Re: [PATCH v7 01/11] LSM: Identify modules by more than name
From: Paul Moore <paul@paul-moore.com>
Date: 2023-03-30 01:10:40
Also in:
linux-security-module, lkml
On Wed, Mar 15, 2023 at 6:47 PM Casey Schaufler [off-list ref] wrote:
Create a struct lsm_id to contain identifying information about Linux Security Modules (LSMs). At inception this contains the name of the module, an identifier associated with the security module and an integer member "attrs" which identifies the API related data associated with each security module. The initial set of features maps to information that has traditionaly been available in /proc/self/attr. They are documented in a new userspace-api file. Change the security_add_hooks() interface to use this structure. Change the individual modules to maintain their own struct lsm_id and pass it to security_add_hooks(). The values are for LSM identifiers are defined in a new UAPI header file linux/lsm.h. Each existing LSM has been updated to include it's LSMID in the lsm_id. The LSM ID values are sequential, with the oldest module LSM_ID_CAPABILITY being the lowest value and the existing modules numbered in the order they were included in the main line kernel. This is an arbitrary convention for assigning the values, but none better presents itself. The value 0 is defined as being invalid. The values 1-99 are reserved for any special case uses which may arise in the future. This may include attributes of the LSM infrastructure itself, possibly related to namespacing or network attribute management. A special range is identified for such attributes to help reduce confusion for developers unfamiliar with LSMs. LSM attribute values are defined for the attributes presented by modules that are available today. As with the LSM IDs, The value 0 is defined as being invalid. The values 1-99 are reserved for any special case uses which may arise in the future. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Cc: linux-security-module <redacted> --- Documentation/userspace-api/index.rst | 1 + Documentation/userspace-api/lsm.rst | 55 +++++++++++++++++++++++++++ MAINTAINERS | 1 + include/linux/lsm_hooks.h | 18 ++++++++- include/uapi/linux/lsm.h | 53 ++++++++++++++++++++++++++ security/apparmor/lsm.c | 8 +++- security/bpf/hooks.c | 9 ++++- security/commoncap.c | 8 +++- security/landlock/cred.c | 2 +- security/landlock/fs.c | 2 +- security/landlock/ptrace.c | 2 +- security/landlock/setup.c | 6 +++ security/landlock/setup.h | 1 + security/loadpin/loadpin.c | 9 ++++- security/lockdown/lockdown.c | 8 +++- security/safesetid/lsm.c | 9 ++++- security/security.c | 12 +++--- security/selinux/hooks.c | 9 ++++- security/smack/smack_lsm.c | 8 +++- security/tomoyo/tomoyo.c | 9 ++++- security/yama/yama_lsm.c | 8 +++- 21 files changed, 217 insertions(+), 21 deletions(-) create mode 100644 Documentation/userspace-api/lsm.rst create mode 100644 include/uapi/linux/lsm.h
...
quoted hunk ↗ jump to hunk
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 6e156d2acffc..32285ce65419 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h@@ -1665,6 +1665,20 @@ struct security_hook_heads { #undef LSM_HOOK } __randomize_layout; +/** + * struct lsm_id - Identify a Linux Security Module. + * @lsm: name of the LSM, must be approved by the LSM maintainers + * @id: LSM ID number from uapi/linux/lsm.h + * @attrs: which attributes this LSM supports + * + * Contains the information that identifies the LSM. + */ +struct lsm_id { + const u8 *lsm; + u64 id; + u64 attrs; +};
I would either start setting the 'attrs' field values in the LSMs when their 'lsm_id' struct is defined or I would leave it out of this patch and add it later in the patchset when it is used.
quoted hunk ↗ jump to hunk
diff --git a/include/uapi/linux/lsm.h b/include/uapi/linux/lsm.h new file mode 100644 index 000000000000..aa3e01867739 --- /dev/null +++ b/include/uapi/linux/lsm.h@@ -0,0 +1,53 @@ +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ +/* + * Linux Security Modules (LSM) - User space API + * + * Copyright (C) 2022 Casey Schaufler <casey@schaufler-ca.com> + * Copyright (C) 2022 Intel Corporation + */ + +#ifndef _UAPI_LINUX_LSM_H +#define _UAPI_LINUX_LSM_H + +/* + * ID tokens to identify Linux Security Modules (LSMs) + * + * These token values are used to uniquely identify specific LSMs + * in the kernel as well as in the kernel's LSM userspace API. + * + * A value of zero/0 is considered undefined and should not be used + * outside the kernel. Values 1-99 are reserved for potential + * future use. + */ +#define LSM_ID_UNDEF 0 +#define LSM_ID_CAPABILITY 100 +#define LSM_ID_SELINUX 101 +#define LSM_ID_SMACK 102 +#define LSM_ID_TOMOYO 103 +#define LSM_ID_IMA 104 +#define LSM_ID_APPARMOR 105 +#define LSM_ID_YAMA 106 +#define LSM_ID_LOADPIN 107 +#define LSM_ID_SAFESETID 108 +#define LSM_ID_LOCKDOWN 109 +#define LSM_ID_BPF 110 +#define LSM_ID_LANDLOCK 111 + +/* + * LSM_ATTR_XXX definitions identify different LSM attributes + * which are used in the kernel's LSM userspace API. Support + * for these attributes vary across the different LSMs. None + * are required. + * + * A value of zero/0 is considered undefined and should not be used + * outside the kernel. Values 1-99 are reserved for potential + * future use. + */ +#define LSM_ATTR_CURRENT 100 +#define LSM_ATTR_EXEC 101 +#define LSM_ATTR_FSCREATE 102 +#define LSM_ATTR_KEYCREATE 103 +#define LSM_ATTR_PREV 104 +#define LSM_ATTR_SOCKCREATE 105
We might as well add a LSM_ATTR_UNDEF for zero/0.
+#endif /* _UAPI_LINUX_LSM_H */
-- paul-moore.com