From patchwork Fri Apr 28 20:26:45 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 88717 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:b0ea:0:b0:3b6:4342:cba0 with SMTP id b10csp1194399vqo; Fri, 28 Apr 2023 13:30:22 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ6lMFqx6MXm+AmIlM9X7UJ9ZClKR1CSuG3G8PMsPCeriCnCZo5ePj/bsEmfLl5kRoBVsHA/ X-Received: by 2002:a17:902:c94c:b0:1a9:8907:ae3d with SMTP id i12-20020a170902c94c00b001a98907ae3dmr8054904pla.30.1682713821856; Fri, 28 Apr 2023 13:30:21 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1682713821; cv=none; d=google.com; s=arc-20160816; b=pYB6VX9ods7SBKydAjHkDEUsYe1qBjF9V1eTDPzT6aJ8GfvNqJmFtH2g+hqnUd3948 HI+hTODT21rw/VDgE29S5QKJVb1E6FVvecITx+d9RGZzalIC+sI+Iv5gytH0oH9gO6e7 BoBjJ1Szw8Q+4+gD0+/4IMPbbUWZixnP6oU/5H9ilo1TLRKuXPD/mdo3+Stmcbix4B2m DnLbHESiIawycDs9Hma/TzvMoWJVd/hIAWXMEmllfvowkcjVrubVcQkbS/eSxSWz5zrW UipzhlMrl+gvbejqETuFUwmy6mVX6suESIA1ERmfRqdt772c0P00GAtD4kYCJNK08Xjl XuqA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=3rrx2/4CPchvROU7XfPjU63ZFDXsxZuUk/9nazGCq3E=; b=Ajm60wF5I0gYEUkydj0wCdAb9pRiDpAjZsyIeMwI/HzhBPT3tHB4giejCrm/K5hW+d 2HJ701pXFtLHH0FprVdU0dXNjfCx1pOEAQCmCoRofKWVKfrDL7ZVsP1V0DTh9058XRrM 3ilWf4LEMQAE2QNNszpK0uaFLiIsrnk8s33XeWXL+PsrOHVHfpXjMmruN4mOrkY9pQpP E41ICERL5hXr4WuiygHhVqev+ZoSzoTxgfySkc4o2rB+9Ce7CaICvPBUHS1PXpLRSHTI EOjg77V8i4py/XCji+tiHFW2HtXZpmBpn6Aql62M6rWH/7y3IcgOMxXJyDA2tLV1RVT6 A0sg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@yahoo.com header.s=s2048 header.b=oiN6rQSl; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id q13-20020a17090311cd00b001a6db2bef14si23234381plh.157.2023.04.28.13.30.06; Fri, 28 Apr 2023 13:30:21 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@yahoo.com header.s=s2048 header.b=oiN6rQSl; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1346536AbjD1U2u (ORCPT + 99 others); Fri, 28 Apr 2023 16:28:50 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47370 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1346125AbjD1U2k (ORCPT ); Fri, 28 Apr 2023 16:28:40 -0400 Received: from sonic311-30.consmr.mail.ne1.yahoo.com (sonic311-30.consmr.mail.ne1.yahoo.com [66.163.188.211]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 524D01A4 for ; Fri, 28 Apr 2023 