies.
Taking this approach should shrink the LSM layer syscall function to
simply needing to validate the passed @flags before looping through
the LSMs calling security_sys_getselfattr(). The lsm_ctx pointer
would need to be incremented appropriately for each call, and a total
length/size count would need to be maintained in case the buffer is
too small, but those should be relatively minor things.
--
paul-moore.com
On 1/11/2023 1:07 PM, Paul Moore wrote:
> On Mon, Jan 9, 2023 at 1:09 PM Casey Schaufler <[email protected]> wrote:
>> Create a system call lsm_get_self_attr() to provide the security
>> module maintained attributes of the current process. Historically
>> these attributes have been exposed to user space via entries in
>> procfs under /proc/self/attr.
>>
>> Attributes are provided as a collection of lsm_ctx structures
>> which are placed into a user supplied buffer. Each structure
>> identifys the size of the attribute, and the attribute value.
> ^^^
> identifies
Pluralses are hard in the vicinity of 'y's. ;)
>> The format of the attribute value is defined by the security
>> module, but will always be \0 terminated. The ctx_len value
>> will always be strlen(ctx)+1.
> I don't want to limit ourselves to only sending string values as
> attributes as who knows what we might need to do in the future, and
> the struct was originally designed to support both strings and binary
> data. I would suggest changing the sentences above to something like
> this:
Part of creating a sane and sensible API is setting rational limitations.
While a "context" has always allowed for a binary value it has always
been a user friendly, nul terminated string. The one case where someone
proposed otherwise was my "hideous" format for compound contexts, and we
know how well that was received. If we're serious about cleaning up our
API let's quit bending over to support something no one is using and that
we'd prefer they didn't.
That's my preference. Is there anyone who wants a binary interface, or any
really good reason to provide one? I'm not going to stand fast on a strings
only interface, but it would make it significantly cleaner if we had one.
>
> The format of the attribute value is defined by the individual LSM,
> with the attribute itself stored in @ctx and the length of the
> attribute stored in @ctx_len. Both strings and arbitrary binary
> attributes are supported, but strings should be NULL terminated and
> @ctx_len should be equal to `strlen(@ctx) + 1`.
>
>> ---------------------------
>> | __u32 id |
>> ---------------------------
>> | __u64 flags |
>> ---------------------------
>> | __kernel_size_t ctx_len |
>> ---------------------------
>> | __u8 ctx[ctx_len] |
>> ---------------------------
>> | __u32 id |
>> ---------------------------
>> | __u64 flags |
>> ---------------------------
>> | __kernel_size_t ctx_len |
>> ---------------------------
>> | __u8 ctx[ctx_len] |
>> ---------------------------
> Don't repeat the structure layout in memory twice here, it's
> confusing. I also think it would be easier to read, and arguably more
> useful, to simply copy the struct definition into the description
> instead of the ASCII art column.
OK on both.
> Although, this has got me wondering if we should think about aligning
> the lsm_ctx structs when we are populating them in the kernel; more on
> this below ...
As you say below, we'll need a total_len for this, but OK.
>> ---
>> Documentation/userspace-api/lsm.rst | 9 ++
>> include/linux/syscalls.h | 3 +
>> include/uapi/linux/lsm.h | 21 ++++
>> kernel/sys_ni.c | 3 +
>> security/Makefile | 1 +
>> security/lsm_syscalls.c | 182 ++++++++++++++++++++++++++++
>> 6 files changed, 219 insertions(+)
>> create mode 100644 security/lsm_syscalls.c
> ..
>
>> diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
>> index 33a0ee3bcb2e..a89205c70ffa 100644
>> --- a/include/linux/syscalls.h
>> +++ b/include/linux/syscalls.h
>> @@ -71,6 +71,7 @@ struct clone_args;
>> struct open_how;
>> struct mount_attr;
>> struct landlock_ruleset_attr;
>> +struct lsm_ctx;
>> enum landlock_rule_type;
>>
>> #include <linux/types.h>
>> @@ -1058,6 +1059,8 @@ asmlinkage long sys_memfd_secret(unsigned int flags);
>> asmlinkage long sys_set_mempolicy_home_node(unsigned long start, unsigned long len,
>> unsigned long home_node,
>> unsigned long flags);
>> +asmlinkage long sys_lsm_get_self_attr(struct lsm_ctx *ctx, size_t *size,
>> + int flags);
>>
>> /*
>> * Architecture-specific system calls
>> diff --git a/include/uapi/linux/lsm.h b/include/uapi/linux/lsm.h
>> index 61a91b7d946f..8674d8c6b326 100644
>> --- a/include/uapi/linux/lsm.h
>> +++ b/include/uapi/linux/lsm.h
>> @@ -9,6 +9,27 @@
>> #ifndef _UAPI_LINUX_LSM_H
>> #define _UAPI_LINUX_LSM_H
>>
>> +#include <linux/types.h>
>> +#include <linux/unistd.h>
>> +
>> +/**
>> + * struct lsm_ctx - LSM context
>> + * @id: the LSM id number, see LSM_ID_XXX
> As mentioned above, it occurred to me that we might want want to pad
> out the lsm_ctx struct to ensure that the "array" of lsm_ctx is nicely
> aligned. I know some systems used to complain about unaligned
> accesses, and even on those that don't complain tend to be faster when
> access are aligned. We can either implicitly align the individual
> lsm_ctx structs or we can add a total length field (in addition to the
> @ctx_len field) so that the padding/alignment is explicit.
>
> Adding an explicit total length field could have some other advantages
> in that it, in conjunction with the existing @flags field, would allow
> an individual LSM to "extend" the lsm_ctx struct to provide additional
> LSM specific information in the case where the single @ctx field was
> not sufficient. Think of it as some additional future proofing in
> addition to explicit padding.
I'm not sure whether to call it future proofing or confusion assurance,
and I certainly wouldn't encourage such use. On the other hand, I wouldn't
let that get in the way of the performant aligned interface, so I'm good
with the len field in addition to the ctx_len.
>> + * @flags: context specifier and LSM specific flags
> * @flags: LSM specific flags
>
> Only the individual LSM specified in @id should ever interpret @flags or @ctx.
Sure.
>> + * @ctx_len: the size of @ctx
>> + * @ctx: the LSM context, a nul terminated string
> * @ctx: the LSM context value
As above, I would like to make this a string. I won't fight over it however.
>> + * @ctx in a nul terminated string.
>> + * (strlen(@ctx) < @ctx_len) is always true.
>> + * (strlen(@ctx) == @ctx_len + 1) is not guaranteed.
