Re: [PATCH v9 07/11] LSM: Helpers for attribute names and filling an lsm_ctx

Linux-api Archive mirror
 help / color / mirror / Atom feed

From: Kees Cook <keescook@chromium.org>
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: paul@paul-moore.com, linux-security-module@vger.kernel.org,
	jmorris@namei.org, john.johansen@canonical.com,
	penguin-kernel@i-love.sakura.ne.jp,
	stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org,
	linux-api@vger.kernel.org, mic@digikod.net
Subject: Re: [PATCH v9 07/11] LSM: Helpers for attribute names and filling an lsm_ctx
Date: Fri, 21 Apr 2023 12:46:51 -0700	[thread overview]
Message-ID: <6442e82c.170a0220.ac293.63bf@mx.google.com> (raw)
In-Reply-To: <20230421174259.2458-8-casey@schaufler-ca.com>

On Fri, Apr 21, 2023 at 10:42:55AM -0700, Casey Schaufler wrote:
> Add lsm_name_to_attr(), which translates a text string to a
> LSM_ATTR value if one is available.
> 
> Add lsm_fill_user_ctx(), which fills a struct lsm_ctx, including
> the trailing attribute value. The .len value is padded to a multiple
> of 64 bits
> 
> All are used in module specific components of LSM system calls.
> 
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> ---
>  include/linux/security.h | 13 ++++++++++++
>  security/lsm_syscalls.c  | 24 ++++++++++++++++++++++
>  security/security.c      | 43 ++++++++++++++++++++++++++++++++++++++++
>  3 files changed, 80 insertions(+)
> 
> diff --git a/include/linux/security.h b/include/linux/security.h
> index f7292890b6a2..c96fb56159e3 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -263,6 +263,7 @@ int unregister_blocking_lsm_notifier(struct notifier_block *nb);
>  /* prototypes */
>  extern int security_init(void);
>  extern int early_security_init(void);
> +extern u64 lsm_name_to_attr(const char *name);
>  
>  /* Security operations */
>  int security_binder_set_context_mgr(const struct cred *mgr);
> @@ -491,6 +492,8 @@ int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
>  int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
>  int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
>  int security_locked_down(enum lockdown_reason what);
> +int lsm_fill_user_ctx(struct lsm_ctx __user *ctx, void *context,
> +		      size_t context_size, u64 id, u64 flags);
>  #else /* CONFIG_SECURITY */
>  
>  static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
> @@ -508,6 +511,11 @@ static inline  int unregister_blocking_lsm_notifier(struct notifier_block *nb)
>  	return 0;
>  }
>  
> +static inline u64 lsm_name_to_attr(const char *name)
> +{
> +	return 0;

I think this should return LSM_ATTR_UNDEF instead of literal 0.

> +}
> +
>  static inline void security_free_mnt_opts(void **mnt_opts)
>  {
>  }
> @@ -1420,6 +1428,11 @@ static inline int security_locked_down(enum lockdown_reason what)
>  {
>  	return 0;
>  }
> +static inline int lsm_fill_user_ctx(struct lsm_ctx __user *ctx, void *context,
> +				    size_t context_size, u64 id, u64 flags)
> +{
> +	return 0;

Shouldn't this either error or fill in an empty context?

> +}
>  #endif	/* CONFIG_SECURITY */
>  
>  #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE)
> diff --git a/security/lsm_syscalls.c b/security/lsm_syscalls.c
> index 6efbe244d304..67106f642422 100644
> --- a/security/lsm_syscalls.c
> +++ b/security/lsm_syscalls.c
> @@ -17,6 +17,30 @@
>  #include <linux/lsm_hooks.h>
>  #include <uapi/linux/lsm.h>
>  
> +/**
> + * lsm_name_to_attr - map an LSM attribute name to its ID
> + * @name: name of the attribute
> + *
> + * Returns the LSM attribute value associated with @name, or 0 if
> + * there is no mapping.
> + */
> +u64 lsm_name_to_attr(const char *name)
> +{
> +	if (!strcmp(name, "current"))
> +		return LSM_ATTR_CURRENT;
> +	if (!strcmp(name, "exec"))
> +		return LSM_ATTR_EXEC;
> +	if (!strcmp(name, "fscreate"))
> +		return LSM_ATTR_FSCREATE;
> +	if (!strcmp(name, "keycreate"))
> +		return LSM_ATTR_KEYCREATE;
> +	if (!strcmp(name, "prev"))
> +		return LSM_ATTR_PREV;
> +	if (!strcmp(name, "sockcreate"))
> +		return LSM_ATTR_SOCKCREATE;
> +	return 0;

LSM_ATTR_UNDEF again?

> +}
> +
>  /**
>   * sys_lsm_set_self_attr - Set current task's security module attribute
>   * @attr: which attribute to set
> diff --git a/security/security.c b/security/security.c
> index bc3f166b4bff..759f3d977d2e 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -752,6 +752,49 @@ static int lsm_superblock_alloc(struct super_block *sb)
>  	return 0;
>  }
>  
> +/**
> + * lsm_fill_user_ctx - Fill a user space lsm_ctx structure
> + * @ctx: an LSM context to be filled
> + * @context: the new context value
> + * @context_size: the size of the new context value
> + * @id: LSM id
> + * @flags: LSM defined flags
> + *
> + * Fill all of the fields in a user space lsm_ctx structure.
> + * Caller is assumed to have verified that @ctx has enough space
> + * for @context.
> + *
> + * The total length is padded to a multiple of 64 bits.