13:28:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1682713718; bh=3rrx2/4CPchvROU7XfPjU63ZFDXsxZuUk/9nazGCq3E=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=oiN6rQSlVNOINNLUDvFahlFzE6OaW6ivEOwn3XEmFGJ0TkzELD5dEy+mw78yb1mMdwudcFmST7KGuj5nSxPfjiXTYU+evfrM/TPKbp3BGMHR2SlSHjmdbGKSUWPdvbPY5g32ePYkpZFNAgmE9si8XHnzebMwnJTK1HHfdwG6W+q4+aopgsWEizDV9ADckQFpfCs1PjLypRPkRmTOv/v8AoCbWT8GYe/qyiepYT2QG8y7BrfRRDdvQLmaKLn0PH6VUCPBmoQnoFO8oPciRcCSh92EkTHu5hsS5oEuiThhr1Z6YbvNtLqY+XiGHSNL03zRuWBfsKQFzdio0sjK06GaYA== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1682713718; bh=lJ0QVD5wkDil+YgIbx19IPl2Vyf0WCSRCNhQ8pYXfiu=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=hXMQeLB4qPzS8pzTB/pzxV5ZL6RuZnOVehzz7xAJZab835qKvP8vohurf2PBG4LllbmT8N/kr6GQYf108wmDV3Pmzd5O/AA8P43LbzBGc17ioZzzv2wFP6R41kjaP4TNBi+Tw1hFbAH7tgkVoJnDDUMBx3Dtpn/tVU7X97ovBIQFlFVo9wffbzdQbtPW6yltUzYoCrWg/9VTlchWncf+t/9b2JEUUvtIjOszwiK7c77BlzrK/0KmqJD/wtIsbgsHIq20+cuPBoxytyh9wKbuaitMm3lNbB0rgE3lJgeDJYPDpNQahUXQgyV69NxUPptFrNz26yL25Sqlp0awgQzCvw== X-YMail-OSG: _7O72f8VM1nHW5HLy7KME2Hsa67vEzsSvgGv_iVXcWQR62mqtj6jJVOCS7qjIoZ KYNIGi8CEv9333NWNEUeFYfyrOBILADInQgmVwOk.D77arzZak7y9YHX9rOVnQLa3qyalLFnrJWy 8wn0vfwEJWxC71jlzCFXwD44TcVcfqJN5Ep1GlsuqjbOTpNvKDjtesuJriEGEKJG9EP6D2q5wrun tsaPPjV0zlmCDRQHyvCfctP6xw7w5ZEvodguVJKb.2mvbmR2uTkTGjHjCtmKwjUWxL4gkE.3XOQd .RDaCkE2KpTzMGyFl0ma1BkhBj_ULlC5Tnmk0_._.OpMJqCO6.HkfOPQ_XaWDIQD0A9vp.2rQVQX pSNODyfK0Bd6asO7_DYYifsEpgjMFtYHJSUR8TyQRSmjwkR2yrYU7eJmfKowt1Em9lHlo3dH0gx7 SUnxyR3pnXPwQw68CW8CQwkBArGRx0zC1KlHVaTN0wfX5zKO0m2f6Li9Jg9X1le8hSouGPtwOEQZ b.HUJJSFOiB_0sjIiCPUKllYwHKqZMNybgCCjdoyn36TILkAVFCWjQDyzRwrVsN7I9UfSOxDisSX BqW11e2TiXSvrLnUeRzBBwzbMax2FzSsgqf4MpzFW.ICfEPse8UUUdlRXKbA5TpC2dZQfHGdXkZ7 7zsL_eQgHxuZSLkfl4KY0QkAELBQcXgwngfqJX3M1YJqHjaAQKlUlD5xuhVBeOTBNQCy74TnMa1q 16ECkn.EcYQ2Uo5I1uexzFXT6.re8TovxTTBAwFq1xBZcO0JryvFnDN8eVi8L72G0GmVOPpaY4Cc 5mhqTnIESAbIYP1PA70xGc0qG39j__mdNhTw12eEQYqiR7rRBuQBdXaAb1ik9Ibqjpd9e2R2CtOw 4xXdXd1jXhjPiLV534g8LrU2lgjaKff0bpckMbMj32BxYkRQc_OPCdZtqZbsKkEi7grZAyyFqpYh EsizJq4s5s6SvR4VC9xLgWBkvaNbFPS4LtRssCPMn6nFpBmkcNooRidIp.DjP_ygMtpvaFkBEaa2 9sWyMM.iugnfYTPHegTTHx3ab._P5j8wIqbvxAAgMPIlQNJ6845LHJgL.o3fKlRDCRJKF_Ynpj0a w.146UcguHD.8F2aqMYZGuMQDFSexvqxM7IoLHX1unDxtkxCBVDuIIrtZZJTswbANQWxW1D7F7xp zIKofnqIe2AJmkBbQcOt5HpEJB1O4jPUxZ.9SkZ6lQ4XNnOQC_AvTbC9eybjqpkIkL_Yekx0Pf.H aiI9_JYLJKhTvdnl4P1l2VFaxTJVvOkgFDwSPQ2tJIoEytQez3s8t57pvBOOUu3WIH23.EgKPMK6 bDTDvxZn9Zah4oOx6yUpo5w9aXm5ac2WPoPFjBlgM9FynLyql8Ycg8bGLGa0MpAZ5V4xeeSbuSTx 5QPuvH8.Wc9h.fboDsIP5wRmPApK7nBwbh1tFTQSVKeooBEJMY3jjxegEbHGIk.hIvGHIg_ghOwV M1Zrd0Me.XiapyRMFU1zd5tXBMaOf8pZh1rkhJzqyTle3zHxcXWPyoIwgevJxAfcTopDB6Qflae9 lw4lpczbhUmipZvkAdQIPDl_UBYUBMf.fx1fZuKSSCz6w7d5scl9JUBWPiejFb5ghdwO3gE72fMx