Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp1389086rwd; Wed, 7 Jun 2023 15:45:22 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ7jmHMLrLaSXcgn2WcBGQIyJH8IRMBiIQ6B+Q09ZVR3RUOenpY9pb1dwQRBtrxx6S9bCATB X-Received: by 2002:a17:902:e811:b0:1ae:8fa:cd4c with SMTP id u17-20020a170902e81100b001ae08facd4cmr514960plg.7.1686177921920; Wed, 07 Jun 2023 15:45:21 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1686177921; cv=none; d=google.com; s=arc-20160816; b=lyjiN7eFiyi8TIciPrAljGT1ORyvrw8fiz36/IevjoiE353vZ9WDKOiwH/zPYTD+2K BBml8nWHSmDJzSJEWfCsWtj/GpGFYpaFWM74TFBvu6tdkOvOY+4rURJHNVD1cYGOG8gN FMYAhocLiKGnB8ik+RIMC0YQOQRN4UIV7bmJt/Z2Ekq47VBSeq2Ltf2/xFB1+pd2cYkq V+aQnTNQOuBzFbthjdJtjDyrDEZDh9g705hiSVJJr7HiTrGu8xGm7aAs1bIy6Muf8qoc WjPZF1qJJEdfRlw3rJtmxr7Yy7yz9FhMNFvlwhNRXmT3NijbRr8uKDFJM0+nQ13l2IDb Ugxg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:references:subject:cc:to:from :message-id:date:dkim-signature; bh=hZXIJgO0yR4cIcee4w+UOn0ROi+cGZITxROBHRvLSZY=; b=mR6X5i2Kn8hisgxSnHN+qZjngxX2CflH1ORhAyCdvuc05edcfVOylRXKxaz/lkpPBY R5Fx18li+FdZYT3dZ9WPKranE7tDUJOFcd30ECOHR0q8WzOUpw2OQufbL0UwwfGCCZeK 25gdNm+HQII5Pg7xfjs5ib20a0HGSR0UgLYm7uE5S22o5TxyVGQKEGPlHu9mx+YA0y8X ErdsBVyrfSDi38o5Jgb6cf1UjMwMgpJ1cf8Y5Apdg3RI0vF4qz+Qxuh76QAujpVs8Zsj kCh980etf57oC3WHa7wK44tdQx31irNQamCqMYM5cceLqBPMvu8l27XQYSvwoXXjHAc+ 5gMA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore.com header.s=google header.b="X/riXzpO"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=paul-moore.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id j189-20020a636ec6000000b00534dbd0d219si9459637pgc.301.2023.06.07.15.45.08; Wed, 07 Jun 2023 15:45:21 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore.com header.s=google header.b="X/riXzpO"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=paul-moore.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231449AbjFGWdD (ORCPT + 99 others); Wed, 7 Jun 2023 18:33:03 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45416 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229556AbjFGWdC (ORCPT ); Wed, 7 Jun 2023 18:33:02 -0400 Received: from mail-qk1-x72a.google.com (mail-qk1-x72a.google.com [IPv6:2607:f8b0:4864:20::72a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 973DD1734 for ; Wed, 7 Jun 2023 15:32:59 -0700 (PDT) Received: by mail-qk1-x72a.google.com with SMTP id af79cd13be357-75d536afa43so1560985a.1 for ; Wed, 07 Jun 2023 15:32:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore.com; s=google; t=1686177178; x=1688769178; h=in-reply-to:references:subject:cc:to:from:message-id:date:from:to :cc:subject:date:message-id:reply-to; bh=hZXIJgO0yR4cIcee4w+UOn0ROi+cGZITxROBHRvLSZY=; b=X/riXzpOF/e1z57/D1w9xWtuZFR8Os282CJJh2gLbfofZgnft5MCwx9btiFxP+SPXz 7EMWTmqedtsCzEOJ5t3SPnQMC4tKXzBhvAchmLqVwvd/tHSbJVnAtiStxoy/6Rg8/ZBs SsLpQomYqNS0dZxyoOuDMMXFFYViM5VBTVjBO8jJghJylkLYhdE/fZzuxDB1HcL43z/d udOGdC6ep/Aa0ZOctcsQDOZKtl164NB4MINCniJ5ALeyb1zkmXqvw2Kdb6cJgNoY3Z6n 3OlhfQFiJ74wn5kpJbFao1c06C6MFEQGLMJAnjh7iCYy/xGrKwB32vn/8Ff/rhGTBE+G tqew== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1686177178; x=1688769178; h=in-reply-to:references:subject:cc:to:from:message-id:date :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=hZXIJgO0yR4cIcee4w+UOn0ROi+cGZITxROBHRvLSZY=; b=EZwsjpbDDqioG+8U4ArtI53mJivfGW07CcVSdN1geC/K0XPRnhEILQjv7KZfRlkVwW D8Wq2DtDTplWY+EqOoL95+k/o1IWXNLpksbZf1yaUcgD4Xb9aBE/FVlaiMnxz/k7xVPg P6TbuxKtqDjtE7a/nOX2AaYoEiEIMyZA5vSkGjYcPPCWpJDuvTf8a91ttHMi4FJ0JZDe 7xeRHOAbjn0Qk7SVUgff2WAZaqSvT+UvOv7SOcLduj7mRJ9WoqKMqWX5dzTrGp64VfCn mbXdPIPBHcKe1eBnQRcoku0ps0D1yYRZ56YOeMvEng9fc1DzCHkbSKTW4ERRBaVbeuq7 