>> + */
> Let's rework the extra description too based on the comments above.
> For the sake of clarity, here is what I'm currently thinking (comments
> and feedback are encouraged):
>
> /**
> * struct lsm_ctx - LSM context information
> * @id: the LSM ID token, see LSM_ID_XXX
> * @flags: LSM specific flags
> * @len: length of the lsm_ctx struct + extra (?) + padding
> * @ctx_len: the size of @ctx
> * @ctx: the LSM context value
> *
> * The @len field MUST be equal to size of the lsm_ctx struct
> * plus any additional padding and/or data placed after @ctx.
> *
> * In all cases @ctx_len MUST be equal to length of @ctx. If
> * @ctx is a string value, it should be nul terminated with
> * @ctx_len equal to `strlen(@ctx) + 1`. Binary @ctx values
> * are supported.
> *
> * The @flags and @ctx fields SHOULD only be interpreted by the
> * LSM specified by @id; they MUST be set to zero/0 when not used.
> */
> struct lsm_ctx {
> __u32 id;
> __u64 flags;
> __kernel_size_t len;
> __kernel_size_t ctx_len;
> __u8 ctx[];
> };
Yes, if there's a convincing argument for binary values.
>> diff --git a/security/lsm_syscalls.c b/security/lsm_syscalls.c
>> new file mode 100644
>> index 000000000000..55e8bf61ac8a
>> --- /dev/null
>> +++ b/security/lsm_syscalls.c
>> @@ -0,0 +1,182 @@
>> +// SPDX-License-Identifier: GPL-2.0-only
>> +/*
>> + * System calls implementing the Linux Security Module API.
>> + *
>> + * Copyright (C) 2022 Casey Schaufler <[email protected]>
>> + * Copyright (C) 2022 Intel Corporation
>> + */
>> +
>> +#include <asm/current.h>
>> +#include <linux/compiler_types.h>
>> +#include <linux/err.h>
>> +#include <linux/errno.h>
>> +#include <linux/security.h>
>> +#include <linux/stddef.h>
>> +#include <linux/syscalls.h>
>> +#include <linux/types.h>
>> +#include <linux/lsm_hooks.h>
>> +#include <uapi/linux/lsm.h>
>> +
>> +struct attrs_used_map {
>> + char *name;
>> + int attrs_used;
> Based on the usage below it really seems like @attrs_used should just
> be @attr, yes? That said, I'm not too bothered by it either way so if
> you really love @attrs_used that's fine.
Potato - Potatoe - Seeing the same field name in different structs at
the same time gives me a headache, but I'm not going to quibble.
>> +};
>> +
>> +static const struct attrs_used_map lsm_attr_names[] = {
> We can probably just call this "attr_map" right? I mean the "used"
> portion is pretty inherent in the fact that we're defining a mapping
> :)
Sure.
>> + { .name = "current", .attrs_used = LSM_ATTR_CURRENT, },
>> + { .name = "exec", .attrs_used = LSM_ATTR_EXEC, },
>> + { .name = "fscreate", .attrs_used = LSM_ATTR_FSCREATE, },
>> + { .name = "keycreate", .attrs_used = LSM_ATTR_KEYCREATE, },
>> + { .name = "prev", .attrs_used = LSM_ATTR_PREV, },
>> + { .name = "sockcreate", .attrs_used = LSM_ATTR_SOCKCREATE, },
>> +};
>> +
>> +static int attr_used_index(u32 flags)
> Since you can only return one index value at a time in this function
> you can't really support multiple attribute bits set in the @flags
> parameter so why not change the prototype to better match the required
> usage, example:
>
> static int attr_index(u32 attr)
>
>> +{
>> + int i;
>> +
>> + if (flags == 0)
>> + return -EINVAL;
>> +
>> + for (i = 0; i < ARRAY_SIZE(lsm_attr_names); i++)
>> + if ((lsm_attr_names[i].attrs_used & flags) == flags)
>> + return i;
> Given the above, why not simplify the above test to this:
>
> if (lsm_attr_name[i].attr == attr)
> return i;
That won't work in the case where an LSM supports more than one attribute.
>
> If we don't care about failing fast in the case of being passed 0 (why
> would we?) we can define this function as follows:
>
> static int attr_index(u32 attr)
> {
> int i;
> for (i = 0; i < ARRAY_SIZE(lsm_attr_names); i++)
> if (lsm_attr_names[i].attr == attr)
> return i;
> return -EINVAL;
> }
>
> If we wanted to streamline things even further we could define
> attr_map a bit differently and drop the loop in attr_index(). Yes, it
> does waste attr_map[0], but I don't think anyone is going to be too
> upset about one wasted index if it scales better.
>
> static const struct attr_map[] = {
> [LSM_ATTR_CURRENT] = { .name = "current", .attr = LSM_ATTR_CURRENT },
> [LSM_ATTR_EXEC] = { .name = "exec", .attr = LSM_ATTR_EXEC },
> ...
> };
>
> static int attr_index(u32 attr)
> {
> if (attr == 0 || attr >= ARRAY_SIZE(attr_map))
> return -EINVAL;
> return attr;
> }
>
> If you did this you could probably also convert attr_map from a struct
> to a simple array of strings as the attribute value would be the
> associated index.
>
>> +/**
>> + * sys_lsm_get_self_attr - Return current task's security module attributes
>> + * @ctx: the LSM contexts
>> + * @size: size of @ctx, updated on return
>> + * @flags: which attribute to return
>> + *
>> + * Returns the calling task's LSM contexts. On success this
>> + * function returns the number of @ctx array elements. This value
>> + * may be zero if there are no LSM contexts assigned. If @size is
>> + * insufficient to contain the return data -E2BIG is returned and
>> + * @size is set to the minimum required size. In all other cases
>> + * a negative value indicating the error is returned.
