lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAHC9VhTs=cHcsi15qFsMqtGZxm2bkTb2AOsbrERePwUT3N0uJQ@mail.gmail.com>
Date:   Mon, 10 Apr 2023 19:37:24 -0400
From:   Paul Moore <paul@...l-moore.com>
To:     Mickaël Salaün <mic@...ikod.net>
Cc:     Casey Schaufler <casey@...aufler-ca.com>,
        linux-security-module@...r.kernel.org, jmorris@...ei.org,
        keescook@...omium.org, john.johansen@...onical.com,
        penguin-kernel@...ove.sakura.ne.jp, stephen.smalley.work@...il.com,
        linux-kernel@...r.kernel.org, linux-api@...r.kernel.org
Subject: Re: [PATCH v7 05/11] LSM: Create lsm_list_modules system call

On Mon, Apr 3, 2023 at 8:04 AM Mickaël Salaün <mic@...ikod.net> wrote:
>
> It looks like you missed my preview reviews on these patches.

For reference, I believe this is Mickaël's review of the associated v6 patch:

https://lore.kernel.org/linux-security-module/1ca41f67-ffa1-56c2-b4ee-f5deece95130@digikod.net/

> On 15/03/2023 23:46, Casey Schaufler wrote:
> > Create a system call to report the list of Linux Security Modules
> > that are active on the system. The list is provided as an array
> > of LSM ID numbers.
> >
> > The calling application can use this list determine what LSM
> > specific actions it might take. That might include chosing an
> > output format, determining required privilege or bypassing
> > security module specific behavior.
> >
> > Signed-off-by: Casey Schaufler <casey@...aufler-ca.com>
> > ---
> >   Documentation/userspace-api/lsm.rst |  3 +++
> >   include/linux/syscalls.h            |  1 +
> >   kernel/sys_ni.c                     |  1 +
> >   security/lsm_syscalls.c             | 39 +++++++++++++++++++++++++++++
> >   4 files changed, 44 insertions(+)
> >
> > diff --git a/Documentation/userspace-api/lsm.rst b/Documentation/userspace-api/lsm.rst
> > index b45e402302b3..a86e3817f062 100644
> > --- a/Documentation/userspace-api/lsm.rst
> > +++ b/Documentation/userspace-api/lsm.rst
> > @@ -63,6 +63,9 @@ Get the specified security attributes of the current process
> >   .. kernel-doc:: security/lsm_syscalls.c
> >       :identifiers: sys_lsm_get_self_attr
> >
> > +.. kernel-doc:: security/lsm_syscalls.c
> > +    :identifiers: sys_lsm_list_modules
> > +
> >   Additional documentation
> >   ========================
> >
> > diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
> > index 3feca00cb0c1..f755c583f949 100644
> > --- a/include/linux/syscalls.h
> > +++ b/include/linux/syscalls.h
> > @@ -1063,6 +1063,7 @@ asmlinkage long sys_lsm_get_self_attr(unsigned int attr, struct lsm_ctx *ctx,
> >                                     size_t *size, __u64 flags);
> >   asmlinkage long sys_lsm_set_self_attr(unsigned int attr, struct lsm_ctx *ctx,
> >                                     __u64 flags);
> > +asmlinkage long sys_lsm_list_modules(u64 *ids, size_t *size, u32 flags);
> >
> >   /*
> >    * Architecture-specific system calls
> > diff --git a/kernel/sys_ni.c b/kernel/sys_ni.c
> > index d03c78ef1562..ceb3d21a62d0 100644
> > --- a/kernel/sys_ni.c
> > +++ b/kernel/sys_ni.c
> > @@ -265,6 +265,7 @@ COND_SYSCALL(mremap);
> >   /* security/lsm_syscalls.c */
> >   COND_SYSCALL(lsm_get_self_attr);
> >   COND_SYSCALL(lsm_set_self_attr);
> > +COND_SYSCALL(lsm_list_modules);
> >
> >   /* security/keys/keyctl.c */
> >   COND_SYSCALL(add_key);
> > diff --git a/security/lsm_syscalls.c b/security/lsm_syscalls.c
> > index feee31600219..6efbe244d304 100644
> > --- a/security/lsm_syscalls.c
> > +++ b/security/lsm_syscalls.c
> > @@ -53,3 +53,42 @@ SYSCALL_DEFINE4(lsm_get_self_attr, unsigned int, attr, struct lsm_ctx __user *,
> >   {
> >       return security_getselfattr(attr, ctx, size, flags);
> >   }
> > +
> > +/**
> > + * sys_lsm_list_modules - Return a list of the active security modules
> > + * @ids: the LSM module ids
> > + * @size: size of @ids, updated on return
> > + * @flags: reserved for future use, must be zero
> > + *
> > + * Returns a list of the active LSM ids. On success this function
> > + * returns the number of @ids array elements. This value may be zero
> > + * if there are no LSMs active. If @size is insufficient to contain
> > + * the return data -E2BIG is returned and @size is set to the minimum
> > + * required size. In all other cases a negative value indicating the
> > + * error is returned.
> > + */
> > +SYSCALL_DEFINE3(lsm_list_modules, u64 __user *, ids, size_t __user *, size,
> > +             u32, flags)
> > +{
> > +     size_t total_size = lsm_active_cnt * sizeof(*ids);
> > +     size_t usize;
> > +     int i;
> > +
> > +     if (flags)
> > +             return -EINVAL;
> > +
> > +     if (get_user(usize, size))
> > +             return -EFAULT;
> > +
> > +     if (put_user(total_size, size) != 0)
> > +             return -EFAULT;
> > +
> > +     if (usize < total_size)
> > +             return -E2BIG;
> > +
> > +     for (i = 0; i < lsm_active_cnt; i++)
> > +             if (put_user(lsm_idlist[i]->id, ids++))
> > +                     return -EFAULT;
> > +
> > +     return lsm_active_cnt;
> > +}

-- 
paul-moore.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