FfswJv5ng4avFckOTzpzrlrUn0Y43lp6w.YxVXnQrg56Qalf39Bsnch2yex_jvPdP4LZbYyd9Xqn WTYEtOzO4vH6sWsW0NBoF0KlqH4YOvCJt7ROGFQoAUHgfnPrjYkwPrteKCHu4sodmUnyRx8yx9gI i1c1yHRp1HQyoM60G68L_AHyGWOrWY8lI0Hp6kg9TlTLhX7rHxtejEeLYiHy_P.KwnSAchMkXgno 2KBRUUZWmvOe4Mm7tf2z4dLj4V3tgCGSn_Wtn5r4ShK9QiYrEk6KvkMSx5qwPCnuWsPz7LEyPynF Za5939cTj9t1VIWdBqt5IYPk1AAFGNcOP9tDdJl_dJPWBwNCTbc_Qe28DVMvAh_JZEje4Zk_7nLz q5D3kIHbvvbfkZB9anIP0CpR7uG6ZTZGwy0rK6kdC.8m6vd8ba5pTXw1Xp_TgCx_H760VifETvCm h7dUj8JK_JdyBuaqrDMnCIXdDlNKlcirtG4aB3dN72dOA5PaR_YeEJVNaGN3W4xUJjzChHIf5rK9 .lXglJJR.n.ATJXoXLiLehQ5Hls88O.5f2RsmhQD63GXz8VMCQMZbsbqVFbBOLxJ5.SXfrBFgnSU .UhOYt0HzPoXR6S2OOvLFQ2SxB8Ba4BC6otYjwBJ1toDn.5hKqbbY3A4vx5LtFS4Jjbm7MdCNd1d eVHIal39.dg94BqwACCY- X-Sonic-MF: X-Sonic-ID: b45a82f2-6dc2-4956-8fcd-1d405b8b8989 Received: from sonic.gate.mail.ne1.yahoo.com by sonic311.consmr.mail.ne1.yahoo.com with HTTP; Fri, 28 Apr 2023 20:28:38 +0000 Received: by hermes--production-ne1-7dbd98dd99-tcjjg (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID b58a5884cc254441b7169bc1ab603d8d; Fri, 28 Apr 2023 20:28:35 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, mic@digikod.net Subject: [PATCH v10 05/11] LSM: Create lsm_list_modules system call Date: Fri, 28 Apr 2023 13:26:45 -0700 Message-Id: <20230428202651.159828-6-casey@schaufler-ca.com> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20230428202651.159828-1-casey@schaufler-ca.com> References: <20230428202651.159828-1-casey@schaufler-ca.com> MIME-Version: 1.0 X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_NONE, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1764453328658887643?= X-GMAIL-MSGID: =?utf-8?q?1764453328658887643?= Create a system call to report the list of Linux Security Modules that are active on the system. The list is provided as an array of LSM ID numbers. The calling application can use this list determine what LSM specific actions it might take. That might include choosing an output format, determining required privilege or bypassing security module specific behavior. Signed-off-by: Casey Schaufler Reviewed-by: Kees Cook --- Documentation/userspace-api/lsm.rst | 3 +++ include/linux/syscalls.h | 1 + kernel/sys_ni.c | 1 + security/lsm_syscalls.c | 39 +++++++++++++++++++++++++++++ 4 files changed, 44 insertions(+) diff --git a/Documentation/userspace-api/lsm.rst b/Documentation/userspace-api/lsm.rst index e6c3f262addc..9edae18a2688 100644 --- a/Documentation/userspace-api/lsm.rst +++ b/Documentation/userspace-api/lsm.rst @@ -63,6 +63,9 @@ Get the specified