eE2A== X-Gm-Message-State: AC+VfDx+z1ki3JDHzEqlN53j8Sv1qzLf7URy+SOGYcUgpsaJv6Au3BSK vvZEHKlxYe29C5lAI9pubytAqg7gGifgiEC+3w== X-Received: by 2002:a05:620a:8c3:b0:75d:1145:8151 with SMTP id z3-20020a05620a08c300b0075d11458151mr611357qkz.12.1686177178558; Wed, 07 Jun 2023 15:32:58 -0700 (PDT) Received: from localhost (static-96-237-115-254.bstnma.fios.verizon.net. [96.237.115.254]) by smtp.gmail.com with ESMTPSA id y8-20020a37e308000000b0075ecdc937ffsm221321qki.41.2023.06.07.15.32.57 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 07 Jun 2023 15:32:58 -0700 (PDT) Date: Wed, 07 Jun 2023 18:32:57 -0400 Message-ID: <76f37cf7b20b8c63cf78d4ddca5a7375.paul@paul-moore.com> From: Paul Moore To: Casey Schaufler , linux-security-module@vger.kernel.org Cc: jmorris@namei.org, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, mic@digikod.net Subject: Re: [PATCH v10 4/11] LSM: syscalls for current process attributes References: <20230428203417.159874-5-casey@schaufler-ca.com> In-Reply-To: <20230428203417.159874-5-casey@schaufler-ca.com> X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Apr 28, 2023 Casey Schaufler wrote: > > Create a system call lsm_get_self_attr() to provide the security > module maintained attributes of the current process. > Create a system call lsm_set_self_attr() to set a security > module maintained attribute of the current process. > Historically these attributes have been exposed to user space via > entries in procfs under /proc/self/attr. > > The attribute value is provided in a lsm_ctx structure. The structure > identifies the size of the attribute, and the attribute value. The format > of the attribute value is defined by the security module. A flags field > is included for LSM specific information. It is currently unused and must > be 0. The total size of the data, including the lsm_ctx structure and any > padding, is maintained as well. > > struct lsm_ctx { > __u64 id; > __u64 flags; > __u64 len; > __u64 ctx_len; > __u8 ctx[]; > }; > > Two new LSM hooks are used to interface with the LSMs. > security_getselfattr() collects the lsm_ctx values from the > LSMs that support the hook, accounting for space requirements. > security_setselfattr() identifies which LSM the attribute is > intended for and passes it along. > > Signed-off-by: Casey Schaufler > Reviewed-by: Kees Cook > --- > Documentation/userspace-api/lsm.rst | 15 ++++ > include/linux/lsm_hook_defs.h | 4 + > include/linux/lsm_hooks.h | 9 +++ > include/linux/security.h | 19 +++++ > include/linux/syscalls.h | 5 ++ > include/uapi/linux/lsm.h | 36 +++++++++ > kernel/sys_ni.c | 4 + > security/Makefile | 1 + > security/lsm_syscalls.c | 55 ++++++++++++++ > security/security.c | 112 ++++++++++++++++++++++++++++ > 10 files changed, 260 insertions(+) > create mode 100644 security/lsm_syscalls.c ... > diff --git a/security/security.c b/security/security.c > index 5a48b1b539e5..94b78bfd06b9 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -2176,6 +2176,118 @@ void security_d_instantiate(struct dentry *dentry, struct inode *inode) > } > EXPORT_SYMBOL(security_d_instantiate); > > +/** > + * security_getselfattr - Read an LSM attribute of the current process. > + * @attr: which attribute to return > + * @ctx: the user-space destination for the information, or NULL > + * @size: the size of space available to receive the data > + * @flags: special handling options. LSM_FLAG_SINGLE indicates that only > + * attributes associated with the LSM identified in the passed @ctx be > + * reported > + * > + * Returns the number of attributes found