>> + */
>> +SYSCALL_DEFINE3(lsm_get_self_attr,
>> + struct lsm_ctx __user *, ctx,
>> + size_t __user *, size,
>> + u32, flags)
>> +{
>> + int i;
>> + int rc = 0;
>> + int len;
>> + int attr;
>> + int count = 0;
>> + void *curr;
>> + char *cp;
>> + char *np;
>> + char **interum_ctx;
>> + size_t total_size = 0;
>> + struct lsm_ctx *ip;
>> + struct lsm_ctx *interum;
>> + struct lsm_ctx *final = NULL;
>> +
>> + attr = attr_used_index(flags);
>> + if (attr < 0)
>> + return attr;
>> +
>> + interum = kzalloc(ARRAY_SIZE(lsm_attr_names) * lsm_active_cnt *
>> + sizeof(*interum), GFP_KERNEL);
>> + if (interum == NULL)
>> + return -ENOMEM;
>> + ip = interum;
>> +
>> + interum_ctx = kzalloc(ARRAY_SIZE(lsm_attr_names) * lsm_active_cnt *
>> + sizeof(*interum_ctx), GFP_KERNEL);
>> + if (interum_ctx == NULL) {
>> + kfree(interum);
>> + return -ENOMEM;
>> + }
>> +
>> + for (i = 0; i < lsm_active_cnt; i++) {
>> + if ((lsm_idlist[i]->attrs_used &
>> + lsm_attr_names[attr].attrs_used) == 0)
>> + continue;
>> +
>> + len = security_getprocattr(current, lsm_idlist[i]->id,
>> + lsm_attr_names[attr].name,
>> + &cp);
>> + if (len <= 0)
>> + continue;
>> +
>> + ip->id = lsm_idlist[i]->id;
>> + ip->flags = lsm_attr_names[attr].attrs_used;
>> + interum_ctx[count] = cp;
>> +
>> + /*
>> + * A security module that returns a binary attribute
>> + * will need to identify itself to prevent string
>> + * processing.
>> + *
>> + * At least one security module adds a \n at the
>> + * end of a context to make it look nicer. Change
>> + * that to a \0 so that user space doesn't have to
>> + * work around it.
>> + *
>> + * Security modules have been inconsistent about
>> + * including the \0 terminator in the size. If it's
>> + * not there make space for it.
>> + *
>> + * The length returned will reflect the length of
>> + * the string provided by the security module, which
>> + * may not match what getprocattr returned.
>> + */
>> + np = strnchr(cp, len, '\n');
>> + if (np != NULL)
>> + *np = '\0';
>> + ip->ctx_len = strnlen(cp, len) + 1;
>> + total_size += sizeof(*interum) + ip->ctx_len;
>> + ip++;
>> + count++;
>> + }
>> +
>> + if (count == 0)
>> + goto free_out;
>> +
>> + final = kzalloc(total_size, GFP_KERNEL);
>> + if (final == NULL) {
>> + rc = -ENOMEM;
>> + goto free_out;
>> + }
>> +
>> + curr = final;
>> + ip = interum;
>> + for (i = 0; i < count; i++) {
>> + memcpy(curr, ip, sizeof(*interum));
>> + curr += sizeof(*interum);
>> + if (ip->ctx_len > 1)
>> + memcpy(curr, interum_ctx[i], ip->ctx_len - 1);
>> + curr += ip->ctx_len;
>> + ip++;
>> + }
>> +
>> + if (get_user(len, size)) {
>> + rc = -EFAULT;
>> + goto free_out;
>> + }
>> + if (total_size > len) {
>> + rc = -ERANGE;
>> + if (put_user(total_size, size) != 0)
>> + rc = -EFAULT;
>> + goto free_out;
>> + }
>> + if (copy_to_user(ctx, final, total_size) != 0 ||
>> + put_user(total_size, size) != 0)
>> + rc = -EFAULT;
>> + else
>> + rc = count;
>> +
>> +free_out:
>> + for (i = 0; i < count; i++)
>> + kfree(interum_ctx[i]);
>> + kfree(interum_ctx);
>> + kfree(interum);
>> + kfree(final);
>> + return rc;
>> +}
> Hmm. That's all kinda painful isn't it?
It's not so bad as all that. Well, maybe.
> I think trying to reuse
> security_getprocattr() is doing more harm than good with all the
> awkward handling necessary to ensure consistent output. While it's
> nice to be able to reuse existing interfaces, one of the main
> motivations behind the LSM syscall effort is to create a cleaner
> interface that was designed from the beginning to support multiple
> LSMs and provide a level of extensibility that we do not currently
> have with the procfs interface. Hacking together all our old crap to
> make this happen seems very wrong to me.
>
> With that in mind I would like to propose we introduce a new LSM hook
> to populate a lsm_ctx struct based on a LSM_ATTR_XXX value:
>
> int security_sys_getselfattr(u64 attr, struct lsm_ctx __user *ctx,
> size_t *len);
>
> The individual LSMs would be responsible for fully populating their
> lsm_ctx struct specified by @ctx (note the __user tagging) and would
> return 0 on success or negative values on failure. The maximum size
> of the @ctx buffer would be passed in via @len and the used size would
> be returned in @len; in the case of an too-small @ctx, -E2BIG would be
> returned and the necessary size would be returned in @len (just as
> discussed for the syscall itself). This way the LSM layer syscall
> function would not need to worry about properly terminating the
> lsm_ctx::ctx field, setting any LSM specific flags, etc. Passing the
> __user pointer directly not only greatly simplifies the LSM layer, it
> also has the potential to reduce the number of allocations/copies.
That's going to be a lot of duplicate code to add to each LSM. Yes,
we can do that, but I don't see it as any cleaner.
> Taking this approach should shrink the LSM layer syscall function to
> simply needing to validate the passed @flags before looping through
> the LSMs calling security_sys_getselfattr(). The lsm_ctx pointer
> would need to be incremented appropriately for each call, and a total
> length/size count would need to be maintained in case the buffer is
> too small, but those should be relatively minor things.
I think this pushed the complexity downward. If we only had one LSM
it would be a wash. With each LSM having to provide this we're multiplying
the complexity rather than reducing it.
But again, I'll listen to reason.
>
> --
> paul-moore.com
On Mon, Jan 9, 2023, at 19:07, Casey Schaufler wrote:
> +/**
> + * struct lsm_ctx - LSM context
> + * @id: the LSM id number, see LSM_ID_XXX
> + * @flags: context specifier and LSM specific flags
> + * @ctx_len: the size of @ctx
> + * @ctx: the LSM context, a nul terminated string
> + *
> + * @ctx in a nul terminated string.
> + * (strlen(@ctx) < @ctx_len) is always true.
> + * (strlen(@ctx) == @ctx_len + 1) is not guaranteed.
> + */
> +struct lsm_ctx {
> + __u32 id;
> + __u64 flags;
> + __kernel_size_t ctx_len;
> + __u8 ctx[];
> +};
I think this should be changed to be the same layout on
all architectures regardless of __u64 alignment and
sizeof(__kernel_size_t) differences, to avoid the need
for compat syscalls and explicit clearing of the
internal padding.
Maybe just use __u64 fields for all three integers?
