From: Paul Moore <paul@paul-moore.com>
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: linux-security-module@vger.kernel.org, jmorris@namei.org,
	serge@hallyn.com, keescook@chromium.org,
	john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp,
	stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org,
	linux-api@vger.kernel.org, mic@digikod.net
Subject: Re: [PATCH v15 00/11] LSM: Three basic syscalls
Date: Sun, 12 Nov 2023 23:03:09 -0500
Message-ID: <CAHC9VhQ=+Wkww2zhvtNvW8wacd6KBTc1AHTGVVY=1mUNK8Y_Jg@mail.gmail.com>
In-Reply-To: <20230912205658.3432-1-casey@schaufler-ca.com>

On Tue, Sep 12, 2023 at 4:57 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
>
> Add three system calls for the Linux Security Module ABI.
>
> lsm_get_self_attr() provides the security module specific attributes
> that have previously been visible in the /proc/self/attr directory.
> For each security module that uses the specified attribute on the
> current process the system call will return an LSM identifier and
> the value of the attribute. The LSM and attribute identifier values
> are defined in include/uapi/linux/lsm.h
>
> LSM identifiers are simple integers and reflect the order in which
> the LSM was added to the mainline kernel. This is a convention, not
> a promise of the API. LSM identifiers below the value of 100 are
> reserved for unspecified future uses. That could include information
> about the security infrastructure itself, or about how multiple LSMs
> might interact with each other.
>
> A new LSM hook security_getselfattr() is introduced to get the
> required information from the security modules. This is similar
> to the existing security_getprocattr() hook, but specifies the
> format in which string data is returned and requires the module
> to put the information into a userspace destination.
>
> lsm_set_self_attr() changes the specified LSM attribute. Only one
> attribute can be changed at a time, and then only if the specified
> security module allows the change.
>
> A new LSM hook security_setselfattr() is introduced to set the
> required information in the security modules. This is similar
> to the existing security_setprocattr() hook, but specifies the
> format in which string data is presented and requires the module
> to get the information from a userspace destination.
>
> lsm_list_modules() provides the LSM identifiers, in order, of the
> security modules that are active on the system. This has been
> available in the securityfs file /sys/kernel/security/lsm.
>
> Patch 0001 changes the LSM registration from passing the name
> of the module to passing a lsm_id structure that contains the
> name of the module, an LSM identifier number and an attribute
> identifier.
> Patch 0002 adds the registered lsm_ids to a table.
> Patch 0003 changes security_[gs]etprocattr() to use LSM IDs instead
> of LSM names.
> Patch 0004 implements lsm_get_self_attr() and lsm_set_self_attr().
> New LSM hooks security_getselfattr() and security_setselfattr() are
> defined.
> Patch 0005 implements lsm_list_modules().
> Patch 0006 wires up the syscalls.
> Patch 0007 implements helper functions to make it easier for
> security modules to use lsm_ctx structures.
> Patch 0008 provides the Smack implementation for [gs]etselfattr().
> Patch 0009 provides the AppArmor implementation for [gs]etselfattr().
> Patch 0010 provides the SELinux implementation for [gs]etselfattr().
> Patch 0011 implements selftests for the three new syscalls.
>
> https://github.com/cschaufler/lsm-stacking.git#syscalls-6.5-rc7-v14
>
> v15: Rebased on 6.6-rc1.
>      Adopt suggested improvements to security_getprocattr,
>      making the code easier to read.
>      Squash a code fix from 0011 to 0004.
> v14: Make the handling of LSM_FLAG_SINGLE easier to understand.
>      Tighten the comments and documentation.
>      Better use of const, static, and __ro_after_init.
>      Add selftests for LSM_FLAG_SINGLE cases.
> v13: Change the setselfattr code to do a single user copy.
>      Make the self tests more robust.
>      Improve use of const.
>      Change syscall numbers to reflect upstream additions.
> v12: Repair a registration time overflow check.
> v11: Remove redundant alignment code
>      Improve a few comments.
>      Use LSM_ATTR_UNDEF in place of 0 in a few places.
>      Correct a return of -EINVAL to -E2BIG.
> v10: Correct use of __user.
>      Improve a few comments.
>      Revert unnecessary changes in module initialization.
> v9: Support a flag LSM_FLAG_SINGLE in lsm_get_self_attr() that
>     instructs the call to provide only the attribute for the LSM
>     identified in the referenced lsm_ctx structure.
>     Fix a typing error.
>     Change some coding style.
> v8: Allow an LSM to provide more than one instance of an attribute,
>     even though none of the existing modules do so.
>     Pad the data returned by lsm_get_self_attr() to the size of
>     the struct lsm_ctx.
>     Change some displeasing variable names.
> v7: Pass the attribute desired to lsm_[gs]et_self_attr in its own
>     parameter rather than encoding it in the flags.
>     Change the flags parameters to u32.
>     Don't shortcut out of calling LSM specific code in the
>     infrastructure, let the LSM report that doesn't support an
>     attribute instead. With that it is not necessary to maintain
>     a set of supported attributes in the lsm_id structure.
>     Fix a typing error.
> v6: Switch from reusing security_[gs]procattr() to using new
>     security_[gs]selfattr() hooks. Use explicit sized data types
>     in the lsm_ctx structure.
>
> v5: Correct syscall parameter data types.
>
> v4: Restore "reserved" LSM ID values. Add explanation.
>     Squash patches that introduce fields in lsm_id.
>     Correct a wireup error.
>
> v3: Add lsm_set_self_attr().
>     Rename lsm_self_attr() to lsm_get_self_attr().
>     Provide the values only for a specified attribute in
>     lsm_get_self_attr().
>     Add selftests for the three new syscalls.
>     Correct some parameter checking.
>
> v2: Use user-interface safe data types.
>     Remove "reserved" LSM ID values.
>     Improve kerneldoc comments
>     Include copyright dates
>     Use more descriptive name for LSM counter
>     Add documentation
>     Correct wireup errors
>
> Casey Schaufler (11):
>   LSM: Identify modules by more than name
>   LSM: Maintain a table of LSM attribute data
>   proc: Use lsmids instead of lsm names for attrs
>   LSM: syscalls for current process attributes
>   LSM: Create lsm_list_modules system call
>   LSM: wireup Linux Security Module syscalls
>   LSM: Helpers for attribute names and filling lsm_ctx
>   Smack: implement setselfattr and getselfattr hooks
>   AppArmor: Add selfattr hooks
>   SELinux: Add selfattr hooks
>   LSM: selftests for Linux Security Module syscalls
>
>  Documentation/userspace-api/index.rst         |   1 +
>  Documentation/userspace-api/lsm.rst           |  73 +++++
>  MAINTAINERS                                   |   2 +
>  arch/alpha/kernel/syscalls/syscall.tbl        |   3 +
>  arch/arm/tools/syscall.tbl                    |   3 +
>  arch/arm64/include/asm/unistd.h               |   2 +-
>  arch/arm64/include/asm/unistd32.h             |   6 +
>  arch/ia64/kernel/syscalls/syscall.tbl         |   3 +
>  arch/m68k/kernel/syscalls/syscall.tbl         |   3 +
>  arch/microblaze/kernel/syscalls/syscall.tbl   |   3 +
>  arch/mips/kernel/syscalls/syscall_n32.tbl     |   3 +
>  arch/mips/kernel/syscalls/syscall_n64.tbl     |   3 +
>  arch/mips/kernel/syscalls/syscall_o32.tbl     |   3 +
>  arch/parisc/kernel/syscalls/syscall.tbl       |   3 +
>  arch/powerpc/kernel/syscalls/syscall.tbl      |   3 +
>  arch/s390/kernel/syscalls/syscall.tbl         |   3 +
>  arch/sh/kernel/syscalls/syscall.tbl           |   3 +
>  arch/sparc/kernel/syscalls/syscall.tbl        |   3 +
>  arch/x86/entry/syscalls/syscall_32.tbl        |   3 +
>  arch/x86/entry/syscalls/syscall_64.tbl        |   3 +
>  arch/xtensa/kernel/syscalls/syscall.tbl       |   3 +
>  fs/proc/base.c                                |  29 +-
>  fs/proc/internal.h                            |   2 +-
>  include/linux/lsm_hook_defs.h                 |   4 +
>  include/linux/lsm_hooks.h                     |  17 +-
>  include/linux/security.h                      |  46 ++-
>  include/linux/syscalls.h                      |   6 +
>  include/uapi/asm-generic/unistd.h             |   9 +-
>  include/uapi/linux/lsm.h                      |  90 ++++++
>  kernel/sys_ni.c                               |   3 +
>  security/Makefile                             |   1 +
>  security/apparmor/include/procattr.h          |   2 +-
>  security/apparmor/lsm.c                       |  99 ++++++-
>  security/apparmor/procattr.c                  |  10 +-
>  security/bpf/hooks.c                          |   9 +-
>  security/commoncap.c                          |   8 +-
>  security/landlock/cred.c                      |   2 +-
>  security/landlock/fs.c                        |   2 +-
>  security/landlock/ptrace.c                    |   2 +-
>  security/landlock/setup.c                     |   6 +
>  security/landlock/setup.h                     |   1 +
>  security/loadpin/loadpin.c                    |   9 +-
>  security/lockdown/lockdown.c                  |   8 +-
>  security/lsm_syscalls.c                       | 120 ++++++++
>  security/safesetid/lsm.c                      |   9 +-
>  security/security.c                           | 253 +++++++++++++++-
>  security/selinux/hooks.c                      | 143 +++++++--
>  security/smack/smack_lsm.c                    | 103 ++++++-
>  security/tomoyo/tomoyo.c                      |   9 +-
>  security/yama/yama_lsm.c                      |   8 +-
>  .../arch/mips/entry/syscalls/syscall_n64.tbl  |   3 +
>  .../arch/powerpc/entry/syscalls/syscall.tbl   |   3 +
>  .../perf/arch/s390/entry/syscalls/syscall.tbl |   3 +
>  .../arch/x86/entry/syscalls/syscall_64.tbl    |   3 +
>  tools/testing/selftests/Makefile              |   1 +
>  tools/testing/selftests/lsm/.gitignore        |   1 +
>  tools/testing/selftests/lsm/Makefile          |  17 ++
>  tools/testing/selftests/lsm/common.c          |  89 ++++++
>  tools/testing/selftests/lsm/common.h          |  33 +++
>  tools/testing/selftests/lsm/config            |   3 +
>  .../selftests/lsm/lsm_get_self_attr_test.c    | 275 ++++++++++++++++++
>  .../selftests/lsm/lsm_list_modules_test.c     | 140 +++++++++
>  .../selftests/lsm/lsm_set_self_attr_test.c    |  74 +++++
>  63 files changed, 1694 insertions(+), 93 deletions(-)
>  create mode 100644 Documentation/userspace-api/lsm.rst
>  create mode 100644 include/uapi/linux/lsm.h
>  create mode 100644 security/lsm_syscalls.c
>  create mode 100644 tools/testing/selftests/lsm/.gitignore
>  create mode 100644 tools/testing/selftests/lsm/Makefile
>  create mode 100644 tools/testing/selftests/lsm/common.c
>  create mode 100644 tools/testing/selftests/lsm/common.h
>  create mode 100644 tools/testing/selftests/lsm/config
>  create mode 100644 tools/testing/selftests/lsm/lsm_get_self_attr_test.c
>  create mode 100644 tools/testing/selftests/lsm/lsm_list_modules_test.c
>  create mode 100644 tools/testing/selftests/lsm/lsm_set_self_attr_test.c

This patchset is now in lsm/dev, thanks everyone!

-- 
paul-moore.com
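
Added example, not part of this message or of the patch set: a bounds-checked userspace walk over a buffer of lsm_ctx records of the kind the cover letter says lsm_get_self_attr() returns (one padded record per LSM, possibly several). The record layout (64-bit id, flags, len, ctx_len, then the value bytes) is an assumption about struct lsm_ctx that this page does not show; the function names, the 8-byte padding, ID 1001 and the label string are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed record header (not on this page); value bytes and padding follow. */
struct lsm_ctx_hdr { uint64_t id, flags, len, ctx_len; };

/* Append one constructed record, padded to 8 bytes; returns its size or 0. */
size_t put_lsm_ctx(uint8_t *buf, size_t cap, uint64_t id, const char *val)
{
    struct lsm_ctx_hdr h = { id, 0, 0, strlen(val) + 1 };
    h.len = (sizeof(h) + h.ctx_len + 7) & ~(uint64_t)7;
    if (h.len > cap)
        return 0;
    memset(buf, 0, h.len);
    memcpy(buf, &h, sizeof(h));
    memcpy(buf + sizeof(h), val, h.ctx_len);
    return h.len;
}

/* Walk buf[0..size). Returns the record count, or -1 if any record is
 * malformed. The value of a record whose id is want_id is copied to out. */
long walk_lsm_ctx(const uint8_t *buf, size_t size, uint64_t want_id,
                  char *out, size_t out_cap)
{
    struct lsm_ctx_hdr h;
    long n = 0;
    for (size_t off = 0; off < size; off += h.len, n++) {
        if (size - off < sizeof(h))
            return -1;                     /* truncated header */
        memcpy(&h, buf + off, sizeof(h));  /* avoids unaligned reads */
        if (h.len < sizeof(h) || h.len > size - off ||  /* stalls or overruns */
            h.ctx_len > h.len - sizeof(h))              /* value exceeds record */
            return -1;
        if (h.id == want_id && out_cap > 0) {
            size_t c = h.ctx_len < out_cap - 1 ? h.ctx_len : out_cap - 1;
            memcpy(out, buf + off + sizeof(h), c);
            out[c] = '\0';
        }
    }
    return n;
}

int main(void)
{
    uint8_t buf[128];
    char val[32] = "";
    size_t n = put_lsm_ctx(buf, sizeof(buf), 1001, "constructed-label");
    printf("%ld %s\n", walk_lsm_ctx(buf, n, 1001, val, sizeof(val)), val);
}
```

The walk advances by len rather than by ctx_len, so padding is skipped without being interpreted, and a len smaller than the header is rejected so the loop cannot stall.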