on success, negative value > + * on error. @size is reset to the total size of the data. > + * If @size is insufficient to contain the data -E2BIG is returned. > + */ > +int security_getselfattr(unsigned int attr, struct lsm_ctx __user *ctx, > + size_t __user *size, u32 flags) > +{ > + struct security_hook_list *hp; > + struct lsm_ctx lctx = { .id = LSM_ID_UNDEF, }; > + u8 __user *base = (u8 __user *)ctx; > + size_t total = 0; > + size_t entrysize; > + size_t left; > + bool toobig = false; > + int count = 0; > + int rc; > + > + if (attr == 0) > + return -EINVAL; > + if (size == NULL) > + return -EINVAL; > + if (get_user(left, size)) > + return -EFAULT; > + > + if ((flags & LSM_FLAG_SINGLE) == LSM_FLAG_SINGLE) { > + if (!ctx) > + return -EINVAL; > + if (copy_struct_from_user(&lctx, sizeof(lctx), ctx, left)) > + return -EFAULT; > + if (lctx.id == LSM_ID_UNDEF) > + return -EINVAL; > + } else if (flags) { > + return -EINVAL; > + } > + > + hlist_for_each_entry(hp, &security_hook_heads.getselfattr, list) { > + if (lctx.id != LSM_ID_UNDEF && lctx.id != hp->lsmid->id) > + continue; I think we're missing a copy_struct_from_user() call somewhere; how does @lctx get populated in the non-LSM_FLAG_SINGLE case? How does it move to the next entry in the buffer? Am I missing something obvious? Was this code tested? > + entrysize = left; > + if (base) > + ctx = (struct lsm_ctx __user *)(base + total); > + rc = hp->hook.getselfattr(attr, ctx, &entrysize, flags); > + if (rc == -EOPNOTSUPP) { > + rc = 0; > + continue; > + } > + if (rc == -E2BIG) { > + toobig = true; > + left = 0; > + continue; > + } > + if (rc < 0) > + return rc; > + > + left -= entrysize; > + total += entrysize; > + count += rc; > + } > + if (put_user(total, size)) > + return -EFAULT; > + if (toobig) > + return -E2BIG; > + if (count == 0) > + return LSM_RET_DEFAULT(getselfattr); > + return count; > +} > + > +/** > + * security_setselfattr - Set an LSM attribute on the current process. > + * @attr: which attribute to set > + * @ctx: the user-space source for the information > + * @size: the size of the data > + * @flags: reserved for future use, must be 0 > + * > + * Set an LSM attribute for the current process. The LSM, attribute > + * and new value are included in @ctx. > + * > + * Returns 0 on success, -EINVAL if the input is inconsistent, -EFAULT > + * if the user buffer is inaccessible or an LSM specific failure. > + */ > +int security_setselfattr(unsigned int attr, struct lsm_ctx __user *ctx, > + size_t size, u32 flags) > +{ > + struct security_hook_list *hp; > + struct lsm_ctx lctx; > + > + if (flags) > + return -EINVAL; Once again, I don't see a reasonable way to support setting an attribute across multiple LSMs, but for the sake of consistency across both the getselfattr and setselfattr syscalls, what do people think about *requiring* the LSM_FLAG_SINGLE flag here in the setselfattr syscalls since it can only operate on a single LSM at a time? A zero flag value would return -EINVAL. > + if (size < sizeof(*ctx)) > + return -EINVAL; > + if (copy_from_user(&lctx, ctx, sizeof(*ctx))) > + return -EFAULT; > + if (size < lctx.len || size < lctx.ctx_len + sizeof(ctx) || > + lctx.len < lctx.ctx_len + sizeof(ctx)) > + return -EINVAL; > + > + hlist_for_each_entry(hp, &security_hook_heads.setselfattr, list) > + if ((hp->lsmid->id) == lctx.id) > + return hp->hook.setselfattr(attr, ctx, size, flags); > + > + return LSM_RET_DEFAULT(setselfattr); > +} > + > int security_getprocattr(struct task_struct *p, int lsmid, const char *name, > char **value) > { > -- > 2.39.2 -- paul-moore.com