Linux-api Archive mirror
From: Casey Schaufler <casey@schaufler-ca.com>
To: "Paul Moore" <paul@paul-moore.com>, "Mickaël Salaün" <mic@digikod.net>
Cc: linux-security-module@vger.kernel.org, jmorris@namei.org,
	serge@hallyn.com, keescook@chromium.org,
	john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp,
	stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org,
	linux-api@vger.kernel.org,
	Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: [PATCH v12 04/11] LSM: syscalls for current process attributes
Date: Sun, 30 Jul 2023 15:34:25 -0700
Message-ID: <2882094d-3551-09c3-a192-ce9b3f80758e@schaufler-ca.com>
In-Reply-To: <CAHC9VhRvNLYE6aQJ9-LReLGQ5304j7wC4MLN1B7X8LV=2zgyXQ@mail.gmail.com>

On 7/21/2023 3:28 PM, Paul Moore wrote:
> On Tue, Jul 11, 2023 at 11:36 AM Mickaël Salaün <mic@digikod.net> wrote:
>> On 29/06/2023 21:55, Casey Schaufler wrote:
>>
>  ...
>>> +/**
>>> + * security_setselfattr - Set an LSM attribute on the current process.
>>> + * @attr: which attribute to set
>>> + * @ctx: the user-space source for the information
>>> + * @size: the size of the data
>>> + * @flags: reserved for future use, must be 0
>>> + *
>>> + * Set an LSM attribute for the current process. The LSM, attribute
>>> + * and new value are included in @ctx.
>>> + *
>>> + * Returns 0 on success, -EINVAL if the input is inconsistent, -EFAULT
>>> + * if the user buffer is inaccessible or an LSM specific failure.
>>> + */
>>> +int security_setselfattr(unsigned int attr, struct lsm_ctx __user *ctx,
>>> +                      size_t size, u32 flags)
>>> +{
>>> +     struct security_hook_list *hp;
>>> +     struct lsm_ctx lctx;
>>> +
>>> +     if (flags)
>>> +             return -EINVAL;
>>> +     if (size < sizeof(*ctx))
>>> +             return -EINVAL;
>>> +     if (copy_from_user(&lctx, ctx, sizeof(*ctx)))
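Review bot: the copy_from_user() at the end of the hunk brings in only sizeof(*ctx), the fixed lsm_ctx header, while the kernel-doc above says the LSM, attribute and new value are all "included in @ctx"; the value itself is therefore left for each hook to fetch from user space, so the -EFAULT guarantee in the comment covers the header only, and nothing in the visible lines checks @attr or bounds @size from above before the hooks run. Suggest copying the full @size bytes into a kernel buffer here, after checking @size against a sane maximum, and passing that buffer to the hooks, which also lets this layer verify once that the length embedded in the header agrees with @size. Minor: kernel-doc expects a `Return:` section rather than a "Returns ..." sentence, and "-EFAULT if the user buffer is inaccessible or an LSM specific failure" reads better split as "-EFAULT if the user buffer is inaccessible, or an LSM-specific error."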
>> I'd suggest handling all the user space copy here and passing a kernel
>> pointer to each LSM hook call (and handling kmalloc and kfree here, if
>> needed).
> Agreed.  I thought I mentioned something like that at one point, maybe
> not.  In general we should do whatever user/kernel copying and sanity
> checking in the LSM layer that we can; there will be some things we
> can't check, but those that we can, we should.

That is in direct conflict with the "thin LSM" concept. My recollection,
and it could be wrong, was that you wanted the user space copy in the
LSM specific code. Maybe I'm wrong. I will move it into the infrastructure.
It will make the code simpler.
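As an added illustration of the "copy once in the LSM layer and hand the hooks a kernel pointer" approach discussed above (example code written for this note, not code from the patch series): the struct lsm_ctx field layout and the 4096-byte cap are assumptions for illustration, and a user-space memcpy stands in for copy_from_user(), with @uavail modelling how much of the caller's buffer is actually mapped.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct lsm_ctx {          /* assumed layout: fixed header, then inline value */
	uint32_t id;      /* which LSM */
	uint64_t ctx_len; /* bytes of value following the header */
	char ctx[];
};

/* Copy and validate the whole lsm_ctx once, in the LSM layer, so every hook
 * gets a kernel pointer whose lengths already agree with @size. @uavail
 * models how much user memory is mapped; copy_from_user() would fault past it. */
int lsm_fetch_ctx(const void *uctx, size_t size, size_t uavail, struct lsm_ctx **out)
{
	struct lsm_ctx *kctx;
	if (size < sizeof(*kctx) || size > 4096) /* 4096: assumed upper bound */
		return -EINVAL;
	if (size > uavail)
		return -EFAULT;
	kctx = malloc(size);                     /* kmalloc() in the kernel */
	if (!kctx)
		return -ENOMEM;
	memcpy(kctx, uctx, size);                /* the single copy_from_user() */
	if (kctx->ctx_len != size - sizeof(*kctx)) {
		free(kctx);                      /* embedded length disagrees with @size */
		return -EINVAL;
	}
	*out = kctx;
	return 0;
}

/* Constructed input: a 3-byte "foo" value whose header claims @claimed_len;
 * returns lsm_fetch_ctx()'s code, or -EIO if the copied value is mangled. */
int run_case(uint64_t claimed_len, size_t size, size_t uavail)
{
	unsigned char buf[sizeof(struct lsm_ctx) + 3];
	struct lsm_ctx hdr = { .id = 1, .ctx_len = claimed_len }, *k = NULL;
	int rc;
	memcpy(buf, &hdr, sizeof hdr);
	memcpy(buf + sizeof hdr, "foo", 3);
	rc = lsm_fetch_ctx(buf, size, uavail, &k);
	if (rc == 0) {
		rc = (k->ctx_len == 3 && !memcmp(k->ctx, "foo", 3)) ? 0 : -EIO;
		free(k);
	}
	return rc;
}
```

Every hook then receives a buffer whose header length has already been reconciled with the caller's @size, and the fault and consistency failures are reported from one place instead of once per LSM.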