Arnd
On Thu, Jan 12, 2023 at 9:40 AM Arnd Bergmann <[email protected]> wrote:
> On Mon, Jan 9, 2023, at 19:07, Casey Schaufler wrote:
> > +/**
> > + * struct lsm_ctx - LSM context
> > + * @id: the LSM id number, see LSM_ID_XXX
> > + * @flags: context specifier and LSM specific flags
> > + * @ctx_len: the size of @ctx
> > + * @ctx: the LSM context, a nul terminated string
> > + *
> > + * @ctx in a nul terminated string.
> > + * (strlen(@ctx) < @ctx_len) is always true.
> > + * (strlen(@ctx) == @ctx_len + 1) is not guaranteed.
> > + */
> > +struct lsm_ctx {
> > + __u32 id;
> > + __u64 flags;
> > + __kernel_size_t ctx_len;
> > + __u8 ctx[];
> > +};
>
> I think this should be changed to be the same layout on
> all architectures regardless of __u64 alignment and
> sizeof(__kernel_size_t) differences, to avoid the need
> for compat syscalls and explicit clearing of the
> internal padding.
>
> Maybe just use __u64 fields for all three integers?
I have no problem with that ... the ctx[] field is variable length
anyway so keeping it as a __u8 should be fine.
--
paul-moore.com
On Wed, Jan 11, 2023 at 8:37 PM Casey Schaufler <[email protected]> wrote:
> On 1/11/2023 1:07 PM, Paul Moore wrote:
> > On Mon, Jan 9, 2023 at 1:09 PM Casey Schaufler <[email protected]> wrote:
> >> Create a system call lsm_get_self_attr() to provide the security
> >> module maintained attributes of the current process. Historically
> >> these attributes have been exposed to user space via entries in
> >> procfs under /proc/self/attr.
> >>
> >> Attributes are provided as a collection of lsm_ctx structures
> >> which are placed into a user supplied buffer. Each structure
> >> identifys the size of the attribute, and the attribute value.
> > ^^^
> > identifies
>
> Pluralses are hard in the vicinity of 'y's. ;)
>
> >> The format of the attribute value is defined by the security
> >> module, but will always be \0 terminated. The ctx_len value
> >> will always be strlen(ctx)+1.
> > I don't want to limit ourselves to only sending string values as
> > attributes as who knows what we might need to do in the future, and
> > the struct was originally designed to support both strings and binary
> > data. I would suggest changing the sentences above to something like
> > this:
>
> Part of creating a sane and sensible API is setting rational limitations.
> While a "context" has always allowed for a binary value it has always
> been a user friendly, nul terminated string. The one case where someone
> proposed otherwise was my "hideous" format for compound contexts, and we
> know how well that was received. If we're serious about cleaning up our
> API let's quit bending over to support something no one is using and that
> we'd prefer they didn't.
I agree that I'm in no rush to move away from a simple string format
for context values, but as we are at a unique point in time where we
get to define a new API I think it is important to ensure that it has
enough flexibility to endure whatever changes might come along in the
next 10~20 years. I mean ~20 years ago we only had one LSM and the
concept of containers/namespaces in the kernel was just a fringe
concept (if at all!).
I think it's also important to remember that we still review code
around here, and just because the struct has the necessary provisions
to *support* a binary context, it doesn't mean we are going to allow
it to be used that way without a lot of discussion first. Any move to
a binary format would have to be done in a way that doesn't break
existing applications which would likely mean either a secondary LSM
ID for those LSMs which provided a new format, a new LSM specific
flag, and in the most extreme case a LSM specific override tacked to
the end of the struct after the ctx field (possible since we now have
the total length field).
> That's my preference. Is there anyone who wants a binary interface, or any
> really good reason to provide one? I'm not going to stand fast on a strings
> only interface, but it would make it significantly cleaner if we had one.
It's not about needing or even wanting it right now, it's about
keeping it as a possible option for some point in the future when we
might need it.
> > The format of the attribute value is defined by the individual LSM,
> > with the attribute itself stored in @ctx and the length of the
> > attribute stored in @ctx_len. Both strings and arbitrary binary
> > attributes are supported, but strings should be NULL terminated and
> > @ctx_len should be equal to `strlen(@ctx) + 1`.
> >
> >> ---------------------------
> >> | __u32 id |
> >> ---------------------------
> >> | __u64 flags |
> >> ---------------------------
> >> | __kernel_size_t ctx_len |
> >> ---------------------------
> >> | __u8 ctx[ctx_len] |
> >> ---------------------------
> >> | __u32 id |
> >> ---------------------------
> >> | __u64 flags |
> >> ---------------------------
> >> | __kernel_size_t ctx_len |
> >> ---------------------------
> >> | __u8 ctx[ctx_len] |
> >> ---------------------------
> > Don't repeat the structure layout in memory twice here, it's
> > confusing. I also think it would be easier to read, and arguably more
> > useful, to simply copy the struct definition into the description
> > instead of the ASCII art column.
>
> OK on both.
>
> > Although, this has got me wondering if we should think about aligning
> > the lsm_ctx structs when we are populating them in the kernel; more on
> > this below ...
>
> As you say below, we'll need a total_len for this, but OK.
>
>
> >> ---
> >> Documentation/userspace-api/lsm.rst | 9 ++
> >> include/linux/syscalls.h | 3 +
> >> include/uapi/linux/lsm.h | 21 ++++
> >> kernel/sys_ni.c | 3 +
> >> security/Makefile | 1 +
> >> security/lsm_syscalls.c | 182 ++++++++++++++++++++++++++++
> >> 6 files changed, 219 insertions(+)
> >> create mode 100644 security/lsm_syscalls.c
> > ..
