From patchwork Thu Jan 18 14:36:44 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alice Ryhl X-Patchwork-Id: 189227 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a05:7301:2bc4:b0:101:a8e8:374 with SMTP id hx4csp383983dyb; Thu, 18 Jan 2024 06:38:46 -0800 (PST) X-Google-Smtp-Source: AGHT+IFHVLbrDC8yLuia0W2CvOoyKTpDJ5hodiqNr2qHsVHvXcapnUbHmvoPSVi/TV8BYBDso4Ge X-Received: by 2002:aa7:9a0e:0:b0:6d9:bd4f:9212 with SMTP id w14-20020aa79a0e000000b006d9bd4f9212mr667830pfj.21.1705588726029; Thu, 18 Jan 2024 06:38:46 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1705588726; cv=pass; d=google.com; s=arc-20160816; b=qmWFwpkl/s7QEWYEGbM8h6KwEHM9+GmUmirPeXAJWhct8ql9pJkr80oEK0DVeYMqJo YaME3LSf+IGJPWC9fOlVULoRrRVYv9Hotmlf4MKfb67AV4x9ZBFBf07ZkB1S4Pmx93UR mwPmlo9FwB4TWpo+F26e5O7BYaqVOD6lwDT5gA8yyZCqbudhufl+yKUNkuCH5ReePq+d OsiS6qTW8q1DDZhCISxyi6nDKEQtpSiqxZiShJbuDmf8KVkDU7WyAadjLrxglIm9rjZO 2ViO6nDYdwNJU9ZSetrfvG3mwetkusVttnr3ZEbrRG4DnFIiRRDGs3vq+9QTMDeo+3TU lMDg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=cc:to:from:subject:message-id:references:mime-version :list-unsubscribe:list-subscribe:list-id:precedence:in-reply-to:date :dkim-signature; bh=jmgH0qa3XVbjpGQhdkp6BesDtjCOSEZUBkhyiBWTkXg=; fh=OP+vvG9ih/wBlPG6J6WwyVN77+HGWDbQuR6Uf4lsYyg=; b=KzOtRGOD9Pr7A4wWPHGTv8KJ4iVmhqGZ0a43glOBroPiUSAi2MIjyCgVV5VRztoJav DN3xeJIwhueTYQbg5v9m1LiRNXmPk+Cs3S8CvEHdI3Nbrx8bFarvJORsZJdIfR6fECLL LxcaERyrqU1gkvJnGzJgrZLkA7cv25nsHwqSzUhreOQIOTBpqjfdjCqCendLPura3DvY dW3RsKP96wexNw0UuCQZUdJ/gohylfTVT4iTq+PMI1Gq28v+Gbf7XP4nAnFSwJIMjrYp RO8rW3uRewxhgQHO1qxI6ji4DS3NQfyBgaJwyv7jr6vnW4ezzm21eage1LpkJmK7vcOv TieA== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=bYtXRFKX; arc=pass (i=1 spf=pass spfdomain=flex--aliceryhl.bounces.google.com dkim=pass dkdomain=google.com dmarc=pass fromdomain=google.com); spf=pass (google.com: domain of linux-kernel+bounces-30204-ouuuleilei=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-30204-ouuuleilei=gmail.com@vger.kernel.org"; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99]) by mx.google.com with ESMTPS id e26-20020a65679a000000b005cf88b03757si1507352pgr.70.2024.01.18.06.38.45 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 Jan 2024 06:38:46 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-30204-ouuuleilei=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20230601 header.b=bYtXRFKX; arc=pass (i=1 spf=pass spfdomain=flex--aliceryhl.bounces.google.com dkim=pass dkdomain=google.com dmarc=pass fromdomain=google.com); spf=pass (google.com: domain of linux-kernel+bounces-30204-ouuuleilei=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-30204-ouuuleilei=gmail.com@vger.kernel.org"; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id BC83328417B for ; Thu, 18 Jan 2024 14:38:45 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 078262C1B9; Thu, 18 Jan 2024 14:37:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="bYtXRFKX" Received: from mail-yb1-f202.google.com (mail-yb1-f202.google.com [209.85.219.