All of lore.kernel.org
 help / color / mirror / Atom feed
From: Casey Schaufler <casey@schaufler-ca.com>
To: "Mickaël Salaün" <mic@digikod.net>,
	casey.schaufler@intel.com, paul@paul-moore.com,
	linux-security-module@vger.kernel.org
Cc: jmorris@namei.org, keescook@chromium.org,
	john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp,
	stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org,
	linux-api@vger.kernel.org, casey@schaufler-ca.com
Subject: Re: [PATCH v3 2/9] LSM: Identify the process attributes for each module
Date: Fri, 25 Nov 2022 10:27:02 -0800	[thread overview]
Message-ID: <e75185e6-9b16-82a8-5d9b-cdfdc60962bf@schaufler-ca.com> (raw)
In-Reply-To: <a94f2bf6-1429-af6d-64a2-3403f60c8ba3@digikod.net>

On 11/25/2022 8:41 AM, Mickaël Salaün wrote:
>
> On 23/11/2022 21:15, Casey Schaufler wrote:
>> Add an integer member "attrs_used" to the struct lsm_id which
>> identifies the API related data associated with each security
>> module. The initial set of features maps to information that
>> has traditionaly been available in /proc/self/attr. They are
>> documented in a new userspace-api file.
>>
>> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
>> ---
>>   Documentation/userspace-api/index.rst |  1 +
>>   Documentation/userspace-api/lsm.rst   | 55 +++++++++++++++++++++++++++
>>   include/linux/lsm_hooks.h             |  2 +
>>   include/uapi/linux/lsm.h              | 12 ++++++
>>   security/apparmor/lsm.c               |  1 +
>>   security/selinux/hooks.c              |  2 +
>>   security/smack/smack_lsm.c            |  1 +
>>   7 files changed, 74 insertions(+)
>>   create mode 100644 Documentation/userspace-api/lsm.rst
>>
>> diff --git a/Documentation/userspace-api/index.rst
>> b/Documentation/userspace-api/index.rst
>> index c78da9ce0ec4..6feff0fcd88f 100644
>> --- a/Documentation/userspace-api/index.rst
>> +++ b/Documentation/userspace-api/index.rst
>> @@ -30,6 +30,7 @@ place where this information is gathered.
>>      sysfs-platform_profile
>>      vduse
>>      futex2
>> +   lsm
>>     .. only::  subproject and html
>>   diff --git a/Documentation/userspace-api/lsm.rst
>> b/Documentation/userspace-api/lsm.rst
>> new file mode 100644
>> index 000000000000..6ddf5506110b
>> --- /dev/null
>> +++ b/Documentation/userspace-api/lsm.rst
>> @@ -0,0 +1,55 @@
>> +.. SPDX-License-Identifier: GPL-2.0
>> +.. Copyright (C) 2022 Casey Schaufler <casey@schaufler-ca.com>
>> +.. Copyright (C) 2022 Intel Corporation
>> +
>> +=====================================
>> +Linux Security Modules
>> +=====================================
>> +
>> +:Author: Casey Schaufler
>> +:Date: November 2022
>> +
>> +Linux security modules (LSM) provide a mechanism to implement
>> +additional access controls to the Linux security policies.
>> +
>> +The various security modules may support any of these attributes:
>> +
>> +``LSM_ATTR_CURRENT`` is the current, active security context of the
>> +process.
>> +The proc filesystem provides this value in ``/proc/self/attr/current``.
>> +This is supported by the SELinux, Smack and AppArmor security modules.
>> +Smack also provides this value in ``/proc/self/attr/smack/current``.
>> +AppArmor also provides this value in
>> ``/proc/self/attr/apparmor/current``.
>> +
>> +``LSM_ATTR_EXEC`` is the security context of the process at the time
>> the
>> +current image was executed.
>> +The proc filesystem provides this value in ``/proc/self/attr/exec``.
>> +This is supported by the SELinux and AppArmor security modules.
>> +AppArmor also provides this value in ``/proc/self/attr/apparmor/exec``.
>> +
>> +``LSM_ATTR_FSCREATE`` is the security context of the process used when
>> +creating file system objects.
>> +The proc filesystem provides this value in
>> ``/proc/self/attr/fscreate``.
>> +This is supported by the SELinux security module.
>> +
>> +``LSM_ATTR_KEYCREATE`` is the security context of the process used when
>> +creating key objects.
>> +The proc filesystem provides this value in
>> ``/proc/self/attr/keycreate``.
>> +This is supported by the SELinux security module.
>> +
>> +``LSM_ATTR_PREV`` is the security context of the process at the time
>> the
>> +current security context was set.
>> +The proc filesystem provides this value in ``/proc/self/attr/prev``.
>> +This is supported by the SELinux and AppArmor security modules.
>> +AppArmor also provides this value in ``/proc/self/attr/apparmor/prev``.
>> +
>> +``LSM_ATTR_SOCKCREATE`` is the security context of the process used
>> when
>> +creating socket objects.
>> +The proc filesystem provides this value in
>> ``/proc/self/attr/sockcreate``.
>> +This is supported by the SELinux security module.
>> +
>> +Additional documentation
>> +========================
>> +
>> +* Documentation/security/lsm.rst
>> +* Documentation/security/lsm-development.rst
>> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
>> index d306db1044d1..7e88acc37a29 100644
>> --- a/include/linux/lsm_hooks.h
>> +++ b/include/linux/lsm_hooks.h
>> @@ -1606,12 +1606,14 @@ struct security_hook_heads {
>>    * struct lsm_id - identify a Linux Security Module.
>>    * @lsm: Name of the LSM. Must be approved by the LSM maintainers.
>>    * @id: LSM ID number from uapi/linux/lsm.h
>> + * @attrs_used: Which attributes this LSM supports.
>>    *
>>    * Contains the information that identifies the LSM.
>>    */
>>   struct lsm_id {
>>       const u8    *lsm;
>>       u32        id;
>> +    u64        attrs_used;
>
> I'd prefer this field to be part of the previous patch. This doesn't
> change much but it is to highlight that the struct lsm_id size should
> not change unless properly handled by userspace.

