2022-11-23 20:35:52

by Casey Schaufler

Subject: [PATCH v3 0/9] LSM: Three basic syscalls

Add three system calls for the Linux Security Module ABI.

lsm_get_self_attr() provides the security module specific attributes
that have previously been visible in the /proc/self/attr directory.
For each security module that uses the specified attribute on the
current process the system call will return an LSM identifier and
the value of the attribute. The LSM and attribute identifier values
are defined in include/uapi/linux/lsm.h.

lsm_module_list() provides the LSM identifiers, in order, of the
security modules that are active on the system. This has been
available in the securityfs file /sys/kernel/security/lsm.

lsm_set_self_attr() changes the specified LSM attribute. Only one
attribute can be changed at a time, and then only if the specified
security module allows the change.

Patch 0001 changes the LSM registration from passing the name
of the module to passing a lsm_id structure that contains the
name of the module and adds an LSM identifier number to the lsm_id
structure.
Patch 0002 adds an attribute identifier to the lsm_id.
Patch 0003 adds the registered lsm_ids to a table.
Patch 0004 changes security_[gs]etprocattr() to use LSM IDs instead
of LSM names.
Patch 0005 implements lsm_get_self_attr().
Patch 0006 implements lsm_module_list().
Patch 0007 implements lsm_set_self_attr().
Patch 0008 wires up the syscalls.
Patch 0009 implements selftests for the three new syscalls.

https://github.com/cschaufler/lsm-stacking.git#lsm-syscall-6.1-rc5-v3

v3: Add lsm_set_self_attr().
Rename lsm_self_attr() to lsm_get_self_attr().
Provide the values only for a specified attribute in
lsm_get_self_attr().
Add selftests for the three new syscalls.
Correct some parameter checking.

v2: Use user-interface safe data types.
Remove "reserved" LSM ID values.
Improve kerneldoc comments.
Include copyright dates.
Use more descriptive name for LSM counter.
Add documentation.
Correct wireup errors.

Casey Schaufler (9):
LSM: Identify modules by more than name
LSM: Identify the process attributes for each module
LSM: Maintain a table of LSM attribute data
proc: Use lsmids instead of lsm names for attrs
LSM: lsm_get_self_attr syscall for LSM self attributes
LSM: Create lsm_module_list system call
LSM: lsm_set_self_attr syscall for LSM self attributes
LSM: wireup Linux Security Module syscalls
LSM: selftests for Linux Security Module infrastructure syscalls

Documentation/userspace-api/index.rst | 1 +
Documentation/userspace-api/lsm.rst | 70 ++++
arch/alpha/kernel/syscalls/syscall.tbl | 3 +
arch/arm/tools/syscall.tbl | 3 +
arch/arm64/include/asm/unistd32.h | 6 +
arch/ia64/kernel/syscalls/syscall.tbl | 3 +
arch/m68k/kernel/syscalls/syscall.tbl | 3 +
arch/microblaze/kernel/syscalls/syscall.tbl | 3 +
arch/mips/kernel/syscalls/syscall_n32.tbl | 3 +
arch/mips/kernel/syscalls/syscall_n64.tbl | 3 +
arch/mips/kernel/syscalls/syscall_o32.tbl | 3 +
arch/parisc/kernel/syscalls/syscall.tbl | 3 +
arch/powerpc/kernel/syscalls/syscall.tbl | 3 +
arch/s390/kernel/syscalls/syscall.tbl | 3 +
arch/sh/kernel/syscalls/syscall.tbl | 3 +
arch/sparc/kernel/syscalls/syscall.tbl | 3 +
arch/x86/entry/syscalls/syscall_32.tbl | 3 +
arch/x86/entry/syscalls/syscall_64.tbl | 3 +
arch/xtensa/kernel/syscalls/syscall.tbl | 3 +
fs/proc/base.c | 29 +-
fs/proc/internal.h | 2 +-
include/linux/lsm_hooks.h | 18 +-
include/linux/security.h | 29 +-
include/linux/syscalls.h | 6 +
include/uapi/asm-generic/unistd.h | 11 +-
include/uapi/linux/lsm.h | 65 ++++
kernel/sys_ni.c | 5 +
security/Makefile | 1 +
security/apparmor/lsm.c | 9 +-
security/bpf/hooks.c | 13 +-
security/commoncap.c | 8 +-
security/landlock/cred.c | 2 +-
security/landlock/fs.c | 2 +-
security/landlock/ptrace.c | 2 +-
security/landlock/setup.c | 6 +
security/landlock/setup.h | 1 +
security/loadpin/loadpin.c | 9 +-
security/lockdown/lockdown.c | 8 +-
security/lsm_syscalls.c | 264 ++++++++++++++
security/safesetid/lsm.c | 9 +-
security/security.c | 37 +-
security/selinux/hooks.c | 11 +-
security/smack/smack_lsm.c | 9 +-
security/tomoyo/tomoyo.c | 9 +-
security/yama/yama_lsm.c | 8 +-
.../arch/mips/entry/syscalls/syscall_n64.tbl | 3 +
.../arch/powerpc/entry/syscalls/syscall.tbl | 3 +
.../perf/arch/s390/entry/syscalls/syscall.tbl | 3 +
.../arch/x86/entry/syscalls/syscall_64.tbl | 3 +
tools/testing/selftests/Makefile | 1 +
tools/testing/selftests/lsm/Makefile | 13 +
tools/testing/selftests/lsm/config | 2 +
.../selftests/lsm/lsm_get_self_attr_test.c | 268 ++++++++++++++
.../selftests/lsm/lsm_module_list_test.c | 149 ++++++++
.../selftests/lsm/lsm_set_self_attr_test.c | 328 ++++++++++++++++++
55 files changed, 1424 insertions(+), 47 deletions(-)
create mode 100644 Documentation/userspace-api/lsm.rst
create mode 100644 include/uapi/linux/lsm.h
create mode 100644 security/lsm_syscalls.c
create mode 100644 tools/testing/selftests/lsm/Makefile
create mode 100644 tools/testing/selftests/lsm/config
create mode 100644 tools/testing/selftests/lsm/lsm_get_self_attr_test.c
create mode 100644 tools/testing/selftests/lsm/lsm_module_list_test.c
create mode 100644 tools/testing/selftests/lsm/lsm_set_self_attr_test.c

--
2.38.1
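The cover letter above describes the comma-separated name list in /sys/kernel/security/lsm that lsm_module_list() replaces with numeric LSM identifiers. As an added example, not code from the series, here is a small user-space routine that maps such a name list onto the LSM_ID_* values patch 1/9 defines, preserving order and reporting an unknown name as LSM_ID_INVALID so that positions still line up. The LSM_ID_* constants are copied from the patch's include/uapi/linux/lsm.h; the registered name for Landlock is assumed to be "landlock" (the patch uses the LANDLOCK_NAME macro); the input string is a constructed sample, not taken from a real system.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* LSM ID values as defined by include/uapi/linux/lsm.h in patch 1/9. */
#define LSM_ID_INVALID    0
#define LSM_ID_CAPABILITY 100
#define LSM_ID_SELINUX    101
#define LSM_ID_SMACK      102
#define LSM_ID_TOMOYO     103
#define LSM_ID_IMA        104
#define LSM_ID_APPARMOR   105
#define LSM_ID_YAMA       106
#define LSM_ID_LOADPIN    107
#define LSM_ID_SAFESETID  108
#define LSM_ID_LOCKDOWN   109
#define LSM_ID_BPF        110
#define LSM_ID_LANDLOCK   111

/* Names as the modules register them in patch 1/9 ("landlock" is assumed). */
static const struct {
	const char *name;
	uint32_t id;
} lsm_name_table[] = {
	{ "capability", LSM_ID_CAPABILITY }, { "selinux", LSM_ID_SELINUX },
	{ "smack", LSM_ID_SMACK },           { "tomoyo", LSM_ID_TOMOYO },
	{ "apparmor", LSM_ID_APPARMOR },     { "yama", LSM_ID_YAMA },
	{ "loadpin", LSM_ID_LOADPIN },       { "safesetid", LSM_ID_SAFESETID },
	{ "lockdown", LSM_ID_LOCKDOWN },     { "bpf", LSM_ID_BPF },
	{ "landlock", LSM_ID_LANDLOCK },
};

/* Map a name of exactly len bytes (not NUL-terminated) to its LSM ID. */
uint32_t lsm_id_from_name(const char *name, size_t len)
{
	size_t i;

	for (i = 0; i < sizeof(lsm_name_table) / sizeof(lsm_name_table[0]); i++) {
		if (strlen(lsm_name_table[i].name) == len &&
		    memcmp(lsm_name_table[i].name, name, len) == 0)
			return lsm_name_table[i].id;
	}
	return LSM_ID_INVALID;
}

/*
 * Parse a comma-separated list in the /sys/kernel/security/lsm format into
 * LSM IDs, in order. Unknown names become LSM_ID_INVALID so indices still
 * match the input. Returns the entry count, or -1 when the list has more
 * entries than max_ids (the same "buffer too small" condition the
 * lsm_module_list() selftest expects E2BIG for).
 */
int parse_lsm_list(const char *list, uint32_t *ids, size_t max_ids)
{
	size_t count = 0;
	const char *p = list;

	while (*p == '\n' || *p == ' ')		/* an empty file is just "\n" */
		p++;
	if (*p == '\0')
		return 0;
	for (;;) {
		const char *end = p;

		while (*end != '\0' && *end != ',' && *end != '\n')
			end++;
		if (count == max_ids)
			return -1;
		ids[count++] = lsm_id_from_name(p, (size_t)(end - p));
		if (*end != ',')
			break;
		p = end + 1;
	}
	return (int)count;
}

/* Convenience wrappers with scalar results. */
int lsm_list_count(const char *list, size_t max_ids)
{
	uint32_t scratch[32];

	if (max_ids > 32)
		max_ids = 32;
	return parse_lsm_list(list, scratch, max_ids);
}

uint32_t lsm_id_at(const char *list, size_t idx)
{
	uint32_t ids[32];
	int n = parse_lsm_list(list, ids, 32);

	if (n < 0 || idx >= (size_t)n)
		return LSM_ID_INVALID;
	return ids[idx];
}

int main(void)
{
	/* Constructed sample in the securityfs format, not from a real system. */
	const char sample[] = "lockdown,capability,landlock,yama,apparmor\n";
	uint32_t ids[16];
	int n = parse_lsm_list(sample, ids, 16);
	int i;

	for (i = 0; i < n; i++)
		printf("%d: %u\n", i, (unsigned int)ids[i]);
	return 0;
}
```

The length-bounded compare in lsm_id_from_name() avoids copying each name out of the list, and the count-before-store check in parse_lsm_list() mirrors how the syscall is expected to fail rather than truncate when the caller's buffer is short.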


2022-11-23 20:36:34

by Casey Schaufler

Subject: [PATCH v3 1/9] LSM: Identify modules by more than name

Create a struct lsm_id to contain identifying information
about Linux Security Modules (LSMs). At inception this contains
the name of the module and an identifier associated with the
security module. Change the security_add_hooks() interface to
use this structure. Change the individual modules to maintain
their own struct lsm_id and pass it to security_add_hooks().

The values for LSM identifiers are defined in a new UAPI
header file linux/lsm.h. Each existing LSM has been updated to
include its LSMID in the lsm_id.

The LSM ID values are sequential, with the oldest module
LSM_ID_CAPABILITY being the lowest value and the existing modules
numbered in the order they were included in the main line kernel.
This is an arbitrary convention for assigning the values, but
none better presents itself. The value 0 is defined as being invalid.
The values 1-99 are reserved for any special case uses which may
arise in the future.

Signed-off-by: Casey Schaufler <[email protected]>
---
include/linux/lsm_hooks.h | 16 ++++++++++++++--
include/uapi/linux/lsm.h | 32 ++++++++++++++++++++++++++++++++
security/apparmor/lsm.c | 8 +++++++-
security/bpf/hooks.c | 13 ++++++++++++-
security/commoncap.c | 8 +++++++-
security/landlock/cred.c | 2 +-
security/landlock/fs.c | 2 +-
security/landlock/ptrace.c | 2 +-
security/landlock/setup.c | 6 ++++++
security/landlock/setup.h | 1 +
security/loadpin/loadpin.c | 9 ++++++++-
security/lockdown/lockdown.c | 8 +++++++-
security/safesetid/lsm.c | 9 ++++++++-
security/security.c | 12 ++++++------
security/selinux/hooks.c | 9 ++++++++-
security/smack/smack_lsm.c | 8 +++++++-
security/tomoyo/tomoyo.c | 9 ++++++++-
security/yama/yama_lsm.c | 8 +++++++-
18 files changed, 141 insertions(+), 21 deletions(-)
create mode 100644 include/uapi/linux/lsm.h

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 4ec80b96c22e..d306db1044d1 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1602,6 +1602,18 @@ struct security_hook_heads {
#undef LSM_HOOK
} __randomize_layout;

+/**
+ * struct lsm_id - identify a Linux Security Module.
+ * @lsm: Name of the LSM. Must be approved by the LSM maintainers.
+ * @id: LSM ID number from uapi/linux/lsm.h
+ *
+ * Contains the information that identifies the LSM.
+ */
+struct lsm_id {
+ const u8 *lsm;
+ u32 id;
+};
+
/*
* Security module hook list structure.
* For use with generic list macros for common operations.
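Review bot: `const u8 *lsm` in struct lsm_id does not match any use of the field in this patch: the modules initialise it from string literals (`.lsm = "apparmor"`), and security.c passes it to `lsm_append(const char *new, ...)` and to `strcmp(lsm, hp->lsmid->lsm)`, all of which take `const char *`, so every site will draw a pointer-sign warning. Declare it `const char *lsm`, matching the `const char *lsm` member it replaces in struct security_hook_list.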
@@ -1610,7 +1622,7 @@ struct security_hook_list {
struct hlist_node list;
struct hlist_head *head;
union security_list_options hook;
- const char *lsm;
+ struct lsm_id *lsmid;
} __randomize_layout;

/*
@@ -1645,7 +1657,7 @@ extern struct security_hook_heads security_hook_heads;
extern char *lsm_names;

extern void security_add_hooks(struct security_hook_list *hooks, int count,
- const char *lsm);
+ struct lsm_id *lsmid);

#define LSM_FLAG_LEGACY_MAJOR BIT(0)
#define LSM_FLAG_EXCLUSIVE BIT(1)
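Review bot: security_add_hooks() only stores the pointer and reads `lsmid->lsm`, and the `lsmid` member of struct security_hook_list is never written through, so the parameter and the member could both be `const struct lsm_id *`; that documents that the infrastructure never modifies a module's identity and lets the compiler enforce it.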
diff --git a/include/uapi/linux/lsm.h b/include/uapi/linux/lsm.h
new file mode 100644
index 000000000000..47791c330cbf
--- /dev/null
+++ b/include/uapi/linux/lsm.h
@@ -0,0 +1,32 @@
+/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
+/*
+ * Linux Security Modules (LSM) - User space API
+ *
+ * Copyright (C) 2022 Casey Schaufler <[email protected]>
+ * Copyright (C) 2022 Intel Corporation
+ */
+
+#ifndef _UAPI_LINUX_LSM_H
+#define _UAPI_LINUX_LSM_H
+
+/*
+ * ID values to identify security modules.
+ * A system may use more than one security module.
+ *
+ * Values 1-99 are reserved for future use in special cases.
+ */
+#define LSM_ID_INVALID 0
+#define LSM_ID_CAPABILITY 100
+#define LSM_ID_SELINUX 101
+#define LSM_ID_SMACK 102
+#define LSM_ID_TOMOYO 103
+#define LSM_ID_IMA 104
+#define LSM_ID_APPARMOR 105
+#define LSM_ID_YAMA 106
+#define LSM_ID_LOADPIN 107
+#define LSM_ID_SAFESETID 108
+#define LSM_ID_LOCKDOWN 109
+#define LSM_ID_BPF 110
+#define LSM_ID_LANDLOCK 111
+
+#endif /* _UAPI_LINUX_LSM_H */
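Review bot: LSM_ID_IMA (104) is allocated here but nothing in this patch registers with it (the diffstat touches no security/integrity file), so a UAPI header ships an unused value from day one; either hold it back until IMA registers an lsm_id or say in the comment that it is reserved for IMA. The header comment should also carry the assignment rule the commit message gives (values are sequential in order of mainline inclusion, 0 is invalid, 1-99 reserved), since user-space readers see this file and not the commit.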
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index f56070270c69..b859b1af6c75 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -24,6 +24,7 @@
#include <linux/zlib.h>
#include <net/sock.h>
#include <uapi/linux/mount.h>
+#include <uapi/linux/lsm.h>

#include "include/apparmor.h"
#include "include/apparmorfs.h"
@@ -1202,6 +1203,11 @@ struct lsm_blob_sizes apparmor_blob_sizes __lsm_ro_after_init = {
.lbs_task = sizeof(struct aa_task_ctx),
};

+static struct lsm_id apparmor_lsmid __lsm_ro_after_init = {
+ .lsm = "apparmor",
+ .id = LSM_ID_APPARMOR,
+};
+
static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check),
LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme),
@@ -1897,7 +1903,7 @@ static int __init apparmor_init(void)
goto buffers_out;
}
security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks),
- "apparmor");
+ &apparmor_lsmid);

/* Report that AppArmor successfully initialized */
apparmor_initialized = 1;
diff --git a/security/bpf/hooks.c b/security/bpf/hooks.c
index e5971fa74fd7..20983ae8d31f 100644
--- a/security/bpf/hooks.c
+++ b/security/bpf/hooks.c
@@ -5,6 +5,7 @@
*/
#include <linux/lsm_hooks.h>
#include <linux/bpf_lsm.h>
+#include <uapi/linux/lsm.h>

static struct security_hook_list bpf_lsm_hooks[] __lsm_ro_after_init = {
#define LSM_HOOK(RET, DEFAULT, NAME, ...) \
@@ -15,9 +16,19 @@ static struct security_hook_list bpf_lsm_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(task_free, bpf_task_storage_free),
};

+/*
+ * slot has to be LSMBLOB_NEEDED because some of the hooks
+ * supplied by this module require a slot.
+ */
+struct lsm_id bpf_lsmid __lsm_ro_after_init = {
+ .lsm = "bpf",
+ .id = LSM_ID_BPF,
+};
+
static int __init bpf_lsm_init(void)
{
- security_add_hooks(bpf_lsm_hooks, ARRAY_SIZE(bpf_lsm_hooks), "bpf");
+ security_add_hooks(bpf_lsm_hooks, ARRAY_SIZE(bpf_lsm_hooks),
+ &bpf_lsmid);
pr_info("LSM support for eBPF active\n");
return 0;
}
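Review bot: the comment above `bpf_lsmid` ("slot has to be LSMBLOB_NEEDED because some of the hooks supplied by this module require a slot") describes a field that struct lsm_id does not have and looks carried over from the stacking series; drop it. `bpf_lsmid` is also the only per-module lsm_id in this patch that is not `static` (landlock's is shared through setup.h, but nothing outside hooks.c references this one), so declare it `static struct lsm_id bpf_lsmid` like the others.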
diff --git a/security/commoncap.c b/security/commoncap.c
index bc751fa5adad..f6d50b69f43d 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -25,6 +25,7 @@
#include <linux/binfmts.h>
#include <linux/personality.h>
#include <linux/mnt_idmapping.h>
+#include <uapi/linux/lsm.h>

/*
* If a non-root user executes a setuid-root binary in
@@ -1448,6 +1449,11 @@ int cap_mmap_file(struct file *file, unsigned long reqprot,

#ifdef CONFIG_SECURITY

+static struct lsm_id capability_lsmid __lsm_ro_after_init = {
+ .lsm = "capability",
+ .id = LSM_ID_CAPABILITY,
+};
+
static struct security_hook_list capability_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(capable, cap_capable),
LSM_HOOK_INIT(settime, cap_settime),
@@ -1472,7 +1478,7 @@ static struct security_hook_list capability_hooks[] __lsm_ro_after_init = {
static int __init capability_init(void)
{
security_add_hooks(capability_hooks, ARRAY_SIZE(capability_hooks),
- "capability");
+ &capability_lsmid);
return 0;
}

diff --git a/security/landlock/cred.c b/security/landlock/cred.c
index ec6c37f04a19..2eb1d65f10d6 100644
--- a/security/landlock/cred.c
+++ b/security/landlock/cred.c
@@ -42,5 +42,5 @@ static struct security_hook_list landlock_hooks[] __lsm_ro_after_init = {
__init void landlock_add_cred_hooks(void)
{
security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks),
- LANDLOCK_NAME);
+ &landlock_lsmid);
}
diff --git a/security/landlock/fs.c b/security/landlock/fs.c
index 64ed7665455f..486ff50d54a1 100644
--- a/security/landlock/fs.c
+++ b/security/landlock/fs.c
@@ -1201,5 +1201,5 @@ static struct security_hook_list landlock_hooks[] __lsm_ro_after_init = {
__init void landlock_add_fs_hooks(void)
{
security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks),
- LANDLOCK_NAME);
+ &landlock_lsmid);
}
diff --git a/security/landlock/ptrace.c b/security/landlock/ptrace.c
index 4c5b9cd71286..eab35808f395 100644
--- a/security/landlock/ptrace.c
+++ b/security/landlock/ptrace.c
@@ -116,5 +116,5 @@ static struct security_hook_list landlock_hooks[] __lsm_ro_after_init = {
__init void landlock_add_ptrace_hooks(void)
{
security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks),
- LANDLOCK_NAME);
+ &landlock_lsmid);
}
diff --git a/security/landlock/setup.c b/security/landlock/setup.c
index f8e8e980454c..5b32c087e34b 100644
--- a/security/landlock/setup.c
+++ b/security/landlock/setup.c
@@ -8,6 +8,7 @@

#include <linux/init.h>
#include <linux/lsm_hooks.h>
+#include <uapi/linux/lsm.h>

#include "common.h"
#include "cred.h"
@@ -23,6 +24,11 @@ struct lsm_blob_sizes landlock_blob_sizes __lsm_ro_after_init = {
.lbs_superblock = sizeof(struct landlock_superblock_security),
};

+struct lsm_id landlock_lsmid __lsm_ro_after_init = {
+ .lsm = LANDLOCK_NAME,
+ .id = LSM_ID_LANDLOCK,
+};
+
static int __init landlock_init(void)
{
landlock_add_cred_hooks();
diff --git a/security/landlock/setup.h b/security/landlock/setup.h
index 1daffab1ab4b..38bce5b172dc 100644
--- a/security/landlock/setup.h
+++ b/security/landlock/setup.h
@@ -14,5 +14,6 @@
extern bool landlock_initialized;

extern struct lsm_blob_sizes landlock_blob_sizes;
+extern struct lsm_id landlock_lsmid;

#endif /* _SECURITY_LANDLOCK_SETUP_H */
diff --git a/security/loadpin/loadpin.c b/security/loadpin/loadpin.c
index de41621f4998..32bdf7294a6f 100644
--- a/security/loadpin/loadpin.c
+++ b/security/loadpin/loadpin.c
@@ -20,6 +20,7 @@
#include <linux/string_helpers.h>
#include <linux/dm-verity-loadpin.h>
#include <uapi/linux/loadpin.h>
+#include <uapi/linux/lsm.h>

#define VERITY_DIGEST_FILE_HEADER "# LOADPIN_TRUSTED_VERITY_ROOT_DIGESTS"

@@ -197,6 +198,11 @@ static int loadpin_load_data(enum kernel_load_data_id id, bool contents)
return loadpin_read_file(NULL, (enum kernel_read_file_id) id, contents);
}

+static struct lsm_id loadpin_lsmid __lsm_ro_after_init = {
+ .lsm = "loadpin",
+ .id = LSM_ID_LOADPIN,
+};
+
static struct security_hook_list loadpin_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(sb_free_security, loadpin_sb_free_security),
LSM_HOOK_INIT(kernel_read_file, loadpin_read_file),
@@ -244,7 +250,8 @@ static int __init loadpin_init(void)
pr_info("ready to pin (currently %senforcing)\n",
enforce ? "" : "not ");
parse_exclude();
- security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks), "loadpin");
+ security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks),
+ &loadpin_lsmid);

return 0;
}
diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
index a79b985e917e..e8c41a0caf7d 100644
--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -13,6 +13,7 @@
#include <linux/security.h>
#include <linux/export.h>
#include <linux/lsm_hooks.h>
+#include <uapi/linux/lsm.h>

static enum lockdown_reason kernel_locked_down;

@@ -75,6 +76,11 @@ static struct security_hook_list lockdown_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(locked_down, lockdown_is_locked_down),
};

+static struct lsm_id lockdown_lsmid __lsm_ro_after_init = {
+ .lsm = "lockdown",
+ .id = LSM_ID_LOCKDOWN,
+};
+
static int __init lockdown_lsm_init(void)
{
#if defined(CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY)
@@ -83,7 +89,7 @@ static int __init lockdown_lsm_init(void)
lock_kernel_down("Kernel configuration", LOCKDOWN_CONFIDENTIALITY_MAX);
#endif
security_add_hooks(lockdown_hooks, ARRAY_SIZE(lockdown_hooks),
- "lockdown");
+ &lockdown_lsmid);
return 0;
}

diff --git a/security/safesetid/lsm.c b/security/safesetid/lsm.c
index e806739f7868..8d0742ba045d 100644
--- a/security/safesetid/lsm.c
+++ b/security/safesetid/lsm.c
@@ -19,6 +19,7 @@
#include <linux/ptrace.h>
#include <linux/sched/task_stack.h>
#include <linux/security.h>
+#include <uapi/linux/lsm.h>
#include "lsm.h"

/* Flag indicating whether initialization completed */
@@ -261,6 +262,11 @@ static int safesetid_task_fix_setgroups(struct cred *new, const struct cred *old
return 0;
}

+static struct lsm_id safesetid_lsmid __lsm_ro_after_init = {
+ .lsm = "safesetid",
+ .id = LSM_ID_SAFESETID,
+};
+
static struct security_hook_list safesetid_security_hooks[] = {
LSM_HOOK_INIT(task_fix_setuid, safesetid_task_fix_setuid),
LSM_HOOK_INIT(task_fix_setgid, safesetid_task_fix_setgid),
@@ -271,7 +277,8 @@ static struct security_hook_list safesetid_security_hooks[] = {
static int __init safesetid_security_init(void)
{
security_add_hooks(safesetid_security_hooks,
- ARRAY_SIZE(safesetid_security_hooks), "safesetid");
+ ARRAY_SIZE(safesetid_security_hooks),
+ &safesetid_lsmid);

/* Report that SafeSetID successfully initialized */
safesetid_initialized = 1;
diff --git a/security/security.c b/security/security.c
index 79d82cb6e469..b2eb0ccd954b 100644
--- a/security/security.c
+++ b/security/security.c
@@ -476,17 +476,17 @@ static int lsm_append(const char *new, char **result)
* security_add_hooks - Add a modules hooks to the hook lists.
* @hooks: the hooks to add
* @count: the number of hooks to add
- * @lsm: the name of the security module
+ * @lsmid: the identification information for the security module
*
* Each LSM has to register its hooks with the infrastructure.
*/
void __init security_add_hooks(struct security_hook_list *hooks, int count,
- const char *lsm)
+ struct lsm_id *lsmid)
{
int i;

for (i = 0; i < count; i++) {
- hooks[i].lsm = lsm;
+ hooks[i].lsmid = lsmid;
hlist_add_tail_rcu(&hooks[i].list, hooks[i].head);
}

@@ -495,7 +495,7 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count,
* and fix this up afterwards.
*/
if (slab_is_available()) {
- if (lsm_append(lsm, &lsm_names) < 0)
+ if (lsm_append(lsmid->lsm, &lsm_names) < 0)
panic("%s - Cannot get early memory.\n", __func__);
}
}
@@ -2070,7 +2070,7 @@ int security_getprocattr(struct task_struct *p, const char *lsm,
struct security_hook_list *hp;

hlist_for_each_entry(hp, &security_hook_heads.getprocattr, list) {
- if (lsm != NULL && strcmp(lsm, hp->lsm))
+ if (lsm != NULL && strcmp(lsm, hp->lsmid->lsm))
continue;
return hp->hook.getprocattr(p, name, value);
}
@@ -2083,7 +2083,7 @@ int security_setprocattr(const char *lsm, const char *name, void *value,
struct security_hook_list *hp;

hlist_for_each_entry(hp, &security_hook_heads.setprocattr, list) {
- if (lsm != NULL && strcmp(lsm, hp->lsm))
+ if (lsm != NULL && strcmp(lsm, hp->lsmid->lsm))
continue;
return hp->hook.setprocattr(name, value, size);
}
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index f553c370397e..5fcce36267bd 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -92,6 +92,7 @@
#include <linux/fsnotify.h>
#include <linux/fanotify.h>
#include <linux/io_uring.h>
+#include <uapi/linux/lsm.h>

#include "avc.h"
#include "objsec.h"
@@ -7014,6 +7015,11 @@ static int selinux_uring_cmd(struct io_uring_cmd *ioucmd)
}
#endif /* CONFIG_IO_URING */

+static struct lsm_id selinux_lsmid __lsm_ro_after_init = {
+ .lsm = "selinux",
+ .id = LSM_ID_SELINUX,
+};
+
/*
* IMPORTANT NOTE: When adding new hooks, please be careful to keep this order:
* 1. any hooks that don't belong to (2.) or (3.) below,
@@ -7334,7 +7340,8 @@ static __init int selinux_init(void)

hashtab_cache_init();

- security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
+ security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks),
+ &selinux_lsmid);

if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
panic("SELinux: Unable to register AVC netcache callback\n");
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index b6306d71c908..c7ba80e20b8d 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -43,6 +43,7 @@
#include <linux/fs_parser.h>
#include <linux/watch_queue.h>
#include <linux/io_uring.h>
+#include <uapi/linux/lsm.h>
#include "smack.h"

#define TRANS_TRUE "TRUE"
@@ -4787,6 +4788,11 @@ struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = {
.lbs_superblock = sizeof(struct superblock_smack),
};

+static struct lsm_id smack_lsmid __lsm_ro_after_init = {
+ .lsm = "smack",
+ .id = LSM_ID_SMACK,
+};
+
static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check),
LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme),
@@ -4990,7 +4996,7 @@ static __init int smack_init(void)
/*
* Register with LSM
*/
- security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), "smack");
+ security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), &smack_lsmid);
smack_enabled = 1;

pr_info("Smack: Initializing.\n");
diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
index 71e82d855ebf..1916eb6216f7 100644
--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
@@ -6,6 +6,7 @@
*/

#include <linux/lsm_hooks.h>
+#include <uapi/linux/lsm.h>
#include "common.h"

/**
@@ -530,6 +531,11 @@ static void tomoyo_task_free(struct task_struct *task)
}
}

+static struct lsm_id tomoyo_lsmid __lsm_ro_after_init = {
+ .lsm = "tomoyo",
+ .id = LSM_ID_TOMOYO,
+};
+
/*
* tomoyo_security_ops is a "struct security_operations" which is used for
* registering TOMOYO.
@@ -582,7 +588,8 @@ static int __init tomoyo_init(void)
struct tomoyo_task *s = tomoyo_task(current);

/* register ourselves with the security framework */
- security_add_hooks(tomoyo_hooks, ARRAY_SIZE(tomoyo_hooks), "tomoyo");
+ security_add_hooks(tomoyo_hooks, ARRAY_SIZE(tomoyo_hooks),
+ &tomoyo_lsmid);
pr_info("TOMOYO Linux initialized\n");
s->domain_info = &tomoyo_kernel_domain;
atomic_inc(&tomoyo_kernel_domain.users);
diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
index 06e226166aab..2487b8f847f3 100644
--- a/security/yama/yama_lsm.c
+++ b/security/yama/yama_lsm.c
@@ -18,6 +18,7 @@
#include <linux/task_work.h>
#include <linux/sched.h>
#include <linux/spinlock.h>
+#include <uapi/linux/lsm.h>

#define YAMA_SCOPE_DISABLED 0
#define YAMA_SCOPE_RELATIONAL 1
@@ -421,6 +422,11 @@ static int yama_ptrace_traceme(struct task_struct *parent)
return rc;
}

+static struct lsm_id yama_lsmid __lsm_ro_after_init = {
+ .lsm = "yama",
+ .id = LSM_ID_YAMA,
+};
+
static struct security_hook_list yama_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(ptrace_access_check, yama_ptrace_access_check),
LSM_HOOK_INIT(ptrace_traceme, yama_ptrace_traceme),
@@ -477,7 +483,7 @@ static inline void yama_init_sysctl(void) { }
static int __init yama_init(void)
{
pr_info("Yama: becoming mindful.\n");
- security_add_hooks(yama_hooks, ARRAY_SIZE(yama_hooks), "yama");
+ security_add_hooks(yama_hooks, ARRAY_SIZE(yama_hooks), &yama_lsmid);
yama_init_sysctl();
return 0;
}
--
2.38.1

2022-11-23 20:37:02

by Casey Schaufler

Subject: [PATCH v3 9/9] LSM: selftests for Linux Security Module infrastructure syscalls

Add selftests for the three system calls supporting the LSM
infrastructure.

Signed-off-by: Casey Schaufler <[email protected]>
---
tools/testing/selftests/Makefile | 1 +
tools/testing/selftests/lsm/Makefile | 13 +
tools/testing/selftests/lsm/config | 2 +
.../selftests/lsm/lsm_get_self_attr_test.c | 268 ++++++++++++++
.../selftests/lsm/lsm_module_list_test.c | 149 ++++++++
.../selftests/lsm/lsm_set_self_attr_test.c | 328 ++++++++++++++++++
6 files changed, 761 insertions(+)
create mode 100644 tools/testing/selftests/lsm/Makefile
create mode 100644 tools/testing/selftests/lsm/config
create mode 100644 tools/testing/selftests/lsm/lsm_get_self_attr_test.c
create mode 100644 tools/testing/selftests/lsm/lsm_module_list_test.c
create mode 100644 tools/testing/selftests/lsm/lsm_set_self_attr_test.c

diff --git a/tools/testing/selftests/Makefile b/tools/testing/selftests/Makefile
index f07aef7c592c..ee7e93bf956d 100644
--- a/tools/testing/selftests/Makefile
+++ b/tools/testing/selftests/Makefile
@@ -36,6 +36,7 @@ TARGETS += landlock
TARGETS += lib
TARGETS += livepatch
TARGETS += lkdtm
+TARGETS += lsm
TARGETS += membarrier
TARGETS += memfd
TARGETS += memory-hotplug
diff --git a/tools/testing/selftests/lsm/Makefile b/tools/testing/selftests/lsm/Makefile
new file mode 100644
index 000000000000..601974fdd9b8
--- /dev/null
+++ b/tools/testing/selftests/lsm/Makefile
@@ -0,0 +1,13 @@
+# SPDX-License-Identifier: GPL-2.0
+#
+# First run: make -C ../../../.. headers_install
+
+CFLAGS += -Wall -O2 $(KHDR_INCLUDES)
+
+TEST_GEN_PROGS := lsm_get_self_attr_test lsm_module_list_test \
+ lsm_set_self_attr_test
+
+include ../lib.mk
+
+$(TEST_GEN_PROGS):
+
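Review bot: the `$(TEST_GEN_PROGS):` rule at the end of the Makefile has no prerequisites and no recipe, and the file ends with a trailing blank line. If lib.mk already builds the programs listed in TEST_GEN_PROGS, the empty rule should be dropped; if it is meant to add a dependency (the harness header, for instance), give it that prerequisite so it does something.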
diff --git a/tools/testing/selftests/lsm/config b/tools/testing/selftests/lsm/config
new file mode 100644
index 000000000000..afb887715f64
--- /dev/null
+++ b/tools/testing/selftests/lsm/config
@@ -0,0 +1,2 @@
+CONFIG_SYSFS=y
+CONFIG_SECURITY=y
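Review bot: lsm_module_list_test.c reads /sys/kernel/security/lsm, which is provided by securityfs, so the fragment should also list CONFIG_SECURITYFS=y; CONFIG_SYSFS on its own does not make /sys/kernel/security available.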
diff --git a/tools/testing/selftests/lsm/lsm_get_self_attr_test.c b/tools/testing/selftests/lsm/lsm_get_self_attr_test.c
new file mode 100644
index 000000000000..6f7f72c25cda
--- /dev/null
+++ b/tools/testing/selftests/lsm/lsm_get_self_attr_test.c
@@ -0,0 +1,268 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Linux Security Module infrastructure tests
+ * Tests for the lsm_get_self_attr system call
+ *
+ * Copyright © 2022 Casey Schaufler <[email protected]>
+ * Copyright © 2022 Intel Corporation
+ */
+
+#define _GNU_SOURCE
+#include <linux/lsm.h>
+#include <string.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include "../kselftest_harness.h"
+
+#define PROCATTR "/proc/self/attr/"
+
+static int read_proc_attr(const char *attr, char *value, __kernel_size_t size)
+{
+ FILE *fp;
+ int len;
+ char *path;
+
+ len = strlen(PROCATTR) + strlen(attr) + 1;
+ path = calloc(len, 1);
+ if (path == NULL)
+ return -1;
+ sprintf(path, "%s%s", PROCATTR, attr);
+
+ fp = fopen(path, "r");
+ free(path);
+
+ if (fp == NULL)
+ return -1;
+ if (fread(value, 1, size, fp) <= 0)
+ return -1;
+ fclose(fp);
+
+ path = strchr(value, '\n');
+ if (path)
+ *path = '\0';
+
+ return 0;
+}
+
+static struct lsm_ctx *next_ctx(struct lsm_ctx *ctxp)
+{
+ void *vp;
+
+ vp = (void *)ctxp + sizeof(*ctxp) + ctxp->ctx_len;
+ return (struct lsm_ctx *)vp;
+}
+
+TEST(size_null_lsm_get_self_attr)
+{
+ const long page_size = sysconf(_SC_PAGESIZE);
+ char *ctx = calloc(page_size, 1);
+
+ ASSERT_NE(NULL, ctx);
+ ASSERT_EQ(-1, syscall(__NR_lsm_get_self_attr, ctx, NULL,
+ LSM_ATTR_CURRENT));
+ ASSERT_EQ(EFAULT, errno);
+
+ free(ctx);
+}
+
+TEST(ctx_null_lsm_get_self_attr)
+{
+ const long page_size = sysconf(_SC_PAGESIZE);
+ __kernel_size_t size = page_size;
+
+ ASSERT_EQ(-1, syscall(__NR_lsm_get_self_attr, NULL, &size,
+ LSM_ATTR_CURRENT));
+ ASSERT_EQ(EFAULT, errno);
+ ASSERT_NE(1, size);
+}
+
+TEST(size_too_small_lsm_get_self_attr)
+{
+ const long page_size = sysconf(_SC_PAGESIZE);
+ char *ctx = calloc(page_size, 1);
+ __kernel_size_t size = 1;
+
+ ASSERT_NE(NULL, ctx);
+ ASSERT_EQ(-1, syscall(__NR_lsm_get_self_attr, ctx, &size,
+ LSM_ATTR_CURRENT));
+ ASSERT_EQ(ERANGE, errno);
+ ASSERT_NE(1, size);
+
+ free(ctx);
+}
+
+TEST(flags_zero_lsm_get_self_attr)
+{
+ const long page_size = sysconf(_SC_PAGESIZE);
+ char *ctx = calloc(page_size, 1);
+ __kernel_size_t size = page_size;
+
+ ASSERT_NE(NULL, ctx);
+ ASSERT_EQ(-1, syscall(__NR_lsm_get_self_attr, ctx, &size, 0));
+ ASSERT_EQ(EINVAL, errno);
+ ASSERT_EQ(page_size, size);
+
+ free(ctx);
+}
+
+TEST(flags_overset_lsm_get_self_attr)
+{
+ const long page_size = sysconf(_SC_PAGESIZE);
+ char *ctx = calloc(page_size, 1);
+ __kernel_size_t size = page_size;
+
+ ASSERT_NE(NULL, ctx);
+ ASSERT_EQ(-1, syscall(__NR_lsm_get_self_attr, ctx, &size,
+ LSM_ATTR_CURRENT | LSM_ATTR_PREV));
+ ASSERT_EQ(EINVAL, errno);
+ ASSERT_EQ(page_size, size);
+
+ free(ctx);
+}
+
+TEST(basic_lsm_get_self_attr)
+{
+ const long page_size = sysconf(_SC_PAGESIZE);
+ __kernel_size_t size = page_size;
+ struct lsm_ctx *ctx = calloc(page_size, 1);
+ struct lsm_ctx *tctx = NULL;
+ __u32 *syscall_lsms = calloc(page_size, 1);
+ char *attr = calloc(page_size, 1);
+ int cnt_current = 0;
+ int cnt_exec = 0;
+ int cnt_fscreate = 0;
+ int cnt_keycreate = 0;
+ int cnt_prev = 0;
+ int cnt_sockcreate = 0;
+ int lsmcount;
+ int count;
+ int i;
+
+ ASSERT_NE(NULL, ctx);
+ ASSERT_NE(NULL, syscall_lsms);
+
+ lsmcount = syscall(__NR_lsm_module_list, syscall_lsms, &size, 0);
+ ASSERT_LE(1, lsmcount);
+
+ for (i = 0; i < lsmcount; i++) {
+ switch (syscall_lsms[i]) {
+ case LSM_ID_SELINUX:
+ cnt_current++;
+ cnt_exec++;
+ cnt_fscreate++;
+ cnt_keycreate++;
+ cnt_prev++;
+ cnt_sockcreate++;
+ break;
+ case LSM_ID_SMACK:
+ cnt_current++;
+ break;
+ case LSM_ID_APPARMOR:
+ cnt_current++;
+ cnt_exec++;
+ cnt_prev++;
+ break;
+ default:
+ break;
+ }
+ }
+
+ if (cnt_current) {
+ size = page_size;
+ count = syscall(__NR_lsm_get_self_attr, ctx, &size,
+ LSM_ATTR_CURRENT);
+ ASSERT_EQ(cnt_current, count);
+ tctx = ctx;
+ ASSERT_EQ(0, read_proc_attr("current", attr, page_size));
+ ASSERT_EQ(0, strcmp((char *)tctx->ctx, attr));
+ for (i = 1; i < count; i++) {
+ tctx = next_ctx(tctx);
+ ASSERT_NE(0, strcmp((char *)tctx->ctx, attr));
+ }
+ }
+ if (cnt_exec) {
+ size = page_size;
+ count = syscall(__NR_lsm_get_self_attr, ctx, &size,
+ LSM_ATTR_EXEC);
+ ASSERT_GE(cnt_exec, count);
+ if (count > 0) {
+ tctx = ctx;
+ ASSERT_EQ(0, read_proc_attr("exec", attr, page_size));
+ ASSERT_EQ(0, strcmp((char *)tctx->ctx, attr));
+ }
+ for (i = 1; i < count; i++) {
+ tctx = next_ctx(tctx);
+ ASSERT_NE(0, strcmp((char *)tctx->ctx, attr));
+ }
+ }
+ if (cnt_fscreate) {
+ size = page_size;
+ count = syscall(__NR_lsm_get_self_attr, ctx, &size,
+ LSM_ATTR_FSCREATE);
+ ASSERT_GE(cnt_fscreate, count);
+ if (count > 0) {
+ tctx = ctx;
+ ASSERT_EQ(0, read_proc_attr("fscreate", attr,
+ page_size));
+ ASSERT_EQ(0, strcmp((char *)tctx->ctx, attr));
+ }
+ for (i = 1; i < count; i++) {
+ tctx = next_ctx(tctx);
+ ASSERT_NE(0, strcmp((char *)tctx->ctx, attr));
+ }
+ }
+ if (cnt_keycreate) {
+ size = page_size;
+ count = syscall(__NR_lsm_get_self_attr, ctx, &size,
+ LSM_ATTR_KEYCREATE);
+ ASSERT_GE(cnt_keycreate, count);
+ if (count > 0) {
+ tctx = ctx;
+ ASSERT_EQ(0, read_proc_attr("keycreate", attr,
+ page_size));
+ ASSERT_EQ(0, strcmp((char *)tctx->ctx, attr));
+ }
+ for (i = 1; i < count; i++) {
+ tctx = next_ctx(tctx);
+ ASSERT_NE(0, strcmp((char *)tctx->ctx, attr));
+ }
+ }
+ if (cnt_prev) {
+ size = page_size;
+ count = syscall(__NR_lsm_get_self_attr, ctx, &size,
+ LSM_ATTR_PREV);
+ ASSERT_GE(cnt_prev, count);
+ if (count > 0) {
+ tctx = ctx;
+ ASSERT_EQ(0, read_proc_attr("prev", attr, page_size));
+ ASSERT_EQ(0, strcmp((char *)tctx->ctx, attr));
+ for (i = 1; i < count; i++) {
+ tctx = next_ctx(tctx);
+ ASSERT_NE(0, strcmp((char *)tctx->ctx, attr));
+ }
+ }
+ }
+ if (cnt_sockcreate) {
+ size = page_size;
+ count = syscall(__NR_lsm_get_self_attr, ctx, &size,
+ LSM_ATTR_SOCKCREATE);
+ ASSERT_GE(cnt_sockcreate, count);
+ if (count > 0) {
+ tctx = ctx;
+ ASSERT_EQ(0, read_proc_attr("sockcreate", attr,
+ page_size));
+ ASSERT_EQ(0, strcmp((char *)tctx->ctx, attr));
+ }
+ for (i = 1; i < count; i++) {
+ tctx = next_ctx(tctx);
+ ASSERT_NE(0, strcmp((char *)tctx->ctx, attr));
+ }
+ }
+
+ free(ctx);
+ free(attr);
+ free(syscall_lsms);
+}
+
+TEST_HARNESS_MAIN
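Review bot: the `ASSERT_GE(cnt_exec, count)` checks, and their fscreate, keycreate, prev and sockcreate counterparts, let an error return slip through: lsm_get_self_attr returning -1 satisfies `cnt_exec >= count`, the `if (count > 0)` block and the `for (i = 1; i < count; i++)` loop are skipped, and the test passes without having exercised anything. Add `ASSERT_LE(0, count)` after each call so a failing syscall is reported. The prev block also nests its `for` loop inside `if (count > 0)` while the other four place it after the block; harmless, since the loop body never runs for `count <= 0`, but laying the five blocks out identically makes them easier to compare.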
diff --git a/tools/testing/selftests/lsm/lsm_module_list_test.c b/tools/testing/selftests/lsm/lsm_module_list_test.c
new file mode 100644
index 000000000000..c5675598b2a4
--- /dev/null
+++ b/tools/testing/selftests/lsm/lsm_module_list_test.c
@@ -0,0 +1,149 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Linux Security Module infrastructure tests
+ * Tests for the lsm_module_list system call
+ *
+ * Copyright © 2022 Casey Schaufler <[email protected]>
+ * Copyright © 2022 Intel Corporation
+ */
+
+#define _GNU_SOURCE
+#include <linux/lsm.h>
+#include <string.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include "../kselftest_harness.h"
+
+static int read_sysfs_lsms(char *lsms, __kernel_size_t size)
+{
+ FILE *fp;
+
+ fp = fopen("/sys/kernel/security/lsm", "r");
+ if (fp == NULL)
+ return -1;
+ if (fread(lsms, 1, size, fp) <= 0)
+ return -1;
+ fclose(fp);
+ return 0;
+}
+
+TEST(size_null_lsm_module_list)
+{
+ const long page_size = sysconf(_SC_PAGESIZE);
+ char *syscall_lsms = calloc(page_size, 1);
+
+ ASSERT_NE(NULL, syscall_lsms);
+ ASSERT_EQ(-1, syscall(__NR_lsm_module_list, syscall_lsms, NULL, 0));
+ ASSERT_EQ(EFAULT, errno);
+
+ free(syscall_lsms);
+}
+
+TEST(ids_null_lsm_module_list)
+{
+ const long page_size = sysconf(_SC_PAGESIZE);
+ __kernel_size_t size = page_size;
+
+ ASSERT_EQ(-1, syscall(__NR_lsm_module_list, NULL, &size, 0));
+ ASSERT_EQ(EFAULT, errno);
+ ASSERT_NE(1, size);
+}
+
+TEST(size_too_small_lsm_module_list)
+{
+ const long page_size = sysconf(_SC_PAGESIZE);
+ char *syscall_lsms = calloc(page_size, 1);
+ __kernel_size_t size = 1;
+
+ ASSERT_NE(NULL, syscall_lsms);
+ ASSERT_EQ(-1, syscall(__NR_lsm_module_list, syscall_lsms, &size, 0));
+ ASSERT_EQ(E2BIG, errno);
+ ASSERT_NE(1, size);
+
+ free(syscall_lsms);
+}
+
+TEST(flags_set_lsm_module_list)
+{
+ const long page_size = sysconf(_SC_PAGESIZE);
+ char *syscall_lsms = calloc(page_size, 1);
+ __kernel_size_t size = page_size;
+
+ ASSERT_NE(NULL, syscall_lsms);
+ ASSERT_EQ(-1, syscall(__NR_lsm_module_list, syscall_lsms, &size, 7));
+ ASSERT_EQ(EINVAL, errno);
+ ASSERT_EQ(page_size, size);
+
+ free(syscall_lsms);
+}
+
+TEST(correct_lsm_module_list)
+{
+ const long page_size = sysconf(_SC_PAGESIZE);
+ __kernel_size_t size = page_size;
+ __u32 *syscall_lsms = calloc(page_size, 1);
+ char *sysfs_lsms = calloc(page_size, 1);
+ char *name;
+ char *cp;
+ int count;
+ int i;
+
+ ASSERT_NE(NULL, sysfs_lsms);
+ ASSERT_NE(NULL, syscall_lsms);
+ ASSERT_EQ(0, read_sysfs_lsms(sysfs_lsms, page_size));
+
+ count = syscall(__NR_lsm_module_list, syscall_lsms, &size, 0);
+ ASSERT_LE(1, count);
+ cp = sysfs_lsms;
+ for (i = 0; i < count; i++) {
+ switch (syscall_lsms[i]) {
+ case LSM_ID_CAPABILITY:
+ name = "capability";
+ break;
+ case LSM_ID_SELINUX:
+ name = "selinux";
+ break;
+ case LSM_ID_SMACK:
+ name = "smack";
+ break;
+ case LSM_ID_TOMOYO:
+ name = "tomoyo";
+ break;
+ case LSM_ID_IMA:
+ name = "ima";
+ break;
+ case LSM_ID_APPARMOR:
+ name = "apparmor";
+ break;
+ case LSM_ID_YAMA:
+ name = "yama";
+ break;
+ case LSM_ID_LOADPIN:
+ name = "loadpin";
+ break;
+ case LSM_ID_SAFESETID:
+ name = "safesetid";
+ break;
+ case LSM_ID_LOCKDOWN:
+ name = "lockdown";
+ break;
+ case LSM_ID_BPF:
+ name = "bpf";
+ break;
+ case LSM_ID_LANDLOCK:
+ name = "landlock";
+ break;
+ default:
+ name = "INVALID";
+ break;
+ }
+ ASSERT_EQ(0, strncmp(cp, name, strlen(name)));
+ cp += strlen(name) + 1;
+ }
+
+ free(sysfs_lsms);
+ free(syscall_lsms);
+}
+
+TEST_HARNESS_MAIN
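Review bot: `ids_null_lsm_module_list` ends with `ASSERT_NE(1, size)`, which cannot fail because `size` was initialised to `page_size`; the intent is presumably that a NULL ids buffer must leave the caller's size untouched, so `ASSERT_EQ(page_size, size)`, as in `flags_set_lsm_module_list`, is the check that means something. In `read_sysfs_lsms` the early `return -1` after a failed `fread` leaks `fp`, and `fread(...) <= 0` compares a `size_t` against zero, so `== 0` states the condition honestly. The file calls `calloc`, `free` and reads `errno` and `__NR_lsm_module_list` without including `<stdlib.h>`, `<errno.h>` or `<sys/syscall.h>`; if it builds today it is because the harness header happens to pull them in, so include them explicitly. Finally, the id-to-name switch in `correct_lsm_module_list` duplicates the identifier list in include/uapi/linux/lsm.h and will report "INVALID" for any module added later; a comment pointing at that header is the minimum to keep the two from drifting.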
diff --git a/tools/testing/selftests/lsm/lsm_set_self_attr_test.c b/tools/testing/selftests/lsm/lsm_set_self_attr_test.c
new file mode 100644
index 000000000000..86f8a5952471
--- /dev/null
+++ b/tools/testing/selftests/lsm/lsm_set_self_attr_test.c
@@ -0,0 +1,328 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Linux Security Module infrastructure tests
+ * Tests for the lsm_set_self_attr system call
+ *
+ * Copyright © 2022 Casey Schaufler <[email protected]>
+ * Copyright © 2022 Intel Corporation
+ */
+
+#define _GNU_SOURCE
+#include <linux/lsm.h>
+#include <string.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include "../kselftest_harness.h"
+
+static struct lsm_ctx *next_ctx(struct lsm_ctx *tctx)
+{
+ void *vp;
+
+ vp = (void *)tctx + sizeof(*tctx) + tctx->ctx_len;
+ return (struct lsm_ctx *)vp;
+}
+
+TEST(ctx_null_lsm_set_self_attr)
+{
+ ASSERT_EQ(-1, syscall(__NR_lsm_set_self_attr, NULL, _SC_PAGESIZE,
+ LSM_ATTR_CURRENT));
+ ASSERT_EQ(EFAULT, errno);
+}
+
+TEST(size_too_small_lsm_set_self_attr)
+{
+ const long page_size = sysconf(_SC_PAGESIZE);
+ struct lsm_ctx *ctx = calloc(page_size, 1);
+ __kernel_size_t size = page_size;
+
+ ASSERT_NE(NULL, ctx);
+ ASSERT_GE(1, syscall(__NR_lsm_get_self_attr, ctx, &size,
+ LSM_ATTR_CURRENT));
+ ASSERT_EQ(-1, syscall(__NR_lsm_set_self_attr, ctx, 1,
+ LSM_ATTR_CURRENT));
+ ASSERT_EQ(EINVAL, errno);
+
+ free(ctx);
+}
+
+TEST(flags_zero_lsm_set_self_attr)
+{
+ const long page_size = sysconf(_SC_PAGESIZE);
+ char *ctx = calloc(page_size, 1);
+ __kernel_size_t size = page_size;
+
+ ASSERT_NE(NULL, ctx);
+ ASSERT_GE(1, syscall(__NR_lsm_get_self_attr, ctx, &size,
+ LSM_ATTR_CURRENT));
+ ASSERT_EQ(-1, syscall(__NR_lsm_set_self_attr, ctx, size, 0));
+ ASSERT_EQ(EINVAL, errno);
+
+ free(ctx);
+}
+
+TEST(flags_overset_lsm_set_self_attr)
+{
+ const long page_size = sysconf(_SC_PAGESIZE);
+ char *ctx = calloc(page_size, 1);
+ __kernel_size_t size = page_size;
+ struct lsm_ctx *tctx = (struct lsm_ctx *)ctx;
+
+ ASSERT_NE(NULL, ctx);
+ ASSERT_GE(1, syscall(__NR_lsm_get_self_attr, tctx, &size,
+ LSM_ATTR_CURRENT));
+ ASSERT_EQ(-1, syscall(__NR_lsm_set_self_attr, tctx, size,
+ LSM_ATTR_CURRENT | LSM_ATTR_PREV));
+ ASSERT_EQ(EINVAL, errno);
+
+ free(ctx);
+}
+
+TEST(basic_lsm_set_self_attr)
+{
+ const long page_size = sysconf(_SC_PAGESIZE);
+ __kernel_size_t size = page_size;
+ struct lsm_ctx *ctx = calloc(page_size, 1);
+ struct lsm_ctx *tctx;
+ __u32 *syscall_lsms = calloc(page_size, 1);
+ char *attr = calloc(page_size, 1);
+ bool active_apparmor = false;
+ bool active_selinux = false;
+ bool active_smack = false;
+ int cnt_current = 0;
+ int cnt_exec = 0;
+ int cnt_fscreate = 0;
+ int cnt_keycreate = 0;
+ int cnt_prev = 0;
+ int cnt_sockcreate = 0;
+ int lsmcount;
+ int count;
+ int rc;
+ int i;
+
+ ASSERT_NE(NULL, ctx);
+ ASSERT_NE(NULL, syscall_lsms);
+
+ lsmcount = syscall(__NR_lsm_module_list, syscall_lsms, &size, 0);
+ ASSERT_LE(1, lsmcount);
+
+ for (i = 0; i < lsmcount; i++) {
+ switch (syscall_lsms[i]) {
+ case LSM_ID_SELINUX:
+ active_selinux = true;
+ cnt_current++;
+ cnt_exec++;
+ cnt_fscreate++;
+ cnt_keycreate++;
+ cnt_prev++;
+ cnt_sockcreate++;
+ break;
+ case LSM_ID_SMACK:
+ active_smack = true;
+ cnt_current++;
+ break;
+ case LSM_ID_APPARMOR:
+ active_apparmor = true;
+ cnt_current++;
+ cnt_exec++;
+ cnt_prev++;
+ break;
+ default:
+ break;
+ }
+ }
+
+ if (cnt_current) {
+ size = page_size;
+ count = syscall(__NR_lsm_get_self_attr, ctx, &size,
+ LSM_ATTR_CURRENT);
+ ASSERT_EQ(cnt_current, count);
+ tctx = ctx;
+
+ for (i = 0; i < count; i++) {
+ switch (tctx->id) {
+ case LSM_ID_SELINUX:
+ ASSERT_EQ(active_selinux, true);
+ rc = syscall(__NR_lsm_set_self_attr, tctx, size,
+ LSM_ATTR_CURRENT);
+ ASSERT_EQ(0, rc);
+ tctx->ctx[0] = 'X';
+ rc = syscall(__NR_lsm_set_self_attr, tctx, size,
+ LSM_ATTR_CURRENT);
+ ASSERT_EQ(-1, rc);
+ ASSERT_EQ(EINVAL, errno);
+ break;
+ case LSM_ID_SMACK:
+ ASSERT_EQ(active_smack, true);
+ rc = syscall(__NR_lsm_set_self_attr, tctx, size,
+ LSM_ATTR_CURRENT);
+ ASSERT_EQ(-1, rc);
+ ASSERT_EQ(EPERM, errno);
+ break;
+ case LSM_ID_APPARMOR:
+ ASSERT_EQ(active_apparmor, true);
+ rc = syscall(__NR_lsm_set_self_attr, tctx, size,
+ LSM_ATTR_CURRENT);
+ ASSERT_EQ(-1, rc);
+ ASSERT_EQ(EINVAL, errno);
+ break;
+ default:
+ }
+ tctx = next_ctx(tctx);
+ }
+ }
+ if (cnt_exec) {
+ size = page_size;
+ count = syscall(__NR_lsm_get_self_attr, ctx, &size,
+ LSM_ATTR_EXEC);
+ ASSERT_GE(cnt_exec, count);
+ tctx = ctx;
+
+ for (i = 0; i < count; i++) {
+ switch (tctx->id) {
+ case LSM_ID_SELINUX:
+ ASSERT_EQ(active_selinux, true);
+ rc = syscall(__NR_lsm_set_self_attr, tctx, size,
+ LSM_ATTR_EXEC);
+ ASSERT_EQ(0, rc);
+ tctx->ctx[0] = 'X';
+ rc = syscall(__NR_lsm_set_self_attr, tctx, size,
+ LSM_ATTR_EXEC);
+ ASSERT_EQ(-1, rc);
+ ASSERT_EQ(EINVAL, errno);
+ break;
+ case LSM_ID_APPARMOR:
+ ASSERT_EQ(active_apparmor, true);
+ rc = syscall(__NR_lsm_set_self_attr, tctx, size,
+ LSM_ATTR_EXEC);
+ ASSERT_EQ(-1, rc);
+ ASSERT_EQ(EPERM, errno);
+ break;
+ default:
+ break;
+ }
+ tctx = next_ctx(tctx);
+ }
+ }
+ if (cnt_prev) {
+ size = page_size;
+ count = syscall(__NR_lsm_get_self_attr, ctx, &size,
+ LSM_ATTR_PREV);
+ ASSERT_GE(cnt_prev, count);
+ tctx = ctx;
+
+ for (i = 0; i < count; i++) {
+ switch (tctx->id) {
+ case LSM_ID_SELINUX:
+ ASSERT_EQ(active_selinux, true);
+ rc = syscall(__NR_lsm_set_self_attr, tctx, size,
+ LSM_ATTR_PREV);
+ ASSERT_EQ(-1, rc);
+ ASSERT_EQ(EINVAL, errno);
+ tctx->ctx[0] = 'X';
+ rc = syscall(__NR_lsm_set_self_attr, tctx, size,
+ LSM_ATTR_PREV);
+ ASSERT_EQ(-1, rc);
+ ASSERT_EQ(EINVAL, errno);
+ break;
+ case LSM_ID_APPARMOR:
+ ASSERT_EQ(active_apparmor, true);
+ rc = syscall(__NR_lsm_set_self_attr, tctx, size,
+ LSM_ATTR_PREV);
+ ASSERT_EQ(-1, rc);
+ ASSERT_EQ(EPERM, errno);
+ break;
+ default:
+ break;
+ }
+ tctx = next_ctx(tctx);
+ }
+ }
+ if (cnt_fscreate) {
+ size = page_size;
+ count = syscall(__NR_lsm_get_self_attr, ctx, &size,
+ LSM_ATTR_FSCREATE);
+ ASSERT_GE(cnt_fscreate, count);
+ tctx = ctx;
+
+ for (i = 0; i < count; i++) {
+ switch (tctx->id) {
+ case LSM_ID_SELINUX:
+ ASSERT_EQ(active_selinux, true);
+ rc = syscall(__NR_lsm_set_self_attr, tctx, size,
+ LSM_ATTR_FSCREATE);
+ ASSERT_EQ(-1, rc);
+ ASSERT_EQ(EINVAL, errno);
+ tctx->ctx[0] = 'X';
+ rc = syscall(__NR_lsm_set_self_attr, tctx, size,
+ LSM_ATTR_FSCREATE);
+ ASSERT_EQ(-1, rc);
+ ASSERT_EQ(EINVAL, errno);
+ break;
+ default:
+ break;
+ }
+ tctx = next_ctx(tctx);
+ }
+ }
+ if (cnt_keycreate) {
+ size = page_size;
+ count = syscall(__NR_lsm_get_self_attr, ctx, &size,
+ LSM_ATTR_KEYCREATE);
+ ASSERT_GE(cnt_keycreate, count);
+ tctx = ctx;
+
+ for (i = 0; i < count; i++) {
+ switch (tctx->id) {
+ case LSM_ID_SELINUX:
+ ASSERT_EQ(active_selinux, true);
+ rc = syscall(__NR_lsm_set_self_attr, tctx, size,
+ LSM_ATTR_KEYCREATE);
+ ASSERT_EQ(-1, rc);
+ ASSERT_EQ(EINVAL, errno);
+ tctx->ctx[0] = 'X';
+ rc = syscall(__NR_lsm_set_self_attr, tctx, size,
+ LSM_ATTR_KEYCREATE);
+ ASSERT_EQ(-1, rc);
+ ASSERT_EQ(EINVAL, errno);
+ break;
+ default:
+ break;
+ }
+ tctx = next_ctx(tctx);
+ }
+ }
+ if (cnt_sockcreate) {
+ size = page_size;
+ count = syscall(__NR_lsm_get_self_attr, ctx, &size,
+ LSM_ATTR_SOCKCREATE);
+ ASSERT_GE(cnt_sockcreate, count);
+ tctx = ctx;
+
+ for (i = 0; i < count; i++) {
+ switch (tctx->id) {
+ case LSM_ID_SELINUX:
+ ASSERT_EQ(active_selinux, true);
+ rc = syscall(__NR_lsm_set_self_attr, tctx, size,
+ LSM_ATTR_SOCKCREATE);
+ ASSERT_EQ(-1, rc);
+ ASSERT_EQ(EINVAL, errno);
+ tctx->ctx[0] = 'X';
+ rc = syscall(__NR_lsm_set_self_attr, tctx, size,
+ LSM_ATTR_SOCKCREATE);
+ ASSERT_EQ(-1, rc);
+ ASSERT_EQ(EINVAL, errno);
+ break;
+ default:
+ break;
+ }
+ tctx = next_ctx(tctx);
+ }
+ }
+
+ free(ctx);
+ free(attr);
+ free(syscall_lsms);
+}
+
+TEST_HARNESS_MAIN
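Review bot: `ctx_null_lsm_set_self_attr` passes `_SC_PAGESIZE` itself as the size argument; that is the sysconf selector constant, not the page size, so it should be `sysconf(_SC_PAGESIZE)` like the other tests. The three `ASSERT_GE(1, syscall(__NR_lsm_get_self_attr, ...))` checks in the size_too_small, flags_zero and flags_overset tests assert `1 >= count`, which accepts -1 and 0 (a failed or empty get) and rejects a valid result of two or more entries when several modules provide "current"; `ASSERT_LE(1, ...)` is presumably what was meant. In `basic_lsm_set_self_attr` the `default:` label in the LSM_ATTR_CURRENT switch has no statement after it, which compilers predating C2x reject ("label at end of compound statement"); add `break;` as the other switches do. The same function passes `size`, the total length lsm_get_self_attr returned for all entries, to every `lsm_set_self_attr` call even after `tctx` has advanced to the second or later entry; the per-entry length is `sizeof(*tctx) + tctx->ctx_len`, and handing the kernel the total for a later entry reads past the populated data.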
--
2.38.1

2022-11-23 20:37:12

by Casey Schaufler

Subject: [PATCH v3 8/9] LSM: wireup Linux Security Module syscalls

Wireup lsm_get_self_attr, lsm_set_self_attr and lsm_module_list
system calls.

Signed-off-by: Casey Schaufler <[email protected]>
---
arch/alpha/kernel/syscalls/syscall.tbl | 3 +++
arch/arm/tools/syscall.tbl | 3 +++
arch/arm64/include/asm/unistd32.h | 6 ++++++
arch/ia64/kernel/syscalls/syscall.tbl | 3 +++
arch/m68k/kernel/syscalls/syscall.tbl | 3 +++
arch/microblaze/kernel/syscalls/syscall.tbl | 3 +++
arch/mips/kernel/syscalls/syscall_n32.tbl | 3 +++
arch/mips/kernel/syscalls/syscall_n64.tbl | 3 +++
arch/mips/kernel/syscalls/syscall_o32.tbl | 3 +++
arch/parisc/kernel/syscalls/syscall.tbl | 3 +++
arch/powerpc/kernel/syscalls/syscall.tbl | 3 +++
arch/s390/kernel/syscalls/syscall.tbl | 3 +++
arch/sh/kernel/syscalls/syscall.tbl | 3 +++
arch/sparc/kernel/syscalls/syscall.tbl | 3 +++
arch/x86/entry/syscalls/syscall_32.tbl | 3 +++
arch/x86/entry/syscalls/syscall_64.tbl | 3 +++
arch/xtensa/kernel/syscalls/syscall.tbl | 3 +++
include/uapi/asm-generic/unistd.h | 11 ++++++++++-
tools/perf/arch/mips/entry/syscalls/syscall_n64.tbl | 3 +++
tools/perf/arch/powerpc/entry/syscalls/syscall.tbl | 3 +++
tools/perf/arch/s390/entry/syscalls/syscall.tbl | 3 +++
tools/perf/arch/x86/entry/syscalls/syscall_64.tbl | 3 +++
22 files changed, 76 insertions(+), 1 deletion(-)

diff --git a/arch/alpha/kernel/syscalls/syscall.tbl b/arch/alpha/kernel/syscalls/syscall.tbl
index 8ebacf37a8cf..002e6a39fcb1 100644
--- a/arch/alpha/kernel/syscalls/syscall.tbl
+++ b/arch/alpha/kernel/syscalls/syscall.tbl
@@ -490,3 +490,6 @@
558 common process_mrelease sys_process_mrelease
559 common futex_waitv sys_futex_waitv
560 common set_mempolicy_home_node sys_ni_syscall
+561 common lsm_get_self_attr sys_lsm_get_self_attr
+562 common lsm_module_list sys_lsm_module_list
+563 common lsm_set_self_attr sys_lsm_set_self_attr
diff --git a/arch/arm/tools/syscall.tbl b/arch/arm/tools/syscall.tbl
index ac964612d8b0..dca80a2d3927 100644
--- a/arch/arm/tools/syscall.tbl
+++ b/arch/arm/tools/syscall.tbl
@@ -464,3 +464,6 @@
448 common process_mrelease sys_process_mrelease
449 common futex_waitv sys_futex_waitv
450 common set_mempolicy_home_node sys_set_mempolicy_home_node
+451 common lsm_get_self_attr sys_lsm_get_self_attr
+452 common lsm_module_list sys_lsm_module_list
+453 common lsm_set_self_attr sys_lsm_set_self_attr
diff --git a/arch/arm64/include/asm/unistd32.h b/arch/arm64/include/asm/unistd32.h
index 604a2053d006..cb4b3149024d 100644
--- a/arch/arm64/include/asm/unistd32.h
+++ b/arch/arm64/include/asm/unistd32.h
@@ -907,6 +907,12 @@ __SYSCALL(__NR_process_mrelease, sys_process_mrelease)
__SYSCALL(__NR_futex_waitv, sys_futex_waitv)
#define __NR_set_mempolicy_home_node 450
__SYSCALL(__NR_set_mempolicy_home_node, sys_set_mempolicy_home_node)
+#define __NR_lsm_get_self_attr 451
+__SYSCALL(__NR_lsm_get_self_attr, sys_lsm_get_self_attr)
+#define __NR_lsm_module_list 452
+__SYSCALL(__NR_lsm_module_list, sys_module_list)
+#define __NR_lsm_set_self_attr 453
+__SYSCALL(__NR_lsm_set_self_attr, sys_lsm_set_self_attr)

/*
* Please add new compat syscalls above this comment and update
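Review bot: the compat entry for 452 names `sys_module_list` rather than `sys_lsm_module_list`; every other table in this patch, and asm-generic/unistd.h, uses `sys_lsm_module_list`, and the patch defines no `sys_module_list`, so the arm64 compat table will not resolve. Change it to `__SYSCALL(__NR_lsm_module_list, sys_lsm_module_list)`.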
diff --git a/arch/ia64/kernel/syscalls/syscall.tbl b/arch/ia64/kernel/syscalls/syscall.tbl
index 72c929d9902b..1a5d560a1317 100644
--- a/arch/ia64/kernel/syscalls/syscall.tbl
+++ b/arch/ia64/kernel/syscalls/syscall.tbl
@@ -371,3 +371,6 @@
448 common process_mrelease sys_process_mrelease
449 common futex_waitv sys_futex_waitv
450 common set_mempolicy_home_node sys_set_mempolicy_home_node
+451 common lsm_get_self_attr sys_lsm_get_self_attr
+452 common lsm_module_list sys_lsm_module_list
+453 common lsm_set_self_attr sys_lsm_set_self_attr
diff --git a/arch/m68k/kernel/syscalls/syscall.tbl b/arch/m68k/kernel/syscalls/syscall.tbl
index b1f3940bc298..0b7b01c90315 100644
--- a/arch/m68k/kernel/syscalls/syscall.tbl
+++ b/arch/m68k/kernel/syscalls/syscall.tbl
@@ -450,3 +450,6 @@
448 common process_mrelease sys_process_mrelease
449 common futex_waitv sys_futex_waitv
450 common set_mempolicy_home_node sys_set_mempolicy_home_node
+451 common lsm_get_self_attr sys_lsm_get_self_attr
+452 common lsm_module_list sys_lsm_module_list
+453 common lsm_set_self_attr sys_lsm_set_self_attr
diff --git a/arch/microblaze/kernel/syscalls/syscall.tbl b/arch/microblaze/kernel/syscalls/syscall.tbl
index 820145e47350..b69d57014c7b 100644
--- a/arch/microblaze/kernel/syscalls/syscall.tbl
+++ b/arch/microblaze/kernel/syscalls/syscall.tbl
@@ -456,3 +456,6 @@
448 common process_mrelease sys_process_mrelease
449 common futex_waitv sys_futex_waitv
450 common set_mempolicy_home_node sys_set_mempolicy_home_node
+451 common lsm_get_self_attr sys_lsm_get_self_attr
+452 common lsm_module_list sys_lsm_module_list
+453 common lsm_set_self_attr sys_lsm_set_self_attr
diff --git a/arch/mips/kernel/syscalls/syscall_n32.tbl b/arch/mips/kernel/syscalls/syscall_n32.tbl
index 253ff994ed2e..7c1ca6241b90 100644
--- a/arch/mips/kernel/syscalls/syscall_n32.tbl
+++ b/arch/mips/kernel/syscalls/syscall_n32.tbl
@@ -389,3 +389,6 @@
448 n32 process_mrelease sys_process_mrelease
449 n32 futex_waitv sys_futex_waitv
450 n32 set_mempolicy_home_node sys_set_mempolicy_home_node
+451 n32 lsm_get_self_attr sys_lsm_get_self_attr
+452 n32 lsm_module_list sys_lsm_module_list
+453 n32 lsm_set_self_attr sys_lsm_set_self_attr
diff --git a/arch/mips/kernel/syscalls/syscall_n64.tbl b/arch/mips/kernel/syscalls/syscall_n64.tbl
index 3f1886ad9d80..99453966d179 100644
--- a/arch/mips/kernel/syscalls/syscall_n64.tbl
+++ b/arch/mips/kernel/syscalls/syscall_n64.tbl
@@ -365,3 +365,6 @@
448 n64 process_mrelease sys_process_mrelease
449 n64 futex_waitv sys_futex_waitv
450 common set_mempolicy_home_node sys_set_mempolicy_home_node
+451 n64 lsm_get_self_attr sys_lsm_get_self_attr
+452 n64 lsm_module_list sys_lsm_module_list
+453 n64 lsm_set_self_attr sys_lsm_set_self_attr
diff --git a/arch/mips/kernel/syscalls/syscall_o32.tbl b/arch/mips/kernel/syscalls/syscall_o32.tbl
index 8f243e35a7b2..4ddb0ff66793 100644
--- a/arch/mips/kernel/syscalls/syscall_o32.tbl
+++ b/arch/mips/kernel/syscalls/syscall_o32.tbl
@@ -438,3 +438,6 @@
448 o32 process_mrelease sys_process_mrelease
449 o32 futex_waitv sys_futex_waitv
450 o32 set_mempolicy_home_node sys_set_mempolicy_home_node
+451 o32 lsm_get_self_attr sys_lsm_get_self_attr
+452 o32 lsm_module_list sys_lsm_module_list
+453 032 lsm_set_self_attr sys_lsm_set_self_attr
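Review bot: the ABI column for 453 reads `032` (digit zero) instead of `o32`; the table generator selects entries by ABI string, so 451 and 452 would be wired for o32 while lsm_set_self_attr is silently left out. Fix it to `453 o32 lsm_set_self_attr sys_lsm_set_self_attr`.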
diff --git a/arch/parisc/kernel/syscalls/syscall.tbl b/arch/parisc/kernel/syscalls/syscall.tbl
index 8a99c998da9b..ea5ca5f70cbe 100644
--- a/arch/parisc/kernel/syscalls/syscall.tbl
+++ b/arch/parisc/kernel/syscalls/syscall.tbl
@@ -448,3 +448,6 @@
448 common process_mrelease sys_process_mrelease
449 common futex_waitv sys_futex_waitv
450 common set_mempolicy_home_node sys_set_mempolicy_home_node
+451 common lsm_get_self_attr sys_lsm_get_self_attr
+452 common lsm_module_list sys_lsm_module_list
+453 common lsm_set_self_attr sys_lsm_set_self_attr
diff --git a/arch/powerpc/kernel/syscalls/syscall.tbl b/arch/powerpc/kernel/syscalls/syscall.tbl
index a0be127475b1..8d31bb83d6a2 100644
--- a/arch/powerpc/kernel/syscalls/syscall.tbl
+++ b/arch/powerpc/kernel/syscalls/syscall.tbl
@@ -537,3 +537,6 @@
448 common process_mrelease sys_process_mrelease
449 common futex_waitv sys_futex_waitv
450 nospu set_mempolicy_home_node sys_set_mempolicy_home_node
+451 common lsm_get_self_attr sys_lsm_get_self_attr
+452 common lsm_module_list sys_lsm_module_list
+453 common lsm_set_self_attr sys_lsm_set_self_attr
diff --git a/arch/s390/kernel/syscalls/syscall.tbl b/arch/s390/kernel/syscalls/syscall.tbl
index 799147658dee..bb7597be2e4f 100644
--- a/arch/s390/kernel/syscalls/syscall.tbl
+++ b/arch/s390/kernel/syscalls/syscall.tbl
@@ -453,3 +453,6 @@
448 common process_mrelease sys_process_mrelease sys_process_mrelease
449 common futex_waitv sys_futex_waitv sys_futex_waitv
450 common set_mempolicy_home_node sys_set_mempolicy_home_node sys_set_mempolicy_home_node
+451 common lsm_get_self_attr sys_lsm_get_self_attr sys_lsm_get_self_attr
+452 common lsm_module_list sys_lsm_module_list sys_lsm_module_list
+453 common lsm_set_self_attr sys_lsm_set_self_attr sys_lsm_set_self_attr
diff --git a/arch/sh/kernel/syscalls/syscall.tbl b/arch/sh/kernel/syscalls/syscall.tbl
index 2de85c977f54..43d468742916 100644
--- a/arch/sh/kernel/syscalls/syscall.tbl
+++ b/arch/sh/kernel/syscalls/syscall.tbl
@@ -453,3 +453,6 @@
448 common process_mrelease sys_process_mrelease
449 common futex_waitv sys_futex_waitv
450 common set_mempolicy_home_node sys_set_mempolicy_home_node
+451 common lsm_get_self_attr sys_lsm_get_self_attr
+452 common lsm_module_list sys_lsm_module_list
+453 common lsm_set_self_attr sys_lsm_set_self_attr
diff --git a/arch/sparc/kernel/syscalls/syscall.tbl b/arch/sparc/kernel/syscalls/syscall.tbl
index 4398cc6fb68d..c7791c7bdde4 100644
--- a/arch/sparc/kernel/syscalls/syscall.tbl
+++ b/arch/sparc/kernel/syscalls/syscall.tbl
@@ -496,3 +496,6 @@
448 common process_mrelease sys_process_mrelease
449 common futex_waitv sys_futex_waitv
450 common set_mempolicy_home_node sys_set_mempolicy_home_node
+451 common lsm_get_self_attr sys_lsm_get_self_attr
+452 common lsm_module_list sys_lsm_module_list
+453 common lsm_set_self_attr sys_lsm_set_self_attr
diff --git a/arch/x86/entry/syscalls/syscall_32.tbl b/arch/x86/entry/syscalls/syscall_32.tbl
index 320480a8db4f..4f2e6577466e 100644
--- a/arch/x86/entry/syscalls/syscall_32.tbl
+++ b/arch/x86/entry/syscalls/syscall_32.tbl
@@ -455,3 +455,6 @@
448 i386 process_mrelease sys_process_mrelease
449 i386 futex_waitv sys_futex_waitv
450 i386 set_mempolicy_home_node sys_set_mempolicy_home_node
+451 i386 lsm_get_self_attr sys_lsm_get_self_attr
+452 i386 lsm_module_list sys_lsm_module_list
+453 i386 lsm_set_self_attr sys_lsm_set_self_attr
diff --git a/arch/x86/entry/syscalls/syscall_64.tbl b/arch/x86/entry/syscalls/syscall_64.tbl
index c84d12608cd2..3a7866f72042 100644
--- a/arch/x86/entry/syscalls/syscall_64.tbl
+++ b/arch/x86/entry/syscalls/syscall_64.tbl
@@ -372,6 +372,9 @@
448 common process_mrelease sys_process_mrelease
449 common futex_waitv sys_futex_waitv
450 common set_mempolicy_home_node sys_set_mempolicy_home_node
+451 common lsm_get_self_attr sys_lsm_get_self_attr
+452 common lsm_module_list sys_lsm_module_list
+453 common lsm_set_self_attr sys_lsm_set_self_attr

#
# Due to a historical design error, certain syscalls are numbered differently
diff --git a/arch/xtensa/kernel/syscalls/syscall.tbl b/arch/xtensa/kernel/syscalls/syscall.tbl
index 52c94ab5c205..e0a5b61c1f1a 100644
--- a/arch/xtensa/kernel/syscalls/syscall.tbl
+++ b/arch/xtensa/kernel/syscalls/syscall.tbl
@@ -421,3 +421,6 @@
448 common process_mrelease sys_process_mrelease
449 common futex_waitv sys_futex_waitv
450 common set_mempolicy_home_node sys_set_mempolicy_home_node
+451 common lsm_get_self_attr sys_lsm_get_self_attr
+452 common lsm_module_list sys_lsm_module_list
+453 common lsm_set_self_attr sys_lsm_set_self_attr
diff --git a/include/uapi/asm-generic/unistd.h b/include/uapi/asm-generic/unistd.h
index 45fa180cc56a..3659b2b02f5a 100644
--- a/include/uapi/asm-generic/unistd.h
+++ b/include/uapi/asm-generic/unistd.h
@@ -886,8 +886,17 @@ __SYSCALL(__NR_futex_waitv, sys_futex_waitv)
#define __NR_set_mempolicy_home_node 450
__SYSCALL(__NR_set_mempolicy_home_node, sys_set_mempolicy_home_node)

+#define __NR_lsm_get_self_attr 451
+__SYSCALL(__NR_lsm_get_self_attr, sys_lsm_get_self_attr)
+
+#define __NR_lsm_module_list 452
+__SYSCALL(__NR_lsm_module_list, sys_lsm_module_list)
+
+#define __NR_lsm_set_self_attr 453
+__SYSCALL(__NR_lsm_set_self_attr, sys_lsm_set_self_attr)
+
#undef __NR_syscalls
-#define __NR_syscalls 451
+#define __NR_syscalls 454

/*
* 32 bit systems traditionally used different
diff --git a/tools/perf/arch/mips/entry/syscalls/syscall_n64.tbl b/tools/perf/arch/mips/entry/syscalls/syscall_n64.tbl
index 3f1886ad9d80..99453966d179 100644
--- a/tools/perf/arch/mips/entry/syscalls/syscall_n64.tbl
+++ b/tools/perf/arch/mips/entry/syscalls/syscall_n64.tbl
@@ -365,3 +365,6 @@
448 n64 process_mrelease sys_process_mrelease
449 n64 futex_waitv sys_futex_waitv
450 common set_mempolicy_home_node sys_set_mempolicy_home_node
+451 n64 lsm_get_self_attr sys_lsm_get_self_attr
+452 n64 lsm_module_list sys_lsm_module_list
+453 n64 lsm_set_self_attr sys_lsm_set_self_attr
diff --git a/tools/perf/arch/powerpc/entry/syscalls/syscall.tbl b/tools/perf/arch/powerpc/entry/syscalls/syscall.tbl
index e9e0df4f9a61..bdedea2aa778 100644
--- a/tools/perf/arch/powerpc/entry/syscalls/syscall.tbl
+++ b/tools/perf/arch/powerpc/entry/syscalls/syscall.tbl
@@ -534,3 +534,6 @@
448 common process_mrelease sys_process_mrelease
449 common futex_waitv sys_futex_waitv
450 nospu set_mempolicy_home_node sys_set_mempolicy_home_node
+451 common lsm_get_self_attr sys_lsm_get_self_attr
+452 common lsm_module_list sys_lsm_module_list
+453 common lsm_set_self_attr sys_lsm_set_self_attr
diff --git a/tools/perf/arch/s390/entry/syscalls/syscall.tbl b/tools/perf/arch/s390/entry/syscalls/syscall.tbl
index 799147658dee..d69bd5550b46 100644
--- a/tools/perf/arch/s390/entry/syscalls/syscall.tbl
+++ b/tools/perf/arch/s390/entry/syscalls/syscall.tbl
@@ -453,3 +453,6 @@
448 common process_mrelease sys_process_mrelease sys_process_mrelease
449 common futex_waitv sys_futex_waitv sys_futex_waitv
450 common set_mempolicy_home_node sys_set_mempolicy_home_node sys_set_mempolicy_home_node
+451 common lsm_get_self_attr sys_lsm_get_self_attr sys_lsm_get_self_attr
+452 common lsm_module_list sys_lsm_module_list sys_lsm_module_list
+453 common lsm_set_self_attr sys_lsm_set_self_attr sys_lsm_set_self_attr
diff --git a/tools/perf/arch/x86/entry/syscalls/syscall_64.tbl b/tools/perf/arch/x86/entry/syscalls/syscall_64.tbl
index c84d12608cd2..3a7866f72042 100644
--- a/tools/perf/arch/x86/entry/syscalls/syscall_64.tbl
+++ b/tools/perf/arch/x86/entry/syscalls/syscall_64.tbl
@@ -372,6 +372,9 @@
448 common process_mrelease sys_process_mrelease
449 common futex_waitv sys_futex_waitv
450 common set_mempolicy_home_node sys_set_mempolicy_home_node
+451 common lsm_get_self_attr sys_lsm_get_self_attr
+452 common lsm_module_list sys_lsm_module_list
+453 common lsm_set_self_attr sys_lsm_set_self_attr

#
# Due to a historical design error, certain syscalls are numbered differently
--
2.38.1

2022-11-23 20:40:16

by Casey Schaufler

Subject: [PATCH v3 4/9] proc: Use lsmids instead of lsm names for attrs

Use the LSM ID number instead of the LSM name to identify which
security module's attribute data should be shown in /proc/self/attr.
The security_[gs]etprocattr() functions have been changed to expect
the LSM ID. The change from a string comparison to an integer comparison
in these functions will provide a minor performance improvement.

Signed-off-by: Casey Schaufler <[email protected]>
---
fs/proc/base.c | 29 +++++++++++++++--------------
fs/proc/internal.h | 2 +-
include/linux/security.h | 11 +++++------
security/security.c | 11 +++++------
4 files changed, 26 insertions(+), 27 deletions(-)

diff --git a/fs/proc/base.c b/fs/proc/base.c
index 9e479d7d202b..e3dfcb9d68f2 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -96,6 +96,7 @@
#include <linux/time_namespace.h>
#include <linux/resctrl.h>
#include <linux/cn_proc.h>
+#include <uapi/linux/lsm.h>
#include <trace/events/oom.h>
#include "internal.h"
#include "fd.h"
@@ -145,10 +146,10 @@ struct pid_entry {
NOD(NAME, (S_IFREG|(MODE)), \
NULL, &proc_single_file_operations, \
{ .proc_show = show } )
-#define ATTR(LSM, NAME, MODE) \
+#define ATTR(LSMID, NAME, MODE) \
NOD(NAME, (S_IFREG|(MODE)), \
NULL, &proc_pid_attr_operations, \
- { .lsm = LSM })
+ { .lsmid = LSMID })

/*
* Count the number of hardlinks for the pid_entry table, excluding the .
@@ -2730,7 +2731,7 @@ static ssize_t proc_pid_attr_read(struct file * file, char __user * buf,
if (!task)
return -ESRCH;

- length = security_getprocattr(task, PROC_I(inode)->op.lsm,
+ length = security_getprocattr(task, PROC_I(inode)->op.lsmid,
file->f_path.dentry->d_name.name,
&p);
put_task_struct(task);
@@ -2788,7 +2789,7 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf,
if (rv < 0)
goto out_free;

- rv = security_setprocattr(PROC_I(inode)->op.lsm,
+ rv = security_setprocattr(PROC_I(inode)->op.lsmid,
file->f_path.dentry->d_name.name, page,
count);
mutex_unlock(&current->signal->cred_guard_mutex);
@@ -2837,27 +2838,27 @@ static const struct inode_operations proc_##LSM##_attr_dir_inode_ops = { \

#ifdef CONFIG_SECURITY_SMACK
static const struct pid_entry smack_attr_dir_stuff[] = {
- ATTR("smack", "current", 0666),
+ ATTR(LSM_ID_SMACK, "current", 0666),
};
LSM_DIR_OPS(smack);
#endif

#ifdef CONFIG_SECURITY_APPARMOR
static const struct pid_entry apparmor_attr_dir_stuff[] = {
- ATTR("apparmor", "current", 0666),
- ATTR("apparmor", "prev", 0444),
- ATTR("apparmor", "exec", 0666),
+ ATTR(LSM_ID_APPARMOR, "current", 0666),
+ ATTR(LSM_ID_APPARMOR, "prev", 0444),
+ ATTR(LSM_ID_APPARMOR, "exec", 0666),
};
LSM_DIR_OPS(apparmor);
#endif

static const struct pid_entry attr_dir_stuff[] = {
- ATTR(NULL, "current", 0666),
- ATTR(NULL, "prev", 0444),
- ATTR(NULL, "exec", 0666),
- ATTR(NULL, "fscreate", 0666),
- ATTR(NULL, "keycreate", 0666),
- ATTR(NULL, "sockcreate", 0666),
+ ATTR(LSM_ID_INVALID, "current", 0666),
+ ATTR(LSM_ID_INVALID, "prev", 0444),
+ ATTR(LSM_ID_INVALID, "exec", 0666),
+ ATTR(LSM_ID_INVALID, "fscreate", 0666),
+ ATTR(LSM_ID_INVALID, "keycreate", 0666),
+ ATTR(LSM_ID_INVALID, "sockcreate", 0666),
#ifdef CONFIG_SECURITY_SMACK
DIR("smack", 0555,
proc_smack_attr_dir_inode_ops, proc_smack_attr_dir_ops),
diff --git a/fs/proc/internal.h b/fs/proc/internal.h
index b701d0207edf..18db9722c81b 100644
--- a/fs/proc/internal.h
+++ b/fs/proc/internal.h
@@ -92,7 +92,7 @@ union proc_op {
int (*proc_show)(struct seq_file *m,
struct pid_namespace *ns, struct pid *pid,
struct task_struct *task);
- const char *lsm;
+ int lsmid;
};

struct proc_inode {
diff --git a/include/linux/security.h b/include/linux/security.h
index 5b7d486ae1f3..ed2aae04db3b 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -482,10 +482,9 @@ int security_sem_semctl(struct kern_ipc_perm *sma, int cmd);
int security_sem_semop(struct kern_ipc_perm *sma, struct sembuf *sops,
unsigned nsops, int alter);
void security_d_instantiate(struct dentry *dentry, struct inode *inode);
-int security_getprocattr(struct task_struct *p, const char *lsm, const char *name,
+int security_getprocattr(struct task_struct *p, int lsmid, const char *name,
char **value);
-int security_setprocattr(const char *lsm, const char *name, void *value,
- size_t size);
+int security_setprocattr(int lsmid, const char *name, void *value, size_t size);
int security_netlink_send(struct sock *sk, struct sk_buff *skb);
int security_ismaclabel(const char *name);
int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
@@ -1326,14 +1325,14 @@ static inline void security_d_instantiate(struct dentry *dentry,
struct inode *inode)
{ }

-static inline int security_getprocattr(struct task_struct *p, const char *lsm,
+static inline int security_getprocattr(struct task_struct *p, int lsmid,
const char *name, char **value)
{
return -EINVAL;
}

-static inline int security_setprocattr(const char *lsm, char *name,
- void *value, size_t size)
+static inline int security_setprocattr(int lsmid, char *name, void *value,
+ size_t size)
{
return -EINVAL;
}
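Review bot: the `!CONFIG_SECURITY` stub `security_setprocattr(int lsmid, char *name, ...)` still takes `char *name` while the real prototype earlier in this patch takes `const char *name`; since this hunk already rewrites the stub's signature, make the two agree on `const char *name` so callers compile identically with and without CONFIG_SECURITY.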
diff --git a/security/security.c b/security/security.c
index 6e8ed58423d7..7d6e4f788f93 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2082,26 +2082,25 @@ void security_d_instantiate(struct dentry *dentry, struct inode *inode)
}
EXPORT_SYMBOL(security_d_instantiate);

-int security_getprocattr(struct task_struct *p, const char *lsm,
- const char *name, char **value)
+int security_getprocattr(struct task_struct *p, int lsmid, const char *name,
+ char **value)
{
struct security_hook_list *hp;

hlist_for_each_entry(hp, &security_hook_heads.getprocattr, list) {
- if (lsm != NULL && strcmp(lsm, hp->lsmid->lsm))
+ if (lsmid != LSM_ID_INVALID && lsmid != hp->lsmid->id)
continue;
return hp->hook.getprocattr(p, name, value);
}
return LSM_RET_DEFAULT(getprocattr);
}

-int security_setprocattr(const char *lsm, const char *name, void *value,
- size_t size)
+int security_setprocattr(int lsmid, const char *name, void *value, size_t size)
{
struct security_hook_list *hp;

hlist_for_each_entry(hp, &security_hook_heads.setprocattr, list) {
- if (lsm != NULL && strcmp(lsm, hp->lsmid->lsm))
+ if (lsmid != LSM_ID_INVALID && lsmid != hp->lsmid->id)
continue;
return hp->hook.setprocattr(name, value, size);
}
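Review bot: LSM_ID_INVALID now doubles as a wildcard in both loops: with `lsmid == LSM_ID_INVALID` the first registered getprocattr/setprocattr hook answers and the caller cannot tell which module that was. That preserves the old `lsm == NULL` behaviour, but the id now also arrives from user space (sys_lsm_set_self_attr passes `ip->id` straight through in patch 7), so either document the wildcard in the kerneldoc of both functions or reject LSM_ID_INVALID at the syscall boundary.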
--
2.38.1

2022-11-23 21:12:58

by Casey Schaufler

Subject: [PATCH v3 7/9] LSM: lsm_set_self_attr syscall for LSM self attributes

Create a system call lsm_set_self_attr() to set a security
module maintained attribute of the current process. Historically
these attributes have been exposed to user space via entries in
procfs under /proc/self/attr.

The attribute value is provided in an lsm_ctx structure. The structure
identifies the size of the attribute, and the attribute value. The format
of the attribute value is defined by the security module, but will always
be \0 terminated if it is a string. The ctx_len value must always be
strlen(ctx)+1 if the value is a string. The flags field is reserved for
future security module specific use and must be 0.

---------------------------
| __u32 id                |
---------------------------
| __u64 flags             |
---------------------------
| __kernel_size_t ctx_len |
---------------------------
| __u8 ctx[ctx_len]       |
---------------------------

Signed-off-by: Casey Schaufler <[email protected]>
---
Documentation/userspace-api/lsm.rst | 3 +++
include/linux/syscalls.h | 2 ++
kernel/sys_ni.c | 1 +
security/lsm_syscalls.c | 41 +++++++++++++++++++++++++++++
4 files changed, 47 insertions(+)

diff --git a/Documentation/userspace-api/lsm.rst b/Documentation/userspace-api/lsm.rst
index e342d75b99ab..c7da13801305 100644
--- a/Documentation/userspace-api/lsm.rst
+++ b/Documentation/userspace-api/lsm.rst
@@ -57,6 +57,9 @@ Get the security attributes of the current process
.. kernel-doc:: security/lsm_syscalls.c
:identifiers: sys_lsm_get_self_attr

+.. kernel-doc:: security/lsm_syscalls.c
+ :identifiers: sys_lsm_set_self_attr
+
.. kernel-doc:: security/lsm_syscalls.c
:identifiers: sys_lsm_module_list

diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
index 2411b4043752..75123c13a55f 100644
--- a/include/linux/syscalls.h
+++ b/include/linux/syscalls.h
@@ -1060,6 +1060,8 @@ asmlinkage long sys_set_mempolicy_home_node(unsigned long start, unsigned long l
asmlinkage long sys_lsm_get_self_attr(struct lsm_ctx *ctx, size_t *size,
int flags);
asmlinkage long sys_lsm_module_list(u32 *ids, size_t *size, int flags);
+asmlinkage long sys_lsm_set_self_attr(struct lsm_ctx *ctx, size_t size,
+ int flags);

/*
* Architecture-specific system calls
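Review bot: the prototype added here does not match the definition in this patch's SYSCALL_DEFINE3, which takes `__kernel_size_t size` and `__u32 flags` where the declaration says `size_t size, int flags`; `ctx` also lacks the `__user` annotation that syscall prototypes in this header carry. Align the declaration with the definition.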
diff --git a/kernel/sys_ni.c b/kernel/sys_ni.c
index af1fd28c0420..c3884c1c7339 100644
--- a/kernel/sys_ni.c
+++ b/kernel/sys_ni.c
@@ -265,6 +265,7 @@ COND_SYSCALL(mremap);
/* security/lsm_syscalls.c */
COND_SYSCALL(lsm_get_self_attr);
COND_SYSCALL(lsm_module_list);
+COND_SYSCALL(lsm_set_self_attr);

/* security/keys/keyctl.c */
COND_SYSCALL(add_key);
diff --git a/security/lsm_syscalls.c b/security/lsm_syscalls.c
index 3838cdf66310..b0dc11e7d3df 100644
--- a/security/lsm_syscalls.c
+++ b/security/lsm_syscalls.c
@@ -181,6 +181,47 @@ SYSCALL_DEFINE3(lsm_get_self_attr,
return rc;
}

+/**
+ * sys_lsm_set_self_attr - Set current task's security module attribute
+ * @ctx: the LSM contexts
+ * @size: size of @ctx
+ * @flags: which attribute to set
+ *
+ * Sets the calling task's LSM context. On success this function
+ * returns 0. If the attribute specified cannot be set a negative
+ * value indicating the reason for the error is returned.
+ */
+SYSCALL_DEFINE3(lsm_set_self_attr,
+ struct lsm_ctx __user *, ctx,
+ __kernel_size_t, size,
+ __u32, flags)
+{
+ int rc = -EINVAL;
+ int attr;
+ void *page;
+ struct lsm_ctx *ip;
+
+ if (size > PAGE_SIZE)
+ return -E2BIG;
+ if (size <= sizeof(*ip))
+ return -EINVAL;
+
+ attr = attr_used_index(flags);
+ if (attr < 0)
+ return attr;
+
+ page = memdup_user(ctx, size);
+ if (IS_ERR(page))
+ return PTR_ERR(page);
+
+ ip = page;
+ if (sizeof(*ip) + ip->ctx_len <= size)
+ rc = security_setprocattr(ip->id, lsm_attr_names[attr].name,
+ ip->ctx, ip->ctx_len);
+ kfree(page);
+ return (rc > 0) ? 0 : rc;
+}
+
/**
* sys_lsm_module_list - Return a list of the active security modules
* @ids: the LSM module ids
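Review bot: the bounds check `if (sizeof(*ip) + ip->ctx_len <= size)` can wrap: `ctx_len` is a user-supplied __kernel_size_t, so a value near SIZE_MAX makes the sum small, the check passes, and security_setprocattr() is handed `ip->ctx` with a length far beyond the page that memdup_user() copied. Since `size > sizeof(*ip)` is already guaranteed a few lines earlier, write it as `if (ip->ctx_len <= size - sizeof(*ip))`. Two smaller points in the same hunk: the commit message says the flags field of lsm_ctx must be 0, but `ip->flags` is never checked; and the kerneldoc says `@ctx: the LSM contexts` although exactly one context is consumed.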
--
2.38.1
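As an added example (not code from the patch series), here is a user-space view of the lsm_ctx contract the commit message describes: packing a string attribute with ctx_len = strlen(ctx) + 1 and flags = 0, and validating the buffer with the same bounds the syscall applies, written so the length check cannot wrap. The struct layout follows the diagram in the commit message and LSM_ID_SELINUX comes from the uapi header in patch 1; the 4096-byte page size, the sample SELinux context string and every helper name are assumptions. No syscall is issued: the syscall number is wired up in patch 8 and is not reproduced here.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed: PAGE_SIZE of a typical x86_64 build. LSM id from patch 1. */
#define EXAMPLE_PAGE_SIZE 4096UL
#define LSM_ID_SELINUX 101

/* Layout copied from the diagram in the lsm_set_self_attr commit message. */
struct lsm_ctx {
	uint32_t id;       /* LSM_ID_* of the module that owns the attribute */
	uint64_t flags;    /* reserved, must be 0 */
	size_t ctx_len;    /* bytes in ctx[], including the NUL for strings */
	uint8_t ctx[];     /* attribute value, format defined by the LSM */
};

/* Check in the form the hunk uses: the sum wraps when ctx_len is huge. */
int naive_len_fits(size_t ctx_len, size_t size)
{
	return sizeof(struct lsm_ctx) + ctx_len <= size;
}

/* Overflow-safe form; caller guarantees size > sizeof(struct lsm_ctx). */
int safe_len_fits(size_t ctx_len, size_t size)
{
	return ctx_len <= size - sizeof(struct lsm_ctx);
}

/*
 * Mirror the syscall's argument validation on the user side, plus the
 * "flags must be 0" rule from the commit message. Returns 0 or -errno.
 */
int lsm_ctx_validate(const struct lsm_ctx *ip, size_t size)
{
	if (size > EXAMPLE_PAGE_SIZE)
		return -E2BIG;
	if (size <= sizeof(*ip))
		return -EINVAL;
	if (ip->flags != 0)
		return -EINVAL;
	if (!safe_len_fits(ip->ctx_len, size))
		return -EINVAL;
	return 0;
}

/* Validate a constructed header (only header fields are inspected). */
int validate_header(uint64_t flags, size_t ctx_len, size_t size)
{
	struct lsm_ctx hdr = { .id = LSM_ID_SELINUX, .flags = flags,
			       .ctx_len = ctx_len };
	return lsm_ctx_validate(&hdr, size);
}

/* A string attribute must carry its terminating NUL inside ctx_len. */
int lsm_ctx_string_ok(const struct lsm_ctx *ip)
{
	return ip->ctx_len > 0 && ip->ctx[ip->ctx_len - 1] == '\0' &&
	       strlen((const char *)ip->ctx) == ip->ctx_len - 1;
}

/*
 * Pack a string attribute: ctx_len = strlen(value) + 1, flags = 0.
 * *size receives the byte count to pass as the syscall's size argument.
 * Returns NULL if the result would not fit in a page or on OOM.
 */
struct lsm_ctx *lsm_ctx_pack_string(uint32_t id, const char *value,
				    size_t *size)
{
	size_t ctx_len = strlen(value) + 1;
	struct lsm_ctx *ip;

	if (ctx_len > EXAMPLE_PAGE_SIZE - sizeof(*ip))
		return NULL;
	ip = calloc(1, sizeof(*ip) + ctx_len);
	if (!ip)
		return NULL;
	ip->id = id;
	ip->flags = 0;
	ip->ctx_len = ctx_len;
	memcpy(ip->ctx, value, ctx_len);
	*size = sizeof(*ip) + ctx_len;
	return ip;
}

/* Pack, validate and free; returns 1 when the buffer is well formed. */
int example_string_attr_ok(const char *value)
{
	size_t size;
	struct lsm_ctx *ip = lsm_ctx_pack_string(LSM_ID_SELINUX, value, &size);
	int ok;

	if (!ip)
		return 0;
	ok = lsm_ctx_validate(ip, size) == 0 && lsm_ctx_string_ok(ip);
	free(ip);
	return ok;
}

int main(void)
{
	/* Constructed sample value in SELinux context syntax. */
	const char *ctx = "unconfined_u:unconfined_r:unconfined_t:s0";
	size_t size = sizeof(struct lsm_ctx) + strlen(ctx) + 1;

	printf("packed ok: %d\n", example_string_attr_ok(ctx));
	/* The wrap-around case: the naive check accepts, the safe one rejects. */
	printf("naive: %d safe: %d\n", naive_len_fits(SIZE_MAX, size),
	       safe_len_fits(SIZE_MAX, size));
	return 0;
}
```

The two `*_len_fits` helpers exist only to make the arithmetic visible: the subtraction form is safe precisely because the `size <= sizeof(*ip)` rejection runs first, which is the same ordering the syscall already has.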

2022-11-24 06:04:07

by Greg KH

Subject: Re: [PATCH v3 1/9] LSM: Identify modules by more than name

On Wed, Nov 23, 2022 at 12:15:44PM -0800, Casey Schaufler wrote:
> Create a struct lsm_id to contain identifying information
> about Linux Security Modules (LSMs). At inception this contains
> the name of the module and an identifier associated with the
> security module. Change the security_add_hooks() interface to
> use this structure. Change the individual modules to maintain
> their own struct lsm_id and pass it to security_add_hooks().
>
> The values for LSM identifiers are defined in a new UAPI
> header file linux/lsm.h. Each existing LSM has been updated to
> include its LSMID in the lsm_id.
>
> The LSM ID values are sequential, with the oldest module
> LSM_ID_CAPABILITY being the lowest value and the existing modules
> numbered in the order they were included in the main line kernel.
> This is an arbitrary convention for assigning the values, but
> none better presents itself. The value 0 is defined as being invalid.
> The values 1-99 are reserved for any special case uses which may
> arise in the future.

What would be a "special case" that deserves a lower number?

> diff --git a/security/bpf/hooks.c b/security/bpf/hooks.c
> index e5971fa74fd7..20983ae8d31f 100644
> --- a/security/bpf/hooks.c
> +++ b/security/bpf/hooks.c
> @@ -5,6 +5,7 @@
> */
> #include <linux/lsm_hooks.h>
> #include <linux/bpf_lsm.h>
> +#include <uapi/linux/lsm.h>
>
> static struct security_hook_list bpf_lsm_hooks[] __lsm_ro_after_init = {
> #define LSM_HOOK(RET, DEFAULT, NAME, ...) \
> @@ -15,9 +16,19 @@ static struct security_hook_list bpf_lsm_hooks[] __lsm_ro_after_init = {
> LSM_HOOK_INIT(task_free, bpf_task_storage_free),
> };
>
> +/*
> + * slot has to be LSMBLOB_NEEDED because some of the hooks
> + * supplied by this module require a slot.
> + */
> +struct lsm_id bpf_lsmid __lsm_ro_after_init = {
> + .lsm = "bpf",
> + .id = LSM_ID_BPF,
> +};

I do not understand this comment, what is LSMBLOB_NEEDED and how does
that relate to the struct lsm_id?

thanks,

greg k-h

2022-11-25 16:23:18

by Mickaël Salaün

Subject: Re: [PATCH v3 1/9] LSM: Identify modules by more than name


On 24/11/2022 06:40, Greg KH wrote:
> On Wed, Nov 23, 2022 at 12:15:44PM -0800, Casey Schaufler wrote:
>> Create a struct lsm_id to contain identifying information
>> about Linux Security Modules (LSMs). At inception this contains
>> the name of the module and an identifier associated with the
>> security module. Change the security_add_hooks() interface to
>> use this structure. Change the individual modules to maintain
>> their own struct lsm_id and pass it to security_add_hooks().
>>
>> The values for LSM identifiers are defined in a new UAPI
>> header file linux/lsm.h. Each existing LSM has been updated to
>> include its LSMID in the lsm_id.
>>
>> The LSM ID values are sequential, with the oldest module
>> LSM_ID_CAPABILITY being the lowest value and the existing modules
>> numbered in the order they were included in the main line kernel.
>> This is an arbitrary convention for assigning the values, but
>> none better presents itself. The value 0 is defined as being invalid.
>> The values 1-99 are reserved for any special case uses which may
>> arise in the future.
>
> What would be a "special case" that deserves a lower number?

I don't see any meaningful use case for these reserved numbers either.
If there are some, let's put them now, otherwise we should start with 1.
Is it inspired by an existing UAPI?
Reserving 0 as invalid is good though.

2022-11-25 16:44:19

by Mickaël Salaün

Subject: Re: [PATCH v3 1/9] LSM: Identify modules by more than name


On 23/11/2022 21:15, Casey Schaufler wrote:
> Create a struct lsm_id to contain identifying information
> about Linux Security Modules (LSMs). At inception this contains
> the name of the module and an identifier associated with the
> security module. Change the security_add_hooks() interface to
> use this structure. Change the individual modules to maintain
> their own struct lsm_id and pass it to security_add_hooks().
>
> The values for LSM identifiers are defined in a new UAPI
> header file linux/lsm.h. Each existing LSM has been updated to
> include its LSMID in the lsm_id.
>
> The LSM ID values are sequential, with the oldest module
> LSM_ID_CAPABILITY being the lowest value and the existing modules
> numbered in the order they were included in the main line kernel.
> This is an arbitrary convention for assigning the values, but
> none better presents itself. The value 0 is defined as being invalid.
> The values 1-99 are reserved for any special case uses which may
> arise in the future.
>
> Signed-off-by: Casey Schaufler <[email protected]>
> ---
> include/linux/lsm_hooks.h | 16 ++++++++++++++--
> include/uapi/linux/lsm.h | 32 ++++++++++++++++++++++++++++++++
> security/apparmor/lsm.c | 8 +++++++-
> security/bpf/hooks.c | 13 ++++++++++++-
> security/commoncap.c | 8 +++++++-
> security/landlock/cred.c | 2 +-
> security/landlock/fs.c | 2 +-
> security/landlock/ptrace.c | 2 +-
> security/landlock/setup.c | 6 ++++++
> security/landlock/setup.h | 1 +
> security/loadpin/loadpin.c | 9 ++++++++-
> security/lockdown/lockdown.c | 8 +++++++-
> security/safesetid/lsm.c | 9 ++++++++-
> security/security.c | 12 ++++++------
> security/selinux/hooks.c | 9 ++++++++-
> security/smack/smack_lsm.c | 8 +++++++-
> security/tomoyo/tomoyo.c | 9 ++++++++-
> security/yama/yama_lsm.c | 8 +++++++-
> 18 files changed, 141 insertions(+), 21 deletions(-)
> create mode 100644 include/uapi/linux/lsm.h
>
> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> index 4ec80b96c22e..d306db1044d1 100644
> --- a/include/linux/lsm_hooks.h
> +++ b/include/linux/lsm_hooks.h
> @@ -1602,6 +1602,18 @@ struct security_hook_heads {
> #undef LSM_HOOK
> } __randomize_layout;
>
> +/**
> + * struct lsm_id - identify a Linux Security Module.
> + * @lsm: Name of the LSM. Must be approved by the LSM maintainers.
> + * @id: LSM ID number from uapi/linux/lsm.h
> + *
> + * Contains the information that identifies the LSM.
> + */
> +struct lsm_id {
> + const u8 *lsm;
> + u32 id;
> +};
> +
> /*
> * Security module hook list structure.
> * For use with generic list macros for common operations.
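Review bot: `const u8 *lsm` in struct lsm_id holds a C string ("apparmor", LANDLOCK_NAME, ...) that later hunks of this patch pass to lsm_append() and strcmp(), both of which take `const char *`; with u8 being unsigned char that is a pointer-sign mismatch the compiler warns about. Use `const char *lsm`. While here, `struct lsm_id *lsmid` in security_hook_list could be `const struct lsm_id *`, since every lsm_id in the series is __lsm_ro_after_init.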
> @@ -1610,7 +1622,7 @@ struct security_hook_list {
> struct hlist_node list;
> struct hlist_head *head;
> union security_list_options hook;
> - const char *lsm;
> + struct lsm_id *lsmid;
> } __randomize_layout;
>
> /*
> @@ -1645,7 +1657,7 @@ extern struct security_hook_heads security_hook_heads;
> extern char *lsm_names;
>
> extern void security_add_hooks(struct security_hook_list *hooks, int count,
> - const char *lsm);
> + struct lsm_id *lsmid);
>
> #define LSM_FLAG_LEGACY_MAJOR BIT(0)
> #define LSM_FLAG_EXCLUSIVE BIT(1)
> diff --git a/include/uapi/linux/lsm.h b/include/uapi/linux/lsm.h
> new file mode 100644
> index 000000000000..47791c330cbf
> --- /dev/null
> +++ b/include/uapi/linux/lsm.h
> @@ -0,0 +1,32 @@
> +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
> +/*
> + * Linux Security Modules (LSM) - User space API
> + *
> + * Copyright (C) 2022 Casey Schaufler <[email protected]>
> + * Copyright (C) 2022 Intel Corporation
> + */
> +
> +#ifndef _UAPI_LINUX_LSM_H
> +#define _UAPI_LINUX_LSM_H
> +
> +/*
> + * ID values to identify security modules.
> + * A system may use more than one security module.
> + *
> + * Values 1-99 are reserved for future use in special cases.

This line should be removed unless justified. What could be special
about IDs? The syscalls already have a "flags" argument, which is enough.

> + */
> +#define LSM_ID_INVALID 0

Reserving 0 is good, but it doesn't deserve a dedicated declaration.
LSM_ID_INVALID should be removed.


> +#define LSM_ID_CAPABILITY 100

This should be 1…

> +#define LSM_ID_SELINUX 101
> +#define LSM_ID_SMACK 102
> +#define LSM_ID_TOMOYO 103
> +#define LSM_ID_IMA 104
> +#define LSM_ID_APPARMOR 105
> +#define LSM_ID_YAMA 106
> +#define LSM_ID_LOADPIN 107
> +#define LSM_ID_SAFESETID 108
> +#define LSM_ID_LOCKDOWN 109
> +#define LSM_ID_BPF 110
> +#define LSM_ID_LANDLOCK 111
> +
> +#endif /* _UAPI_LINUX_LSM_H */
> diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
> index f56070270c69..b859b1af6c75 100644
> --- a/security/apparmor/lsm.c
> +++ b/security/apparmor/lsm.c
> @@ -24,6 +24,7 @@
> #include <linux/zlib.h>
> #include <net/sock.h>
> #include <uapi/linux/mount.h>
> +#include <uapi/linux/lsm.h>
>
> #include "include/apparmor.h"
> #include "include/apparmorfs.h"
> @@ -1202,6 +1203,11 @@ struct lsm_blob_sizes apparmor_blob_sizes __lsm_ro_after_init = {
> .lbs_task = sizeof(struct aa_task_ctx),
> };
>
> +static struct lsm_id apparmor_lsmid __lsm_ro_after_init = {
> + .lsm = "apparmor",
> + .id = LSM_ID_APPARMOR,
> +};
> +
> static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
> LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check),
> LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme),
> @@ -1897,7 +1903,7 @@ static int __init apparmor_init(void)
> goto buffers_out;
> }
> security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks),
> - "apparmor");
> + &apparmor_lsmid);
>
> /* Report that AppArmor successfully initialized */
> apparmor_initialized = 1;
> diff --git a/security/bpf/hooks.c b/security/bpf/hooks.c
> index e5971fa74fd7..20983ae8d31f 100644
> --- a/security/bpf/hooks.c
> +++ b/security/bpf/hooks.c
> @@ -5,6 +5,7 @@
> */
> #include <linux/lsm_hooks.h>
> #include <linux/bpf_lsm.h>
> +#include <uapi/linux/lsm.h>
>
> static struct security_hook_list bpf_lsm_hooks[] __lsm_ro_after_init = {
> #define LSM_HOOK(RET, DEFAULT, NAME, ...) \
> @@ -15,9 +16,19 @@ static struct security_hook_list bpf_lsm_hooks[] __lsm_ro_after_init = {
> LSM_HOOK_INIT(task_free, bpf_task_storage_free),
> };
>
> +/*
> + * slot has to be LSMBLOB_NEEDED because some of the hooks
> + * supplied by this module require a slot.
> + */
> +struct lsm_id bpf_lsmid __lsm_ro_after_init = {
> + .lsm = "bpf",
> + .id = LSM_ID_BPF,
> +};
> +
> static int __init bpf_lsm_init(void)
> {
> - security_add_hooks(bpf_lsm_hooks, ARRAY_SIZE(bpf_lsm_hooks), "bpf");
> + security_add_hooks(bpf_lsm_hooks, ARRAY_SIZE(bpf_lsm_hooks),
> + &bpf_lsmid);
> pr_info("LSM support for eBPF active\n");
> return 0;
> }
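Review bot: the comment above bpf_lsmid talks about a "slot" and LSMBLOB_NEEDED, neither of which exists in struct lsm_id or anywhere else in this series, so it looks carried over from another tree and should be dropped. bpf_lsmid is also non-static; the only other non-static lsm_id is landlock_lsmid, which is declared extern in setup.h because it is shared across files, and bpf's has no such declaration, so make it `static`.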
> diff --git a/security/commoncap.c b/security/commoncap.c
> index bc751fa5adad..f6d50b69f43d 100644
> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -25,6 +25,7 @@
> #include <linux/binfmts.h>
> #include <linux/personality.h>
> #include <linux/mnt_idmapping.h>
> +#include <uapi/linux/lsm.h>
>
> /*
> * If a non-root user executes a setuid-root binary in
> @@ -1448,6 +1449,11 @@ int cap_mmap_file(struct file *file, unsigned long reqprot,
>
> #ifdef CONFIG_SECURITY
>
> +static struct lsm_id capability_lsmid __lsm_ro_after_init = {
> + .lsm = "capability",
> + .id = LSM_ID_CAPABILITY,
> +};
> +
> static struct security_hook_list capability_hooks[] __lsm_ro_after_init = {
> LSM_HOOK_INIT(capable, cap_capable),
> LSM_HOOK_INIT(settime, cap_settime),
> @@ -1472,7 +1478,7 @@ static struct security_hook_list capability_hooks[] __lsm_ro_after_init = {
> static int __init capability_init(void)
> {
> security_add_hooks(capability_hooks, ARRAY_SIZE(capability_hooks),
> - "capability");
> + &capability_lsmid);
> return 0;
> }
>
> diff --git a/security/landlock/cred.c b/security/landlock/cred.c
> index ec6c37f04a19..2eb1d65f10d6 100644
> --- a/security/landlock/cred.c
> +++ b/security/landlock/cred.c
> @@ -42,5 +42,5 @@ static struct security_hook_list landlock_hooks[] __lsm_ro_after_init = {
> __init void landlock_add_cred_hooks(void)
> {
> security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks),
> - LANDLOCK_NAME);
> + &landlock_lsmid);
> }
> diff --git a/security/landlock/fs.c b/security/landlock/fs.c
> index 64ed7665455f..486ff50d54a1 100644
> --- a/security/landlock/fs.c
> +++ b/security/landlock/fs.c
> @@ -1201,5 +1201,5 @@ static struct security_hook_list landlock_hooks[] __lsm_ro_after_init = {
> __init void landlock_add_fs_hooks(void)
> {
> security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks),
> - LANDLOCK_NAME);
> + &landlock_lsmid);
> }
> diff --git a/security/landlock/ptrace.c b/security/landlock/ptrace.c
> index 4c5b9cd71286..eab35808f395 100644
> --- a/security/landlock/ptrace.c
> +++ b/security/landlock/ptrace.c
> @@ -116,5 +116,5 @@ static struct security_hook_list landlock_hooks[] __lsm_ro_after_init = {
> __init void landlock_add_ptrace_hooks(void)
> {
> security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks),
> - LANDLOCK_NAME);
> + &landlock_lsmid);
> }
> diff --git a/security/landlock/setup.c b/security/landlock/setup.c
> index f8e8e980454c..5b32c087e34b 100644
> --- a/security/landlock/setup.c
> +++ b/security/landlock/setup.c
> @@ -8,6 +8,7 @@
>
> #include <linux/init.h>
> #include <linux/lsm_hooks.h>
> +#include <uapi/linux/lsm.h>
>
> #include "common.h"
> #include "cred.h"
> @@ -23,6 +24,11 @@ struct lsm_blob_sizes landlock_blob_sizes __lsm_ro_after_init = {
> .lbs_superblock = sizeof(struct landlock_superblock_security),
> };
>
> +struct lsm_id landlock_lsmid __lsm_ro_after_init = {
> + .lsm = LANDLOCK_NAME,
> + .id = LSM_ID_LANDLOCK,
> +};
> +
> static int __init landlock_init(void)
> {
> landlock_add_cred_hooks();
> diff --git a/security/landlock/setup.h b/security/landlock/setup.h
> index 1daffab1ab4b..38bce5b172dc 100644
> --- a/security/landlock/setup.h
> +++ b/security/landlock/setup.h
> @@ -14,5 +14,6 @@
> extern bool landlock_initialized;
>
> extern struct lsm_blob_sizes landlock_blob_sizes;
> +extern struct lsm_id landlock_lsmid;
>
> #endif /* _SECURITY_LANDLOCK_SETUP_H */
> diff --git a/security/loadpin/loadpin.c b/security/loadpin/loadpin.c
> index de41621f4998..32bdf7294a6f 100644
> --- a/security/loadpin/loadpin.c
> +++ b/security/loadpin/loadpin.c
> @@ -20,6 +20,7 @@
> #include <linux/string_helpers.h>
> #include <linux/dm-verity-loadpin.h>
> #include <uapi/linux/loadpin.h>
> +#include <uapi/linux/lsm.h>
>
> #define VERITY_DIGEST_FILE_HEADER "# LOADPIN_TRUSTED_VERITY_ROOT_DIGESTS"
>
> @@ -197,6 +198,11 @@ static int loadpin_load_data(enum kernel_load_data_id id, bool contents)
> return loadpin_read_file(NULL, (enum kernel_read_file_id) id, contents);
> }
>
> +static struct lsm_id loadpin_lsmid __lsm_ro_after_init = {
> + .lsm = "loadpin",
> + .id = LSM_ID_LOADPIN,
> +};
> +
> static struct security_hook_list loadpin_hooks[] __lsm_ro_after_init = {
> LSM_HOOK_INIT(sb_free_security, loadpin_sb_free_security),
> LSM_HOOK_INIT(kernel_read_file, loadpin_read_file),
> @@ -244,7 +250,8 @@ static int __init loadpin_init(void)
> pr_info("ready to pin (currently %senforcing)\n",
> enforce ? "" : "not ");
> parse_exclude();
> - security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks), "loadpin");
> + security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks),
> + &loadpin_lsmid);
>
> return 0;
> }
> diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
> index a79b985e917e..e8c41a0caf7d 100644
> --- a/security/lockdown/lockdown.c
> +++ b/security/lockdown/lockdown.c
> @@ -13,6 +13,7 @@
> #include <linux/security.h>
> #include <linux/export.h>
> #include <linux/lsm_hooks.h>
> +#include <uapi/linux/lsm.h>
>
> static enum lockdown_reason kernel_locked_down;
>
> @@ -75,6 +76,11 @@ static struct security_hook_list lockdown_hooks[] __lsm_ro_after_init = {
> LSM_HOOK_INIT(locked_down, lockdown_is_locked_down),
> };
>
> +static struct lsm_id lockdown_lsmid __lsm_ro_after_init = {
> + .lsm = "lockdown",
> + .id = LSM_ID_LOCKDOWN,
> +};
> +
> static int __init lockdown_lsm_init(void)
> {
> #if defined(CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY)
> @@ -83,7 +89,7 @@ static int __init lockdown_lsm_init(void)
> lock_kernel_down("Kernel configuration", LOCKDOWN_CONFIDENTIALITY_MAX);
> #endif
> security_add_hooks(lockdown_hooks, ARRAY_SIZE(lockdown_hooks),
> - "lockdown");
> + &lockdown_lsmid);
> return 0;
> }
>
> diff --git a/security/safesetid/lsm.c b/security/safesetid/lsm.c
> index e806739f7868..8d0742ba045d 100644
> --- a/security/safesetid/lsm.c
> +++ b/security/safesetid/lsm.c
> @@ -19,6 +19,7 @@
> #include <linux/ptrace.h>
> #include <linux/sched/task_stack.h>
> #include <linux/security.h>
> +#include <uapi/linux/lsm.h>
> #include "lsm.h"
>
> /* Flag indicating whether initialization completed */
> @@ -261,6 +262,11 @@ static int safesetid_task_fix_setgroups(struct cred *new, const struct cred *old
> return 0;
> }
>
> +static struct lsm_id safesetid_lsmid __lsm_ro_after_init = {
> + .lsm = "safesetid",
> + .id = LSM_ID_SAFESETID,
> +};
> +
> static struct security_hook_list safesetid_security_hooks[] = {
> LSM_HOOK_INIT(task_fix_setuid, safesetid_task_fix_setuid),
> LSM_HOOK_INIT(task_fix_setgid, safesetid_task_fix_setgid),
> @@ -271,7 +277,8 @@ static struct security_hook_list safesetid_security_hooks[] = {
> static int __init safesetid_security_init(void)
> {
> security_add_hooks(safesetid_security_hooks,
> - ARRAY_SIZE(safesetid_security_hooks), "safesetid");
> + ARRAY_SIZE(safesetid_security_hooks),
> + &safesetid_lsmid);
>
> /* Report that SafeSetID successfully initialized */
> safesetid_initialized = 1;
> diff --git a/security/security.c b/security/security.c
> index 79d82cb6e469..b2eb0ccd954b 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -476,17 +476,17 @@ static int lsm_append(const char *new, char **result)
> * security_add_hooks - Add a modules hooks to the hook lists.
> * @hooks: the hooks to add
> * @count: the number of hooks to add
> - * @lsm: the name of the security module
> + * @lsmid: the identification information for the security module
> *
> * Each LSM has to register its hooks with the infrastructure.
> */
> void __init security_add_hooks(struct security_hook_list *hooks, int count,
> - const char *lsm)
> + struct lsm_id *lsmid)
> {
> int i;
>
> for (i = 0; i < count; i++) {
> - hooks[i].lsm = lsm;
> + hooks[i].lsmid = lsmid;
> hlist_add_tail_rcu(&hooks[i].list, hooks[i].head);
> }
>
> @@ -495,7 +495,7 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count,
> * and fix this up afterwards.
> */
> if (slab_is_available()) {
> - if (lsm_append(lsm, &lsm_names) < 0)
> + if (lsm_append(lsmid->lsm, &lsm_names) < 0)
> panic("%s - Cannot get early memory.\n", __func__);
> }
> }
> @@ -2070,7 +2070,7 @@ int security_getprocattr(struct task_struct *p, const char *lsm,
> struct security_hook_list *hp;
>
> hlist_for_each_entry(hp, &security_hook_heads.getprocattr, list) {
> - if (lsm != NULL && strcmp(lsm, hp->lsm))
> + if (lsm != NULL && strcmp(lsm, hp->lsmid->lsm))
> continue;
> return hp->hook.getprocattr(p, name, value);
> }
> @@ -2083,7 +2083,7 @@ int security_setprocattr(const char *lsm, const char *name, void *value,
> struct security_hook_list *hp;
>
> hlist_for_each_entry(hp, &security_hook_heads.setprocattr, list) {
> - if (lsm != NULL && strcmp(lsm, hp->lsm))
> + if (lsm != NULL && strcmp(lsm, hp->lsmid->lsm))
> continue;
> return hp->hook.setprocattr(name, value, size);
> }
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index f553c370397e..5fcce36267bd 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -92,6 +92,7 @@
> #include <linux/fsnotify.h>
> #include <linux/fanotify.h>
> #include <linux/io_uring.h>
> +#include <uapi/linux/lsm.h>
>
> #include "avc.h"
> #include "objsec.h"
> @@ -7014,6 +7015,11 @@ static int selinux_uring_cmd(struct io_uring_cmd *ioucmd)
> }
> #endif /* CONFIG_IO_URING */
>
> +static struct lsm_id selinux_lsmid __lsm_ro_after_init = {
> + .lsm = "selinux",
> + .id = LSM_ID_SELINUX,
> +};
> +
> /*
> * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order:
> * 1. any hooks that don't belong to (2.) or (3.) below,
> @@ -7334,7 +7340,8 @@ static __init int selinux_init(void)
>
> hashtab_cache_init();
>
> - security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux");
> + security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks),
> + &selinux_lsmid);
>
> if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
> panic("SELinux: Unable to register AVC netcache callback\n");
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index b6306d71c908..c7ba80e20b8d 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -43,6 +43,7 @@
> #include <linux/fs_parser.h>
> #include <linux/watch_queue.h>
> #include <linux/io_uring.h>
> +#include <uapi/linux/lsm.h>
> #include "smack.h"
>
> #define TRANS_TRUE "TRUE"
> @@ -4787,6 +4788,11 @@ struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = {
> .lbs_superblock = sizeof(struct superblock_smack),
> };
>
> +static struct lsm_id smack_lsmid __lsm_ro_after_init = {
> + .lsm = "smack",
> + .id = LSM_ID_SMACK,
> +};
> +
> static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
> LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check),
> LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme),
> @@ -4990,7 +4996,7 @@ static __init int smack_init(void)
> /*
> * Register with LSM
> */
> - security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), "smack");
> + security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), &smack_lsmid);
> smack_enabled = 1;
>
> pr_info("Smack: Initializing.\n");
> diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
> index 71e82d855ebf..1916eb6216f7 100644
> --- a/security/tomoyo/tomoyo.c
> +++ b/security/tomoyo/tomoyo.c
> @@ -6,6 +6,7 @@
> */
>
> #include <linux/lsm_hooks.h>
> +#include <uapi/linux/lsm.h>
> #include "common.h"
>
> /**
> @@ -530,6 +531,11 @@ static void tomoyo_task_free(struct task_struct *task)
> }
> }
>
> +static struct lsm_id tomoyo_lsmid __lsm_ro_after_init = {
> + .lsm = "tomoyo",
> + .id = LSM_ID_TOMOYO,
> +};
> +
> /*
> * tomoyo_security_ops is a "struct security_operations" which is used for
> * registering TOMOYO.
> @@ -582,7 +588,8 @@ static int __init tomoyo_init(void)
> struct tomoyo_task *s = tomoyo_task(current);
>
> /* register ourselves with the security framework */
> - security_add_hooks(tomoyo_hooks, ARRAY_SIZE(tomoyo_hooks), "tomoyo");
> + security_add_hooks(tomoyo_hooks, ARRAY_SIZE(tomoyo_hooks),
> + &tomoyo_lsmid);
> pr_info("TOMOYO Linux initialized\n");
> s->domain_info = &tomoyo_kernel_domain;
> atomic_inc(&tomoyo_kernel_domain.users);
> diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
> index 06e226166aab..2487b8f847f3 100644
> --- a/security/yama/yama_lsm.c
> +++ b/security/yama/yama_lsm.c
> @@ -18,6 +18,7 @@
> #include <linux/task_work.h>
> #include <linux/sched.h>
> #include <linux/spinlock.h>
> +#include <uapi/linux/lsm.h>
>
> #define YAMA_SCOPE_DISABLED 0
> #define YAMA_SCOPE_RELATIONAL 1
> @@ -421,6 +422,11 @@ static int yama_ptrace_traceme(struct task_struct *parent)
> return rc;
> }
>
> +static struct lsm_id yama_lsmid __lsm_ro_after_init = {
> + .lsm = "yama",
> + .id = LSM_ID_YAMA,
> +};
> +
> static struct security_hook_list yama_hooks[] __lsm_ro_after_init = {
> LSM_HOOK_INIT(ptrace_access_check, yama_ptrace_access_check),
> LSM_HOOK_INIT(ptrace_traceme, yama_ptrace_traceme),
> @@ -477,7 +483,7 @@ static inline void yama_init_sysctl(void) { }
> static int __init yama_init(void)
> {
> pr_info("Yama: becoming mindful.\n");
> - security_add_hooks(yama_hooks, ARRAY_SIZE(yama_hooks), "yama");
> + security_add_hooks(yama_hooks, ARRAY_SIZE(yama_hooks), &yama_lsmid);
> yama_init_sysctl();
> return 0;
> }

The rest looks good to me.

2022-11-27 10:52:52

by kernel test robot

Subject: Re: [PATCH v3 8/9] LSM: wireup Linux Security Module syscalls

Hi Casey,

I love your patch! Yet something to improve:

[auto build test ERROR on tip/perf/core]
[also build test ERROR on acme/perf/core shuah-kselftest/next shuah-kselftest/fixes linus/master v6.1-rc6]
[cannot apply to next-20221125]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url: https://github.com/intel-lab-lkp/linux/commits/Casey-Schaufler/LSM-Identify-modules-by-more-than-name/20221124-051600
patch link: https://lore.kernel.org/r/20221123201552.7865-9-casey%40schaufler-ca.com
patch subject: [PATCH v3 8/9] LSM: wireup Linux Security Module syscalls
config: arm64-allyesconfig
compiler: aarch64-linux-gcc (GCC) 12.1.0
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://github.com/intel-lab-lkp/linux/commit/2065fca9591ef23d2c3af224bb4dac0eb9bbea78
git remote add linux-review https://github.com/intel-lab-lkp/linux
git fetch --no-tags linux-review Casey-Schaufler/LSM-Identify-modules-by-more-than-name/20221124-051600
git checkout 2065fca9591ef23d2c3af224bb4dac0eb9bbea78
# save the config file
mkdir build_dir && cp config build_dir/.config
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=arm64 SHELL=/bin/bash arch/arm64/kernel/

If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <[email protected]>

All error/warnings (new ones prefixed by >>):

| ^~~~~~~~
arch/arm64/include/asm/unistd32.h:893:1: note: in expansion of macro '__SYSCALL'
893 | __SYSCALL(__NR_epoll_pwait2, compat_sys_epoll_pwait2)
| ^~~~~~~~~
arch/arm64/kernel/sys32.c:130:40: warning: initialized field overwritten [-Woverride-init]
130 | #define __SYSCALL(nr, sym) [nr] = __arm64_##sym,
| ^~~~~~~~
arch/arm64/include/asm/unistd32.h:895:1: note: in expansion of macro '__SYSCALL'
895 | __SYSCALL(__NR_mount_setattr, sys_mount_setattr)
| ^~~~~~~~~
arch/arm64/kernel/sys32.c:130:40: note: (near initialization for 'compat_sys_call_table[442]')
130 | #define __SYSCALL(nr, sym) [nr] = __arm64_##sym,
| ^~~~~~~~
arch/arm64/include/asm/unistd32.h:895:1: note: in expansion of macro '__SYSCALL'
895 | __SYSCALL(__NR_mount_setattr, sys_mount_setattr)
| ^~~~~~~~~
arch/arm64/kernel/sys32.c:130:40: warning: initialized field overwritten [-Woverride-init]
130 | #define __SYSCALL(nr, sym) [nr] = __arm64_##sym,
| ^~~~~~~~
arch/arm64/include/asm/unistd32.h:897:1: note: in expansion of macro '__SYSCALL'
897 | __SYSCALL(__NR_quotactl_fd, sys_quotactl_fd)
| ^~~~~~~~~
arch/arm64/kernel/sys32.c:130:40: note: (near initialization for 'compat_sys_call_table[443]')
130 | #define __SYSCALL(nr, sym) [nr] = __arm64_##sym,
| ^~~~~~~~
arch/arm64/include/asm/unistd32.h:897:1: note: in expansion of macro '__SYSCALL'
897 | __SYSCALL(__NR_quotactl_fd, sys_quotactl_fd)
| ^~~~~~~~~
arch/arm64/kernel/sys32.c:130:40: warning: initialized field overwritten [-Woverride-init]
130 | #define __SYSCALL(nr, sym) [nr] = __arm64_##sym,
| ^~~~~~~~
arch/arm64/include/asm/unistd32.h:899:1: note: in expansion of macro '__SYSCALL'
899 | __SYSCALL(__NR_landlock_create_ruleset, sys_landlock_create_ruleset)
| ^~~~~~~~~
arch/arm64/kernel/sys32.c:130:40: note: (near initialization for 'compat_sys_call_table[444]')
130 | #define __SYSCALL(nr, sym) [nr] = __arm64_##sym,
| ^~~~~~~~
arch/arm64/include/asm/unistd32.h:899:1: note: in expansion of macro '__SYSCALL'
899 | __SYSCALL(__NR_landlock_create_ruleset, sys_landlock_create_ruleset)
| ^~~~~~~~~
arch/arm64/kernel/sys32.c:130:40: warning: initialized field overwritten [-Woverride-init]
130 | #define __SYSCALL(nr, sym) [nr] = __arm64_##sym,
| ^~~~~~~~
arch/arm64/include/asm/unistd32.h:901:1: note: in expansion of macro '__SYSCALL'
901 | __SYSCALL(__NR_landlock_add_rule, sys_landlock_add_rule)
| ^~~~~~~~~
arch/arm64/kernel/sys32.c:130:40: note: (near initialization for 'compat_sys_call_table[445]')
130 | #define __SYSCALL(nr, sym) [nr] = __arm64_##sym,
| ^~~~~~~~
arch/arm64/include/asm/unistd32.h:901:1: note: in expansion of macro '__SYSCALL'
901 | __SYSCALL(__NR_landlock_add_rule, sys_landlock_add_rule)
| ^~~~~~~~~
arch/arm64/kernel/sys32.c:130:40: warning: initialized field overwritten [-Woverride-init]
130 | #define __SYSCALL(nr, sym) [nr] = __arm64_##sym,
| ^~~~~~~~
arch/arm64/include/asm/unistd32.h:903:1: note: in expansion of macro '__SYSCALL'
903 | __SYSCALL(__NR_landlock_restrict_self, sys_landlock_restrict_self)
| ^~~~~~~~~
arch/arm64/kernel/sys32.c:130:40: note: (near initialization for 'compat_sys_call_table[446]')
130 | #define __SYSCALL(nr, sym) [nr] = __arm64_##sym,
| ^~~~~~~~
arch/arm64/include/asm/unistd32.h:903:1: note: in expansion of macro '__SYSCALL'
903 | __SYSCALL(__NR_landlock_restrict_self, sys_landlock_restrict_self)
| ^~~~~~~~~
arch/arm64/kernel/sys32.c:130:40: warning: initialized field overwritten [-Woverride-init]
130 | #define __SYSCALL(nr, sym) [nr] = __arm64_##sym,
| ^~~~~~~~
arch/arm64/include/asm/unistd32.h:905:1: note: in expansion of macro '__SYSCALL'
905 | __SYSCALL(__NR_process_mrelease, sys_process_mrelease)
| ^~~~~~~~~
arch/arm64/kernel/sys32.c:130:40: note: (near initialization for 'compat_sys_call_table[448]')
130 | #define __SYSCALL(nr, sym) [nr] = __arm64_##sym,
| ^~~~~~~~
arch/arm64/include/asm/unistd32.h:905:1: note: in expansion of macro '__SYSCALL'
905 | __SYSCALL(__NR_process_mrelease, sys_process_mrelease)
| ^~~~~~~~~
arch/arm64/kernel/sys32.c:130:40: warning: initialized field overwritten [-Woverride-init]
130 | #define __SYSCALL(nr, sym) [nr] = __arm64_##sym,
| ^~~~~~~~
arch/arm64/include/asm/unistd32.h:907:1: note: in expansion of macro '__SYSCALL'
907 | __SYSCALL(__NR_futex_waitv, sys_futex_waitv)
| ^~~~~~~~~
arch/arm64/kernel/sys32.c:130:40: note: (near initialization for 'compat_sys_call_table[449]')
130 | #define __SYSCALL(nr, sym) [nr] = __arm64_##sym,
| ^~~~~~~~
arch/arm64/include/asm/unistd32.h:907:1: note: in expansion of macro '__SYSCALL'
907 | __SYSCALL(__NR_futex_waitv, sys_futex_waitv)
| ^~~~~~~~~
arch/arm64/kernel/sys32.c:130:40: warning: initialized field overwritten [-Woverride-init]
130 | #define __SYSCALL(nr, sym) [nr] = __arm64_##sym,
| ^~~~~~~~
arch/arm64/include/asm/unistd32.h:909:1: note: in expansion of macro '__SYSCALL'
909 | __SYSCALL(__NR_set_mempolicy_home_node, sys_set_mempolicy_home_node)
| ^~~~~~~~~
arch/arm64/kernel/sys32.c:130:40: note: (near initialization for 'compat_sys_call_table[450]')
130 | #define __SYSCALL(nr, sym) [nr] = __arm64_##sym,
| ^~~~~~~~
arch/arm64/include/asm/unistd32.h:909:1: note: in expansion of macro '__SYSCALL'
909 | __SYSCALL(__NR_set_mempolicy_home_node, sys_set_mempolicy_home_node)
| ^~~~~~~~~
>> arch/arm64/include/asm/unistd32.h:910:32: error: array index in initializer exceeds array bounds
910 | #define __NR_lsm_get_self_attr 451
| ^~~
arch/arm64/kernel/sys32.c:130:34: note: in definition of macro '__SYSCALL'
130 | #define __SYSCALL(nr, sym) [nr] = __arm64_##sym,
| ^~
arch/arm64/include/asm/unistd32.h:911:11: note: in expansion of macro '__NR_lsm_get_self_attr'
911 | __SYSCALL(__NR_lsm_get_self_attr, sys_lsm_get_self_attr)
| ^~~~~~~~~~~~~~~~~~~~~~
arch/arm64/include/asm/unistd32.h:910:32: note: (near initialization for 'compat_sys_call_table')
910 | #define __NR_lsm_get_self_attr 451
| ^~~
arch/arm64/kernel/sys32.c:130:34: note: in definition of macro '__SYSCALL'
130 | #define __SYSCALL(nr, sym) [nr] = __arm64_##sym,
| ^~
arch/arm64/include/asm/unistd32.h:911:11: note: in expansion of macro '__NR_lsm_get_self_attr'
911 | __SYSCALL(__NR_lsm_get_self_attr, sys_lsm_get_self_attr)
| ^~~~~~~~~~~~~~~~~~~~~~
>> arch/arm64/kernel/sys32.c:130:40: warning: excess elements in array initializer
130 | #define __SYSCALL(nr, sym) [nr] = __arm64_##sym,
| ^~~~~~~~
arch/arm64/include/asm/unistd32.h:911:1: note: in expansion of macro '__SYSCALL'
911 | __SYSCALL(__NR_lsm_get_self_attr, sys_lsm_get_self_attr)
| ^~~~~~~~~
arch/arm64/kernel/sys32.c:130:40: note: (near initialization for 'compat_sys_call_table')
130 | #define __SYSCALL(nr, sym) [nr] = __arm64_##sym,
| ^~~~~~~~
arch/arm64/include/asm/unistd32.h:911:1: note: in expansion of macro '__SYSCALL'
911 | __SYSCALL(__NR_lsm_get_self_attr, sys_lsm_get_self_attr)
| ^~~~~~~~~
arch/arm64/include/asm/unistd32.h:912:30: error: array index in initializer exceeds array bounds
912 | #define __NR_lsm_module_list 452
| ^~~
arch/arm64/kernel/sys32.c:130:34: note: in definition of macro '__SYSCALL'
130 | #define __SYSCALL(nr, sym) [nr] = __arm64_##sym,
| ^~
arch/arm64/include/asm/unistd32.h:913:11: note: in expansion of macro '__NR_lsm_module_list'
913 | __SYSCALL(__NR_lsm_module_list, sys_module_list)
| ^~~~~~~~~~~~~~~~~~~~
arch/arm64/include/asm/unistd32.h:912:30: note: (near initialization for 'compat_sys_call_table')
912 | #define __NR_lsm_module_list 452
| ^~~
arch/arm64/kernel/sys32.c:130:34: note: in definition of macro '__SYSCALL'
130 | #define __SYSCALL(nr, sym) [nr] = __arm64_##sym,
| ^~
arch/arm64/include/asm/unistd32.h:913:11: note: in expansion of macro '__NR_lsm_module_list'
913 | __SYSCALL(__NR_lsm_module_list, sys_module_list)
| ^~~~~~~~~~~~~~~~~~~~
>> arch/arm64/kernel/sys32.c:130:40: warning: excess elements in array initializer
130 | #define __SYSCALL(nr, sym) [nr] = __arm64_##sym,
| ^~~~~~~~
arch/arm64/include/asm/unistd32.h:913:1: note: in expansion of macro '__SYSCALL'
913 | __SYSCALL(__NR_lsm_module_list, sys_module_list)
| ^~~~~~~~~
arch/arm64/kernel/sys32.c:130:40: note: (near initialization for 'compat_sys_call_table')
130 | #define __SYSCALL(nr, sym) [nr] = __arm64_##sym,
| ^~~~~~~~
arch/arm64/include/asm/unistd32.h:913:1: note: in expansion of macro '__SYSCALL'
913 | __SYSCALL(__NR_lsm_module_list, sys_module_list)
| ^~~~~~~~~
arch/arm64/include/asm/unistd32.h:914:32: error: array index in initializer exceeds array bounds
914 | #define __NR_lsm_set_self_attr 453
| ^~~
arch/arm64/kernel/sys32.c:130:34: note: in definition of macro '__SYSCALL'
130 | #define __SYSCALL(nr, sym) [nr] = __arm64_##sym,
| ^~
arch/arm64/include/asm/unistd32.h:915:11: note: in expansion of macro '__NR_lsm_set_self_attr'
915 | __SYSCALL(__NR_lsm_set_self_attr, sys_lsm_set_self_attr)
| ^~~~~~~~~~~~~~~~~~~~~~
arch/arm64/include/asm/unistd32.h:914:32: note: (near initialization for 'compat_sys_call_table')
914 | #define __NR_lsm_set_self_attr 453
| ^~~
arch/arm64/kernel/sys32.c:130:34: note: in definition of macro '__SYSCALL'
130 | #define __SYSCALL(nr, sym) [nr] = __arm64_##sym,
| ^~
arch/arm64/include/asm/unistd32.h:915:11: note: in expansion of macro '__NR_lsm_set_self_attr'
915 | __SYSCALL(__NR_lsm_set_self_attr, sys_lsm_set_self_attr)
| ^~~~~~~~~~~~~~~~~~~~~~
>> arch/arm64/kernel/sys32.c:130:40: warning: excess elements in array initializer
130 | #define __SYSCALL(nr, sym) [nr] = __arm64_##sym,
| ^~~~~~~~
arch/arm64/include/asm/unistd32.h:915:1: note: in expansion of macro '__SYSCALL'
915 | __SYSCALL(__NR_lsm_set_self_attr, sys_lsm_set_self_attr)
| ^~~~~~~~~
arch/arm64/kernel/sys32.c:130:40: note: (near initialization for 'compat_sys_call_table')
130 | #define __SYSCALL(nr, sym) [nr] = __arm64_##sym,
| ^~~~~~~~
arch/arm64/include/asm/unistd32.h:915:1: note: in expansion of macro '__SYSCALL'
915 | __SYSCALL(__NR_lsm_set_self_attr, sys_lsm_set_self_attr)
| ^~~~~~~~~


vim +910 arch/arm64/include/asm/unistd32.h

723 #define __NR_signalfd4 355
724 __SYSCALL(__NR_signalfd4, compat_sys_signalfd4)
725 #define __NR_eventfd2 356
726 __SYSCALL(__NR_eventfd2, sys_eventfd2)
727 #define __NR_epoll_create1 357
728 __SYSCALL(__NR_epoll_create1, sys_epoll_create1)
729 #define __NR_dup3 358
730 __SYSCALL(__NR_dup3, sys_dup3)
731 #define __NR_pipe2 359
732 __SYSCALL(__NR_pipe2, sys_pipe2)
733 #define __NR_inotify_init1 360
734 __SYSCALL(__NR_inotify_init1, sys_inotify_init1)
735 #define __NR_preadv 361
736 __SYSCALL(__NR_preadv, compat_sys_preadv)
737 #define __NR_pwritev 362
738 __SYSCALL(__NR_pwritev, compat_sys_pwritev)
739 #define __NR_rt_tgsigqueueinfo 363
740 __SYSCALL(__NR_rt_tgsigqueueinfo, compat_sys_rt_tgsigqueueinfo)
741 #define __NR_perf_event_open 364
742 __SYSCALL(__NR_perf_event_open, sys_perf_event_open)
743 #define __NR_recvmmsg 365
744 __SYSCALL(__NR_recvmmsg, compat_sys_recvmmsg_time32)
745 #define __NR_accept4 366
746 __SYSCALL(__NR_accept4, sys_accept4)
747 #define __NR_fanotify_init 367
748 __SYSCALL(__NR_fanotify_init, sys_fanotify_init)
749 #define __NR_fanotify_mark 368
750 __SYSCALL(__NR_fanotify_mark, compat_sys_fanotify_mark)
751 #define __NR_prlimit64 369
752 __SYSCALL(__NR_prlimit64, sys_prlimit64)
753 #define __NR_name_to_handle_at 370
754 __SYSCALL(__NR_name_to_handle_at, sys_name_to_handle_at)
755 #define __NR_open_by_handle_at 371
756 __SYSCALL(__NR_open_by_handle_at, compat_sys_open_by_handle_at)
757 #define __NR_clock_adjtime 372
758 __SYSCALL(__NR_clock_adjtime, sys_clock_adjtime32)
759 #define __NR_syncfs 373
760 __SYSCALL(__NR_syncfs, sys_syncfs)
761 #define __NR_sendmmsg 374
762 __SYSCALL(__NR_sendmmsg, compat_sys_sendmmsg)
763 #define __NR_setns 375
764 __SYSCALL(__NR_setns, sys_setns)
765 #define __NR_process_vm_readv 376
766 __SYSCALL(__NR_process_vm_readv, sys_process_vm_readv)
767 #define __NR_process_vm_writev 377
768 __SYSCALL(__NR_process_vm_writev, sys_process_vm_writev)
769 #define __NR_kcmp 378
770 __SYSCALL(__NR_kcmp, sys_kcmp)
771 #define __NR_finit_module 379
772 __SYSCALL(__NR_finit_module, sys_finit_module)
773 #define __NR_sched_setattr 380
774 __SYSCALL(__NR_sched_setattr, sys_sched_setattr)
775 #define __NR_sched_getattr 381
776 __SYSCALL(__NR_sched_getattr, sys_sched_getattr)
777 #define __NR_renameat2 382
778 __SYSCALL(__NR_renameat2, sys_renameat2)
779 #define __NR_seccomp 383
780 __SYSCALL(__NR_seccomp, sys_seccomp)
781 #define __NR_getrandom 384
782 __SYSCALL(__NR_getrandom, sys_getrandom)
783 #define __NR_memfd_create 385
784 __SYSCALL(__NR_memfd_create, sys_memfd_create)
785 #define __NR_bpf 386
786 __SYSCALL(__NR_bpf, sys_bpf)
787 #define __NR_execveat 387
788 __SYSCALL(__NR_execveat, compat_sys_execveat)
789 #define __NR_userfaultfd 388
790 __SYSCALL(__NR_userfaultfd, sys_userfaultfd)
791 #define __NR_membarrier 389
792 __SYSCALL(__NR_membarrier, sys_membarrier)
793 #define __NR_mlock2 390
794 __SYSCALL(__NR_mlock2, sys_mlock2)
795 #define __NR_copy_file_range 391
796 __SYSCALL(__NR_copy_file_range, sys_copy_file_range)
797 #define __NR_preadv2 392
798 __SYSCALL(__NR_preadv2, compat_sys_preadv2)
799 #define __NR_pwritev2 393
800 __SYSCALL(__NR_pwritev2, compat_sys_pwritev2)
801 #define __NR_pkey_mprotect 394
802 __SYSCALL(__NR_pkey_mprotect, sys_pkey_mprotect)
803 #define __NR_pkey_alloc 395
804 __SYSCALL(__NR_pkey_alloc, sys_pkey_alloc)
805 #define __NR_pkey_free 396
806 __SYSCALL(__NR_pkey_free, sys_pkey_free)
807 #define __NR_statx 397
808 __SYSCALL(__NR_statx, sys_statx)
809 #define __NR_rseq 398
810 __SYSCALL(__NR_rseq, sys_rseq)
811 #define __NR_io_pgetevents 399
812 __SYSCALL(__NR_io_pgetevents, compat_sys_io_pgetevents)
813 #define __NR_migrate_pages 400
814 __SYSCALL(__NR_migrate_pages, sys_migrate_pages)
815 #define __NR_kexec_file_load 401
816 __SYSCALL(__NR_kexec_file_load, sys_kexec_file_load)
817 /* 402 is unused */
818 #define __NR_clock_gettime64 403
819 __SYSCALL(__NR_clock_gettime64, sys_clock_gettime)
820 #define __NR_clock_settime64 404
821 __SYSCALL(__NR_clock_settime64, sys_clock_settime)
822 #define __NR_clock_adjtime64 405
823 __SYSCALL(__NR_clock_adjtime64, sys_clock_adjtime)
824 #define __NR_clock_getres_time64 406
825 __SYSCALL(__NR_clock_getres_time64, sys_clock_getres)
826 #define __NR_clock_nanosleep_time64 407
827 __SYSCALL(__NR_clock_nanosleep_time64, sys_clock_nanosleep)
828 #define __NR_timer_gettime64 408
829 __SYSCALL(__NR_timer_gettime64, sys_timer_gettime)
830 #define __NR_timer_settime64 409
831 __SYSCALL(__NR_timer_settime64, sys_timer_settime)
832 #define __NR_timerfd_gettime64 410
833 __SYSCALL(__NR_timerfd_gettime64, sys_timerfd_gettime)
834 #define __NR_timerfd_settime64 411
835 __SYSCALL(__NR_timerfd_settime64, sys_timerfd_settime)
836 #define __NR_utimensat_time64 412
837 __SYSCALL(__NR_utimensat_time64, sys_utimensat)
838 #define __NR_pselect6_time64 413
839 __SYSCALL(__NR_pselect6_time64, compat_sys_pselect6_time64)
840 #define __NR_ppoll_time64 414
841 __SYSCALL(__NR_ppoll_time64, compat_sys_ppoll_time64)
842 #define __NR_io_pgetevents_time64 416
843 __SYSCALL(__NR_io_pgetevents_time64, sys_io_pgetevents)
844 #define __NR_recvmmsg_time64 417
845 __SYSCALL(__NR_recvmmsg_time64, compat_sys_recvmmsg_time64)
846 #define __NR_mq_timedsend_time64 418
847 __SYSCALL(__NR_mq_timedsend_time64, sys_mq_timedsend)
848 #define __NR_mq_timedreceive_time64 419
849 __SYSCALL(__NR_mq_timedreceive_time64, sys_mq_timedreceive)
850 #define __NR_semtimedop_time64 420
851 __SYSCALL(__NR_semtimedop_time64, sys_semtimedop)
852 #define __NR_rt_sigtimedwait_time64 421
853 __SYSCALL(__NR_rt_sigtimedwait_time64, compat_sys_rt_sigtimedwait_time64)
854 #define __NR_futex_time64 422
855 __SYSCALL(__NR_futex_time64, sys_futex)
856 #define __NR_sched_rr_get_interval_time64 423
857 __SYSCALL(__NR_sched_rr_get_interval_time64, sys_sched_rr_get_interval)
858 #define __NR_pidfd_send_signal 424
859 __SYSCALL(__NR_pidfd_send_signal, sys_pidfd_send_signal)
860 #define __NR_io_uring_setup 425
861 __SYSCALL(__NR_io_uring_setup, sys_io_uring_setup)
862 #define __NR_io_uring_enter 426
863 __SYSCALL(__NR_io_uring_enter, sys_io_uring_enter)
864 #define __NR_io_uring_register 427
865 __SYSCALL(__NR_io_uring_register, sys_io_uring_register)
866 #define __NR_open_tree 428
867 __SYSCALL(__NR_open_tree, sys_open_tree)
868 #define __NR_move_mount 429
869 __SYSCALL(__NR_move_mount, sys_move_mount)
870 #define __NR_fsopen 430
871 __SYSCALL(__NR_fsopen, sys_fsopen)
872 #define __NR_fsconfig 431
873 __SYSCALL(__NR_fsconfig, sys_fsconfig)
874 #define __NR_fsmount 432
875 __SYSCALL(__NR_fsmount, sys_fsmount)
876 #define __NR_fspick 433
877 __SYSCALL(__NR_fspick, sys_fspick)
878 #define __NR_pidfd_open 434
879 __SYSCALL(__NR_pidfd_open, sys_pidfd_open)
880 #define __NR_clone3 435
881 __SYSCALL(__NR_clone3, sys_clone3)
882 #define __NR_close_range 436
883 __SYSCALL(__NR_close_range, sys_close_range)
884 #define __NR_openat2 437
885 __SYSCALL(__NR_openat2, sys_openat2)
886 #define __NR_pidfd_getfd 438
887 __SYSCALL(__NR_pidfd_getfd, sys_pidfd_getfd)
888 #define __NR_faccessat2 439
889 __SYSCALL(__NR_faccessat2, sys_faccessat2)
890 #define __NR_process_madvise 440
891 __SYSCALL(__NR_process_madvise, sys_process_madvise)
892 #define __NR_epoll_pwait2 441
893 __SYSCALL(__NR_epoll_pwait2, compat_sys_epoll_pwait2)
894 #define __NR_mount_setattr 442
895 __SYSCALL(__NR_mount_setattr, sys_mount_setattr)
896 #define __NR_quotactl_fd 443
897 __SYSCALL(__NR_quotactl_fd, sys_quotactl_fd)
898 #define __NR_landlock_create_ruleset 444
899 __SYSCALL(__NR_landlock_create_ruleset, sys_landlock_create_ruleset)
900 #define __NR_landlock_add_rule 445
901 __SYSCALL(__NR_landlock_add_rule, sys_landlock_add_rule)
902 #define __NR_landlock_restrict_self 446
903 __SYSCALL(__NR_landlock_restrict_self, sys_landlock_restrict_self)
904 #define __NR_process_mrelease 448
905 __SYSCALL(__NR_process_mrelease, sys_process_mrelease)
906 #define __NR_futex_waitv 449
907 __SYSCALL(__NR_futex_waitv, sys_futex_waitv)
908 #define __NR_set_mempolicy_home_node 450
909 __SYSCALL(__NR_set_mempolicy_home_node, sys_set_mempolicy_home_node)
> 910 #define __NR_lsm_get_self_attr 451
911 __SYSCALL(__NR_lsm_get_self_attr, sys_lsm_get_self_attr)
912 #define __NR_lsm_module_list 452
913 __SYSCALL(__NR_lsm_module_list, sys_module_list)
914 #define __NR_lsm_set_self_attr 453
915 __SYSCALL(__NR_lsm_set_self_attr, sys_lsm_set_self_attr)
916

--
0-DAY CI Kernel Test Service
https://01.org/lkp



2022-11-28 04:41:14

by Paul Moore

[permalink] [raw]
Subject: Re: [PATCH v3 1/9] LSM: Identify modules by more than name

On Fri, Nov 25, 2022 at 11:19 AM Mickaël Salaün <[email protected]> wrote:
> On 24/11/2022 06:40, Greg KH wrote:
> > On Wed, Nov 23, 2022 at 12:15:44PM -0800, Casey Schaufler wrote:
> >> Create a struct lsm_id to contain identifying information
> >> about Linux Security Modules (LSMs). At inception this contains
> >> the name of the module and an identifier associated with the
> >> security module. Change the security_add_hooks() interface to
> >> use this structure. Change the individual modules to maintain
> >> their own struct lsm_id and pass it to security_add_hooks().
> >>
> >> The values for LSM identifiers are defined in a new UAPI
> >> header file linux/lsm.h. Each existing LSM has been updated to
> >> include its LSMID in the lsm_id.
> >>
> >> The LSM ID values are sequential, with the oldest module
> >> LSM_ID_CAPABILITY being the lowest value and the existing modules
> >> numbered in the order they were included in the main line kernel.
> >> This is an arbitrary convention for assigning the values, but
> >> none better presents itself. The value 0 is defined as being invalid.
> >> The values 1-99 are reserved for any special case uses which may
> >> arise in the future.
> >
> > What would be a "special case" that deserves a lower number?
>
> I don't see any meaningful use case for these reserved numbers either.
> If there are some, let's put them now, otherwise we should start with 1.
> Is it inspired by an existing UAPI?
> Reserving 0 as invalid is good though.

I haven't finished reviewing this latest patchset, but I wanted to
comment on this quickly while I had a moment in front of a keyboard
... I did explain my desire and reasoning for this in a previous
revision of this patchset and I still believe the
reserved-for-potential-future-use to be a valid reason so I'm going to
ask for this to remain. Several of you may disagree, but unless you
can provide a reason why these reserved values would *seriously* break
these, or potential future syscalls, I'm going to be stubborn and
insist we retain a set of low-numbered reserved values.

--
paul-moore.com

2022-11-28 04:45:52

by Paul Moore

[permalink] [raw]
Subject: Re: [PATCH v3 1/9] LSM: Identify modules by more than name

On Fri, Nov 25, 2022 at 11:30 AM Mickaël Salaün <[email protected]> wrote:
> On 23/11/2022 21:15, Casey Schaufler wrote:
> > Create a struct lsm_id to contain identifying information
> > about Linux Security Modules (LSMs). At inception this contains
> > the name of the module and an identifier associated with the
> > security module. Change the security_add_hooks() interface to
> > use this structure. Change the individual modules to maintain
> > their own struct lsm_id and pass it to security_add_hooks().
> >
> > The values for LSM identifiers are defined in a new UAPI
> > header file linux/lsm.h. Each existing LSM has been updated to
> > include its LSMID in the lsm_id.
> >
> > The LSM ID values are sequential, with the oldest module
> > LSM_ID_CAPABILITY being the lowest value and the existing modules
> > numbered in the order they were included in the main line kernel.
> > This is an arbitrary convention for assigning the values, but
> > none better presents itself. The value 0 is defined as being invalid.
> > The values 1-99 are reserved for any special case uses which may
> > arise in the future.
> >
> > Signed-off-by: Casey Schaufler <[email protected]>
> > ---
> > include/linux/lsm_hooks.h | 16 ++++++++++++++--
> > include/uapi/linux/lsm.h | 32 ++++++++++++++++++++++++++++++++
> > security/apparmor/lsm.c | 8 +++++++-
> > security/bpf/hooks.c | 13 ++++++++++++-
> > security/commoncap.c | 8 +++++++-
> > security/landlock/cred.c | 2 +-
> > security/landlock/fs.c | 2 +-
> > security/landlock/ptrace.c | 2 +-
> > security/landlock/setup.c | 6 ++++++
> > security/landlock/setup.h | 1 +
> > security/loadpin/loadpin.c | 9 ++++++++-
> > security/lockdown/lockdown.c | 8 +++++++-
> > security/safesetid/lsm.c | 9 ++++++++-
> > security/security.c | 12 ++++++------
> > security/selinux/hooks.c | 9 ++++++++-
> > security/smack/smack_lsm.c | 8 +++++++-
> > security/tomoyo/tomoyo.c | 9 ++++++++-
> > security/yama/yama_lsm.c | 8 +++++++-
> > 18 files changed, 141 insertions(+), 21 deletions(-)
> > create mode 100644 include/uapi/linux/lsm.h

...

> > diff --git a/include/uapi/linux/lsm.h b/include/uapi/linux/lsm.h
> > new file mode 100644
> > index 000000000000..47791c330cbf
> > --- /dev/null
> > +++ b/include/uapi/linux/lsm.h
> > @@ -0,0 +1,32 @@
> > +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
> > +/*
> > + * Linux Security Modules (LSM) - User space API
> > + *
> > + * Copyright (C) 2022 Casey Schaufler <[email protected]>
> > + * Copyright (C) 2022 Intel Corporation
> > + */
> > +
> > +#ifndef _UAPI_LINUX_LSM_H
> > +#define _UAPI_LINUX_LSM_H
> > +
> > +/*
> > + * ID values to identify security modules.
> > + * A system may use more than one security module.
> > + *
> > + * Values 1-99 are reserved for future use in special cases.
>
> This line should be removed unless justified. What could be special
> about IDs? The syscalls already have a "flags" argument, which is enough.
>
> > + */
> > +#define LSM_ID_INVALID 0
>
> Reserving 0 is good, but it doesn't deserve a dedicated declaration.
> LSM_ID_INVALID should be removed.
>
>
> > +#define LSM_ID_CAPABILITY 100
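Review bot: the header comment on the reserved range ("Values 1-99 are reserved for future use in special cases.") does not say what a special case is, and since this file is UAPI that user-space code will be written against, the reservation needs a documented purpose in the header itself, not only in list discussion. The justification given later in this thread (infrastructure-level attributes such as a loadable-module marker or netlabel ownership, kept apart from the per-module IDs that start at LSM_ID_CAPABILITY 100) belongs in this comment block, so that a reader of the header can tell whether an ID below 100 coming back from lsm_module_list() is an error or a legitimate infrastructure value.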
>
> This should be 1…

No. Scratch that, make that an emphatic "No".

If you want to argue for a different reserved low-number range, e.g.
something with a nice power-of-2 limit, I'm okay with that, but as I
wrote earlier I feel strongly we need to have a low-number reserved
range for potential future uses.

--
paul-moore.com

2022-11-28 08:24:39

by Greg KH

[permalink] [raw]
Subject: Re: [PATCH v3 1/9] LSM: Identify modules by more than name

On Sun, Nov 27, 2022 at 10:48:53PM -0500, Paul Moore wrote:
> On Fri, Nov 25, 2022 at 11:19 AM Mickaël Salaün <[email protected]> wrote:
> > On 24/11/2022 06:40, Greg KH wrote:
> > > On Wed, Nov 23, 2022 at 12:15:44PM -0800, Casey Schaufler wrote:
> > >> Create a struct lsm_id to contain identifying information
> > >> about Linux Security Modules (LSMs). At inception this contains
> > >> the name of the module and an identifier associated with the
> > >> security module. Change the security_add_hooks() interface to
> > >> use this structure. Change the individual modules to maintain
> > >> their own struct lsm_id and pass it to security_add_hooks().
> > >>
> > >> The values for LSM identifiers are defined in a new UAPI
> > >> header file linux/lsm.h. Each existing LSM has been updated to
> > >> include its LSMID in the lsm_id.
> > >>
> > >> The LSM ID values are sequential, with the oldest module
> > >> LSM_ID_CAPABILITY being the lowest value and the existing modules
> > >> numbered in the order they were included in the main line kernel.
> > >> This is an arbitrary convention for assigning the values, but
> > >> none better presents itself. The value 0 is defined as being invalid.
> > >> The values 1-99 are reserved for any special case uses which may
> > >> arise in the future.
> > >
> > > What would be a "special case" that deserves a lower number?
> >
> > I don't see any meaningful use case for these reserved numbers either.
> > If there are some, let's put them now, otherwise we should start with 1.
> > Is it inspired by an existing UAPI?
> > Reserving 0 as invalid is good though.
>
> I haven't finished reviewing this latest patchset, but I wanted to
> comment on this quickly while I had a moment in front of a keyboard
> ... I did explain my desire and reasoning for this in a previous
> revision of this patchset and I still believe the
> reserved-for-potential-future-use to be a valid reason so I'm going to
> ask for this to remain.

Then that reasoning and explanation needs to be here in the changelog
so that we understand and have a chance to agree/disagree with that.
Otherwise we, and everyone else, are left to just be confused.

thanks,

greg k-h

2022-11-28 13:08:35

by Paul Moore

[permalink] [raw]
Subject: Re: [PATCH v3 1/9] LSM: Identify modules by more than name

On November 28, 2022 2:51:55 AM Greg KH <[email protected]> wrote:

> On Sun, Nov 27, 2022 at 10:48:53PM -0500, Paul Moore wrote:
>> On Fri, Nov 25, 2022 at 11:19 AM Mickaël Salaün <[email protected]> wrote:
>>> On 24/11/2022 06:40, Greg KH wrote:
>>>> On Wed, Nov 23, 2022 at 12:15:44PM -0800, Casey Schaufler wrote:
>>>>> Create a struct lsm_id to contain identifying information
>>>>> about Linux Security Modules (LSMs). At inception this contains
>>>>> the name of the module and an identifier associated with the
>>>>> security module. Change the security_add_hooks() interface to
>>>>> use this structure. Change the individual modules to maintain
>>>>> their own struct lsm_id and pass it to security_add_hooks().
>>>>>
>>>>> The values for LSM identifiers are defined in a new UAPI
>>>>> header file linux/lsm.h. Each existing LSM has been updated to
>>>>> include its LSMID in the lsm_id.
>>>>>
>>>>> The LSM ID values are sequential, with the oldest module
>>>>> LSM_ID_CAPABILITY being the lowest value and the existing modules
>>>>> numbered in the order they were included in the main line kernel.
>>>>> This is an arbitrary convention for assigning the values, but
>>>>> none better presents itself. The value 0 is defined as being invalid.
>>>>> The values 1-99 are reserved for any special case uses which may
>>>>> arise in the future.
>>>>
>>>> What would be a "special case" that deserves a lower number?
>>>
>>> I don't see any meaningful use case for these reserved numbers either.
>>> If there are some, let's put them now, otherwise we should start with 1.
>>> Is it inspired by an existing UAPI?
>>> Reserving 0 as invalid is good though.
>>
>> I haven't finished reviewing this latest patchset, but I wanted to
>> comment on this quickly while I had a moment in front of a keyboard
>> ... I did explain my desire and reasoning for this in a previous
>> revision of this patchset and I still believe the
>> reserved-for-potential-future-use to be a valid reason so I'm going to
>> ask for this to remain.
>
> Then that reasoning and explanation needs to be here in the changelog
> so that we understand and have a chance to agree/disagree with that.
> Otherwise we, and everyone else, are left to just be confused.
>
> thanks,
>
> greg k-h

The patch author should have done that considering I made my comments on the last revision.

--
paul-moore.com


2022-11-28 19:31:59

by Casey Schaufler

[permalink] [raw]
Subject: Re: [PATCH v3 1/9] LSM: Identify modules by more than name

On 11/28/2022 4:49 AM, Paul Moore wrote:
> On November 28, 2022 2:51:55 AM Greg KH <[email protected]> wrote:
>
>> On Sun, Nov 27, 2022 at 10:48:53PM -0500, Paul Moore wrote:
>>> On Fri, Nov 25, 2022 at 11:19 AM Mickaël Salaün <[email protected]> wrote:
>>>> On 24/11/2022 06:40, Greg KH wrote:
>>>>> On Wed, Nov 23, 2022 at 12:15:44PM -0800, Casey Schaufler wrote:
>>>>>> Create a struct lsm_id to contain identifying information
>>>>>> about Linux Security Modules (LSMs). At inception this contains
>>>>>> the name of the module and an identifier associated with the
>>>>>> security module. Change the security_add_hooks() interface to
>>>>>> use this structure. Change the individual modules to maintain
>>>>>> their own struct lsm_id and pass it to security_add_hooks().
>>>>>>
>>>>>> The values for LSM identifiers are defined in a new UAPI
>>>>>> header file linux/lsm.h. Each existing LSM has been updated to
>>>>>> include its LSMID in the lsm_id.
>>>>>>
>>>>>> The LSM ID values are sequential, with the oldest module
>>>>>> LSM_ID_CAPABILITY being the lowest value and the existing modules
>>>>>> numbered in the order they were included in the main line kernel.
>>>>>> This is an arbitrary convention for assigning the values, but
>>>>>> none better presents itself. The value 0 is defined as being invalid.
>>>>>> The values 1-99 are reserved for any special case uses which may
>>>>>> arise in the future.
>>>>> What would be a "special case" that deserves a lower number?

The interface is designed to extend to attributes beyond those which
are active today. Currently all the attributes are specific to the
individual modules. The LSM infrastructure itself has no variable state,
but that may change. One proposal would allow loadable modules, in which
case an attribute such as LSM_IS_LOADABLE might identify the dynamic
modules. Another potential attribute could be which security module is
responsible for network labeling via netlabel. That could be LSM_NETLABEL.
Another possible attribute could be related to stacking behavior in a
namespaced environment.

While it would be possible to intermingle the LSM infrastructure attribute
values with the security module provided values, separating them makes for
a clearer distinction.

>>>> I don't see any meaningful use case for these reserved numbers either.
>>>> If there are some, let's put them now, otherwise we should start with 1.
>>>> Is it inspired by an existing UAPI?
>>>> Reserving 0 as invalid is good though.
>>> I haven't finished reviewing this latest patchset, but I wanted to
>>> comment on this quickly while I had a moment in front of a keyboard
>>> ... I did explain my desire and reasoning for this in a previous
>>> revision of this patchset and I still believe the
>>> reserved-for-potential-future-use to be a valid reason so I'm going to
>>> ask for this to remain.
>> Then that reasoning and explanation needs to be here in the changelog
>> so that we understand and have a chance to agree/disagree with that.
>> Otherwise we, and everyone else, are left to just be confused.
>>
>> thanks,
>>
>> greg k-h
> The patch author should have done that considering I made my comments on the last revision.
>
> --
> paul-moore.com
>
>