Received: by 2002:a05:6358:11c7:b0:104:8066:f915 with SMTP id i7csp4425975rwl; Mon, 3 Apr 2023 05:02:07 -0700 (PDT) X-Google-Smtp-Source: AKy350ZU0mhyYhT1GrIq+N0Vz5Grk6VtHmw2GUnnxR7kPtJG14kzw1zpGFlFTcnfzRi9s5MG7fgc X-Received: by 2002:a17:906:8559:b0:931:9cd2:c214 with SMTP id h25-20020a170906855900b009319cd2c214mr33234841ejy.66.1680523327687; Mon, 03 Apr 2023 05:02:07 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1680523327; cv=none; d=google.com; s=arc-20160816; b=sBMNkYM1nViWUzqyjQ6SK35ouhGUfDu+rM/skScvrHDtOD/nCAH+FV44TeXvXFbuRd QOWRJIFd/qpDYnMKKayKcXN3HakH++IgZgatbl4w04a1CzzLjZ0k65YNhoAYe3HAEoRo TVePr07QAFapLXXB56Z98v6NVvcax0HwEIDRdanWdP43M+Tuc/Rd8yEr9/K7GJQQ69vu YN3CKMrNp39i0C/LjQ3gI8BLZopzPFV73lxUDxocIUYFA11O1N7UKu4LJdFZWEk8BnJn nDNpZokz7oMXuHqAhYFssA58eFvJxB1Lz64xc9bi0SQ//mVmVA2AIZ3LLoZKlMLxm65C z7Hg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:references :cc:to:from:content-language:subject:user-agent:mime-version:date :message-id:dkim-signature; bh=s/CkwYODQDf6u3DMjFke+AO75ohA6C0s7c4ITNsB8ro=; b=Oa4d8MiJ59w7O5YirGPz1wAgyEgNnqXxz7fpFM5Y0/lsqyAQmsodkgLISg7F04o5wc X9CKhtN/wktuuQR/QpacXWqSARcYHitAIs2i8qkwsI8wOviYddYuKBxrZYBbpISugc3I mN5qkDkfcTDnFIx/+3yh8iObGfCt3dZoZviEK62ZqPYlk5knMHoBJONP5TPhtYjNCwXf R4GP6nqD6UIFrGTJhgarL7gXPLs49q6QHoI9xP7aH/9bsatNno8yjzmBiPcHDf/Uu6pR TRT2vVWvqbL27YED+N0b4fK36QQCNCioANyOZhuuy9XFjlQWSCV1EnflRJ9iH6wLBKMO 7T2g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@digikod.net header.s=20191114 header.b=parMgoYO; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id n3-20020a17090695c300b0093e3a33d7easi7858292ejy.451.2023.04.03.05.01.42; Mon, 03 Apr 2023 05:02:07 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@digikod.net header.s=20191114 header.b=parMgoYO; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231411AbjDCLrS (ORCPT + 99 others); Mon, 3 Apr 2023 07:47:18 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50088 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231444AbjDCLrR (ORCPT ); Mon, 3 Apr 2023 07:47:17 -0400 Received: from smtp-190e.mail.infomaniak.ch (smtp-190e.mail.infomaniak.ch [IPv6:2001:1600:4:17::190e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D780F1FF1 for ; Mon, 3 Apr 2023 04:47:14 -0700 (PDT) Received: from smtp-2-0001.mail.infomaniak.ch (unknown [10.5.36.108]) by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4Pqpz46kG2zMqR6Y; Mon, 3 Apr 2023 13:47:12 +0200 (CEST) Received: from unknown by smtp-2-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 4Pqpz22sdDzMpqjL; Mon, 3 Apr 2023 13:47:10 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=digikod.net; s=20191114; t=1680522432; bh=l/Miq1FXcuzbR9T4SFEdiVhywd+ZoHuDueWC1NgtO10=; h=Date:Subject:From:To:Cc:References:In-Reply-To:From; b=parMgoYOeYZBV33/rJmJ+eAckFCZZpy5lx7PAuQfzAOBTgtwZdaa1gNnPCiHnV/j/ 0e8VE5xQzF5hJjMMvL5TcYZoPAxf+pMVCT4+24NSF2SeOz+2KMdg+K4NkzU70S6nO1 XgaXeFdMsajoahOpGUvZ/v4zaLVmH3yBfS61mpks= Message-ID: <40081d47-14f3-b86c-59e3-6f78aeae4e2b@digikod.net> Date: Mon, 3 Apr 2023 13:47:09 +0200 MIME-Version: 1.0 User-Agent: Subject: Re: [PATCH v7 07/11] LSM: Helpers for attribute names and filling an lsm_ctx Content-Language: en-US From: =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= To: Casey Schaufler , paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org References: <20230315224704.2672-1-casey@schaufler-ca.com> <20230315224704.2672-8-casey@schaufler-ca.com> <544a4809-1a79-9dd7-61a5-5fce1f4a5f10@digikod.net> <539e698a-1ab7-a390-a3a4-6c7e43db4eb6@digikod.net> In-Reply-To: <539e698a-1ab7-a390-a3a4-6c7e43db4eb6@digikod.net> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Infomaniak-Routing: alpha X-Spam-Status: No, score=-0.2 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 03/04/2023 11:54, Mickaël Salaün wrote: > > On 03/04/2023 11:47, Mickaël Salaün wrote: >> >> On 15/03/2023 23:47, Casey Schaufler wrote: >>> Add lsm_name_to_attr(), which translates a text string to a >>> LSM_ATTR