Sigh. Given my druthers there would be a lot fewer, but somewhat larger, patches
in this set. I will happily make this change, but fear reprisal from those who
want a bizzilion tiny patches. (You know who you are) Also note that this is not
an externally visible structure, and that the lsm_ctx structure that is user
visible hasn't been introduced yet.

>
>
>>   };
>>     /*
>> diff --git a/include/uapi/linux/lsm.h b/include/uapi/linux/lsm.h
>> index 47791c330cbf..8e9124bf622c 100644
>> --- a/include/uapi/linux/lsm.h
>> +++ b/include/uapi/linux/lsm.h
>> @@ -29,4 +29,16 @@
>>   #define LSM_ID_BPF        110
>>   #define LSM_ID_LANDLOCK        111
>>   +/*
>> + * LSM_ATTR_XXX values identify the /proc/.../attr entry that the
>> + * context represents. Not all security modules provide all of these
>> + * values. Some security modules provide none of them.
>> + */
>> +#define LSM_ATTR_CURRENT    0x0001
>> +#define LSM_ATTR_EXEC        0x0002
>> +#define LSM_ATTR_FSCREATE    0x0004
>> +#define LSM_ATTR_KEYCREATE    0x0008
>> +#define LSM_ATTR_PREV        0x0010
>> +#define LSM_ATTR_SOCKCREATE    0x0020
>> +
>>   #endif /* _UAPI_LINUX_LSM_H */
>> diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
>> index b859b1af6c75..3a6bf4f95d84 100644
>> --- a/security/apparmor/lsm.c
>> +++ b/security/apparmor/lsm.c
>> @@ -1206,6 +1206,7 @@ struct lsm_blob_sizes apparmor_blob_sizes
>> __lsm_ro_after_init = {
>>   static struct lsm_id apparmor_lsmid __lsm_ro_after_init = {
>>       .lsm = "apparmor",
>>       .id = LSM_ID_APPARMOR,
>> +    .attrs_used = LSM_ATTR_CURRENT | LSM_ATTR_PREV | LSM_ATTR_EXEC,
>>   };
>>     static struct security_hook_list apparmor_hooks[]
>> __lsm_ro_after_init = {
>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>> index 5fcce36267bd..e831d9c38c54 100644
>> --- a/security/selinux/hooks.c
>> +++ b/security/selinux/hooks.c
>> @@ -7018,6 +7018,8 @@ static int selinux_uring_cmd(struct
>> io_uring_cmd *ioucmd)
>>   static struct lsm_id selinux_lsmid __lsm_ro_after_init = {
>>       .lsm = "selinux",
>>       .id = LSM_ID_SELINUX,
>> +    .attrs_used = LSM_ATTR_CURRENT | LSM_ATTR_EXEC |
>> LSM_ATTR_FSCREATE |
>> +              LSM_ATTR_KEYCREATE | LSM_ATTR_PREV | LSM_ATTR_SOCKCREATE,
>>   };
>>     /*
>> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
>> index c7ba80e20b8d..c2a05217bde4 100644
>> --- a/security/smack/smack_lsm.c
>> +++ b/security/smack/smack_lsm.c
>> @@ -4791,6 +4791,7 @@ struct lsm_blob_sizes smack_blob_sizes
>> __lsm_ro_after_init = {
>>   static struct lsm_id smack_lsmid __lsm_ro_after_init = {
>>       .lsm = "smack",
>>       .id = LSM_ID_SMACK,
>> +    .attrs_used = LSM_ATTR_CURRENT,
>>   };
>>     static struct security_hook_list smack_hooks[]
>> __lsm_ro_after_init = {