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E3E8728DC6 for ; Thu, 18 Jan 2024 14:37:01 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.219.202 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1705588625; cv=none; b=A1kYOiWKMOTggeES0Cug+tkCjxD7dX2uIMa+VBvK6lYlrZZ3sV4Zcy4UfT7WkMYmVcGIyOvMnnVlGEEI2b9HHAwd190Wl7spd8/FlOMJJLEtQUvJhglQQpFGuy2a6Y0F/EfekuG9bTwJHhdul8AF5wnhKH8nswW50ZnwGgODh5U= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1705588625; c=relaxed/simple; bh=CsfuAls1TL2YV7CMFadTLsxtXkXtmg2JI5t9uRUkTZc=; h=Received:DKIM-Signature:X-Google-DKIM-Signature: X-Gm-Message-State:X-Google-Smtp-Source:X-Received:Date: In-Reply-To:Mime-Version:References:X-Developer-Key: X-Developer-Signature:X-Mailer:Message-ID:Subject:From:To:Cc: Content-Type; b=aE8UqiCOPln0ifR4g0ZdOA4EgflBXbP8+CE9WRTDB7esJdLkn/idaSJbWOLOSvYjpg0jojUSLO10lOosee2PLSPqSLlPgZO75MSmtO0e6r3rXVHqzXgygDmpZ2Dyp2MAZFbdVPvQJ57MiWvFms/i6keElS+GD0JaHWay8TbT+dM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--aliceryhl.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=bYtXRFKX; arc=none smtp.client-ip=209.85.219.202 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--aliceryhl.bounces.google.com Received: by mail-yb1-f202.google.com with SMTP id 3f1490d57ef6-dc21b7f41a1so5207283276.2 for ; Thu, 18 Jan 2024 06:37:01 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1705588621; x=1706193421; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=jmgH0qa3XVbjpGQhdkp6BesDtjCOSEZUBkhyiBWTkXg=; b=bYtXRFKX20WqqUNCOdLv5Q7Y/17bqb57fPhKDwLlTsgI34LY35PbHoUruVForWiowk eofZOhLD4xhjsNG63qJJjCx4i2p3elFlhoqE4Yao/RInjoeo6LJjv+TTIGThGzTsNRaa P96a7ew20nUND5yS2kcgv0ruHDzD/i4KO8kxS7ep1dNl+ww4c/FNQMabptsE3JAJxwxr xkjqW7VfxO62MFisgLAflhUfTgu3Q5WCfwj6PNDl5pmr5X8+JT/tS3SJMYqCq5JA9k7j OIETocJUxgEarAJbM4o67KJIS8k6XwB1mhH5qKHkpNXWyKaEBwGRsRnDGksd3yGn8JKm 6FMQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1705588621; x=1706193421; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=jmgH0qa3XVbjpGQhdkp6BesDtjCOSEZUBkhyiBWTkXg=; b=ivNtMKUv6oxRQDucpcMjT2jcdJ8KKFNLrGBVQNvv+cUjGx9gmdNhBlc7vmjVxJh67k cjAgNgGrrdg50YSpLVW3EVsOPGn2Q0ljyk9nHluZm3omESXVQXvg+fH/EBeG+4l9pPOd cQxK2PV3r5Zwy0YghhKBmTO75QJayGeDz2lg+3ql8h8ZWwk74IzREt3VrgnjYhSMFwpw 3KIv3Yi44941slFfe/4r0kz/YfkgbYKiFFUvHrT6mw1mnjVgIygWnHS3OogSj8o8N6P+ MfA38niMZhn4THd0tnsZ4Qtj2x+kxwwMch13/5bsTnITvk7SibYhCSN+7HhnezP7SrWV Hfyw== X-Gm-Message-State: AOJu0Yw6ob9tRXk/uOwUv3a2uqPRAyacQDNDd6JemOuSgv/OTPniRBsZ gwjpP3S6f3hArYt83NDRMr7G0yMWgMQno3VaxWwoFMgvq0S2g3Srb9M7Z/PJxDLi2X0Xm5PBqvQ 324AyMc4+8BAmyQ== X-Received: from aliceryhl2.c.googlers.com ([fda3:e722:ac3:cc00:68:949d:c0a8:572]) (user=aliceryhl job=sendgmr) by 2002:a25:d7cb:0:b0:dc2:4cca:7577 with SMTP id o194-20020a25d7cb000000b00dc24cca7577mr42715ybg.8.1705588620910; Thu, 18 Jan 2024 06:37:00 -0800 (PST) Date: Thu, 18 Jan 2024 14:36:44 +0000 In-Reply-To: <20240118-alice-file-v3-0-9694b6f9580c@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20240118-alice-file-v3-0-9694b6f9580c@google.com> X-Developer-Key: i=aliceryhl@google.com; a=openpgp; fpr=49F6C1FAA74960F43A5B86A1EE7A392FDE96209F X-Developer-Signature: v=1; a=openpgp-sha256; l=6255; i=aliceryhl@google.com; h=from:subject; bh=CsfuAls1TL2YV7CMFadTLsxtXkXtmg2JI5t9uRUkTZc=; b=owEBbQKS/ZANAwAKAQRYvu5YxjlGAcsmYgBlqTHPjVUL1zehP8gc1SMJfGp9FtGF+NYrfZ3D8 /AoIuEsBTyJAjMEAAEKAB0WIQSDkqKUTWQHCvFIvbIEWL7uWMY5RgUCZakxzwAKCRAEWL7uWMY5 Ro02D/9kTb/8CRLZRUrxFSKqM82brI9ojK0ut4bbufbYBgISSYjp0boAOwrdi+OADA/EKJioacU B77Grno1bpyVpGB7WkixKv7QAwQcZGBLLrKvVWe1oBKpBaRuztogNZte3dFMT2yh+i8aZfEIKj7 ixn0Km3PaEzkGYeMx925pyHL17H3LWgLDImSgTuorrnbxnDl0B9NlKHeMBihWFDwYBQQVmupw+Z 61+Q3pKi0aXK+w8AcVQjo06N/DLgCQSHlgc8K+8vq3ClFu9XaSmyTFXq8ktEo201F+x3pRUdtUe