[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20221123195744.7738-1-casey@schaufler-ca.com>
Date: Wed, 23 Nov 2022 11:57:35 -0800
From: Casey Schaufler <casey@...aufler-ca.com>
To: casey.schaufler@...el.com, paul@...l-moore.com,
linux-security-module@...r.kernel.org
Cc: casey@...aufler-ca.com, jmorris@...ei.org, keescook@...omium.org,
john.johansen@...onical.com, penguin-kernel@...ove.sakura.ne.jp,
stephen.smalley.work@...il.com, linux-kernel@...r.kernel.org,
linux-api@...r.kernel.org, mic@...ikod.net
Subject: [PATCH v1 0/8] LSM: Two basic syscalls
Add two system calls for the Linux Security Module ABI.
lsm_self_attr() provides the security module specific attributes
that have previously been visible in the /proc/self/attr directory.
For each attribute that is set on the current process the system
call will return an LSM identifier, an attribute identifier and
the value of the attribute. The LSM and attribute identifier values
are defined in include/uapi/linux/lsm.h
lsm_module_list() provides the LSM identifiers, in order, of the
security modules that are active on the system. This has been
available in the securityfs file /sys/kernel/security/lsm.
Patch 0001 changes the LSM registration from passing the name
of the module to passing a lsm_id structure that contains the
name of the module.
Patch 0002 adds an LSM identifier number to the lsm_id structure.
Patch 0003 adds an attribute identifier to the lsm_id.
Patch 0004 adds the registered lsm_ids to a table.
Patch 0005 changes security_[gs]etprocattr() to use LSM IDs instead
of LSM names.
Patch 0006 implements lsm_self_attr().
Patch 0007 implements lsm_module_list().
Patch 0008 wires up the two syscalls.
Casey Schaufler (8):
LSM: Identify modules by more than name
LSM: Add an LSM identifier for external use
LSM: Identify the process attributes for each module
LSM: Maintain a table of LSM attribute data
proc: Use lsmids instead of lsm names for attrs
LSM: lsm_self_attr syscall for LSM self attributes
LSM: Create lsm_module_list system call
lsm: wireup syscalls lsm_self_attr and lsm_module_list
arch/alpha/kernel/syscalls/syscall.tbl | 2 +
arch/arm/tools/syscall.tbl | 2 +
arch/arm64/include/asm/unistd32.h | 2 +
arch/ia64/kernel/syscalls/syscall.tbl | 2 +
arch/m68k/kernel/syscalls/syscall.tbl | 2 +
arch/microblaze/kernel/syscalls/syscall.tbl | 2 +
arch/mips/kernel/syscalls/syscall_n32.tbl | 2 +
arch/mips/kernel/syscalls/syscall_n64.tbl | 2 +
arch/mips/kernel/syscalls/syscall_o32.tbl | 2 +
arch/parisc/kernel/syscalls/syscall.tbl | 2 +
arch/powerpc/kernel/syscalls/syscall.tbl | 2 +
arch/s390/kernel/syscalls/syscall.tbl | 2 +
arch/sh/kernel/syscalls/syscall.tbl | 2 +
arch/sparc/kernel/syscalls/syscall.tbl | 2 +
arch/x86/entry/syscalls/syscall_32.tbl | 2 +
arch/x86/entry/syscalls/syscall_64.tbl | 2 +
arch/xtensa/kernel/syscalls/syscall.tbl | 2 +
fs/proc/base.c | 29 +--
fs/proc/internal.h | 2 +-
include/linux/lsm_hooks.h | 13 +-
include/linux/security.h | 28 ++-
include/linux/syscalls.h | 3 +
include/uapi/asm-generic/unistd.h | 5 +-
include/uapi/linux/lsm.h | 67 ++++++
kernel/sys_ni.c | 4 +
security/Makefile | 1 +
security/apparmor/lsm.c | 9 +-
security/bpf/hooks.c | 13 +-
security/commoncap.c | 8 +-
security/landlock/cred.c | 2 +-
security/landlock/fs.c | 2 +-
security/landlock/ptrace.c | 2 +-
security/landlock/setup.c | 6 +
security/landlock/setup.h | 1 +
security/loadpin/loadpin.c | 9 +-
security/lockdown/lockdown.c | 8 +-
security/lsm_syscalls.c | 194 ++++++++++++++++++
security/safesetid/lsm.c | 9 +-
security/security.c | 37 +++-
security/selinux/hooks.c | 11 +-
security/smack/smack_lsm.c | 9 +-
security/tomoyo/tomoyo.c | 9 +-
security/yama/yama_lsm.c | 8 +-
.../arch/mips/entry/syscalls/syscall_n64.tbl | 2 +
.../arch/powerpc/entry/syscalls/syscall.tbl | 2 +
.../perf/arch/s390/entry/syscalls/syscall.tbl | 2 +
.../arch/x86/entry/syscalls/syscall_64.tbl | 2 +
47 files changed, 484 insertions(+), 47 deletions(-)
create mode 100644 include/uapi/linux/lsm.h
create mode 100644 security/lsm_syscalls.c
base-commit: 247f34f7b80357943234f93f247a1ae6b6c3a740
--
2.37.3
Powered by blists - more mailing lists