  reply	other threads:[~2022-11-25 18:27 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20221123201552.7865-1-casey.ref@schaufler-ca.com>
2022-11-23 20:15 ` [PATCH v3 0/9] LSM: Three basic syscalls Casey Schaufler
2022-11-23 20:15   ` [PATCH v3 1/9] LSM: Identify modules by more than name Casey Schaufler
2022-11-24  5:40     ` Greg KH
2022-11-25 16:19       ` Mickaël Salaün
2022-11-28  3:48         ` Paul Moore
2022-11-28  7:51           ` Greg KH
2022-11-28 12:49             ` Paul Moore
2022-11-28 19:07               ` Casey Schaufler
2022-11-25 16:30     ` Mickaël Salaün
2022-11-28  3:52       ` Paul Moore
2022-11-23 20:15   ` [PATCH v3 2/9] LSM: Identify the process attributes for each module Casey Schaufler
2022-11-25 16:41     ` Mickaël Salaün
2022-11-25 18:27       ` Casey Schaufler [this message]
2022-11-23 20:15   ` [PATCH v3 3/9] LSM: Maintain a table of LSM attribute data Casey Schaufler
2022-11-23 20:15   ` [PATCH v3 4/9] proc: Use lsmids instead of lsm names for attrs Casey Schaufler
2022-11-23 20:15   ` [PATCH v3 5/9] LSM: lsm_get_self_attr syscall for LSM self attributes Casey Schaufler
2022-11-25 13:54     ` kernel test robot
2022-12-04  2:16     ` kernel test robot
2022-11-23 20:15   ` [PATCH v3 6/9] LSM: Create lsm_module_list system call Casey Schaufler
2022-11-23 20:15   ` [PATCH v3 7/9] LSM: lsm_set_self_attr syscall for LSM self attributes Casey Schaufler
2022-11-23 20:15   ` [PATCH v3 8/9] LSM: wireup Linux Security Module syscalls Casey Schaufler
2022-11-27  9:50     ` kernel test robot
2022-11-23 20:15   ` [PATCH v3 9/9] LSM: selftests for Linux Security Module infrastructure syscalls Casey Schaufler

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=e75185e6-9b16-82a8-5d9b-cdfdc60962bf@schaufler-ca.com \
    --to=casey@schaufler-ca.com \
    --cc=casey.schaufler@intel.com \
    --cc=jmorris@namei.org \
    --cc=john.johansen@canonical.com \
    --cc=keescook@chromium.org \
    --cc=linux-api@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mic@digikod.net \
    --cc=paul@paul-moore.com \
    --cc=penguin-kernel@i-love.sakura.ne.jp \
    --cc=stephen.smalley.work@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.