security attributes of the current process .. kernel-doc:: security/lsm_syscalls.c :identifiers: sys_lsm_get_self_attr +.. kernel-doc:: security/lsm_syscalls.c + :identifiers: sys_lsm_list_modules + Additional documentation ======================== diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h index 9a94c31bf6b6..ddbcc333f3c3 100644 --- a/include/linux/syscalls.h +++ b/include/linux/syscalls.h @@ -1063,6 +1063,7 @@ asmlinkage long sys_lsm_get_self_attr(unsigned int attr, struct lsm_ctx *ctx, size_t *size, __u32 flags); asmlinkage long sys_lsm_set_self_attr(unsigned int attr, struct lsm_ctx *ctx, size_t size, __u32 flags); +asmlinkage long sys_lsm_list_modules(u64 *ids, size_t *size, u32 flags); /* * Architecture-specific system calls diff --git a/kernel/sys_ni.c b/kernel/sys_ni.c index d03c78ef1562..ceb3d21a62d0 100644 --- a/kernel/sys_ni.c +++ b/kernel/sys_ni.c @@ -265,6 +265,7 @@ COND_SYSCALL(mremap); /* security/lsm_syscalls.c */ COND_SYSCALL(lsm_get_self_attr); COND_SYSCALL(lsm_set_self_attr); +COND_SYSCALL(lsm_list_modules); /* security/keys/keyctl.c */ COND_SYSCALL(add_key); diff --git a/security/lsm_syscalls.c b/security/lsm_syscalls.c index ee3881159241..b89cccb2f123 100644 --- a/security/lsm_syscalls.c +++ b/security/lsm_syscalls.c @@ -53,3 +53,42 @@ SYSCALL_DEFINE4(lsm_get_self_attr, unsigned int, attr, struct lsm_ctx __user *, { return security_getselfattr(attr, ctx, size, flags); } + +/** + * sys_lsm_list_modules - Return a list of the active security modules + * @ids: the LSM module ids + * @size: size of @ids, updated on return + * @flags: reserved for future use, must be zero + * + * Returns a list of the active LSM ids. On success this function + * returns the number of @ids array elements. This value may be zero + * if there are no LSMs active. If @size is insufficient to contain + * the return data -E2BIG is returned and @size is set to the minimum + * required size. In all other cases a negative value indicating the + * error is returned. + */ +SYSCALL_DEFINE3(lsm_list_modules, u64 __user *, ids, size_t __user *, size, + u32, flags) +{ + size_t total_size = lsm_active_cnt * sizeof(*ids); + size_t usize; + int i; + + if (flags) + return -EINVAL; + + if (get_user(usize, size)) + return -EFAULT; + + if (put_user(total_size, size) != 0) + return -EFAULT; + + if (usize < total_size) + return -E2BIG; + + for (i = 0; i < lsm_active_cnt; i++) + if (put_user(lsm_idlist[i]->id, ids++)) + return -EFAULT; + + return lsm_active_cnt; +}