From patchwork Tue Oct 25 18:45:12 2022
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 10931
From: Casey Schaufler
To: casey.schaufler@intel.com, paul@paul-moore.com, linux-security-module@vger.kernel.org
Cc: casey@schaufler-ca.com, jmorris@namei.org, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, mic@digikod.net
Subject: [PATCH v1 1/8] LSM: Identify modules by more than name
Date: Tue, 25 Oct 2022 11:45:12 -0700
Message-Id: <20221025184519.13231-2-casey@schaufler-ca.com>
In-Reply-To: <20221025184519.13231-1-casey@schaufler-ca.com>
References: <20221025184519.13231-1-casey@schaufler-ca.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Create a struct lsm_id to contain identifying information about Linux
Security Modules (LSMs). At inception this contains a single member,
which is the name of the module. Change the security_add_hooks()
interface to use this structure. Change the individual modules to
maintain their own struct lsm_id and pass it to security_add_hooks().
Signed-off-by: Casey Schaufler --- include/linux/lsm_hooks.h | 11 +++++++++-- security/apparmor/lsm.c | 6 +++++- security/bpf/hooks.c | 11 ++++++++++- security/commoncap.c | 6 +++++- security/landlock/cred.c | 2 +- security/landlock/fs.c | 2 +- security/landlock/ptrace.c | 2 +- security/landlock/setup.c | 4 ++++ security/landlock/setup.h | 1 + security/loadpin/loadpin.c | 7 ++++++- security/lockdown/lockdown.c | 6 +++++- security/safesetid/lsm.c | 7 ++++++- security/security.c | 12 ++++++------ security/selinux/hooks.c | 7 ++++++- security/smack/smack_lsm.c | 6 +++++- security/tomoyo/tomoyo.c | 7 ++++++- security/yama/yama_lsm.c | 6 +++++- 17 files changed, 82 insertions(+), 21 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 4ec80b96c22e..e383e468f742 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -1602,6 +1602,13 @@ struct security_hook_heads { #undef LSM_HOOK } __randomize_layout; +/* + * Information that identifies a security module. + */ +struct lsm_id { + const char *lsm; /* Name of the LSM */ +}; + /* * Security module hook list structure. * For use with generic list macros for common operations. @@ -1610,7 +1617,7 @@ struct security_hook_list { struct hlist_node list; struct hlist_head *head; union security_list_options hook; - const char *lsm; + struct lsm_id *lsmid; } __randomize_layout; /* @@ -1645,7 +1652,7 @@ extern struct security_hook_heads security_hook_heads; extern char *lsm_names; extern void security_add_hooks(struct security_hook_list *hooks, int count, - const char *lsm); + struct lsm_id *lsmid); #define LSM_FLAG_LEGACY_MAJOR BIT(0) #define LSM_FLAG_EXCLUSIVE BIT(1) diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index f56070270c69..e708c1ad7267 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c 
@@ -1202,6 +1202,10 @@ struct lsm_blob_sizes apparmor_blob_sizes __lsm_ro_after_init = { .lbs_task = sizeof(struct aa_task_ctx), }; +static struct lsm_id apparmor_lsmid __lsm_ro_after_init = { + .lsm = "apparmor", +}; + static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check), LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme), @@ -1897,7 +1901,7 @@ static int __init apparmor_init(void) goto buffers_out; } security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks), - "apparmor"); + &apparmor_lsmid); /* Report that AppArmor successfully initialized */ apparmor_initialized = 1; diff --git a/security/bpf/hooks.c b/security/bpf/hooks.c index e5971fa74fd7..ef9b1d983665 100644 --- a/security/bpf/hooks.c +++ b/security/bpf/hooks.c @@ -15,9 +15,18 @@ static struct security_hook_list bpf_lsm_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(task_free, bpf_task_storage_free), }; +/* + * slot has to be LSMBLOB_NEEDED because some of the hooks + * supplied by this module require a slot. + */ +struct lsm_id bpf_lsmid __lsm_ro_after_init = { + .lsm = "bpf", +}; + static int __init bpf_lsm_init(void) { - security_add_hooks(bpf_lsm_hooks, ARRAY_SIZE(bpf_lsm_hooks), "bpf"); + security_add_hooks(bpf_lsm_hooks, ARRAY_SIZE(bpf_lsm_hooks), + &bpf_lsmid); pr_info("LSM support for eBPF active\n"); return 0; } diff --git a/security/commoncap.c b/security/commoncap.c index 5fc8986c3c77..986920da0c26 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -1446,6 +1446,10 @@ int cap_mmap_file(struct file *file, unsigned long reqprot, #ifdef CONFIG_SECURITY +static struct lsm_id capability_lsmid __lsm_ro_after_init = { + .lsm = "capability", +}; + static struct security_hook_list capability_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(capable, cap_capable), LSM_HOOK_INIT(settime, cap_settime), 
@@ -1470,7 +1474,7 @@ static struct security_hook_list capability_hooks[] __lsm_ro_after_init = { static int __init capability_init(void) { security_add_hooks(capability_hooks, ARRAY_SIZE(capability_hooks), - "capability"); + &capability_lsmid); return 0; } diff --git a/security/landlock/cred.c b/security/landlock/cred.c index ec6c37f04a19..2eb1d65f10d6 100644 --- a/security/landlock/cred.c +++ b/security/landlock/cred.c @@ -42,5 +42,5 @@ static struct security_hook_list landlock_hooks[] __lsm_ro_after_init = { __init void landlock_add_cred_hooks(void) { security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks), - LANDLOCK_NAME); + &landlock_lsmid); } diff --git a/security/landlock/fs.c b/security/landlock/fs.c index 64ed7665455f..486ff50d54a1 100644 --- a/security/landlock/fs.c +++ b/security/landlock/fs.c @@ -1201,5 +1201,5 @@ static struct security_hook_list landlock_hooks[] __lsm_ro_after_init = { __init void landlock_add_fs_hooks(void) { security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks), - LANDLOCK_NAME); + &landlock_lsmid); } diff --git a/security/landlock/ptrace.c b/security/landlock/ptrace.c index 4c5b9cd71286..eab35808f395 100644 --- a/security/landlock/ptrace.c +++ b/security/landlock/ptrace.c @@ -116,5 +116,5 @@ static struct security_hook_list landlock_hooks[] __lsm_ro_after_init = { __init void landlock_add_ptrace_hooks(void) { security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks), - LANDLOCK_NAME); + &landlock_lsmid); } diff --git a/security/landlock/setup.c b/security/landlock/setup.c index f8e8e980454c..4a12666a4090 100644 --- a/security/landlock/setup.c +++ b/security/landlock/setup.c @@ -23,6 +23,10 @@ struct lsm_blob_sizes landlock_blob_sizes __lsm_ro_after_init = { .lbs_superblock = sizeof(struct landlock_superblock_security), }; +struct lsm_id landlock_lsmid __lsm_ro_after_init = { + .lsm = LANDLOCK_NAME, +}; + static int __init landlock_init(void) { landlock_add_cred_hooks(); 
diff --git a/security/landlock/setup.h b/security/landlock/setup.h index 1daffab1ab4b..38bce5b172dc 100644 --- a/security/landlock/setup.h +++ b/security/landlock/setup.h @@ -14,5 +14,6 @@ extern bool landlock_initialized; extern struct lsm_blob_sizes landlock_blob_sizes; +extern struct lsm_id landlock_lsmid; #endif /* _SECURITY_LANDLOCK_SETUP_H */ diff --git a/security/loadpin/loadpin.c b/security/loadpin/loadpin.c index de41621f4998..24d041a888b8 100644 --- a/security/loadpin/loadpin.c +++ b/security/loadpin/loadpin.c @@ -197,6 +197,10 @@ static int loadpin_load_data(enum kernel_load_data_id id, bool contents) return loadpin_read_file(NULL, (enum kernel_read_file_id) id, contents); } +static struct lsm_id loadpin_lsmid __lsm_ro_after_init = { + .lsm = "loadpin", +}; + static struct security_hook_list loadpin_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(sb_free_security, loadpin_sb_free_security), LSM_HOOK_INIT(kernel_read_file, loadpin_read_file), @@ -244,7 +248,8 @@ static int __init loadpin_init(void) pr_info("ready to pin (currently %senforcing)\n", enforce ? "" : "not "); parse_exclude(); - security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks), "loadpin"); + security_add_hooks(loadpin_hooks, ARRAY_SIZE(loadpin_hooks), + &loadpin_lsmid); return 0; } diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index a79b985e917e..2004d67f7201 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -75,6 +75,10 @@ static struct security_hook_list lockdown_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(locked_down, lockdown_is_locked_down), }; +static struct lsm_id lockdown_lsmid __lsm_ro_after_init = { + .lsm = "lockdown", +}; + static int __init lockdown_lsm_init(void) { #if defined(CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY) 
@@ -83,7 +87,7 @@ static int __init lockdown_lsm_init(void) lock_kernel_down("Kernel configuration", LOCKDOWN_CONFIDENTIALITY_MAX); #endif security_add_hooks(lockdown_hooks, ARRAY_SIZE(lockdown_hooks), - "lockdown"); + &lockdown_lsmid); return 0; } diff --git a/security/safesetid/lsm.c b/security/safesetid/lsm.c index e806739f7868..d9af1d04d293 100644 --- a/security/safesetid/lsm.c +++ b/security/safesetid/lsm.c @@ -261,6 +261,10 @@ static int safesetid_task_fix_setgroups(struct cred *new, const struct cred *old return 0; } +static struct lsm_id safesetid_lsmid __lsm_ro_after_init = { + .lsm = "safesetid", +}; + static struct security_hook_list safesetid_security_hooks[] = { LSM_HOOK_INIT(task_fix_setuid, safesetid_task_fix_setuid), LSM_HOOK_INIT(task_fix_setgid, safesetid_task_fix_setgid), @@ -271,7 +275,8 @@ static struct security_hook_list safesetid_security_hooks[] = { static int __init safesetid_security_init(void) { security_add_hooks(safesetid_security_hooks, - ARRAY_SIZE(safesetid_security_hooks), "safesetid"); + ARRAY_SIZE(safesetid_security_hooks), + &safesetid_lsmid); /* Report that SafeSetID successfully initialized */ safesetid_initialized = 1; diff --git a/security/security.c b/security/security.c index 79d82cb6e469..b2eb0ccd954b 100644 --- a/security/security.c +++ b/security/security.c @@ -476,17 +476,17 @@ static int lsm_append(const char *new, char **result) * security_add_hooks - Add a modules hooks to the hook lists. * @hooks: the hooks to add * @count: the number of hooks to add - * @lsm: the name of the security module + * @lsmid: the identification information for the security module * * Each LSM has to register its hooks with the infrastructure. */ void __init security_add_hooks(struct security_hook_list *hooks, int count, - const char *lsm) + struct lsm_id *lsmid) { int i; for (i = 0; i < count; i++) { - hooks[i].lsm = lsm; + hooks[i].lsmid = lsmid; hlist_add_tail_rcu(&hooks[i].list, hooks[i].head); } 
@@ -495,7 +495,7 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count, * and fix this up afterwards. */ if (slab_is_available()) { - if (lsm_append(lsm, &lsm_names) < 0) + if (lsm_append(lsmid->lsm, &lsm_names) < 0) panic("%s - Cannot get early memory.\n", __func__); } } @@ -2070,7 +2070,7 @@ int security_getprocattr(struct task_struct *p, const char *lsm, struct security_hook_list *hp; hlist_for_each_entry(hp, &security_hook_heads.getprocattr, list) { - if (lsm != NULL && strcmp(lsm, hp->lsm)) + if (lsm != NULL && strcmp(lsm, hp->lsmid->lsm)) continue; return hp->hook.getprocattr(p, name, value); } @@ -2083,7 +2083,7 @@ int security_setprocattr(const char *lsm, const char *name, void *value, struct security_hook_list *hp; hlist_for_each_entry(hp, &security_hook_heads.setprocattr, list) { - if (lsm != NULL && strcmp(lsm, hp->lsm)) + if (lsm != NULL && strcmp(lsm, hp->lsmid->lsm)) continue; return hp->hook.setprocattr(name, value, size); } diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index f553c370397e..aee20bb1778d 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -7014,6 +7014,10 @@ static int selinux_uring_cmd(struct io_uring_cmd *ioucmd) } #endif /* CONFIG_IO_URING */ +static struct lsm_id selinux_lsmid __lsm_ro_after_init = { + .lsm = "selinux", +}; + /* * IMPORTANT NOTE: When adding new hooks, please be careful to keep this order: * 1. any hooks that don't belong to (2.) or (3.) below, @@ -7334,7 +7338,8 @@ static __init int selinux_init(void) hashtab_cache_init(); - security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), "selinux"); + security_add_hooks(selinux_hooks, ARRAY_SIZE(selinux_hooks), + &selinux_lsmid); if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET)) panic("SELinux: Unable to register AVC netcache callback\n"); diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index b6306d71c908..0c0fea933bbd 100644 --- a/security/smack/smack_lsm.c 
+++ b/security/smack/smack_lsm.c @@ -4787,6 +4787,10 @@ struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = { .lbs_superblock = sizeof(struct superblock_smack), }; +static struct lsm_id smack_lsmid __lsm_ro_after_init = { + .lsm = "smack", +}; + static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check), LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme), @@ -4990,7 +4994,7 @@ static __init int smack_init(void) /* * Register with LSM */ - security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), "smack"); + security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), &smack_lsmid); smack_enabled = 1; pr_info("Smack: Initializing.\n"); diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c index 71e82d855ebf..80fbab5d2d7e 100644 --- a/security/tomoyo/tomoyo.c +++ b/security/tomoyo/tomoyo.c @@ -530,6 +530,10 @@ static void tomoyo_task_free(struct task_struct *task) } } +static struct lsm_id tomoyo_lsmid __lsm_ro_after_init = { + .lsm = "tomoyo", +}; + /* * tomoyo_security_ops is a "struct security_operations" which is used for * registering TOMOYO. @@ -582,7 +586,8 @@ static int __init tomoyo_init(void) struct tomoyo_task *s = tomoyo_task(current); /* register ourselves with the security framework */ - security_add_hooks(tomoyo_hooks, ARRAY_SIZE(tomoyo_hooks), "tomoyo"); + security_add_hooks(tomoyo_hooks, ARRAY_SIZE(tomoyo_hooks), + &tomoyo_lsmid); pr_info("TOMOYO Linux initialized\n"); s->domain_info = &tomoyo_kernel_domain; atomic_inc(&tomoyo_kernel_domain.users); diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c index 06e226166aab..4f60158850a7 100644 --- a/security/yama/yama_lsm.c +++ b/security/yama/yama_lsm.c 
@@ -421,6 +421,10 @@ static int yama_ptrace_traceme(struct task_struct *parent) return rc; } +static struct lsm_id yama_lsmid __lsm_ro_after_init = { + .lsm = "yama", +}; + static struct security_hook_list yama_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(ptrace_access_check, yama_ptrace_access_check), LSM_HOOK_INIT(ptrace_traceme, yama_ptrace_traceme), 
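Review bot: in the include/linux/lsm_hooks.h hunk, `struct lsm_id *lsmid` in struct security_hook_list and the `struct lsm_id *lsmid` parameter of security_add_hooks() should be `const struct lsm_id *`: every lsm_id this patch adds is `__lsm_ro_after_init` and the framework only reads through the pointer (security.c dereferences `lsmid->lsm` and nothing else), so a const pointer documents that the framework never writes it and lets modules declare their lsm_id `const`. The new `struct lsm_id` comment could also be a kernel-doc block (`@lsm:` ...) like the rest of this header, since the commit message says more members will follow.

Review bot: in the security/bpf/hooks.c hunk, the comment above bpf_lsmid ("slot has to be LSMBLOB_NEEDED because some of the hooks supplied by this module require a slot") describes a member that does not exist: struct lsm_id as added here has only `.lsm`, and nothing in this patch defines LSMBLOB_NEEDED or a slot, so the comment looks carried over from an earlier series. Drop it or replace it with one that matches the structure. Also, `struct lsm_id bpf_lsmid` is not `static`, and unlike `landlock_lsmid` (which gets an `extern` in setup.h) there is no declaration for it anywhere; make it `static` unless a later patch needs it.

Review bot: in the security/security.c hunk, security_add_hooks() stores `lsmid` into every hook and then lsm_append() dereferences `lsmid->lsm` with no check, so a module that passes a NULL lsmid or an lsm_id with a NULL name now oopses at boot instead of failing to register. All callers are in-tree, so a `WARN_ON` plus early return, or at least a line in the kernel-doc saying that `lsmid` and `lsmid->lsm` must be non-NULL and must outlive the hooks (which the `__lsm_ro_after_init` objects do, since the pointer is kept for the life of the kernel), would make the contract explicit.

Review bot: in the security/safesetid/lsm.c hunk, the new `safesetid_lsmid` is `__lsm_ro_after_init` but the context line shows `static struct security_hook_list safesetid_security_hooks[] = {` without that annotation, unlike every other hook table touched in this patch. It is pre-existing, but since the table now carries the lsmid pointer it is worth adding `__lsm_ro_after_init` here so the table is read-only after init like the rest.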
@@ -477,7 +481,7 @@ static inline void yama_init_sysctl(void) { } static int __init yama_init(void) { pr_info("Yama: becoming mindful.\n"); - security_add_hooks(yama_hooks, ARRAY_SIZE(yama_hooks), "yama"); + security_add_hooks(yama_hooks, ARRAY_SIZE(yama_hooks), &yama_lsmid); yama_init_sysctl(); return 0; }

From patchwork Tue Oct 25 18:45:13 2022
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 10932
From: Casey Schaufler
To: casey.schaufler@intel.com, paul@paul-moore.com, linux-security-module@vger.kernel.org
Cc: casey@schaufler-ca.com, jmorris@namei.org, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, mic@digikod.net
Subject: [PATCH v1 2/8] LSM: Add an LSM identifier for external use
Date: Tue, 25 Oct 2022 11:45:13 -0700
Message-Id: <20221025184519.13231-3-casey@schaufler-ca.com>
In-Reply-To: <20221025184519.13231-1-casey@schaufler-ca.com>
References: <20221025184519.13231-1-casey@schaufler-ca.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Add an integer member "id" to the struct lsm_id. This value is a unique
identifier associated with each security module. The values are defined
in a new UAPI header file. Each existing LSM has been updated to include
its LSMID in the lsm_id.

The LSM ID values are sequential, with the oldest module LSM_ID_CAPABILITY
being the lowest value and the existing modules numbered in the order they
were included in the main line kernel. The first 32 values (0 - 31) are
reserved for some as yet unknown but important use.
Signed-off-by: Casey Schaufler Nacked-by: Tetsuo Handa --- include/linux/lsm_hooks.h | 1 + include/uapi/linux/lsm.h | 32 ++++++++++++++++++++++++++++++++ security/apparmor/lsm.c | 2 ++ security/bpf/hooks.c | 2 ++ security/commoncap.c | 2 ++ security/landlock/setup.c | 2 ++ security/loadpin/loadpin.c | 2 ++ security/lockdown/lockdown.c | 2 ++ security/safesetid/lsm.c | 2 ++ security/selinux/hooks.c | 2 ++ security/smack/smack_lsm.c | 2 ++ security/tomoyo/tomoyo.c | 2 ++ security/yama/yama_lsm.c | 2 ++ 13 files changed, 55 insertions(+) create mode 100644 include/uapi/linux/lsm.h diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index e383e468f742..dd4b4d95a172 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -1607,6 +1607,7 @@ struct security_hook_heads { */ struct lsm_id { const char *lsm; /* Name of the LSM */ + int id; /* LSM ID */ }; /* diff --git a/include/uapi/linux/lsm.h b/include/uapi/linux/lsm.h new file mode 100644 index 000000000000..d5bcbb9375df --- /dev/null +++ b/include/uapi/linux/lsm.h @@ -0,0 +1,32 @@ +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ +/* + * Linus Security Modules (LSM) - User space API + * + * Copyright (C) 2022 Casey Schaufler + * Copyright (C) Intel Corporation + */ + +#ifndef _UAPI_LINUX_LSM_H +#define _UAPI_LINUX_LSM_H + +/* + * ID values to identify security modules. + * A system may use more than one security module. + * + * LSM_ID_XXX values 0 - 31 are reserved for future use + */ +#define LSM_ID_INVALID -1 +#define LSM_ID_CAPABILITY 32 +#define LSM_ID_SELINUX 33 +#define LSM_ID_SMACK 34 +#define LSM_ID_TOMOYO 35 +#define LSM_ID_IMA 36 +#define LSM_ID_APPARMOR 37 +#define LSM_ID_YAMA 38 +#define LSM_ID_LOADPIN 39 +#define LSM_ID_SAFESETID 40 +#define LSM_ID_LOCKDOWN 41 +#define LSM_ID_BPF 42 +#define LSM_ID_LANDLOCK 43 + +#endif /* _UAPI_LINUX_LSM_H */ diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index e708c1ad7267..b859b1af6c75 100644 
--- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -24,6 +24,7 @@ #include #include #include +#include #include "include/apparmor.h" #include "include/apparmorfs.h" @@ -1204,6 +1205,7 @@ struct lsm_blob_sizes apparmor_blob_sizes __lsm_ro_after_init = { static struct lsm_id apparmor_lsmid __lsm_ro_after_init = { .lsm = "apparmor", + .id = LSM_ID_APPARMOR, }; static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { diff --git a/security/bpf/hooks.c b/security/bpf/hooks.c index ef9b1d983665..20983ae8d31f 100644 --- a/security/bpf/hooks.c +++ b/security/bpf/hooks.c @@ -5,6 +5,7 @@ */ #include #include +#include static struct security_hook_list bpf_lsm_hooks[] __lsm_ro_after_init = { #define LSM_HOOK(RET, DEFAULT, NAME, ...) \ @@ -21,6 +22,7 @@ static struct security_hook_list bpf_lsm_hooks[] __lsm_ro_after_init = { */ struct lsm_id bpf_lsmid __lsm_ro_after_init = { .lsm = "bpf", + .id = LSM_ID_BPF, }; static int __init bpf_lsm_init(void) diff --git a/security/commoncap.c b/security/commoncap.c index 986920da0c26..940e36d8503d 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -25,6 +25,7 @@ #include #include #include +#include /* * If a non-root user executes a setuid-root binary in @@ -1448,6 +1449,7 @@ int cap_mmap_file(struct file *file, unsigned long reqprot, static struct lsm_id capability_lsmid __lsm_ro_after_init = { .lsm = "capability", + .id = LSM_ID_CAPABILITY, }; static struct security_hook_list capability_hooks[] __lsm_ro_after_init = { diff --git a/security/landlock/setup.c b/security/landlock/setup.c index 4a12666a4090..5b32c087e34b 100644 --- a/security/landlock/setup.c +++ b/security/landlock/setup.c @@ -8,6 +8,7 @@ #include #include +#include #include "common.h" #include "cred.h" @@ -25,6 +26,7 @@ struct lsm_blob_sizes landlock_blob_sizes __lsm_ro_after_init = { struct lsm_id landlock_lsmid __lsm_ro_after_init = { .lsm = LANDLOCK_NAME, + .id = LSM_ID_LANDLOCK, }; static int __init landlock_init(void) 
diff --git a/security/loadpin/loadpin.c b/security/loadpin/loadpin.c index 24d041a888b8..32bdf7294a6f 100644 --- a/security/loadpin/loadpin.c +++ b/security/loadpin/loadpin.c @@ -20,6 +20,7 @@ #include #include #include +#include #define VERITY_DIGEST_FILE_HEADER "# LOADPIN_TRUSTED_VERITY_ROOT_DIGESTS" @@ -199,6 +200,7 @@ static int loadpin_load_data(enum kernel_load_data_id id, bool contents) static struct lsm_id loadpin_lsmid __lsm_ro_after_init = { .lsm = "loadpin", + .id = LSM_ID_LOADPIN, }; static struct security_hook_list loadpin_hooks[] __lsm_ro_after_init = { diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c index 2004d67f7201..e8c41a0caf7d 100644 --- a/security/lockdown/lockdown.c +++ b/security/lockdown/lockdown.c @@ -13,6 +13,7 @@ #include #include #include +#include static enum lockdown_reason kernel_locked_down; @@ -77,6 +78,7 @@ static struct security_hook_list lockdown_hooks[] __lsm_ro_after_init = { static struct lsm_id lockdown_lsmid __lsm_ro_after_init = { .lsm = "lockdown", + .id = LSM_ID_LOCKDOWN, }; static int __init lockdown_lsm_init(void) diff --git a/security/safesetid/lsm.c b/security/safesetid/lsm.c index d9af1d04d293..8d0742ba045d 100644 --- a/security/safesetid/lsm.c +++ b/security/safesetid/lsm.c @@ -19,6 +19,7 @@ #include #include #include +#include #include "lsm.h" /* Flag indicating whether initialization completed */ @@ -263,6 +264,7 @@ static int safesetid_task_fix_setgroups(struct cred *new, const struct cred *old static struct lsm_id safesetid_lsmid __lsm_ro_after_init = { .lsm = "safesetid", + .id = LSM_ID_SAFESETID, }; static struct security_hook_list safesetid_security_hooks[] = { diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index aee20bb1778d..5fcce36267bd 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -92,6 +92,7 @@ #include #include #include +#include #include "avc.h" #include "objsec.h" 
@@ -7016,6 +7017,7 @@ static int selinux_uring_cmd(struct io_uring_cmd *ioucmd) static struct lsm_id selinux_lsmid __lsm_ro_after_init = { .lsm = "selinux", + .id = LSM_ID_SELINUX, }; /* diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 0c0fea933bbd..c7ba80e20b8d 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -43,6 +43,7 @@ #include #include #include +#include #include "smack.h" #define TRANS_TRUE "TRUE" @@ -4789,6 +4790,7 @@ struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = { static struct lsm_id smack_lsmid __lsm_ro_after_init = { .lsm = "smack", + .id = LSM_ID_SMACK, }; static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c index 80fbab5d2d7e..1916eb6216f7 100644 --- a/security/tomoyo/tomoyo.c +++ b/security/tomoyo/tomoyo.c @@ -6,6 +6,7 @@ */ #include +#include #include "common.h" /** @@ -532,6 +533,7 @@ static void tomoyo_task_free(struct task_struct *task) static struct lsm_id tomoyo_lsmid __lsm_ro_after_init = { .lsm = "tomoyo", + .id = LSM_ID_TOMOYO, }; /* diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c index 4f60158850a7..2487b8f847f3 100644 --- a/security/yama/yama_lsm.c +++ b/security/yama/yama_lsm.c @@ -18,6 +18,7 @@ #include #include #include +#include #define YAMA_SCOPE_DISABLED 0 #define YAMA_SCOPE_RELATIONAL 1 
@@ -423,6 +424,7 @@ static int yama_ptrace_traceme(struct task_struct *parent) static struct lsm_id yama_lsmid __lsm_ro_after_init = { .lsm = "yama", + .id = LSM_ID_YAMA, }; static struct security_hook_list yama_hooks[] __lsm_ro_after_init = {
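Review bot: the banner comment in the new include/uapi/linux/lsm.h hunk reads "Linus Security Modules (LSM)"; it should be "Linux Security Modules". In the same hunk, LSM_ID_IMA 36 is defined although no file in the diffstat sets `.id = LSM_ID_IMA`, so either drop that value until IMA carries an lsm_id or say in the comment that it is reserved for IMA. The comment "LSM_ID_XXX values 0 - 31 are reserved for future use" should also state what the reservation is for: the commit message only calls it "some as yet unknown but important use", and once the header is UAPI the reserved range cannot be quietly redefined.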
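Review bot: with `int id; /* LSM ID */` added to struct lsm_id in the include/linux/lsm_hooks.h hunk, a module that omits the `.id` initializer gets 0, which lands in the reserved 0 - 31 range rather than in LSM_ID_INVALID (-1), so the "invalid" value the UAPI header defines is never produced implicitly. Either have the registration path reject an id below LSM_ID_CAPABILITY or document next to the member that every lsm_id must set `.id` explicitly.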
From: Casey Schaufler
To: casey.schaufler@intel.com, paul@paul-moore.com, linux-security-module@vger.kernel.org
Cc: casey@schaufler-ca.com, jmorris@namei.org, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, mic@digikod.net
Subject: [PATCH v1 3/8] LSM: Identify the process attributes for each module
Date: Tue, 25 Oct 2022 11:45:14 -0700
Message-Id: <20221025184519.13231-4-casey@schaufler-ca.com>
In-Reply-To: <20221025184519.13231-1-casey@schaufler-ca.com>
References: <20221025184519.13231-1-casey@schaufler-ca.com>

Add an integer member "features" to the struct lsm_id which identifies the API related data associated with each security module. The initial set of features maps to information that has traditionally been available in /proc/self/attr.

Signed-off-by: Casey Schaufler --- include/linux/lsm_hooks.h | 1 + include/uapi/linux/lsm.h | 14 ++++++++++++++ security/apparmor/lsm.c | 1 + security/selinux/hooks.c | 2 ++ security/smack/smack_lsm.c | 1 + 5 files changed, 19 insertions(+) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index dd4b4d95a172..46b2aa6a677e 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -1608,6 +1608,7 @@ struct security_hook_heads { struct lsm_id { const char *lsm; /* Name of the LSM */ int id; /* LSM ID */ + int features; /* Set of LSM features */ }; /*
diff --git a/include/uapi/linux/lsm.h b/include/uapi/linux/lsm.h index d5bcbb9375df..61e13b1b9ece 100644 --- a/include/uapi/linux/lsm.h +++ b/include/uapi/linux/lsm.h @@ -29,4 +29,18 @@ #define LSM_ID_BPF 42 #define LSM_ID_LANDLOCK 43 +/* + * LSM_ATTR_XXX values identify the /proc/.../attr entry that the + * context represents. Not all security modules provide all of these + * values. Some security modules provide none of them. + */ +/* clang-format off */ +#define LSM_ATTR_CURRENT (1UL << 0) +#define LSM_ATTR_EXEC (1UL << 1) +#define LSM_ATTR_FSCREATE (1UL << 2) +#define LSM_ATTR_KEYCREATE (1UL << 3) +#define LSM_ATTR_PREV (1UL << 4) +#define LSM_ATTR_SOCKCREATE (1UL << 5) +/* clang-format on */ + #endif /* _UAPI_LINUX_LSM_H */ diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index b859b1af6c75..77260026fda0 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -1206,6 +1206,7 @@ struct lsm_blob_sizes apparmor_blob_sizes __lsm_ro_after_init = { static struct lsm_id apparmor_lsmid __lsm_ro_after_init = { .lsm = "apparmor", .id = LSM_ID_APPARMOR, + .features = LSM_ATTR_CURRENT | LSM_ATTR_PREV | LSM_ATTR_EXEC, }; static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 5fcce36267bd..107b944e5d45 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -7018,6 +7018,8 @@ static int selinux_uring_cmd(struct io_uring_cmd *ioucmd) static struct lsm_id selinux_lsmid __lsm_ro_after_init = { .lsm = "selinux", .id = LSM_ID_SELINUX, + .features = LSM_ATTR_CURRENT | LSM_ATTR_EXEC | LSM_ATTR_FSCREATE | + LSM_ATTR_KEYCREATE | LSM_ATTR_PREV | LSM_ATTR_SOCKCREATE, }; /* diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index c7ba80e20b8d..12ff27c00fe6 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c 
@@ -4791,6 +4791,7 @@ struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = { static struct lsm_id smack_lsmid __lsm_ro_after_init = { .lsm = "smack", .id = LSM_ID_SMACK, + .features = LSM_ATTR_CURRENT, }; static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
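Review bot: the LSM_ATTR_* macros in the include/uapi/linux/lsm.h hunk are defined as `(1UL << n)`, i.e. unsigned long, while the field that receives them in the include/linux/lsm_hooks.h hunk is `int features;`, so the OR of these flags is narrowed on assignment in every `.features = ...` initializer below. A UAPI header should also avoid the `UL` suffix altogether, because unsigned long is 32 bits for 32-bit user space and 64 bits for 64-bit user space. Suggest plain integer constants such as `(1 << 0)` with a fixed-width type (`__u32` in the UAPI header, `u32` for the member) and a member comment that names the LSM_ATTR_* flags it holds.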
From: Casey Schaufler
To: casey.schaufler@intel.com, paul@paul-moore.com, linux-security-module@vger.kernel.org
Cc: casey@schaufler-ca.com, jmorris@namei.org, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, mic@digikod.net
Subject: [PATCH v1 4/8] LSM: Maintain a table of LSM attribute data
Date: Tue, 25 Oct 2022 11:45:15 -0700
Message-Id: <20221025184519.13231-5-casey@schaufler-ca.com>
In-Reply-To: <20221025184519.13231-1-casey@schaufler-ca.com>
References: <20221025184519.13231-1-casey@schaufler-ca.com>

As LSMs are registered, add their lsm_id pointers to a table. This will be used later for attribute reporting.
Signed-off-by: Casey Schaufler --- include/linux/security.h | 17 +++++++++++++++++ security/security.c | 18 ++++++++++++++++++ 2 files changed, 35 insertions(+) diff --git a/include/linux/security.h b/include/linux/security.h index ca1b7109c0db..e1678594d983 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -138,6 +138,23 @@ enum lockdown_reason { extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1]; +#define LSMID_ENTRIES ( \ + 1 + /* capabilities */ \ + (IS_ENABLED(CONFIG_SECURITY_SELINUX) ? 1 : 0) + \ + (IS_ENABLED(CONFIG_SECURITY_SMACK) ? 1 : 0) + \ + (IS_ENABLED(CONFIG_SECURITY_TOMOYO) ? 1 : 0) + \ + (IS_ENABLED(CONFIG_SECURITY_IMA) ? 1 : 0) + \ + (IS_ENABLED(CONFIG_SECURITY_APPARMOR) ? 1 : 0) + \ + (IS_ENABLED(CONFIG_SECURITY_YAMA) ? 1 : 0) + \ + (IS_ENABLED(CONFIG_SECURITY_LOADPIN) ? 1 : 0) + \ + (IS_ENABLED(CONFIG_SECURITY_SAFESETID) ? 1 : 0) + \ + (IS_ENABLED(CONFIG_SECURITY_LOCKDOWN) ? 1 : 0) + \ + (IS_ENABLED(CONFIG_BPF_LSM) ? 1 : 0) + \ + (IS_ENABLED(CONFIG_SECURITY_LANDLOCK) ? 1 : 0)) + +extern int lsm_id; +extern struct lsm_id *lsm_idlist[]; + /* These functions are in security/commoncap.c */ extern int cap_capable(const struct cred *cred, struct user_namespace *ns, int cap, unsigned int opts); diff --git a/security/security.c b/security/security.c index b2eb0ccd954b..bf206996a2af 100644 --- a/security/security.c +++ b/security/security.c @@ -28,6 +28,7 @@ #include #include #include +#include #include #define MAX_LSM_EVM_XATTR 2 @@ -320,6 +321,12 @@ static void __init lsm_early_task(struct task_struct *task); static int lsm_append(const char *new, char **result); +/* + * Current index to use while initializing the lsm id list. + */ +int lsm_id __lsm_ro_after_init; +struct lsm_id *lsm_idlist[LSMID_ENTRIES] __lsm_ro_after_init; + static void __init ordered_lsm_init(void) { struct lsm_info **lsm; 
@@ -364,6 +371,7 @@ static void __init ordered_lsm_init(void) for (lsm = ordered_lsms; *lsm; lsm++) initialize_lsm(*lsm); + init_debug("lsm count = %d\n", lsm_id); kfree(ordered_lsms); } 
@@ -485,6 +493,16 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count, { int i; + /* + * A security module may call security_add_hooks() more + * than once. Landlock is one such case. + */ + if (lsm_id == 0 || lsm_idlist[lsm_id - 1] != lsmid) + lsm_idlist[lsm_id++] = lsmid; + + if (lsm_id > LSMID_ENTRIES) + panic("%s Too many LSMs registered.\n", __func__); + for (i = 0; i < count; i++) { hooks[i].lsmid = lsmid; hlist_add_tail_rcu(&hooks[i].list, hooks[i].head);
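Review bot: in the security_add_hooks() hunk the bounds check runs after the store: when lsm_id already equals LSMID_ENTRIES, `lsm_idlist[lsm_id++] = lsmid;` writes one element past the end of lsm_idlist and only then does `if (lsm_id > LSMID_ENTRIES)` panic. Move the check ahead of the write, e.g. `if (lsm_id >= LSMID_ENTRIES) panic(...);` inside the branch that appends, so the overflow is reported rather than performed. Also worth stating in the comment that `lsm_idlist[lsm_id - 1] != lsmid` only recognises repeated calls that are consecutive, which is what the Landlock case relies on.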
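Review bot: in the LSMID_ENTRIES macro in the include/linux/security.h hunk, check that CONFIG_SECURITY_IMA is the Kconfig symbol IMA is actually built under; IS_ENABLED() evaluates to 0 for a symbol that does not exist, so a wrong name silently undercounts and no build error results. Separately, the global `extern int lsm_id` shares its name with `struct lsm_id`, which makes `struct lsm_id *lsm_idlist[]` beside `int lsm_id` hard to read; a name such as `lsm_active_cnt` would say what it counts.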
bphyTl4aZ_wi70NeGbXks..mN7m6erGDkYHMOwBMpIAWXzFD6YzfcjrkI8P4I55iEiGAEJBM0JSJ mV_2iLO6rm9RtgPudZI3W_Pew.W_63IgY2c0AY2FupmbniQFnqTibWPziTo4bwMnceK0ENTc1oU. 2ySZc58c44gcE.TaRZwxM5KPLi6k9DK_4ZaASJ4BHJmzTfu059l2thDfNt4gw33JgtmUrPQhZaBT HO_IZrPRM.zeIopjUIB3c.23gYkqCYuFgdpE_dsa9HM1qzCANCmpw5I6U8oMYipcDYfas5YwM8a. R08I3KmT8xY4LRpcjjD_OYJLgdtgwjZhNSOWo1moWI6BmWoBuWqi0j766hgUKJSN_8VMsAA40TkG es9WV5yrxQJK_S7Q6JPFPmkYAnJUuMDl_LunUFHvZsttcfwween5qDj1urPH7TzW_CU7gC8W2dH. 2fD9j8g4RRHCLATbOq5Ono.SD77l.Q_aiHX6B2uSUG09Ok5YPfjVE06PNXHrpi_Lok4NRCUygb6I UT1By4KLha2lnzlJNE9Anxa2JEsncQ8Bu73ON3.FAhWKOHAmBI7BdSUSguAGGKbDsZ.VC8TYQc28 mGu3Nq1GzJuOtGhNXA5aSblydB5fYyLM3wU7uENqyQ9W5gt.62LTqqT1.j6tRktcKixzlInt6.K7 P8se5Eoc3l2boU244BAbLT9I3Qr0mqRM9__TD0nGNLO1LsohSUa13s_9QaPk8_uaWS9SWqlT9OKW 7Fetwp8rDIMzsh45tW2J3i1vUnGiBphmhJ.CbP2qQXllS9UPYxvcbeEby7vutGT1xOczip9atGuU 9xM8UXZLc19dxxz8nK7JZb2nnfm8gBxE_2C7ix2yKtPmeBc_tv.h_colEaStolfklMHVbYZ3g.8e yVmYvlZ_XqXW3GeRg8ckYnOBRdVHptMPO_DKkROJdDjYrioPchrwtVTCEhKsy55zizJKG4V6ppDZ EUbOvsdxZeaK0EcH2q0UKoAhS2FoWe5NU9X_a.96Rd2W4ukaPB3d7ChpS9KfWIVtNBpd7WKfxQAP 9fkenDbnZ510KVNyVAuyPRNFb_24RX7fCK2H7hMyj4rNxPomMsj55Ag3401YnQXNzqDTsWH4ZA0L jmy7lyizSEg6b7PDxMBUdY2llhPR1gzVh9ArehbAFewf51H_uX7gdo3v10Q1QrsctydisvumkuG5 oNwGDC2v.JKhO6QJBxT7UUKuypRHtwCyqjmgEO41f0I8oF2lAn6sboh3tJTnC56DwkR_9epH.jRM hmYpssqVJ6GbR.BjmQAa6jrjp X-Sonic-MF: Received: from sonic.gate.mail.ne1.yahoo.com by sonic308.consmr.mail.ne1.yahoo.com with HTTP; Tue, 25 Oct 2022 18:47:07 +0000 Received: by hermes--production-ne1-c47ffd5f5-mfswp (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID 6ff43769a0d5883148e3027385165ea8; Tue, 25 Oct 2022 18:47:02 +0000 (UTC) 
From: Casey Schaufler
To: casey.schaufler@intel.com, paul@paul-moore.com, linux-security-module@vger.kernel.org
Cc: casey@schaufler-ca.com, jmorris@namei.org, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, mic@digikod.net
Subject: [PATCH v1 5/8] proc: Use lsmids instead of lsm names for attrs
Date: Tue, 25 Oct 2022 11:45:16 -0700
Message-Id: <20221025184519.13231-6-casey@schaufler-ca.com>
In-Reply-To: <20221025184519.13231-1-casey@schaufler-ca.com>

Use the LSM ID number instead of the LSM name to identify which security module's attribute data should be shown in /proc/self/attr. The security_[gs]etprocattr() functions have been changed to expect the LSM ID. The change from a string comparison to an integer comparison in these functions will provide a minor performance improvement.

Signed-off-by: Casey Schaufler
---
 fs/proc/base.c | 29 +++++++++++++++--------------
 fs/proc/internal.h | 2 +-
 include/linux/security.h | 11 +++++------
 security/security.c | 11 +++++------
 4 files changed, 26 insertions(+), 27 deletions(-)
diff --git a/fs/proc/base.c b/fs/proc/base.c index 9e479d7d202b..e3dfcb9d68f2 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -96,6 +96,7 @@ #include #include #include +#include #include #include "internal.h" #include "fd.h"
@@ -145,10 +146,10 @@ struct pid_entry { NOD(NAME, (S_IFREG|(MODE)), \ NULL, &proc_single_file_operations, \ { .proc_show = show } ) -#define ATTR(LSM, NAME, MODE) \ +#define ATTR(LSMID, NAME, MODE) \ NOD(NAME, (S_IFREG|(MODE)), \ NULL, &proc_pid_attr_operations, \ - { .lsm = LSM }) + { .lsmid = LSMID }) /* * Count the number of hardlinks for the pid_entry table, excluding the . @@ -2730,7 +2731,7 @@ static ssize_t proc_pid_attr_read(struct file * file, char __user * buf, if (!task) return -ESRCH; - length = security_getprocattr(task, PROC_I(inode)->op.lsm, + length = security_getprocattr(task, PROC_I(inode)->op.lsmid, file->f_path.dentry->d_name.name, &p); put_task_struct(task); @@ -2788,7 +2789,7 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf, if (rv < 0) goto out_free; - rv = security_setprocattr(PROC_I(inode)->op.lsm, + rv = security_setprocattr(PROC_I(inode)->op.lsmid, file->f_path.dentry->d_name.name, page, count); mutex_unlock(¤t->signal->cred_guard_mutex); 
@@ -2837,27 +2838,27 @@ static const struct inode_operations proc_##LSM##_attr_dir_inode_ops = { \ #ifdef CONFIG_SECURITY_SMACK static const struct pid_entry smack_attr_dir_stuff[] = { - ATTR("smack", "current", 0666), + ATTR(LSM_ID_SMACK, "current", 0666), }; LSM_DIR_OPS(smack); #endif #ifdef CONFIG_SECURITY_APPARMOR static const struct pid_entry apparmor_attr_dir_stuff[] = { - ATTR("apparmor", "current", 0666), - ATTR("apparmor", "prev", 0444), - ATTR("apparmor", "exec", 0666), + ATTR(LSM_ID_APPARMOR, "current", 0666), + ATTR(LSM_ID_APPARMOR, "prev", 0444), + ATTR(LSM_ID_APPARMOR, "exec", 0666), }; LSM_DIR_OPS(apparmor); #endif static const struct pid_entry attr_dir_stuff[] = { - ATTR(NULL, "current", 0666), - ATTR(NULL, "prev", 0444), - ATTR(NULL, "exec", 0666), - ATTR(NULL, "fscreate", 0666), - ATTR(NULL, "keycreate", 0666), - ATTR(NULL, "sockcreate", 0666), + ATTR(LSM_ID_INVALID, "current", 0666), + ATTR(LSM_ID_INVALID, "prev", 0444), + ATTR(LSM_ID_INVALID, "exec", 0666), + ATTR(LSM_ID_INVALID, "fscreate", 0666), + ATTR(LSM_ID_INVALID, "keycreate", 0666), + ATTR(LSM_ID_INVALID, "sockcreate", 0666), #ifdef CONFIG_SECURITY_SMACK DIR("smack", 0555, proc_smack_attr_dir_inode_ops, proc_smack_attr_dir_ops), diff --git a/fs/proc/internal.h b/fs/proc/internal.h index b701d0207edf..18db9722c81b 100644 --- a/fs/proc/internal.h +++ b/fs/proc/internal.h @@ -92,7 +92,7 @@ union proc_op { int (*proc_show)(struct seq_file *m, struct pid_namespace *ns, struct pid *pid, struct task_struct *task); - const char *lsm; + int lsmid; }; struct proc_inode { diff --git a/include/linux/security.h b/include/linux/security.h index e1678594d983..8e0bf4a88553 100644 --- a/include/linux/security.h +++ b/include/linux/security.h 
@@ -481,10 +481,9 @@ int security_sem_semctl(struct kern_ipc_perm *sma, int cmd); int security_sem_semop(struct kern_ipc_perm *sma, struct sembuf *sops, unsigned nsops, int alter); void security_d_instantiate(struct dentry *dentry, struct inode *inode); -int security_getprocattr(struct task_struct *p, const char *lsm, const char *name, +int security_getprocattr(struct task_struct *p, int lsmid, const char *name, char **value); -int security_setprocattr(const char *lsm, const char *name, void *value, - size_t size); +int security_setprocattr(int lsmid, const char *name, void *value, size_t size); int security_netlink_send(struct sock *sk, struct sk_buff *skb); int security_ismaclabel(const char *name); int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen); @@ -1325,14 +1324,14 @@ static inline void security_d_instantiate(struct dentry *dentry, struct inode *inode) { } -static inline int security_getprocattr(struct task_struct *p, const char *lsm, +static inline int security_getprocattr(struct task_struct *p, int lsmid, const char *name, char **value) { return -EINVAL; } -static inline int security_setprocattr(const char *lsm, char *name, - void *value, size_t size) +static inline int security_setprocattr(int lsmid, char *name, void *value, + size_t size) { return -EINVAL; } diff --git a/security/security.c b/security/security.c index bf206996a2af..29d4fc6f789d 100644 --- a/security/security.c +++ b/security/security.c 
@@ -2082,26 +2082,25 @@ void security_d_instantiate(struct dentry *dentry, struct inode *inode) } EXPORT_SYMBOL(security_d_instantiate); -int security_getprocattr(struct task_struct *p, const char *lsm, - const char *name, char **value) +int security_getprocattr(struct task_struct *p, int lsmid, const char *name, + char **value) { struct security_hook_list *hp; hlist_for_each_entry(hp, &security_hook_heads.getprocattr, list) { - if (lsm != NULL && strcmp(lsm, hp->lsmid->lsm)) + if (lsmid != LSM_ID_INVALID && lsmid != hp->lsmid->id) continue; return hp->hook.getprocattr(p, name, value); } return LSM_RET_DEFAULT(getprocattr); } -int security_setprocattr(const char *lsm, const char *name, void *value, - size_t size) +int security_setprocattr(int lsmid, const char *name, void *value, size_t size) { struct security_hook_list *hp; hlist_for_each_entry(hp, &security_hook_heads.setprocattr, list) { - if (lsm != NULL && strcmp(lsm, hp->lsmid->lsm)) + if (lsmid != LSM_ID_INVALID && lsmid != hp->lsmid->id) continue; return hp->hook.setprocattr(name, value, size); } From patchwork Tue Oct 25 18:45:17 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 10936 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a5d:6687:0:0:0:0:0 with SMTP id l7csp1162062wru; Tue, 25 Oct 2022 11:49:21 -0700 (PDT) X-Google-Smtp-Source: AMsMyM5aggtcohGO4wf5hIPa9P7wYxQ0zklyoLN/duCaKPBoVyoL6cLi3Zi5aS6owvHNh0Xz1iTH X-Received: by 2002:a17:90b:4a47:b0:212:f7ef:1bd6 with SMTP id lb7-20020a17090b4a4700b00212f7ef1bd6mr17883669pjb.79.1666723761583; Tue, 25 Oct 2022 11:49:21 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1666723761; cv=none; d=google.com; s=arc-20160816; b=rsRN+9yotq9Xk336MZkmgqazahMpAwS/YRh1ZgJJufpw6SxHz8+Tsx6Cc4kCZXscTC naUk+EaAaiAUlPCs5rSeMMUQRWV39Fw+BWxNY/Tj+qhgabU37OGmETKIeUOPAYrVKGTq LwSZoPBg4unv5U74lFw0dSX5vHKsl7elbjFwgqq8Lzxw6h1K0M/ihMmxmrYGYOsUr/oL 
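Review bot: in the include/linux/security.h hunk, the !CONFIG_SECURITY stub keeps `char *name` while the CONFIG_SECURITY prototype on the same page now reads `int security_setprocattr(int lsmid, const char *name, void *value, size_t size);`. Since the stub's signature line is being rewritten anyway, change it to `const char *name` so both configurations present the same prototype to callers such as proc_pid_attr_write().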
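Review bot: in the security/security.c hunk, `if (lsmid != LSM_ID_INVALID && lsmid != hp->lsmid->id)` makes LSM_ID_INVALID mean "the first module that implements this hook", which is also what the `ATTR(LSM_ID_INVALID, ...)` rows in attr_dir_stuff in fs/proc/base.c rely on for the legacy /proc/self/attr entries. A one-line comment above each loop (or a dedicated wildcard name) would keep a later reader from treating LSM_ID_INVALID as an error value in these two functions.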
From: Casey Schaufler
To: casey.schaufler@intel.com, paul@paul-moore.com, linux-security-module@vger.kernel.org
Cc: casey@schaufler-ca.com, jmorris@namei.org, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, mic@digikod.net
Subject: [PATCH v1 6/8] LSM: lsm_self_attr syscall for LSM self attributes
Date: Tue, 25 Oct 2022 11:45:17 -0700
Message-Id: <20221025184519.13231-7-casey@schaufler-ca.com>
In-Reply-To: <20221025184519.13231-1-casey@schaufler-ca.com>

Create a system call lsm_self_attr() to provide the security module maintained attributes of the current process. Historically these attributes have been exposed to user space via entries in procfs under /proc/self/attr.

Attributes are provided as a collection of lsm_ctx structures which are placed into a user supplied buffer. Each structure identifies the security module providing the attribute, which of the possible attributes is provided, the size of the attribute, and finally the attribute value. The format of the attribute value is defined by the security module, but will always be \0 terminated. The ctx_len value will be larger than strlen(ctx).
 ------------------------------
 | unsigned int id            |
 ------------------------------
 | unsigned int flags         |
 ------------------------------
 | __kernel_size_t ctx_len    |
 ------------------------------
 | unsigned char ctx[ctx_len] |
 ------------------------------
 | unsigned int id            |
 ------------------------------
 | unsigned int flags         |
 ------------------------------
 | __kernel_size_t ctx_len    |
 ------------------------------
 | unsigned char ctx[ctx_len] |
 ------------------------------

Signed-off-by: Casey Schaufler
---
 include/linux/syscalls.h | 2 +
 include/uapi/linux/lsm.h | 21 ++++++
 kernel/sys_ni.c | 3 +
 security/Makefile | 1 +
 security/lsm_syscalls.c | 156 +++++++++++++++++++++++++++++++++++++++
 5 files changed, 183 insertions(+)
 create mode 100644 security/lsm_syscalls.c
diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h index a34b0f9a9972..2d9033e9e5a0 100644 --- a/include/linux/syscalls.h +++ b/include/linux/syscalls.h @@ -71,6 +71,7 @@ struct clone_args; struct open_how; struct mount_attr; struct landlock_ruleset_attr; +struct lsm_cxt; enum landlock_rule_type; #include @@ -1056,6 +1057,7 @@ asmlinkage long sys_memfd_secret(unsigned int flags); asmlinkage long sys_set_mempolicy_home_node(unsigned long start, unsigned long len, unsigned long home_node, unsigned long flags); +asmlinkage long sys_lsm_self_attr(struct lsm_ctx *ctx, size_t *size, int flags); /* * Architecture-specific system calls diff --git a/include/uapi/linux/lsm.h b/include/uapi/linux/lsm.h index 61e13b1b9ece..1d27fb5b7746 100644 --- a/include/uapi/linux/lsm.h +++ b/include/uapi/linux/lsm.h
@@ -9,6 +9,27 @@ #ifndef _UAPI_LINUX_LSM_H #define _UAPI_LINUX_LSM_H +#include +#include + +/** + * struct lsm_ctx - LSM context + * @id: the LSM id number, see LSM_ID_XXX + * @flags: context specifier and LSM specific flags + * @ctx_len: the size of @ctx + * @ctx: the LSM context, a nul terminated string + * + * @ctx in a nul terminated string. + * (strlen(@ctx) < @ctx_len) is always true. + * (strlen(@ctx) == @ctx_len + 1) is not guaranteed. + */ +struct lsm_ctx { + unsigned int id; + unsigned int flags; + __kernel_size_t ctx_len; + unsigned char ctx[]; +}; + /* * ID values to identify security modules. * A system may use more than one security module. diff --git a/kernel/sys_ni.c b/kernel/sys_ni.c index 860b2dcf3ac4..0fdb0341251d 100644 --- a/kernel/sys_ni.c +++ b/kernel/sys_ni.c @@ -262,6 +262,9 @@ COND_SYSCALL_COMPAT(recvmsg); /* mm/nommu.c, also with MMU */ COND_SYSCALL(mremap); +/* security/lsm_syscalls.c */ +COND_SYSCALL(lsm_self_attr); + /* security/keys/keyctl.c */ COND_SYSCALL(add_key); COND_SYSCALL(request_key); diff --git a/security/Makefile b/security/Makefile index 18121f8f85cd..59f238490665 100644 --- a/security/Makefile +++ b/security/Makefile @@ -7,6 +7,7 @@ obj-$(CONFIG_KEYS) += keys/ # always enable default capabilities obj-y += commoncap.o +obj-$(CONFIG_SECURITY) += lsm_syscalls.o obj-$(CONFIG_MMU) += min_addr.o # Object file lists diff --git a/security/lsm_syscalls.c b/security/lsm_syscalls.c new file mode 100644 index 000000000000..da0fab7065e2 --- /dev/null +++ b/security/lsm_syscalls.c 
@@ -0,0 +1,156 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* + * System calls implementing the Linux Security Module API. + * + * Copyright (C) 2022 Casey Schaufler + * Copyright (C) Intel Corporation + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +struct feature_map { + char *name; + int feature; +}; + +static const struct feature_map lsm_attr_names[] = { + { .name = "current", .feature = LSM_ATTR_CURRENT, }, + { .name = "exec", .feature = LSM_ATTR_EXEC, }, + { .name = "fscreate", .feature = LSM_ATTR_FSCREATE, }, + { .name = "keycreate", .feature = LSM_ATTR_KEYCREATE, }, + { .name = "prev", .feature = LSM_ATTR_PREV, }, + { .name = "sockcreate", .feature = LSM_ATTR_SOCKCREATE, }, +}; + +/** + * lsm_self_attr - Return current task's security module attributes + * @ctx: the LSM contexts + * @size: size of @ctx, updated on return + * @flags: reserved for future use, must be zero + * + * Returns the calling task's LSM contexts. On success this + * function returns the number of @ctx array elements. This value + * may be zero if there are no LSM contexts assigned. If @size is + * insufficient to contain the return data -E2BIG is returned and + * @size is set to the minimum required size. In all other cases + * a negative value indicating the error is returned. 
+ */ +SYSCALL_DEFINE3(lsm_self_attr, + struct lsm_ctx __user *, ctx, + size_t __user *, size, + int, flags) +{ + struct lsm_ctx *final = NULL; + struct lsm_ctx *interum; + struct lsm_ctx *ip; + void *curr; + char **interum_ctx; + char *cp; + size_t total_size = 0; + int count = 0; + int attr; + int len; + int rc = 0; + int i; + + interum = kzalloc(ARRAY_SIZE(lsm_attr_names) * lsm_id * + sizeof(*interum), GFP_KERNEL); + if (interum == NULL) + return -ENOMEM; + ip = interum; + + interum_ctx = kzalloc(ARRAY_SIZE(lsm_attr_names) * lsm_id * + sizeof(*interum_ctx), GFP_KERNEL); + if (interum_ctx == NULL) { + kfree(interum); + return -ENOMEM; + } + + for (attr = 0; attr < ARRAY_SIZE(lsm_attr_names); attr++) { + for (i = 0; i < lsm_id; i++) { + if ((lsm_idlist[i]->features & + lsm_attr_names[attr].feature) == 0) + continue; + + len = security_getprocattr(current, lsm_idlist[i]->id, + lsm_attr_names[attr].name, + &cp); + if (len <= 0) + continue; + + ip->id = lsm_idlist[i]->id; + ip->flags = lsm_attr_names[attr].feature; + /* space for terminating \0 is allocated below */ + ip->ctx_len = len + 1; + interum_ctx[count] = cp; + /* + * Security modules have been inconsistent about + * including the \0 terminator in the size. The + * context len has been adjusted to ensure there + * is one. + * At least one security module adds a \n at the + * end of a context to make it look nicer. Change + * that to a \0 so that user space doesn't have to + * work around it. Because of this meddling it is + * safe to assume that lsm_ctx.name is terminated + * and that strlen(lsm_ctx.name) < lsm.ctx_len. 
+ */ + total_size += sizeof(*interum) + ip->ctx_len; + cp = strnchr(cp, len, '\n'); + if (cp != NULL) + *cp = '\0'; + ip++; + count++; + } + } + + if (count == 0) + goto free_out; + + final = kzalloc(total_size, GFP_KERNEL); + if (final == NULL) { + rc = -ENOMEM; + goto free_out; + } + + curr = final; + ip = interum; + for (i = 0; i < count; i++) { + memcpy(curr, ip, sizeof(*interum)); + curr += sizeof(*interum); + memcpy(curr, interum_ctx[i], ip->ctx_len); + curr += ip->ctx_len; + ip++; + } + + if (get_user(len, size)) { + rc = -EFAULT; + goto free_out; + } + if (total_size > len) { + rc = -ERANGE; + goto free_out; + } + if (copy_to_user(ctx, final, total_size) != 0 || + put_user(total_size, size) != 0) + rc = -EFAULT; + else + rc = count; + +free_out: + for (i = 0; i < count; i++) + kfree(interum_ctx[i]); + kfree(interum_ctx); + kfree(interum); + kfree(final); + return rc; +} From patchwork Tue Oct 25 18:45:18 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 10938 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a5d:6687:0:0:0:0:0 with SMTP id l7csp1164849wru; Tue, 25 Oct 2022 11:57:09 -0700 (PDT) X-Google-Smtp-Source: AMsMyM4vrWvejya+3lVdxEZt0cfDwOtsOo7m7TrwPfioP4b4JREo1uFVwbvfpC04jBrs6H3V5WPj X-Received: by 2002:aa7:ce09:0:b0:461:5406:20e4 with SMTP id d9-20020aa7ce09000000b00461540620e4mr21367637edv.5.1666724229486; Tue, 25 Oct 2022 11:57:09 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1666724229; cv=none; d=google.com; s=arc-20160816; b=pMdw4Uc1v2q3QrfhYVcGA6zKm/a/r0amwWbXztWT+HgrTXsGSB8FtDb9/SDHpNawIR J/eVYhSnYfzTVI9S8nfahWNK/uZzhMeVjTZVyJGXossqeYURVlGbSLj2jqieTcLSDCMd XB+anBAadLvvU30gY6bnZX4t9VTcDvUtS5zNudzNjgZ82sd4xE4O6tjmmtfsIbeisJYy 6WOvQxlmLU4nv3egrS09YFI3GDEoJgHlmB+xqd4aytGvf5ei8vxYOuIWa3X72NdBFEZz Q7f+Ip6Qpcy8wlyjvpYRCtlcijkn1CMw8+LFLL0uxxFTENY5IgNonDtzI1cNzJ4ATm5P pTmQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; 
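Review bot: the forward declaration added to include/linux/syscalls.h is spelled `+struct lsm_cxt;` while the prototype in the second hunk of that file takes `struct lsm_ctx *ctx`. With the typo, `struct lsm_ctx` is first seen inside the parameter list, so the compiler warns that it is declared in the prototype's own scope and the declaration does not match the real type from the UAPI header. It should read `struct lsm_ctx;`.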
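Review bot: in the include/uapi/linux/lsm.h hunk, the kernel-doc for struct lsm_ctx says `(strlen(@ctx) == @ctx_len + 1) is not guaranteed`, which cannot hold when the previous line states `(strlen(@ctx) < @ctx_len) is always true`; presumably `(strlen(@ctx) + 1 == @ctx_len)` was meant, and `@ctx in a nul terminated string` should read `is`. The same comment should also state how records are laid out in the buffer: lsm_self_attr() advances by `sizeof(*interum) + ip->ctx_len` with no padding, so a record following an odd-length context has its __kernel_size_t ctx_len unaligned, and user space must memcpy each header rather than cast a pointer into the buffer (or the kernel should round ctx_len up to the struct alignment).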
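Review bot: in the security/lsm_syscalls.c hunk, the kernel-doc promises -E2BIG with @size updated to the required length when the buffer is too small, but the body does `if (total_size > len) { rc = -ERANGE; goto free_out; }` without the put_user, so a caller cannot size its buffer by retrying; lsm_module_list in the following patch does the put_user first and then returns -E2BIG, and this function should match. Three more points in the same function: `int len` receives `get_user(len, size)` from a `size_t __user *` and is then compared with the size_t total_size, so a user value above INT_MAX or a negative value yields a wrong comparison (use a size_t, as lsm_module_list does); `memcpy(curr, interum_ctx[i], ip->ctx_len)` copies `len + 1` bytes from the buffer the module returned, which relies on every module having allocated a terminator beyond `len`, the very inconsistency the comment above it describes (copy `ctx_len - 1` bytes and let the kzalloc'd zero supply the NUL, which is what "space for terminating \0 is allocated below" already implies); and `flags` is documented as "must be zero" but never checked, so rejecting non-zero values with -EINVAL now is what keeps the field usable later.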
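As an added example, not code from the patch series, the following user-space walker parses the lsm_ctx record stream that the commit message for 6/8 describes (id, flags, ctx_len, then ctx[ctx_len], repeated). It redeclares the fixed header fields locally so it builds without the patched headers, uses placeholder numeric values in place of the LSM_ID_* and LSM_ATTR_* constants, and feeds itself a constructed two-record buffer instead of calling the new syscall. It checks the terminator guarantee rather than trusting it, and reads each header with memcpy so the second record, which starts at an unaligned offset, is handled correctly.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed part of struct lsm_ctx from the patch; __kernel_size_t is size_t in
 * user space. The ctx[ctx_len] bytes follow the header immediately. */
struct lsm_ctx_hdr {
	unsigned int id;
	unsigned int flags;
	size_t ctx_len;
};

/* Placeholder values standing in for LSM_ID_SMACK, LSM_ID_APPARMOR and
 * LSM_ATTR_CURRENT; the real values live in the patched UAPI header. */
#define EX_LSM_ID_SMACK    100u
#define EX_LSM_ID_APPARMOR 101u
#define EX_ATTR_CURRENT    1u
#define MAX_RECS           16

struct parsed_rec {
	unsigned int id;
	unsigned int flags;
	size_t ctx_len;
	const char *ctx;	/* points into the caller's buffer */
};

/* Walk a record stream. Returns the record count, or -1 when the stream is
 * malformed: truncated header, ctx_len overrunning the buffer, or no NUL
 * inside ctx_len. Headers are copied out, so unaligned records are fine. */
int walk_lsm_ctx(const unsigned char *buf, size_t size,
		 struct parsed_rec *out, int max)
{
	size_t off = 0;
	int n = 0;

	while (off < size) {
		struct lsm_ctx_hdr hdr;

		if (size - off < sizeof(hdr) || n >= max)
			return -1;
		memcpy(&hdr, buf + off, sizeof(hdr));
		off += sizeof(hdr);
		if (hdr.ctx_len > size - off)
			return -1;
		/* The patch promises strlen(ctx) < ctx_len; verify, don't trust. */
		if (hdr.ctx_len == 0 || memchr(buf + off, '\0', hdr.ctx_len) == NULL)
			return -1;
		out[n].id = hdr.id;
		out[n].flags = hdr.flags;
		out[n].ctx_len = hdr.ctx_len;
		out[n].ctx = (const char *)(buf + off);
		off += hdr.ctx_len;
		n++;
	}
	return n;
}

/* Append one record; ctx_len = strlen(ctx) + 1, as the patch sets it. */
static size_t put_rec(unsigned char *buf, size_t off, unsigned int id,
		      unsigned int flags, const char *ctx)
{
	struct lsm_ctx_hdr hdr = { id, flags, strlen(ctx) + 1 };

	memcpy(buf + off, &hdr, sizeof(hdr));
	off += sizeof(hdr);
	memcpy(buf + off, ctx, hdr.ctx_len);
	return off + hdr.ctx_len;
}

/* Constructed sample stream: two records, the second at an unaligned offset. */
static unsigned char sample_buf[64];

size_t build_sample(void)
{
	size_t off = 0;

	off = put_rec(sample_buf, off, EX_LSM_ID_SMACK, EX_ATTR_CURRENT, "System");
	off = put_rec(sample_buf, off, EX_LSM_ID_APPARMOR, EX_ATTR_CURRENT, "unconfined");
	return off;
}

/* trim: bytes to cut from the end, to simulate a truncated buffer. */
static int parse_sample(struct parsed_rec *recs, size_t trim)
{
	size_t size = build_sample();

	return walk_lsm_ctx(sample_buf, size - trim, recs, MAX_RECS);
}

int sample_record_count(void)
{
	struct parsed_rec recs[MAX_RECS];

	return parse_sample(recs, 0);
}

unsigned int sample_record_id(int idx)
{
	struct parsed_rec recs[MAX_RECS];
	int n = parse_sample(recs, 0);

	return (idx >= 0 && idx < n) ? recs[idx].id : 0;
}

int truncated_is_rejected(void)
{
	struct parsed_rec recs[MAX_RECS];

	return parse_sample(recs, 1) == -1;	/* last ctx_len overruns */
}

int main(void)
{
	struct parsed_rec recs[MAX_RECS];
	int n = parse_sample(recs, 0);
	int i;

	for (i = 0; i < n; i++)
		printf("lsm id %u flags %u ctx_len %zu ctx \"%s\"\n",
		       recs[i].id, recs[i].flags, recs[i].ctx_len, recs[i].ctx);
	return n < 0;
}
```

Against a real kernel carrying the patch, the only change needed is to replace build_sample() with the syscall's output buffer and the placeholder ids with the LSM_ID_* values from <linux/lsm.h>; the walker's bounds and terminator checks stay the same.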
From: Casey Schaufler
To: casey.schaufler@intel.com, paul@paul-moore.com, linux-security-module@vger.kernel.org
Cc: casey@schaufler-ca.com, jmorris@namei.org, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, mic@digikod.net
Subject: [PATCH v1 7/8] LSM: Create lsm_module_list system call
Date: Tue, 25 Oct 2022 11:45:18 -0700
Message-Id: <20221025184519.13231-8-casey@schaufler-ca.com>
In-Reply-To: <20221025184519.13231-1-casey@schaufler-ca.com>

Create a system call to report the list of Linux Security Modules that are active on the system. The list is provided as an array of LSM ID numbers. The calling application can use this list to determine what LSM specific actions it might take. That might include choosing an output format, determining required privilege or bypassing security module specific behavior.

Signed-off-by: Casey Schaufler
---
 include/linux/syscalls.h | 1 +
 kernel/sys_ni.c | 1 +
 security/lsm_syscalls.c | 38 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 40 insertions(+)
diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h index 2d9033e9e5a0..02bb82142e24 100644 --- a/include/linux/syscalls.h +++ b/include/linux/syscalls.h
@@ -1058,6 +1058,7 @@ asmlinkage long sys_set_mempolicy_home_node(unsigned long start, unsigned long l unsigned long home_node, unsigned long flags); asmlinkage long sys_lsm_self_attr(struct lsm_ctx *ctx, size_t *size, int flags); +asmlinkage long sys_lsm_module_list(unsigned int *ids, size_t *size, int flags); /* * Architecture-specific system calls diff --git a/kernel/sys_ni.c b/kernel/sys_ni.c index 0fdb0341251d..bde9e74a3473 100644 --- a/kernel/sys_ni.c +++ b/kernel/sys_ni.c @@ -264,6 +264,7 @@ COND_SYSCALL(mremap); /* security/lsm_syscalls.c */ COND_SYSCALL(lsm_self_attr); +COND_SYSCALL(lsm_module_list); /* security/keys/keyctl.c */ COND_SYSCALL(add_key); diff --git a/security/lsm_syscalls.c b/security/lsm_syscalls.c index da0fab7065e2..cd5db370b974 100644 --- a/security/lsm_syscalls.c +++ b/security/lsm_syscalls.c 
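Review bot: the prototype added to include/linux/syscalls.h declares the last parameter as `int flags`, but the SYSCALL_DEFINE3 body in security/lsm_syscalls.c declares it `unsigned int, flags`; the two should agree, so change the prototype to `asmlinkage long sys_lsm_module_list(unsigned int *ids, size_t *size, unsigned int flags);`. The pointer parameters also lack the `__user` annotation the definition carries (`unsigned int __user *ids, size_t __user *size`); the existing sys_lsm_self_attr prototype directly above has the same omission, so if the style is kept for consistency it is worth fixing both together so sparse can check the user-pointer usage.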
@@ -154,3 +154,41 @@ SYSCALL_DEFINE3(lsm_self_attr, kfree(final); return rc; } + +/** + * lsm_module_list - Return a list of the active security modules + * @ids: the LSM module ids + * @size: size of @ids, updated on return + * @flags: reserved for future use, must be zero + * + * Returns a list of the active LSM ids. On success this function + * returns the number of @ids array elements. This value may be zero + * if there are no LSMs active. If @size is insufficient to contain + * the return data -E2BIG is returned and @size is set to the minimum + * required size. In all other cases a negative value indicating the + * error is returned. + */ +SYSCALL_DEFINE3(lsm_module_list, + unsigned int __user *, ids, + size_t __user *, size, + unsigned int, flags) +{ + size_t total_size = lsm_id * sizeof(*ids); + size_t usize; + int i; + + if (get_user(usize, size)) + return -EFAULT; + + if (put_user(total_size, size) != 0) + return -EFAULT; + + if (usize < total_size) + return -E2BIG; + + for (i = 0; i < lsm_id; i++) + if (put_user(lsm_idlist[i]->id, ids++)) + return -EFAULT; + + return lsm_id; +}
From patchwork Tue Oct 25 18:45:19 2022
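Review bot: the kernel-doc for lsm_module_list says @flags is "reserved for future use, must be zero", but the body never checks it; add `if (flags) return -EINVAL;` before the first get_user() so that callers passing garbage fail today, otherwise any meaning later assigned to a flag bit silently changes behaviour for existing binaries. A style point in the same hunk: `put_user(lsm_idlist[i]->id, ids++)` places a side effect inside a macro argument, which kernel style avoids; `&ids[i]` is clearer and removes any dependence on how put_user() evaluates its pointer argument.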
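To show how a user-space program would consume the contract described in the message above (probe for the required size, handle -E2BIG, then fetch the ids), here is an added C example; it is not part of Casey's patch or of the kernel tree. Because no released kernel wires lsm_module_list under the numbers used in this series, the kernel side is replaced by `emulated_lsm_module_list()`, a constructed stand-in that follows the kernel-doc semantics over a made-up table of three ids (100, 101, 102). The flags check in the stand-in is our addition, following the "must be zero" wording of the kernel-doc. `query_lsm_ids()` is the two-call pattern a real program would use with syscall(2) in place of the emulation.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the kernel's table of active LSMs: three made-up ids. */
static const unsigned int fake_lsm_ids[] = { 100, 101, 102 };
#define FAKE_LSM_COUNT (sizeof(fake_lsm_ids) / sizeof(fake_lsm_ids[0]))

/*
 * User-space emulation of the lsm_module_list() contract from the patch's
 * kernel-doc: return the number of ids on success with *size set to the
 * bytes needed; if the caller's *size is too small, set *size to the
 * required size and return -E2BIG. The flags check is our addition: the
 * kernel-doc says flags "must be zero", so a non-zero value is rejected.
 */
long emulated_lsm_module_list(unsigned int *ids, size_t *size, unsigned int flags)
{
	size_t total_size = FAKE_LSM_COUNT * sizeof(*ids);
	size_t usize;

	if (flags != 0)
		return -EINVAL;
	if (size == NULL)		/* get_user() would fail on a bad pointer */
		return -EFAULT;
	usize = *size;
	*size = total_size;		/* always report the required size */
	if (usize < total_size)
		return -E2BIG;
	if (total_size > 0) {
		if (ids == NULL)	/* put_user() would fail on a bad pointer */
			return -EFAULT;
		memcpy(ids, fake_lsm_ids, total_size);
	}
	return (long)FAKE_LSM_COUNT;
}

/*
 * Caller-side pattern: probe with size 0, allocate exactly what was asked
 * for, then call again. On success *out points at a malloc'd array the
 * caller frees, and the return value is the element count; a negative
 * return is -errno.
 */
long query_lsm_ids(unsigned int **out)
{
	size_t size = 0;
	unsigned int *buf;
	long rc = emulated_lsm_module_list(NULL, &size, 0);

	*out = NULL;
	if (rc >= 0)			/* zero LSMs active: nothing to fetch */
		return rc;
	if (rc != -E2BIG)
		return rc;
	buf = malloc(size);
	if (buf == NULL)
		return -ENOMEM;
	rc = emulated_lsm_module_list(buf, &size, 0);
	if (rc < 0) {
		free(buf);
		return rc;
	}
	*out = buf;
	return rc;
}

int main(void)
{
	unsigned int *ids;
	long n = query_lsm_ids(&ids);
	long i;

	if (n < 0) {
		fprintf(stderr, "lsm_module_list: %s\n", strerror((int)-n));
		return 1;
	}
	for (i = 0; i < n; i++)
		printf("active LSM id %u\n", ids[i]);
	free(ids);
	return 0;
}
```

The probe call passes a NULL buffer on purpose: with @size of zero the kernel-side logic reports -E2BIG and the required size before it ever writes an id, so the caller learns how much to allocate without guessing. A caller that sizes its buffer from a cached count instead of re-probing should still be prepared for -E2BIG, since the set of active modules is decided at boot and the binary may run on a kernel with a different configuration.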
From: Casey Schaufler
To: casey.schaufler@intel.com, paul@paul-moore.com, linux-security-module@vger.kernel.org
Cc: casey@schaufler-ca.com, jmorris@namei.org, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, mic@digikod.net
Subject: [PATCH v1 8/8] lsm: wireup syscalls lsm_self_attr and lsm_module_list
Date: Tue, 25 Oct 2022 11:45:19 -0700
Message-Id: <20221025184519.13231-9-casey@schaufler-ca.com>
In-Reply-To: <20221025184519.13231-1-casey@schaufler-ca.com>
References: <20221025184519.13231-1-casey@schaufler-ca.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Wireup two syscalls for Linux Security Modules.
Signed-off-by: Casey Schaufler Acked-by: Geert Uytterhoeven # m68k --- arch/alpha/kernel/syscalls/syscall.tbl | 2 ++ arch/arm/tools/syscall.tbl | 2 ++ arch/arm64/include/asm/unistd32.h | 2 ++ arch/ia64/kernel/syscalls/syscall.tbl | 2 ++ arch/m68k/kernel/syscalls/syscall.tbl | 2 ++ arch/microblaze/kernel/syscalls/syscall.tbl | 2 ++ arch/mips/kernel/syscalls/syscall_n32.tbl | 2 ++ arch/mips/kernel/syscalls/syscall_n64.tbl | 2 ++ arch/mips/kernel/syscalls/syscall_o32.tbl | 2 ++ arch/parisc/kernel/syscalls/syscall.tbl | 2 ++ arch/powerpc/kernel/syscalls/syscall.tbl | 2 ++ arch/s390/kernel/syscalls/syscall.tbl | 2 ++ arch/sh/kernel/syscalls/syscall.tbl | 2 ++ arch/sparc/kernel/syscalls/syscall.tbl | 2 ++ arch/x86/entry/syscalls/syscall_32.tbl | 2 ++ arch/x86/entry/syscalls/syscall_64.tbl | 2 ++ arch/xtensa/kernel/syscalls/syscall.tbl | 2 ++ include/uapi/asm-generic/unistd.h | 5 ++++- tools/perf/arch/mips/entry/syscalls/syscall_n64.tbl | 2 ++ tools/perf/arch/powerpc/entry/syscalls/syscall.tbl | 2 ++ tools/perf/arch/s390/entry/syscalls/syscall.tbl | 2 ++ tools/perf/arch/x86/entry/syscalls/syscall_64.tbl | 2 ++ 22 files changed, 46 insertions(+), 1 deletion(-) diff --git a/arch/alpha/kernel/syscalls/syscall.tbl b/arch/alpha/kernel/syscalls/syscall.tbl index 8ebacf37a8cf..41e4f3704ccf 100644 --- a/arch/alpha/kernel/syscalls/syscall.tbl +++ b/arch/alpha/kernel/syscalls/syscall.tbl @@ -490,3 +490,5 @@ 558 common process_mrelease sys_process_mrelease 559 common futex_waitv sys_futex_waitv 560 common set_mempolicy_home_node sys_ni_syscall +561 common lsm_self_attr sys_lsm_self_attr +562 common lsm_module_list sys_lsm_module_list diff --git a/arch/arm/tools/syscall.tbl b/arch/arm/tools/syscall.tbl index ac964612d8b0..20d551be0b67 100644 --- a/arch/arm/tools/syscall.tbl +++ b/arch/arm/tools/syscall.tbl 
@@ -464,3 +464,5 @@ 448 common process_mrelease sys_process_mrelease 449 common futex_waitv sys_futex_waitv 450 common set_mempolicy_home_node sys_set_mempolicy_home_node +451 common lsm_self_attr sys_lsm_self_attr +452 common lsm_module_list sys_lsm_module_list diff --git a/arch/arm64/include/asm/unistd32.h b/arch/arm64/include/asm/unistd32.h index 604a2053d006..366451dc8307 100644 --- a/arch/arm64/include/asm/unistd32.h +++ b/arch/arm64/include/asm/unistd32.h @@ -907,6 +907,8 @@ __SYSCALL(__NR_process_mrelease, sys_process_mrelease) __SYSCALL(__NR_futex_waitv, sys_futex_waitv) #define __NR_set_mempolicy_home_node 450 __SYSCALL(__NR_set_mempolicy_home_node, sys_set_mempolicy_home_node) +#define __NR_lsm_attr_set 451 +__SYSCALL(__NR_lsm_attr_set, sys_lsm_attr_set) /* * Please add new compat syscalls above this comment and update diff --git a/arch/ia64/kernel/syscalls/syscall.tbl b/arch/ia64/kernel/syscalls/syscall.tbl index 72c929d9902b..a2ccef8e1eb1 100644 --- a/arch/ia64/kernel/syscalls/syscall.tbl +++ b/arch/ia64/kernel/syscalls/syscall.tbl @@ -371,3 +371,5 @@ 448 common process_mrelease sys_process_mrelease 449 common futex_waitv sys_futex_waitv 450 common set_mempolicy_home_node sys_set_mempolicy_home_node +451 common lsm_self_attr sys_lsm_self_attr +452 common lsm_module_list sys_lsm_module_list diff --git a/arch/m68k/kernel/syscalls/syscall.tbl b/arch/m68k/kernel/syscalls/syscall.tbl index b1f3940bc298..59b977b3fa04 100644 --- a/arch/m68k/kernel/syscalls/syscall.tbl +++ b/arch/m68k/kernel/syscalls/syscall.tbl @@ -450,3 +450,5 @@ 448 common process_mrelease sys_process_mrelease 449 common futex_waitv sys_futex_waitv 450 common set_mempolicy_home_node sys_set_mempolicy_home_node +451 common lsm_self_attr sys_lsm_self_attr +452 common lsm_module_list sys_lsm_module_list diff --git a/arch/microblaze/kernel/syscalls/syscall.tbl b/arch/microblaze/kernel/syscalls/syscall.tbl index 820145e47350..82c39a22e38b 100644 --- a/arch/microblaze/kernel/syscalls/syscall.tbl 
+++ b/arch/microblaze/kernel/syscalls/syscall.tbl @@ -456,3 +456,5 @@ 448 common process_mrelease sys_process_mrelease 449 common futex_waitv sys_futex_waitv 450 common set_mempolicy_home_node sys_set_mempolicy_home_node +451 common lsm_self_attr sys_lsm_self_attr +452 common lsm_module_list sys_lsm_module_list diff --git a/arch/mips/kernel/syscalls/syscall_n32.tbl b/arch/mips/kernel/syscalls/syscall_n32.tbl index 253ff994ed2e..f973b69e7dbe 100644 --- a/arch/mips/kernel/syscalls/syscall_n32.tbl +++ b/arch/mips/kernel/syscalls/syscall_n32.tbl @@ -389,3 +389,5 @@ 448 n32 process_mrelease sys_process_mrelease 449 n32 futex_waitv sys_futex_waitv 450 n32 set_mempolicy_home_node sys_set_mempolicy_home_node +451 n32 lsm_self_attr sys_lsm_self_attr +452 n32 lsm_module_list sys_lsm_module_list diff --git a/arch/mips/kernel/syscalls/syscall_n64.tbl b/arch/mips/kernel/syscalls/syscall_n64.tbl index 3f1886ad9d80..567035293634 100644 --- a/arch/mips/kernel/syscalls/syscall_n64.tbl +++ b/arch/mips/kernel/syscalls/syscall_n64.tbl @@ -365,3 +365,5 @@ 448 n64 process_mrelease sys_process_mrelease 449 n64 futex_waitv sys_futex_waitv 450 common set_mempolicy_home_node sys_set_mempolicy_home_node +451 n64 lsm_self_attr sys_lsm_self_attr +452 n64 lsm_module_list sys_lsm_module_list diff --git a/arch/mips/kernel/syscalls/syscall_o32.tbl b/arch/mips/kernel/syscalls/syscall_o32.tbl index 8f243e35a7b2..22019aa08696 100644 --- a/arch/mips/kernel/syscalls/syscall_o32.tbl +++ b/arch/mips/kernel/syscalls/syscall_o32.tbl @@ -438,3 +438,5 @@ 448 o32 process_mrelease sys_process_mrelease 449 o32 futex_waitv sys_futex_waitv 450 o32 set_mempolicy_home_node sys_set_mempolicy_home_node +451 o32 lsm_self_attr sys_lsm_self_attr +452 o32 lsm_module_list sys_lsm_module_list diff --git a/arch/parisc/kernel/syscalls/syscall.tbl b/arch/parisc/kernel/syscalls/syscall.tbl index 8a99c998da9b..e52c292923f6 100644 --- a/arch/parisc/kernel/syscalls/syscall.tbl +++ b/arch/parisc/kernel/syscalls/syscall.tbl 
@@ -448,3 +448,5 @@ 448 common process_mrelease sys_process_mrelease 449 common futex_waitv sys_futex_waitv 450 common set_mempolicy_home_node sys_set_mempolicy_home_node +451 common lsm_self_attr sys_lsm_self_attr +452 common lsm_module_list sys_lsm_module_list diff --git a/arch/powerpc/kernel/syscalls/syscall.tbl b/arch/powerpc/kernel/syscalls/syscall.tbl index e9e0df4f9a61..099489ee5c45 100644 --- a/arch/powerpc/kernel/syscalls/syscall.tbl +++ b/arch/powerpc/kernel/syscalls/syscall.tbl @@ -534,3 +534,5 @@ 448 common process_mrelease sys_process_mrelease 449 common futex_waitv sys_futex_waitv 450 nospu set_mempolicy_home_node sys_set_mempolicy_home_node +451 common lsm_self_attr sys_lsm_self_attr +452 common lsm_module_list sys_lsm_module_list diff --git a/arch/s390/kernel/syscalls/syscall.tbl b/arch/s390/kernel/syscalls/syscall.tbl index 799147658dee..eaba1ed5654e 100644 --- a/arch/s390/kernel/syscalls/syscall.tbl +++ b/arch/s390/kernel/syscalls/syscall.tbl @@ -453,3 +453,5 @@ 448 common process_mrelease sys_process_mrelease sys_process_mrelease 449 common futex_waitv sys_futex_waitv sys_futex_waitv 450 common set_mempolicy_home_node sys_set_mempolicy_home_node sys_set_mempolicy_home_node +451 common lsm_self_attr sys_lsm_self_attr sys_lsm_self_attr +452 common lsm_module_list sys_lsm_module_list sys_lsm_module_list diff --git a/arch/sh/kernel/syscalls/syscall.tbl b/arch/sh/kernel/syscalls/syscall.tbl index 2de85c977f54..b84c60d96f78 100644 --- a/arch/sh/kernel/syscalls/syscall.tbl +++ b/arch/sh/kernel/syscalls/syscall.tbl @@ -453,3 +453,5 @@ 448 common process_mrelease sys_process_mrelease 449 common futex_waitv sys_futex_waitv 450 common set_mempolicy_home_node sys_set_mempolicy_home_node +451 common lsm_self_attr sys_lsm_self_attr +452 common lsm_module_list sys_lsm_module_list diff --git a/arch/sparc/kernel/syscalls/syscall.tbl b/arch/sparc/kernel/syscalls/syscall.tbl index 4398cc6fb68d..f0831bf811e3 100644 --- a/arch/sparc/kernel/syscalls/syscall.tbl 
+++ b/arch/sparc/kernel/syscalls/syscall.tbl @@ -496,3 +496,5 @@ 448 common process_mrelease sys_process_mrelease 449 common futex_waitv sys_futex_waitv 450 common set_mempolicy_home_node sys_set_mempolicy_home_node +451 common lsm_self_attr sys_lsm_self_attr +452 common lsm_module_list sys_lsm_module_list diff --git a/arch/x86/entry/syscalls/syscall_32.tbl b/arch/x86/entry/syscalls/syscall_32.tbl index 320480a8db4f..259509a0e23d 100644 --- a/arch/x86/entry/syscalls/syscall_32.tbl +++ b/arch/x86/entry/syscalls/syscall_32.tbl @@ -455,3 +455,5 @@ 448 i386 process_mrelease sys_process_mrelease 449 i386 futex_waitv sys_futex_waitv 450 i386 set_mempolicy_home_node sys_set_mempolicy_home_node +451 i386 lsm_self_attr sys_lsm_self_attr +452 i386 lsm_module_list sys_lsm_module_list diff --git a/arch/x86/entry/syscalls/syscall_64.tbl b/arch/x86/entry/syscalls/syscall_64.tbl index c84d12608cd2..40b35e7069a7 100644 --- a/arch/x86/entry/syscalls/syscall_64.tbl +++ b/arch/x86/entry/syscalls/syscall_64.tbl @@ -372,6 +372,8 @@ 448 common process_mrelease sys_process_mrelease 449 common futex_waitv sys_futex_waitv 450 common set_mempolicy_home_node sys_set_mempolicy_home_node +451 common lsm_self_attr sys_lsm_self_attr +452 common lsm_module_list sys_lsm_module_list # # Due to a historical design error, certain syscalls are numbered differently diff --git a/arch/xtensa/kernel/syscalls/syscall.tbl b/arch/xtensa/kernel/syscalls/syscall.tbl index 52c94ab5c205..f0c76d05b768 100644 --- a/arch/xtensa/kernel/syscalls/syscall.tbl +++ b/arch/xtensa/kernel/syscalls/syscall.tbl @@ -421,3 +421,5 @@ 448 common process_mrelease sys_process_mrelease 449 common futex_waitv sys_futex_waitv 450 common set_mempolicy_home_node sys_set_mempolicy_home_node +451 common lsm_self_attr sys_lsm_self_attr +452 common lsm_module_list sys_lsm_module_list diff --git a/include/uapi/asm-generic/unistd.h b/include/uapi/asm-generic/unistd.h index 45fa180cc56a..aa66718e1b48 100644 
--- a/include/uapi/asm-generic/unistd.h +++ b/include/uapi/asm-generic/unistd.h @@ -886,8 +886,11 @@ __SYSCALL(__NR_futex_waitv, sys_futex_waitv) #define __NR_set_mempolicy_home_node 450 __SYSCALL(__NR_set_mempolicy_home_node, sys_set_mempolicy_home_node) +#define __NR_lsm_self_attr 451 +__SYSCALL(__NR_lsm_self_attr, sys_lsm_self_attr) + #undef __NR_syscalls -#define __NR_syscalls 451 +#define __NR_syscalls 452 /* * 32 bit systems traditionally used different diff --git a/tools/perf/arch/mips/entry/syscalls/syscall_n64.tbl b/tools/perf/arch/mips/entry/syscalls/syscall_n64.tbl index 3f1886ad9d80..567035293634 100644 --- a/tools/perf/arch/mips/entry/syscalls/syscall_n64.tbl +++ b/tools/perf/arch/mips/entry/syscalls/syscall_n64.tbl @@ -365,3 +365,5 @@ 448 n64 process_mrelease sys_process_mrelease 449 n64 futex_waitv sys_futex_waitv 450 common set_mempolicy_home_node sys_set_mempolicy_home_node +451 n64 lsm_self_attr sys_lsm_self_attr +452 n64 lsm_module_list sys_lsm_module_list diff --git a/tools/perf/arch/powerpc/entry/syscalls/syscall.tbl b/tools/perf/arch/powerpc/entry/syscalls/syscall.tbl index 2bca64f96164..7b779080acbe 100644 --- a/tools/perf/arch/powerpc/entry/syscalls/syscall.tbl +++ b/tools/perf/arch/powerpc/entry/syscalls/syscall.tbl @@ -530,3 +530,5 @@ 448 common process_mrelease sys_process_mrelease 449 common futex_waitv sys_futex_waitv 450 nospu set_mempolicy_home_node sys_set_mempolicy_home_node +451 common lsm_self_attr sys_lsm_self_attr +452 common lsm_module_list sys_lsm_module_list diff --git a/tools/perf/arch/s390/entry/syscalls/syscall.tbl b/tools/perf/arch/s390/entry/syscalls/syscall.tbl index 799147658dee..eaba1ed5654e 100644 --- a/tools/perf/arch/s390/entry/syscalls/syscall.tbl +++ b/tools/perf/arch/s390/entry/syscalls/syscall.tbl 
@@ -453,3 +453,5 @@ 448 common process_mrelease sys_process_mrelease sys_process_mrelease 449 common futex_waitv sys_futex_waitv sys_futex_waitv 450 common set_mempolicy_home_node sys_set_mempolicy_home_node sys_set_mempolicy_home_node +451 common lsm_self_attr sys_lsm_self_attr sys_lsm_self_attr +452 common lsm_module_list sys_lsm_module_list sys_lsm_module_list diff --git a/tools/perf/arch/x86/entry/syscalls/syscall_64.tbl b/tools/perf/arch/x86/entry/syscalls/syscall_64.tbl index c84d12608cd2..40b35e7069a7 100644 --- a/tools/perf/arch/x86/entry/syscalls/syscall_64.tbl +++ b/tools/perf/arch/x86/entry/syscalls/syscall_64.tbl @@ -372,6 +372,8 @@ 448 common process_mrelease sys_process_mrelease 449 common futex_waitv sys_futex_waitv 450 common set_mempolicy_home_node sys_set_mempolicy_home_node +451 common lsm_self_attr sys_lsm_self_attr +452 common lsm_module_list sys_lsm_module_list # # Due to a historical design error, certain syscalls are numbered differently
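Review bot: the arch/arm64/include/asm/unistd32.h hunk wires the wrong names and only one of the two calls: it adds `#define __NR_lsm_attr_set 451` and `__SYSCALL(__NR_lsm_attr_set, sys_lsm_attr_set)`, but nothing in this series defines sys_lsm_attr_set (patch 7/8 and the rest of this patch use sys_lsm_self_attr and sys_lsm_module_list), so an arm64 build with CONFIG_COMPAT will fail to resolve it, and 32-bit callers on arm64 get no lsm_module_list at all. It should read `#define __NR_lsm_self_attr 451` / `__SYSCALL(__NR_lsm_self_attr, sys_lsm_self_attr)` followed by `#define __NR_lsm_module_list 452` / `__SYSCALL(__NR_lsm_module_list, sys_lsm_module_list)`, matching every *.tbl file in this patch.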
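Review bot: the include/uapi/asm-generic/unistd.h hunk adds only `__NR_lsm_self_attr 451` and bumps `__NR_syscalls` from 451 to 452, so lsm_module_list is missing for arm64 native, riscv and the other users of the generic table even though every *.tbl file in this patch assigns it number 452. Add `#define __NR_lsm_module_list 452` / `__SYSCALL(__NR_lsm_module_list, sys_lsm_module_list)` and set `#define __NR_syscalls 453` so the count stays one past the highest number in use.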