> >
> >> diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
> >> index 33a0ee3bcb2e..a89205c70ffa 100644
> >> --- a/include/linux/syscalls.h
> >> +++ b/include/linux/syscalls.h
> >> @@ -71,6 +71,7 @@ struct clone_args;
> >> struct open_how;
> >> struct mount_attr;
> >> struct landlock_ruleset_attr;
> >> +struct lsm_ctx;
> >> enum landlock_rule_type;
> >>
> >> #include <linux/types.h>
> >> @@ -1058,6 +1059,8 @@ asmlinkage long sys_memfd_secret(unsigned int flags);
> >> asmlinkage long sys_set_mempolicy_home_node(unsigned long start, unsigned long len,
> >> unsigned long home_node,
> >> unsigned long flags);
> >> +asmlinkage long sys_lsm_get_self_attr(struct lsm_ctx *ctx, size_t *size,
> >> + int flags);
> >>
> >> /*
> >> * Architecture-specific system calls
> >> diff --git a/include/uapi/linux/lsm.h b/include/uapi/linux/lsm.h
> >> index 61a91b7d946f..8674d8c6b326 100644
> >> --- a/include/uapi/linux/lsm.h
> >> +++ b/include/uapi/linux/lsm.h
> >> @@ -9,6 +9,27 @@
> >> #ifndef _UAPI_LINUX_LSM_H
> >> #define _UAPI_LINUX_LSM_H
> >>
> >> +#include <linux/types.h>
> >> +#include <linux/unistd.h>
> >> +
> >> +/**
> >> + * struct lsm_ctx - LSM context
> >> + * @id: the LSM id number, see LSM_ID_XXX
> > As mentioned above, it occurred to me that we might want want to pad
> > out the lsm_ctx struct to ensure that the "array" of lsm_ctx is nicely
> > aligned. I know some systems used to complain about unaligned
> > accesses, and even on those that don't complain tend to be faster when
> > access are aligned. We can either implicitly align the individual
> > lsm_ctx structs or we can add a total length field (in addition to the
> > @ctx_len field) so that the padding/alignment is explicit.
> >
> > Adding an explicit total length field could have some other advantages
> > in that it, in conjunction with the existing @flags field, would allow
> > an individual LSM to "extend" the lsm_ctx struct to provide additional
> > LSM specific information in the case where the single @ctx field was
> > not sufficient. Think of it as some additional future proofing in
> > addition to explicit padding.
>
> I'm not sure whether to call it future proofing or confusion assurance,
> and I certainly wouldn't encourage such use. On the other hand, I wouldn't
> let that get in the way of the performant aligned interface, so I'm good
> with the len field in addition to the ctx_len.
Whatever you want to call it is fine by me. The more I think about
it, the more I think this will be important to have.
> >> + * @flags: context specifier and LSM specific flags
> > * @flags: LSM specific flags
> >
> > Only the individual LSM specified in @id should ever interpret @flags or @ctx.
>
> Sure.
>
> >> + * @ctx_len: the size of @ctx
> >> + * @ctx: the LSM context, a nul terminated string
> > * @ctx: the LSM context value
>
> As above, I would like to make this a string. I won't fight over it however.
>
> >> + * @ctx in a nul terminated string.
> >> + * (strlen(@ctx) < @ctx_len) is always true.
> >> + * (strlen(@ctx) == @ctx_len + 1) is not guaranteed.
> >> + */
> > Let's rework the extra description too based on the comments above.
> > For the sake of clarity, here is what I'm currently thinking (comments
> > and feedback are encouraged):
> >
> > /**
> > * struct lsm_ctx - LSM context information
> > * @id: the LSM ID token, see LSM_ID_XXX
> > * @flags: LSM specific flags
> > * @len: length of the lsm_ctx struct + extra (?) + padding
> > * @ctx_len: the size of @ctx
> > * @ctx: the LSM context value
> > *
> > * The @len field MUST be equal to size of the lsm_ctx struct
> > * plus any additional padding and/or data placed after @ctx.
> > *
> > * In all cases @ctx_len MUST be equal to length of @ctx. If
> > * @ctx is a string value, it should be nul terminated with
> > * @ctx_len equal to `strlen(@ctx) + 1`. Binary @ctx values
> > * are supported.
> > *
> > * The @flags and @ctx fields SHOULD only be interpreted by the
> > * LSM specified by @id; they MUST be set to zero/0 when not used.
> > */
> > struct lsm_ctx {
> > __u32 id;
> > __u64 flags;
> > __kernel_size_t len;
> > __kernel_size_t ctx_len;
> > __u8 ctx[];
> > };
>
> Yes, if there's a convincing argument for binary values.
>
> >> diff --git a/security/lsm_syscalls.c b/security/lsm_syscalls.c
> >> new file mode 100644
> >> index 000000000000..55e8bf61ac8a
> >> --- /dev/null
> >> +++ b/security/lsm_syscalls.c
> >> @@ -0,0 +1,182 @@
> >> +// SPDX-License-Identifier: GPL-2.0-only
> >> +/*
> >> + * System calls implementing the Linux Security Module API.
> >> + *
> >> + * Copyright (C) 2022 Casey Schaufler <[email protected]>
> >> + * Copyright (C) 2022 Intel Corporation
> >> + */
> >> +
> >> +#include <asm/current.h>
> >> +#include <linux/compiler_types.h>
> >> +#include <linux/err.h>
> >> +#include <linux/errno.h>
> >> +#include <linux/security.h>
> >> +#include <linux/stddef.h>
> >> +#include <linux/syscalls.h>
> >> +#include <linux/types.h>
> >> +#include <linux/lsm_hooks.h>
> >> +#include <uapi/linux/lsm.h>
> >> +
> >> +struct attrs_used_map {
> >> + char *name;
> >> + int attrs_used;
> > Based on the usage below it really seems like @attrs_used should just
> > be @attr, yes? That said, I'm not too bothered by it either way so if
> > you really love @attrs_used that's fine.
>
> Potato - Potatoe - Seeing the same field name in different structs at
> the same time gives me a headache, but I'm not going to quibble.
>
>
> >> +};
> >> +
> >> +static const struct attrs_used_map lsm_attr_names[] = {
> > We can probably just call this "attr_map" right? I mean the "used"
> > portion is pretty inherent in the fact that we're defining a mapping
> > :)
>
> Sure.
>
>
> >> + { .name = "current", .attrs_used = LSM_ATTR_CURRENT, },
> >> + { .name = "exec", .attrs_used = LSM_ATTR_EXEC, },
> >> + { .name = "fscreate", .attrs_used = LSM_ATTR_FSCREATE, },
> >> + { .name = "keycreate", .attrs_used = LSM_ATTR_KEYCREATE, },
> >> + { .name = "prev", .attrs_used = LSM_ATTR_PREV, },
> >> + { .name = "sockcreate", .attrs_used = LSM_ATTR_SOCKCREATE, },
> >> +};
> >> +
> >> +static int attr_used_index(u32 flags)
> > Since you can only return one index value at a time in this function
> > you can't really support multiple attribute bits set in the @flags
> > parameter so why not change the prototype to better match the required
> > usage, example:
> >
> > static int attr_index(u32 attr)
> >
> >> +{
> >> + int i;
> >> +
> >> + if (flags == 0)
> >> + return -EINVAL;
> >> +
> >> + for (i = 0; i < ARRAY_SIZE(lsm_attr_names); i++)
> >> + if ((lsm_attr_names[i].attrs_used & flags) == flags)
> >> + return i;
> > Given the above, why not simplify the above test to this:
> >
> > if (lsm_attr_name[i].attr == attr)
> > return i;
>
> That won't work in the case where an LSM supports more than one attribute.
