From: Casey Schaufler <casey@schaufler-ca.com>
To: Paul Moore <paul@paul-moore.com>
Cc: linux-security-module@vger.kernel.org, jmorris@namei.org,
keescook@chromium.org, john.johansen@canonical.com,
penguin-kernel@i-love.sakura.ne.jp,
stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org,
linux-api@vger.kernel.org, mic@digikod.net,
Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: [PATCH v7 07/11] LSM: Helpers for attribute names and filling an lsm_ctx
Date: Thu, 30 Mar 2023 13:42:44 -0700 [thread overview]
Message-ID: <c79a66f4-53c0-66f5-4539-4994365aa656@schaufler-ca.com> (raw)
In-Reply-To: <CAHC9VhT9j78jC66xv-pV1iPmgEK6=fHddFVaAS8Qmm_WyYMypQ@mail.gmail.com>
On 3/29/2023 6:13 PM, Paul Moore wrote:
> On Wed, Mar 15, 2023 at 6:50 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
>> Add lsm_name_to_attr(), which translates a text string to a
>> LSM_ATTR value if one is available.
>>
>> Add lsm_fill_user_ctx(), which fills a struct lsm_ctx, including
>> the trailing attribute value.
>>
>> All are used in module specific components of LSM system calls.
>>
>> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
>> ---
>> include/linux/security.h | 13 ++++++++++
>> security/lsm_syscalls.c | 51 ++++++++++++++++++++++++++++++++++++++++
>> security/security.c | 31 ++++++++++++++++++++++++
>> 3 files changed, 95 insertions(+)
> ..
>
>> diff --git a/security/lsm_syscalls.c b/security/lsm_syscalls.c
>> index 6efbe244d304..55d849ad5d6e 100644
>> --- a/security/lsm_syscalls.c
>> +++ b/security/lsm_syscalls.c
>> @@ -17,6 +17,57 @@
>> #include <linux/lsm_hooks.h>
>> #include <uapi/linux/lsm.h>
>>
>> +struct attr_map {
>> + char *name;
>> + u64 attr;
>> +};
>> +
>> +static const struct attr_map lsm_attr_names[] = {
>> + {
>> + .name = "current",
>> + .attr = LSM_ATTR_CURRENT,
>> + },
>> + {
>> + .name = "exec",
>> + .attr = LSM_ATTR_EXEC,
>> + },
>> + {
>> + .name = "fscreate",
>> + .attr = LSM_ATTR_FSCREATE,
>> + },
>> + {
>> + .name = "keycreate",
>> + .attr = LSM_ATTR_KEYCREATE,
>> + },
>> + {
>> + .name = "prev",
>> + .attr = LSM_ATTR_PREV,
>> + },
>> + {
>> + .name = "sockcreate",
>> + .attr = LSM_ATTR_SOCKCREATE,
>> + },
>> +};
>> +
>> +/**
>> + * lsm_name_to_attr - map an LSM attribute name to its ID
>> + * @name: name of the attribute
>> + *
>> + * Look the given @name up in the table of know attribute names.
>> + *
>> + * Returns the LSM attribute value associated with @name, or 0 if
>> + * there is no mapping.
>> + */
>> +u64 lsm_name_to_attr(const char *name)
>> +{
>> + int i;
>> +
>> + for (i = 0; i < ARRAY_SIZE(lsm_attr_names); i++)
>> + if (!strcmp(name, lsm_attr_names[i].name))
>> + return lsm_attr_names[i].attr;
> I'm pretty sure this is the only place where @lsm_attr_names is used,
> right? If true, when coupled with the idea that these syscalls are
> going to close the door on new LSM attributes in procfs I think we can
> just put the mapping directly in this function via a series of
> if-statements.
Ick. You're not wrong, but the hard coded if-statement approach goes
against all sorts of coding principles. I'll do it, but I can't say I
like it.
>> + return 0;
>> +}
>> +
>> /**
>> * sys_lsm_set_self_attr - Set current task's security module attribute
>> * @attr: which attribute to set
>> diff --git a/security/security.c b/security/security.c
>> index 2c57fe28c4f7..f7b814a3940c 100644
>> --- a/security/security.c
>> +++ b/security/security.c
>> @@ -753,6 +753,37 @@ static int lsm_superblock_alloc(struct super_block *sb)
>> return 0;
>> }
>>
>> +/**
>> + * lsm_fill_user_ctx - Fill a user space lsm_ctx structure
>> + * @ctx: an LSM context to be filled
>> + * @context: the new context value
>> + * @context_size: the size of the new context value
>> + * @id: LSM id
>> + * @flags: LSM defined flags
>> + *
>> + * Fill all of the fields in a user space lsm_ctx structure.
