Re: [PATCH v14 22/23] LSM: Add /proc attr entry for full LSM context

From: Stephen Smalley <sds@tycho.nsa.gov>
To: Casey Schaufler <casey@schaufler-ca.com>,
	casey.schaufler@intel.com, jmorris@namei.org,
	linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: keescook@chromium.org, john.johansen@canonical.com,
	penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com
Subject: Re: [PATCH v14 22/23] LSM: Add /proc attr entry for full LSM context
Date: Mon, 3 Feb 2020 13:54:45 -0500	[thread overview]
Message-ID: <09d96236-715a-344a-38bc-c05208698125@tycho.nsa.gov> (raw)
In-Reply-To: <446935fa-2926-c346-a273-ae1ecbb072cd@schaufler-ca.com>

On 1/31/20 5:10 PM, Casey Schaufler wrote:
>  From c4085435215653b7c4d07a35a9df308120441d79 Mon Sep 17 00:00:00 2001
> From: Casey Schaufler <casey@schaufler-ca.com>
> Date: Fri, 31 Jan 2020 13:57:23 -0800
> Subject: [PATCH v14] LSM: Move "context" format enforcement into security
>   modules
> 
> Document in lsm_hooks.h what is expected of a security module that
> supplies the "context" attribute.  Add handling of the "context"
> attribute to SELinux, Smack and AppArmor security modules. The
> AppArmor implementation provides a different string for "context"
> than it does for other attributes to conform with the "context"
> format.
> 
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> ---
>   include/linux/lsm_hooks.h            |  6 ++++++
>   security/apparmor/include/procattr.h |  2 +-
>   security/apparmor/lsm.c              |  8 ++++++--
>   security/apparmor/procattr.c         | 11 +++++++----
>   security/security.c                  |  2 +-
>   security/selinux/hooks.c             |  2 +-
>   security/smack/smack_lsm.c           |  2 +-
>   7 files changed, 23 insertions(+), 10 deletions(-)
> 
> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> index 2bf82e1cf347..61977a33f2c3 100644
> --- a/include/linux/lsm_hooks.h
> +++ b/include/linux/lsm_hooks.h
> @@ -1321,6 +1321,12 @@
>    *	@pages contains the number of pages.
>    *	Return 0 if permission is granted.
>    *
> + * @getprocattr:
> + *	Provide the named process attribute for display in special files in
> + *	the /proc/.../attr directory.  Attribute naming and the data displayed
> + *	is at the discretion of the security modules.  The exception is the
> + *	"context" attribute, which will contain the security context of the
> + *	task as a nul terminated text string without trailing whitespace.

I'd suggest something like the following instead:
* @getprocattr
*   Get the value of process attribute @name for task @p into a buffer
*   allocated by the security module and returned via @value.  The
*   caller will free the returned buffer via kfree.  The set of
*   attribute names is fixed by proc but the format of @value is up
*   to the security module authors except for the "context" attribute,
*   whose value is required to be a NUL-terminated printable ASCII
*   string without trailing whitespace.
*   @p the task whose attribute is being fetched
*   @name the name of the process attribute being fetched
*   @value set to point to the buffer containing the attribute value
*   Return the length of @value including the NUL on success, or -errno 
on error.

The printable ASCII bit is based on what the dbus maintainer requested 
in previous discussions.  The question of whether the terminating NUL 
should be included in the returned length was otherwise left ambiguous 
and inconsistent in your patch among the different security modules; if 
you prefer not including it in the length returned by the security 
modules, you'll need to adjust SELinux at least to not do so for "context".