>
> >
> > If we don't care about failing fast in the case of being passed 0 (why
> > would we?) we can define this function as follows:
> >
> > static int attr_index(u32 attr)
> > {
> > int i;
> > for (i = 0; i < ARRAY_SIZE(lsm_attr_names); i++)
> > if (lsm_attr_names[i].attr == attr)
> > return i;
> > return -EINVAL;
> > }
> >
> > If we wanted to streamline things even further we could define
> > attr_map a bit differently and drop the loop in attr_index(). Yes, it
> > does waste attr_map[0], but I don't think anyone is going to be too
> > upset about one wasted index if it scales better.
> >
> > static const struct attr_map[] = {
> > [LSM_ATTR_CURRENT] = { .name = "current", .attr = LSM_ATTR_CURRENT },
> > [LSM_ATTR_EXEC] = { .name = "exec", .attr = LSM_ATTR_EXEC },
> > ...
> > };
> >
> > static int attr_index(u32 attr)
> > {
> > if (attr == 0 || attr >= ARRAY_SIZE(attr_map))
> > return -EINVAL;
> > return attr;
> > }
> >
> > If you did this you could probably also convert attr_map from a struct
> > to a simple array of strings as the attribute value would be the
> > associated index.
> >
> >> +/**
> >> + * sys_lsm_get_self_attr - Return current task's security module attributes
> >> + * @ctx: the LSM contexts
> >> + * @size: size of @ctx, updated on return
> >> + * @flags: which attribute to return
> >> + *
> >> + * Returns the calling task's LSM contexts. On success this
> >> + * function returns the number of @ctx array elements. This value
> >> + * may be zero if there are no LSM contexts assigned. If @size is
> >> + * insufficient to contain the return data -E2BIG is returned and
> >> + * @size is set to the minimum required size. In all other cases
> >> + * a negative value indicating the error is returned.
> >> + */
> >> +SYSCALL_DEFINE3(lsm_get_self_attr,
> >> + struct lsm_ctx __user *, ctx,
> >> + size_t __user *, size,
> >> + u32, flags)
> >> +{
> >> + int i;
> >> + int rc = 0;
> >> + int len;
> >> + int attr;
> >> + int count = 0;
> >> + void *curr;
> >> + char *cp;
> >> + char *np;
> >> + char **interum_ctx;
> >> + size_t total_size = 0;
> >> + struct lsm_ctx *ip;
> >> + struct lsm_ctx *interum;
> >> + struct lsm_ctx *final = NULL;
> >> +
> >> + attr = attr_used_index(flags);
> >> + if (attr < 0)
> >> + return attr;
> >> +
> >> + interum = kzalloc(ARRAY_SIZE(lsm_attr_names) * lsm_active_cnt *
> >> + sizeof(*interum), GFP_KERNEL);
> >> + if (interum == NULL)
> >> + return -ENOMEM;
> >> + ip = interum;
> >> +
> >> + interum_ctx = kzalloc(ARRAY_SIZE(lsm_attr_names) * lsm_active_cnt *
> >> + sizeof(*interum_ctx), GFP_KERNEL);
> >> + if (interum_ctx == NULL) {
> >> + kfree(interum);
> >> + return -ENOMEM;
> >> + }
> >> +
> >> + for (i = 0; i < lsm_active_cnt; i++) {
> >> + if ((lsm_idlist[i]->attrs_used &
> >> + lsm_attr_names[attr].attrs_used) == 0)
> >> + continue;
> >> +
> >> + len = security_getprocattr(current, lsm_idlist[i]->id,
> >> + lsm_attr_names[attr].name,
> >> + &cp);
> >> + if (len <= 0)
> >> + continue;
> >> +
> >> + ip->id = lsm_idlist[i]->id;
> >> + ip->flags = lsm_attr_names[attr].attrs_used;
> >> + interum_ctx[count] = cp;
> >> +
> >> + /*
> >> + * A security module that returns a binary attribute
> >> + * will need to identify itself to prevent string
> >> + * processing.
> >> + *
> >> + * At least one security module adds a \n at the
> >> + * end of a context to make it look nicer. Change
> >> + * that to a \0 so that user space doesn't have to
> >> + * work around it.
> >> + *
> >> + * Security modules have been inconsistent about
> >> + * including the \0 terminator in the size. If it's
> >> + * not there make space for it.
> >> + *
> >> + * The length returned will reflect the length of
> >> + * the string provided by the security module, which
> >> + * may not match what getprocattr returned.
> >> + */
> >> + np = strnchr(cp, len, '\n');
> >> + if (np != NULL)
> >> + *np = '\0';
> >> + ip->ctx_len = strnlen(cp, len) + 1;
> >> + total_size += sizeof(*interum) + ip->ctx_len;
> >> + ip++;
> >> + count++;
> >> + }
> >> +
> >> + if (count == 0)
> >> + goto free_out;
> >> +
> >> + final = kzalloc(total_size, GFP_KERNEL);
> >> + if (final == NULL) {
> >> + rc = -ENOMEM;
> >> + goto free_out;
> >> + }
> >> +
> >> + curr = final;
> >> + ip = interum;
> >> + for (i = 0; i < count; i++) {
> >> + memcpy(curr, ip, sizeof(*interum));
> >> + curr += sizeof(*interum);
> >> + if (ip->ctx_len > 1)
> >> + memcpy(curr, interum_ctx[i], ip->ctx_len - 1);
> >> + curr += ip->ctx_len;
> >> + ip++;
> >> + }
> >> +
> >> + if (get_user(len, size)) {
> >> + rc = -EFAULT;
> >> + goto free_out;
> >> + }
> >> + if (total_size > len) {
> >> + rc = -ERANGE;
> >> + if (put_user(total_size, size) != 0)
> >> + rc = -EFAULT;
> >> + goto free_out;
> >> + }
> >> + if (copy_to_user(ctx, final, total_size) != 0 ||
> >> + put_user(total_size, size) != 0)
> >> + rc = -EFAULT;
> >> + else
> >> + rc = count;
> >> +
> >> +free_out:
> >> + for (i = 0; i < count; i++)
> >> + kfree(interum_ctx[i]);
> >> + kfree(interum_ctx);
> >> + kfree(interum);
> >> + kfree(final);
> >> + return rc;
> >> +}
> > Hmm. That's all kinda painful isn't it?