>> + * Caller is assumed to have verified that @ctx has enough space
>> + * for @context.
>> + * Returns 0 on success, -EFAULT on a copyout error.
>> + */
>> +int lsm_fill_user_ctx(struct lsm_ctx __user *ctx, void *context,
>> + size_t context_size, u64 id, u64 flags)
>> +{
>> + struct lsm_ctx local;
>> + void __user *vc = ctx;
>> +
>> + local.id = id;
>> + local.flags = flags;
>> + local.ctx_len = context_size;
>> + local.len = context_size + sizeof(local);
>> + vc += sizeof(local);
> See my prior comments about void pointer math.
>
>> + if (copy_to_user(ctx, &local, sizeof(local)))
>> + return -EFAULT;
>> + if (context_size > 0 && copy_to_user(vc, context, context_size))
>> + return -EFAULT;
> Should we handle the padding in this function?
This function fills in a lsm_ctx. The padding, if any, is in addition to
the lsm_ctx, not part of it.
>> + return 0;
>> +}
> --
> paul-moore.com
next prev parent reply other threads:[~2023-03-30 20:43 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20230315224704.2672-1-casey.ref@schaufler-ca.com>
2023-03-15 22:46 ` [PATCH v7 00/11] LSM: Three basic syscalls Casey Schaufler
2023-03-15 22:46 ` [PATCH v7 01/11] LSM: Identify modules by more than name Casey Schaufler
2023-03-30 1:10 ` Paul Moore
2023-03-15 22:46 ` [PATCH v7 02/11] LSM: Maintain a table of LSM attribute data Casey Schaufler
2023-03-22 15:30 ` kernel test robot
2023-03-30 1:10 ` Paul Moore
2023-03-15 22:46 ` [PATCH v7 03/11] proc: Use lsmids instead of lsm names for attrs Casey Schaufler
2023-03-15 22:46 ` [PATCH v7 04/11] LSM: syscalls for current process attributes Casey Schaufler
2023-03-16 12:35 ` kernel test robot
2023-03-30 1:12 ` Paul Moore
2023-03-30 11:24 ` Paul Moore
2023-03-30 20:00 ` Casey Schaufler
2023-03-30 23:22 ` Paul Moore
2023-04-03 12:04 ` Mickaël Salaün
2023-04-03 17:36 ` Casey Schaufler
2023-04-03 18:04 ` Mickaël Salaün
2023-04-03 18:28 ` Casey Schaufler
2023-04-11 0:31 ` Paul Moore
2023-03-15 22:46 ` [PATCH v7 05/11] LSM: Create lsm_list_modules system call Casey Schaufler
2023-03-30 1:12 ` Paul Moore
2023-04-03 12:04 ` Mickaël Salaün
2023-04-10 23:37 ` Paul Moore
2023-04-10 23:38 ` Paul Moore
2023-04-13 11:55 ` Mickaël Salaün
2023-03-15 22:46 ` [PATCH v7 06/11] LSM: wireup Linux Security Module syscalls Casey Schaufler
2023-03-15 22:47 ` [PATCH v7 07/11] LSM: Helpers for attribute names and filling an lsm_ctx Casey Schaufler
2023-03-30 1:13 ` Paul Moore
2023-03-30 20:42 ` Casey Schaufler [this message]
2023-03-30 23:28 ` Paul Moore
2023-03-31 16:56 ` Casey Schaufler
2023-03-31 19:24 ` Paul Moore
2023-03-31 20:22 ` Casey Schaufler
2023-04-03 9:47 ` Mickaël Salaün
2023-04-03 9:54 ` Mickaël Salaün
2023-04-03 11:47 ` Mickaël Salaün
2023-04-03 18:04 ` Casey Schaufler
2023-04-03 18:03 ` Casey Schaufler
2023-04-03 18:06 ` Mickaël Salaün
2023-04-03 18:33 ` Casey Schaufler
2023-03-15 22:47 ` [PATCH v7 08/11] Smack: implement setselfattr and getselfattr hooks Casey Schaufler
2023-03-15 22:47 ` [PATCH v7 09/11] AppArmor: Add selfattr hooks Casey Schaufler
2023-03-15 22:47 ` [PATCH v7 10/11] SELinux: " Casey Schaufler
2023-03-30 1:13 ` Paul Moore
2023-03-30 20:55 ` Casey Schaufler
2023-03-30 23:32 ` Paul Moore
2023-03-15 22:47 ` [PATCH v7 11/11] LSM: selftests for Linux Security Module syscalls Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c79a66f4-53c0-66f5-4539-4994365aa656@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).