value if one is available. >>> >>> Add lsm_fill_user_ctx(), which fills a struct lsm_ctx, including >>> the trailing attribute value. >>> >>> All are used in module specific components of LSM system calls. >>> >>> Signed-off-by: Casey Schaufler >>> --- >>> include/linux/security.h | 13 ++++++++++ >>> security/lsm_syscalls.c | 51 ++++++++++++++++++++++++++++++++++++++++ >>> security/security.c | 31 ++++++++++++++++++++++++ >>> 3 files changed, 95 insertions(+) >> >> [...] >> >>> diff --git a/security/security.c b/security/security.c >>> index 2c57fe28c4f7..f7b814a3940c 100644 >>> --- a/security/security.c >>> +++ b/security/security.c >>> @@ -753,6 +753,37 @@ static int lsm_superblock_alloc(struct super_block *sb) >>> return 0; >>> } >>> >>> +/** >>> + * lsm_fill_user_ctx - Fill a user space lsm_ctx structure >>> + * @ctx: an LSM context to be filled >>> + * @context: the new context value >>> + * @context_size: the size of the new context value >>> + * @id: LSM id >>> + * @flags: LSM defined flags >>> + * >>> + * Fill all of the fields in a user space lsm_ctx structure. >>> + * Caller is assumed to have verified that @ctx has enough space >>> + * for @context. >>> + * Returns 0 on success, -EFAULT on a copyout error. >>> + */ >>> +int lsm_fill_user_ctx(struct lsm_ctx __user *ctx, void *context, >>> + size_t context_size, u64 id, u64 flags) >>> +{ >>> + struct lsm_ctx local; >>> + void __user *vc = ctx; >>> + >>> + local.id = id; >>> + local.flags = flags; >>> + local.ctx_len = context_size; >>> + local.len = context_size + sizeof(local); >>> + vc += sizeof(local); >>> + if (copy_to_user(ctx, &local, sizeof(local))) >>> + return -EFAULT; >>> + if (context_size > 0 && copy_to_user(vc, context, context_size)) >>> + return -EFAULT; >> >> Can we do a single copy_to_user() call? That would avoid inconsistent >> user space data, could speed up a bit the operation, and make the code >> easier to understand. To use the stack, we need to know the maximum size >> of context_size for all use cases, which seems reasonable and can be >> checked at build time (on each LSM side, and potentially with specific >> context type passed as enum instead of context_size) and run time (for >> this generic helper). > > Well, actually the context_size should be inferred from id, and the > "local" size should be defined and check at build time against all > context ID sizes. @ctx_len should already be known by user space according to the LSM ID and the requested attribute. @len should already be known by user space because lsm_ctx is part of the ABI. The only reason I can think of the rationale for @len and @ctx_len is that struct lsm_ctx could gain more fields. If this happen, they would then need to be inserted before @ctx. This would make this struct lsm_ctx too flexible and complex for user space to parse correctly (e.g. for strace, gdb). I don't see where we could use @flags instead of relying on a new attribute type. I think security_getselfattr() and lsm_fill_user_ctx() could be changed to avoid each LSM to pass their own ID to lsm_fill_user_ctx(). We could have a lsm_get_attr_size(lsm_id, attr) helper (called by security_getselfattr) to group these relations, based on fixed values, exposed in the UAPI, and checked at build time with the size of the related LSM-specific attribute type. This would also allow to factor out the total size calculation needed before calling the getselfattr() implementers, and then rely on a common consistent behavior. That could also be used to not call getselfattr() implementers if they don't handle a specific attribute, and then remove their related error handling for this case. For now, the getselfattr() hook (not the related syscall) doesn't need to pass a "flags" argument to each LSM because there is no use of it. > >> >> >>> + return 0; >>> +} >>> + >>> /* >>> * The default value of the LSM hook is defined in linux/lsm_hook_defs.h and >>> * can be accessed with: