From: Casey Schaufler <casey@schaufler-ca.com>
To: casey.schaufler@intel.com, paul@paul-moore.com,
linux-security-module@vger.kernel.org
Cc: casey@schaufler-ca.com, jmorris@namei.org, keescook@chromium.org,
john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp,
stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org,
linux-api@vger.kernel.org, mic@digikod.net
Subject: [PATCH v1 0/8] LSM: Two basic syscalls
Date: Tue, 25 Oct 2022 11:45:11 -0700 [thread overview]
Message-ID: <20221025184519.13231-1-casey@schaufler-ca.com> (raw)
In-Reply-To: 20221025184519.13231-1-casey.ref@schaufler-ca.com
Add two system calls for the Linux Security Module ABI.
lsm_self_attr() provides the security module specific attributes
that have previously been visible in the /proc/self/attr directory.
For each attribute that is set on the current process the system
call will return an LSM identifier, an attribute identifier and
the value of the attribute. The LSM and attribute identifier values
are defined in include/uapi/linux/lsm.h
lsm_module_list() provides the LSM identifiers, in order, of the
security modules that are active on the system. This has been
available in the securityfs file /sys/kernel/security/lsm.
Patch 0001 changes the LSM registration from passing the name
of the module to passing a lsm_id structure that contains the
name of the module.
Patch 0002 adds an LSM identifier number to the lsm_id structure.
Patch 0003 adds an attribute identifier to the lsm_id.
Patch 0004 adds the registered lsm_ids to a table.
Patch 0005 changes security_[gs]etprocattr() to use LSM IDs instead
of LSM names.
Patch 0006 implements lsm_self_attr().
Patch 0007 implements lsm_module_list().
Patch 0008 wires up the two syscalls.
Casey Schaufler (8):
LSM: Identify modules by more than name
LSM: Add an LSM identifier for external use
LSM: Identify the process attributes for each module
LSM: Maintain a table of LSM attribute data
proc: Use lsmids instead of lsm names for attrs
LSM: lsm_self_attr syscall for LSM self attributes
LSM: Create lsm_module_list system call
lsm: wireup syscalls lsm_self_attr and lsm_module_list
arch/alpha/kernel/syscalls/syscall.tbl | 2 +
arch/arm/tools/syscall.tbl | 2 +
arch/arm64/include/asm/unistd32.h | 2 +
arch/ia64/kernel/syscalls/syscall.tbl | 2 +
arch/m68k/kernel/syscalls/syscall.tbl | 2 +
arch/microblaze/kernel/syscalls/syscall.tbl | 2 +
arch/mips/kernel/syscalls/syscall_n32.tbl | 2 +
arch/mips/kernel/syscalls/syscall_n64.tbl | 2 +
arch/mips/kernel/syscalls/syscall_o32.tbl | 2 +
arch/parisc/kernel/syscalls/syscall.tbl | 2 +
arch/powerpc/kernel/syscalls/syscall.tbl | 2 +
arch/s390/kernel/syscalls/syscall.tbl | 2 +
arch/sh/kernel/syscalls/syscall.tbl | 2 +
arch/sparc/kernel/syscalls/syscall.tbl | 2 +
arch/x86/entry/syscalls/syscall_32.tbl | 2 +
arch/x86/entry/syscalls/syscall_64.tbl | 2 +
arch/xtensa/kernel/syscalls/syscall.tbl | 2 +
fs/proc/base.c | 29 +--
fs/proc/internal.h | 2 +-
include/linux/lsm_hooks.h | 13 +-
include/linux/security.h | 28 ++-
include/linux/syscalls.h | 3 +
include/uapi/asm-generic/unistd.h | 5 +-
include/uapi/linux/lsm.h | 67 ++++++
kernel/sys_ni.c | 4 +
security/Makefile | 1 +
security/apparmor/lsm.c | 9 +-
security/bpf/hooks.c | 13 +-
security/commoncap.c | 8 +-
security/landlock/cred.c | 2 +-
security/landlock/fs.c | 2 +-
security/landlock/ptrace.c | 2 +-
security/landlock/setup.c | 6 +
security/landlock/setup.h | 1 +
security/loadpin/loadpin.c | 9 +-
security/lockdown/lockdown.c | 8 +-
security/lsm_syscalls.c | 194 ++++++++++++++++++
security/safesetid/lsm.c | 9 +-
security/security.c | 37 +++-
security/selinux/hooks.c | 11 +-
security/smack/smack_lsm.c | 9 +-
security/tomoyo/tomoyo.c | 9 +-
security/yama/yama_lsm.c | 8 +-
.../arch/mips/entry/syscalls/syscall_n64.tbl | 2 +
.../arch/powerpc/entry/syscalls/syscall.tbl | 2 +
.../perf/arch/s390/entry/syscalls/syscall.tbl | 2 +
.../arch/x86/entry/syscalls/syscall_64.tbl | 2 +
47 files changed, 484 insertions(+), 47 deletions(-)
create mode 100644 include/uapi/linux/lsm.h
create mode 100644 security/lsm_syscalls.c
base-commit: 247f34f7b80357943234f93f247a1ae6b6c3a740
--
2.37.3
next parent reply other threads:[~2022-10-25 18:45 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20221025184519.13231-1-casey.ref@schaufler-ca.com>
2022-10-25 18:45 ` Casey Schaufler [this message]
2022-10-25 18:45 ` [PATCH v1 1/8] LSM: Identify modules by more than name Casey Schaufler
2022-10-26 5:56 ` Greg KH
2022-10-25 18:45 ` [PATCH v1 2/8] LSM: Add an LSM identifier for external use Casey Schaufler
2022-10-26 5:58 ` Greg KH
2022-10-26 19:36 ` Casey Schaufler
2022-10-27 0:11 ` Tetsuo Handa
2022-10-27 6:31 ` Greg KH
2022-10-28 16:54 ` Casey Schaufler
2022-11-09 23:33 ` Paul Moore
2022-11-10 0:57 ` Casey Schaufler
2022-11-10 2:37 ` Paul Moore
2022-11-09 23:33 ` Paul Moore
2022-11-10 0:46 ` Casey Schaufler
2022-10-25 18:45 ` [PATCH v1 3/8] LSM: Identify the process attributes for each module Casey Schaufler
2022-10-26 5:59 ` Greg KH
2022-11-09 23:34 ` Paul Moore
2022-11-10 1:03 ` Casey Schaufler
2022-11-10 2:39 ` Paul Moore
2022-10-25 18:45 ` [PATCH v1 4/8] LSM: Maintain a table of LSM attribute data Casey Schaufler
2022-10-26 6:00 ` Greg KH
2022-10-27 0:38 ` Casey Schaufler
2022-10-27 6:29 ` Greg KH
2022-10-27 17:08 ` Casey Schaufler
2022-10-27 17:13 ` Greg KH
2022-11-09 23:34 ` Paul Moore
2022-11-09 23:34 ` Paul Moore
2022-10-25 18:45 ` [PATCH v1 5/8] proc: Use lsmids instead of lsm names for attrs Casey Schaufler
2022-10-25 18:45 ` [PATCH v1 6/8] LSM: lsm_self_attr syscall for LSM self attributes Casey Schaufler
2022-10-25 21:49 ` kernel test robot
2022-10-26 6:03 ` Greg KH
2022-10-26 7:01 ` kernel test robot
2022-10-26 8:14 ` kernel test robot
2022-10-26 9:33 ` kernel test robot
2022-11-09 23:34 ` Paul Moore
2022-11-10 1:32 ` Casey Schaufler
2022-11-10 3:02 ` Paul Moore
2022-11-10 23:36 ` Paul Moore
2022-11-11 0:36 ` Casey Schaufler
2022-11-11 3:16 ` Paul Moore
2022-10-25 18:45 ` [PATCH v1 7/8] LSM: Create lsm_module_list system call Casey Schaufler
2022-10-26 6:02 ` Greg KH
2022-10-26 12:07 ` kernel test robot
2022-11-09 23:35 ` Paul Moore
2022-11-10 1:37 ` Casey Schaufler
2022-11-10 3:17 ` Paul Moore
2022-10-25 18:45 ` [PATCH v1 8/8] lsm: wireup syscalls lsm_self_attr and lsm_module_list Casey Schaufler
2022-10-26 2:01 ` kernel test robot
2022-10-26 8:07 ` Geert Uytterhoeven
[not found] <20221123195744.7738-1-casey.ref@schaufler-ca.com>
2022-11-23 19:57 ` [PATCH v1 0/8] LSM: Two basic syscalls Casey Schaufler
2022-11-23 20:11 ` Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221025184519.13231-1-casey@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=casey.schaufler@intel.com \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).