>
> It's not so bad as all that. Well, maybe.
>
> > I think trying to reuse
> > security_getprocattr() is doing more harm than good with all the
> > awkward handling necessary to ensure consistent output. While it's
> > nice to be able to reuse existing interfaces, one of the main
> > motivations behind the LSM syscall effort is to create a cleaner
> > interface that was designed from the beginning to support multiple
> > LSMs and provide a level of extensibility that we do not currently
> > have with the procfs interface. Hacking together all our old crap to
> > make this happen seems very wrong to me.
> >
> > With that in mind I would like to propose we introduce a new LSM hook
> > to populate a lsm_ctx struct based on a LSM_ATTR_XXX value:
> >
> > int security_sys_getselfattr(u64 attr, struct lsm_ctx __user *ctx,
> > size_t *len);
> >
> > The individual LSMs would be responsible for fully populating their
> > lsm_ctx struct specified by @ctx (note the __user tagging) and would
> > return 0 on success or negative values on failure. The maximum size
> > of the @ctx buffer would be passed in via @len and the used size would
> > be returned in @len; in the case of an too-small @ctx, -E2BIG would be
> > returned and the necessary size would be returned in @len (just as
> > discussed for the syscall itself). This way the LSM layer syscall
> > function would not need to worry about properly terminating the
> > lsm_ctx::ctx field, setting any LSM specific flags, etc. Passing the
> > __user pointer directly not only greatly simplifies the LSM layer, it
> > also has the potential to reduce the number of allocations/copies.
>
> That's going to be a lot of duplicate code to add to each LSM. Yes,
> we can do that, but I don't see it as any cleaner.
It puts the individual LSMs in charge of setting their own lsm_ctx
struct which I think will be increasingly important as time goes on
and things evolve. I'd rather make sure the infrastructure is doing
the right thing now so we can avoid having to have this exact same
discussion each time an individual LSM wants to do something a little
different with their lsm_ctx struct :)
If you need something more concrete and immediate to justify this
work, think about how a LSM could set a bit in the lsm_ctx::flags
field using the current approach of reusing the procfs hook.
> > Taking this approach should shrink the LSM layer syscall function to
> > simply needing to validate the passed @flags before looping through
> > the LSMs calling security_sys_getselfattr(). The lsm_ctx pointer
> > would need to be incremented appropriately for each call, and a total
> > length/size count would need to be maintained in case the buffer is
> > too small, but those should be relatively minor things.
>
> I think this pushed the complexity downward. If we only had one LSM
> it would be a wash. With each LSM having to provide this we're multiplying
> the complexity rather than reducing it.
>
> But again, I'll listen to reason.
I think we are all better off if the LSM layer is as thin as possible.
I believe we've seen the number of LSMs grow and the variety of
security models expand largely in part of this approach; while a thin
LSM layer may force the LSMs to do some extra work, it allows varied
approaches that might not be possible if the LSM layer enforced more
of a specific world-view.
--
paul-moore.com
On Mon, Jan 09, 2023 at 10:07:13AM -0800, Casey Schaufler wrote:
> +/**
> + * sys_lsm_get_self_attr - Return current task's security module attributes
> + * @ctx: the LSM contexts
> + * @size: size of @ctx, updated on return
> + * @flags: which attribute to return
> + *
> + * Returns the calling task's LSM contexts. On success this
> + * function returns the number of @ctx array elements. This value
> + * may be zero if there are no LSM contexts assigned. If @size is
> + * insufficient to contain the return data -E2BIG is returned and
Technicality: You say -E2BIG, which is -7, but in fact belog you return
-ERANGE, which is -34.
> + * @size is set to the minimum required size. In all other cases
> + * a negative value indicating the error is returned.
> + */
> +SYSCALL_DEFINE3(lsm_get_self_attr,
> + struct lsm_ctx __user *, ctx,
> + size_t __user *, size,
> + u32, flags)
> +{
> + int i;
> + int rc = 0;
> + int len;
> + int attr;
> + int count = 0;
> + void *curr;
> + char *cp;
> + char *np;
> + char **interum_ctx;
> + size_t total_size = 0;
> + struct lsm_ctx *ip;
> + struct lsm_ctx *interum;
> + struct lsm_ctx *final = NULL;
> +
> + attr = attr_used_index(flags);
> + if (attr < 0)
> + return attr;
> +
> + interum = kzalloc(ARRAY_SIZE(lsm_attr_names) * lsm_active_cnt *
> + sizeof(*interum), GFP_KERNEL);
> + if (interum == NULL)
> + return -ENOMEM;
> + ip = interum;
> +
> + interum_ctx = kzalloc(ARRAY_SIZE(lsm_attr_names) * lsm_active_cnt *
> + sizeof(*interum_ctx), GFP_KERNEL);
> + if (interum_ctx == NULL) {
> + kfree(interum);
> + return -ENOMEM;
> + }
> +
> + for (i = 0; i < lsm_active_cnt; i++) {
> + if ((lsm_idlist[i]->attrs_used &
> + lsm_attr_names[attr].attrs_used) == 0)
> + continue;
> +
> + len = security_getprocattr(current, lsm_idlist[i]->id,
> + lsm_attr_names[attr].name,
> + &cp);
> + if (len <= 0)
> + continue;
> +
> + ip->id = lsm_idlist[i]->id;
> + ip->flags = lsm_attr_names[attr].attrs_used;
> + interum_ctx[count] = cp;
> +
> + /*
> + * A security module that returns a binary attribute
> + * will need to identify itself to prevent string
> + * processing.
> + *
> + * At least one security module adds a \n at the
> + * end of a context to make it look nicer. Change
> + * that to a \0 so that user space doesn't have to
> + * work around it.
> + *
> + * Security modules have been inconsistent about
> + * including the \0 terminator in the size. If it's
> + * not there make space for it.
> + *
> + * The length returned will reflect the length of
> + * the string provided by the security module, which
> + * may not match what getprocattr returned.