QQFii/m01ASttjeQWXfMG7WEw0t8CUVu8itN5TFqsjk/puZTEYZALPJshFJREtCeMnYYrsoFa3w asFMeQ7TywEAzRHbKaLF8IMwRJVEijCsr+pJdZABZDUgDyH90SIVsu86AwerEG7CdC+Ju0dJ5eZ DHT/V8Agt8PZ+Qyj/ScctUUEyogo8AhYOHe1d/T3Hu5wtt17mFhGrt5b23oJlduzqJrThcyz5oS XrMbFQyssebdKpmE8ajDgl5wLRyY+CZf4+LCOjOXd2pwCsDwaIxDl485d0Rpr9aRrXUWK6xgyLG Fp20oqVvA1cJ9WkfnqxN71VF3ULdKgQgAZXfuvF/4+ti/GcNzwxQkbSYXRdurIMb1Lp+f7836dG U7qBuzoDTrJAueA== X-Mailer: git-send-email 2.43.0.381.gb435a96ce8-goog Message-ID: <20240118-alice-file-v3-3-9694b6f9580c@google.com> Subject: [PATCH v3 3/9] rust: security: add abstraction for secctx From: Alice Ryhl To: Miguel Ojeda , Alex Gaynor , Wedson Almeida Filho , Boqun Feng , Gary Guo , " =?utf-8?q?Bj=C3=B6rn_Roy_Baron?= " , Benno Lossin , Andreas Hindborg , Peter Zijlstra , Alexander Viro , Christian Brauner , Greg Kroah-Hartman , " =?utf-8?q?Arve_Hj=C3=B8n?= =?utf-8?q?nev=C3=A5g?= " , Todd Kjos , Martijn Coenen , Joel Fernandes , Carlos Llamas , Suren Baghdasaryan Cc: Dan Williams , Kees Cook , Matthew Wilcox , Thomas Gleixner , Daniel Xu , linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org, linux-fsdevel@vger.kernel.org, Alice Ryhl X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1788439403815546792 X-GMAIL-MSGID: 1788439403815546792 Adds an abstraction for viewing the string representation of a security context. This is needed by Rust Binder because it has feature where a process can view the string representation of the security context for incoming transactions. The process can use that to authenticate incoming transactions, and since the feature is provided by the kernel, the process can trust that the security context is legitimate. Signed-off-by: Alice Ryhl Reviewed-by: Benno Lossin --- rust/bindings/bindings_helper.h | 1 + rust/helpers.c | 21 ++++++++++ rust/kernel/cred.rs | 8 ++++ rust/kernel/lib.rs | 1 + rust/kernel/security.rs | 71 +++++++++++++++++++++++++++++++++ 5 files changed, 102 insertions(+) create mode 100644 rust/kernel/security.rs diff --git a/rust/bindings/bindings_helper.h b/rust/bindings/bindings_helper.h index fb7d4b0b0554..0e2a9b46459a 100644 --- a/rust/bindings/bindings_helper.h +++ b/rust/bindings/bindings_helper.h @@ -11,6 +11,7 @@ #include #include #include +#include #include #include #include diff --git a/rust/helpers.c b/rust/helpers.c index 10ed69f76424..fd633d9db79a 100644 --- a/rust/helpers.c +++ b/rust/helpers.c @@ -30,6 +30,7 @@ #include #include #include +#include #include #include #include @@ -177,6 +178,26 @@ void rust_helper_put_cred(const struct cred *cred) } EXPORT_SYMBOL_GPL(rust_helper_put_cred); +#ifndef CONFIG_SECURITY +void rust_helper_security_cred_getsecid(const struct cred *c, u32 *secid) +{ + security_cred_getsecid(c, secid); +} +EXPORT_SYMBOL_GPL(rust_helper_security_cred_getsecid); + +int rust_helper_security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) +{ + return security_secid_to_secctx(secid, secdata, seclen); +} +EXPORT_SYMBOL_GPL(rust_helper_security_secid_to_secctx); + +void rust_helper_security_release_secctx(char *secdata, u32 seclen) +{ + security_release_secctx(secdata, seclen); +} +EXPORT_SYMBOL_GPL(rust_helper_security_release_secctx); +#endif + /* * `bindgen` binds the C `size_t` type as the Rust `usize` type, so we can * use it in contexts where Rust expects a `usize` like