Why?

> + *
> + * Returns 0 on success, -EFAULT on a copyout error, -ENOMEM
> + * if memory can't be allocated.
> + */
> +int lsm_fill_user_ctx(struct lsm_ctx __user *ctx, void *context,
> +		      size_t context_size, u64 id, u64 flags)
> +{
> +	struct lsm_ctx *lctx;
> +	size_t locallen = ALIGN(context_size + sizeof(*lctx), 8);

Instead of the open-coded addition, since you're dealing with a flexible
array structure:

	size_t locallen = ALIGN(struct_size(lctx, ctx, context_size), 8);

> +	int rc = 0;
> +
> +	lctx = kzalloc(locallen, GFP_KERNEL);
> +	if (lctx == NULL)
> +		return -ENOMEM;
> +
> +	lctx->id = id;
> +	lctx->flags = flags;
> +	lctx->ctx_len = context_size;
> +	lctx->len = locallen;
> +
> +	memcpy(&lctx[1], context, context_size);

Eek, no: there is no "second struct lsm_ctx" -- this may trip memcpy
overflow checks under certain conditions. You're wanting to copy to
the flexible array at the end, so this should be explicitly performed so
the compiler knows what's going on:

	memcpy(lctx->ctx, context, context_size);

> +
> +	if (copy_to_user(ctx, lctx, locallen))
> +		rc = -EFAULT;
> +
> +	kfree(lctx);
> +
> +	return rc;
> +}
> +
>  /*
>   * The default value of the LSM hook is defined in linux/lsm_hook_defs.h and
>   * can be accessed with:
> -- 
> 2.39.2
> 

-- 
Kees Cook

next prev parent reply	other threads:[~2023-04-21 19:46 UTC|newest]

Thread overview: 31+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20230421174259.2458-1-casey.ref@schaufler-ca.com>
2023-04-21 17:42 ` [PATCH v9 00/11] LSM: Three basic syscalls Casey Schaufler
2023-04-21 17:42   ` [PATCH v9 01/11] LSM: Identify modules by more than name Casey Schaufler
2023-04-21 19:14     ` Kees Cook
2023-04-21 17:42   ` [PATCH v9 02/11] LSM: Maintain a table of LSM attribute data Casey Schaufler
2023-04-21 19:20     ` Kees Cook
2023-04-27 15:31       ` Casey Schaufler
2023-04-23  8:04     ` kernel test robot
2023-04-21 17:42   ` [PATCH v9 03/11] proc: Use lsmids instead of lsm names for attrs Casey Schaufler
2023-04-21 19:21     ` Kees Cook
2023-04-21 17:42   ` [PATCH v9 04/11] LSM: syscalls for current process attributes Casey Schaufler
2023-04-21 19:36     ` Kees Cook
2023-04-26  1:12       ` Casey Schaufler
2023-04-22 13:12     ` kernel test robot
2023-04-22 16:59     ` kernel test robot
2023-04-21 17:42   ` [PATCH v9 05/11] LSM: Create lsm_list_modules system call Casey Schaufler
2023-04-21 19:38     ` Kees Cook
2023-04-21 17:42   ` [PATCH v9 06/11] LSM: wireup Linux Security Module syscalls Casey Schaufler
2023-04-21 19:38     ` Kees Cook
2023-04-21 17:42   ` [PATCH v9 07/11] LSM: Helpers for attribute names and filling an lsm_ctx Casey Schaufler
2023-04-21 19:46     ` Kees Cook [this message]
2023-04-21 17:42   ` [PATCH v9 08/11] Smack: implement setselfattr and getselfattr hooks Casey Schaufler
2023-04-21 19:49     ` Kees Cook
2023-04-21 17:42   ` [PATCH v9 09/11] AppArmor: Add selfattr hooks Casey Schaufler
2023-04-21 19:54     ` Kees Cook
2023-04-22  1:23     ` kernel test robot
2023-04-22 14:55     ` kernel test robot
2023-04-21 17:42   ` [PATCH v9 10/11] SELinux: " Casey Schaufler
2023-04-21 19:57     ` Kees Cook
2023-04-21 17:42   ` [PATCH v9 11/11] LSM: selftests for Linux Security Module syscalls Casey Schaufler
2023-04-21 20:01     ` Kees Cook
2023-04-27 16:00       ` Casey Schaufler

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=6442e82c.170a0220.ac293.63bf@mx.google.com \
    --to=keescook@chromium.org \
    --cc=casey@schaufler-ca.com \
    --cc=jmorris@namei.org \
    --cc=john.johansen@canonical.com \
    --cc=linux-api@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mic@digikod.net \
    --cc=paul@paul-moore.com \
    --cc=penguin-kernel@i-love.sakura.ne.jp \
    --cc=stephen.smalley.work@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).