> + */
> + np = strnchr(cp, len, '\n');
> + if (np != NULL)
> + *np = '\0';
> + ip->ctx_len = strnlen(cp, len) + 1;
> + total_size += sizeof(*interum) + ip->ctx_len;
> + ip++;
> + count++;
> + }
> +
> + if (count == 0)
> + goto free_out;
> +
> + final = kzalloc(total_size, GFP_KERNEL);
> + if (final == NULL) {
> + rc = -ENOMEM;
> + goto free_out;
> + }
> +
> + curr = final;
> + ip = interum;
> + for (i = 0; i < count; i++) {
> + memcpy(curr, ip, sizeof(*interum));
> + curr += sizeof(*interum);
> + if (ip->ctx_len > 1)
> + memcpy(curr, interum_ctx[i], ip->ctx_len - 1);
> + curr += ip->ctx_len;
> + ip++;
> + }
> +
> + if (get_user(len, size)) {
> + rc = -EFAULT;
> + goto free_out;
> + }
> + if (total_size > len) {
> + rc = -ERANGE;
> + if (put_user(total_size, size) != 0)
> + rc = -EFAULT;
> + goto free_out;
> + }
> + if (copy_to_user(ctx, final, total_size) != 0 ||
> + put_user(total_size, size) != 0)
> + rc = -EFAULT;
> + else
> + rc = count;
> +
> +free_out:
> + for (i = 0; i < count; i++)
> + kfree(interum_ctx[i]);
> + kfree(interum_ctx);
> + kfree(interum);
> + kfree(final);
> + return rc;
> +}
> --
> 2.39.0
>
On 12/01/2023 22:39, Paul Moore wrote:
> On Thu, Jan 12, 2023 at 9:40 AM Arnd Bergmann <[email protected]> wrote:
>> On Mon, Jan 9, 2023, at 19:07, Casey Schaufler wrote:
>>> +/**
>>> + * struct lsm_ctx - LSM context
>>> + * @id: the LSM id number, see LSM_ID_XXX
>>> + * @flags: context specifier and LSM specific flags
>>> + * @ctx_len: the size of @ctx
>>> + * @ctx: the LSM context, a nul terminated string
>>> + *
>>> + * @ctx in a nul terminated string.
>>> + * (strlen(@ctx) < @ctx_len) is always true.
>>> + * (strlen(@ctx) == @ctx_len + 1) is not guaranteed.
>>> + */
>>> +struct lsm_ctx {
>>> + __u32 id;
There is a hole here for 64-bit architectures.
>>> + __u64 flags;
>>> + __kernel_size_t ctx_len;
This is an architecture-related size, which makes the struct size
different according to architectures. We should avoid that.
>>> + __u8 ctx[];
>>> +};
I suggest packing this struct.
>>
>> I think this should be changed to be the same layout on
>> all architectures regardless of __u64 alignment and
>> sizeof(__kernel_size_t) differences, to avoid the need
>> for compat syscalls and explicit clearing of the
>> internal padding.
>>
>> Maybe just use __u64 fields for all three integers?
>
> I have no problem with that ... the ctx[] field is variable length
> anyway so keeping it as a __u8 should be fine.
>
For Landlock, we make sure the UAPI structs don't contain holes, are
packed, and have the same size for all architectures. We can check that
with pahole but for strong guarantee I suggest the same build check as
for Landlock's build_check_abi():
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/security/landlock/syscalls.c#n68
We don't need to use 64-bit fields everywhere.
On 09/01/2023 19:07, Casey Schaufler wrote:
> Create a system call lsm_get_self_attr() to provide the security
> module maintained attributes of the current process. Historically
> these attributes have been exposed to user space via entries in
> procfs under /proc/self/attr.
>
> Attributes are provided as a collection of lsm_ctx structures
> which are placed into a user supplied buffer. Each structure
> identifys the size of the attribute, and the attribute value.
> The format of the attribute value is defined by the security
> module, but will always be \0 terminated. The ctx_len value
> will always be strlen(ctx)+1.
>
> ---------------------------
> | __u32 id |
> ---------------------------
> | __u64 flags |
> ---------------------------
> | __kernel_size_t ctx_len |
> ---------------------------
> | __u8 ctx[ctx_len] |
> ---------------------------
> | __u32 id |
> ---------------------------
> | __u64 flags |
> ---------------------------
> | __kernel_size_t ctx_len |
> ---------------------------
> | __u8 ctx[ctx_len] |
> ---------------------------
>
> Signed-off-by: Casey Schaufler <[email protected]>
> ---
> Documentation/userspace-api/lsm.rst | 9 ++
> include/linux/syscalls.h | 3 +
> include/uapi/linux/lsm.h | 21 ++++
> kernel/sys_ni.c | 3 +
> security/Makefile | 1 +
> security/lsm_syscalls.c | 182 ++++++++++++++++++++++++++++
> 6 files changed, 219 insertions(+)
> create mode 100644 security/lsm_syscalls.c
For new files (e.g. lsm_syscalls.c), it would be nice to auto-format
them with clang-format. It helps maintenance by keeping a consistent
style across commits, which should also help backports, and it avoids
nitpicking on style issues.
On 2/14/2023 9:41 AM, Mickaël Salaün wrote:
>
> On 09/01/2023 19:07, Casey Schaufler wrote:
>> Create a system call lsm_get_self_attr() to provide the security
>> module maintained attributes of the current process. Historically
>> these attributes have been exposed to user space via entries in
>> procfs under /proc/self/attr.
>>
>> Attributes are provided as a collection of lsm_ctx structures
>> which are placed into a user supplied buffer. Each structure
>> identifys the size of the attribute, and the attribute value.
>> The format of the attribute value is defined by the security
>> module, but will always be \0 terminated. The ctx_len value
>> will always be strlen(ctx)+1.
>>
>> ---------------------------
>> | __u32 id |
>> ---------------------------
>> | __u64 flags |
>> ---------------------------
>> | __kernel_size_t ctx_len |
>> ---------------------------
>> | __u8 ctx[ctx_len] |
>> ---------------------------
>> | __u32 id |
>> ---------------------------
>> | __u64 flags |
>> ---------------------------
>> | __kernel_size_t ctx_len |
>> ---------------------------
>> | __u8 ctx[ctx_len] |
>> ---------------------------
>>
>> Signed-off-by: Casey Schaufler <[email protected]>
>> ---
>> Documentation/userspace-api/lsm.rst | 9 ++
>> include/linux/syscalls.h | 3 +
>> include/uapi/linux/lsm.h | 21 ++++
>> kernel/sys_ni.c | 3 +
>> security/Makefile | 1 +
>> security/lsm_syscalls.c | 182 ++++++++++++++++++++++++++++
>> 6 files changed, 219 insertions(+)
>> create mode 100644 security/lsm_syscalls.c
>
> For new files (e.g. lsm_syscalls.c), it would be nice to auto-format
> them with clang-format. It helps maintenance by keeping a consistent
> style across commits, which should also help backports, and it avoids
> nitpicking on style issues.
Good idea.