slice (array) indices. diff --git a/rust/kernel/cred.rs b/rust/kernel/cred.rs index ccec77242dfd..8017525cf329 100644 --- a/rust/kernel/cred.rs +++ b/rust/kernel/cred.rs @@ -43,6 +43,14 @@ pub unsafe fn from_ptr<'a>(ptr: *const bindings::cred) -> &'a Credential { unsafe { &*ptr.cast() } } + /// Get the id for this security context. + pub fn get_secid(&self) -> u32 { + let mut secid = 0; + // SAFETY: The invariants of this type ensures that the pointer is valid. + unsafe { bindings::security_cred_getsecid(self.0.get(), &mut secid) }; + secid + } + /// Returns the effective UID of the given credential. pub fn euid(&self) -> bindings::kuid_t { // SAFETY: By the type invariant, we know that `self.0` is valid. diff --git a/rust/kernel/lib.rs b/rust/kernel/lib.rs index 097fe9bb93ed..342cb02c495a 100644 --- a/rust/kernel/lib.rs +++ b/rust/kernel/lib.rs @@ -42,6 +42,7 @@ pub mod kunit; pub mod prelude; pub mod print; +pub mod security; mod static_assert; #[doc(hidden)] pub mod std_vendor; diff --git a/rust/kernel/security.rs b/rust/kernel/security.rs new file mode 100644 index 000000000000..e3cbbab6405a --- /dev/null +++ b/rust/kernel/security.rs @@ -0,0 +1,71 @@ +// SPDX-License-Identifier: GPL-2.0 + +//! Linux Security Modules (LSM). +//! +//! C header: [`include/linux/security.h`](../../../../include/linux/security.h). + +use crate::{ + bindings, + error::{to_result, Result}, +}; + +/// A security context string. +/// +/// # Invariants +/// +/// The `secdata` and `seclen` fields correspond to a valid security context as returned by a +/// successful call to `security_secid_to_secctx`, that has not yet been destroyed by calling +/// `security_release_secctx`. +pub struct SecurityCtx { + secdata: *mut core::ffi::c_char, + seclen: usize, +} + +impl SecurityCtx { + /// Get the security context given its id. + pub fn from_secid(secid: u32) -> Result { + let mut secdata = core::ptr::null_mut(); + let mut seclen = 0u32; + // SAFETY: Just a C FFI call. The pointers are valid for writes. + to_result(unsafe { bindings::security_secid_to_secctx(secid, &mut secdata, &mut seclen) })?; + + // INVARIANT: If the above call did not fail, then we have a valid security context. + Ok(Self { + secdata, + seclen: seclen as usize, + }) + } + + /// Returns whether the security context is empty. + pub fn is_empty(&self) -> bool { + self.seclen == 0 + } + + /// Returns the length of this security context. + pub fn len(&self) -> usize { + self.seclen + } + + /// Returns the bytes for this security context. + pub fn as_bytes(&self) -> &[u8] { + let ptr = self.secdata; + if ptr.is_null() { + debug_assert_eq!(self.seclen, 0); + // We can't pass a null pointer to `slice::from_raw_parts` even if the length is zero. + return &[]; + } + + // SAFETY: The call to `security_secid_to_secctx` guarantees that the pointer is valid for + // `seclen` bytes. Furthermore, if the length is zero, then we have ensured that the + // pointer is not null. + unsafe { core::slice::from_raw_parts(ptr.cast(), self.seclen) } + } +} + +impl Drop for SecurityCtx { + fn drop(&mut self) { + // SAFETY: This frees a pointer that came from a successful call to + // `security_secid_to_secctx` and has not yet been destroyed by `security_release_secctx`. + unsafe { bindings::security_release_secctx(self.secdata, self.seclen as u32) }; + } +}