--- v38
+++ v29
@@ -1,66 +1,337 @@
-Send an identifier for the security module interface_lsm
-along with the security context. This allows the receiver
-to verify that the receiver and the sender agree on which
-security module's context is being used. If they don't
-agree the message is rejected.
+Add an entry /proc/.../attr/context which displays the full
+process security "context" in compound format:
+ lsm1\0value\0lsm2\0value\0...
+This entry is not writable.
+A security module may decide that its policy does not allow
+this information to be displayed. In this case none of the
+information will be displayed.
+
+Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+Cc: linux-api@vger.kernel.org
+Cc: linux-doc@vger.kernel.org
---
- drivers/android/binder.c | 21 +++++++++++++++++++++
- drivers/android/binder_internal.h | 1 +
- 2 files changed, 22 insertions(+)
+ Documentation/ABI/testing/procfs-attr-context | 14 ++++
+ Documentation/security/lsm.rst | 14 ++++
+ fs/proc/base.c | 1 +
+ include/linux/lsm_hooks.h | 6 ++
+ security/apparmor/include/procattr.h | 2 +-
+ security/apparmor/lsm.c | 8 +-
+ security/apparmor/procattr.c | 22 +++---
+ security/security.c | 79 +++++++++++++++++++
+ security/selinux/hooks.c | 2 +-
+ security/smack/smack_lsm.c | 2 +-
+ 10 files changed, 135 insertions(+), 15 deletions(-)
+ create mode 100644 Documentation/ABI/testing/procfs-attr-context
-diff --git a/drivers/android/binder.c b/drivers/android/binder.c
-index 5cfdaec0f9b5..ff8f35b9bd1b 100644
---- a/drivers/android/binder.c
-+++ b/drivers/android/binder.c
-@@ -3222,6 +3222,7 @@ static void binder_transaction(struct binder_proc *proc,
- ALIGN(extra_buffers_size, sizeof(void *)) -
- ALIGN(lsmctx.len, sizeof(u64));
-
-+ t->security_interface = lsm_task_ilsm(current);
- t->security_ctx = (uintptr_t)t->buffer->user_data + buf_offset;
- err = binder_alloc_copy_to_buffer(&target_proc->alloc,
- t->buffer, buf_offset,
-@@ -4667,6 +4668,26 @@ static int binder_thread_read(struct binder_proc *proc,
-
- tr.secctx = t->security_ctx;
- if (t->security_ctx) {
-+ int to_ilsm = lsm_task_ilsm(current);
-+ int from_ilsm = t->security_interface;
-+
-+ if (to_ilsm == LSMBLOB_INVALID)
-+ to_ilsm = 0;
-+ if (from_ilsm == LSMBLOB_INVALID)
-+ from_ilsm = 0;
-+ /*
-+ * The sender provided a security context from
-+ * a different security module than the one this
-+ * process wants to report if these don't match.
-+ */
-+ if (from_ilsm != to_ilsm) {
-+ if (t_from)
-+ binder_thread_dec_tmpref(t_from);
-+
-+ binder_cleanup_transaction(t, "security context mismatch",
-+ BR_FAILED_REPLY);
-+ return -EINVAL;
+diff --git a/Documentation/ABI/testing/procfs-attr-context b/Documentation/ABI/testing/procfs-attr-context
+new file mode 100644
+index 000000000000..40da1c397c30
+--- /dev/null
++++ b/Documentation/ABI/testing/procfs-attr-context
+@@ -0,0 +1,14 @@
++What: /proc/*/attr/context
++Contact: linux-security-module@vger.kernel.org,
++Description: The current security information used by all Linux
++ security module (LSMs) that are active on the system.
++ The details of permissions required to read from
++ this interface and hence obtain the security state
++ of the task identified is dependent on the LSMs that
++ are active on the system.
++ A process cannot write to this interface.
++ The data provided by this interface will have the form:
++ lsm_name\0lsm_data\0[lsm_name\0lsm_data\0]...
++ where lsm_name is the name of the LSM and the following
++ lsm_data is the process data for that LSM.
++Users: LSM user-space
+diff --git a/Documentation/security/lsm.rst b/Documentation/security/lsm.rst
+index b77b4a540391..070225ae6ceb 100644
+--- a/Documentation/security/lsm.rst
++++ b/Documentation/security/lsm.rst
+@@ -143,3 +143,17 @@ separated list of the active security modules.
+ The file ``/proc/pid/attr/interface_lsm`` contains the name of the security
+ module for which the ``/proc/pid/attr/current`` interface will
+ apply. This interface can be written to.
++
++The infrastructure does provide an interface for the special
++case where multiple security modules provide a process context.
++This is provided in compound context format.
++
++- `lsm\0value\0lsm\0value\0`
++
++The `lsm` and `value` fields are NUL-terminated bytestrings.
++Each field may contain whitespace or non-printable characters.
++The NUL bytes are included in the size of a compound context.
++The context ``Bell\0Secret\0Biba\0Loose\0`` has a size of 23.
++
++The file ``/proc/pid/attr/context`` provides the security
++context of the identified process.
+diff --git a/fs/proc/base.c b/fs/proc/base.c
+index 65da9d2f3060..b87977f0488b 100644
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -2824,6 +2824,7 @@ static const struct pid_entry attr_dir_stuff[] = {
+ ATTR(NULL, "keycreate", 0666),
+ ATTR(NULL, "sockcreate", 0666),
+ ATTR(NULL, "interface_lsm", 0666),
++ ATTR(NULL, "context", 0444),
+ #ifdef CONFIG_SECURITY_SMACK
+ DIR("smack", 0555,
+ proc_smack_attr_dir_inode_ops, proc_smack_attr_dir_ops),
+diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
+index d2c4bc94d47f..f6ffe8b069e2 100644
+--- a/include/linux/lsm_hooks.h
++++ b/include/linux/lsm_hooks.h
+@@ -1397,6 +1397,12 @@
+ * @pages contains the number of pages.
+ * Return 0 if permission is granted.
+ *
++ * @getprocattr:
++ * Provide the named process attribute for display in special files in
++ * the /proc/.../attr directory. Attribute naming and the data displayed
++ * is at the discretion of the security modules. The exception is the
++ * "context" attribute, which will contain the security context of the
++ * task as a nul terminated text string without trailing whitespace.
+ * @ismaclabel:
+ * Check if the extended attribute specified by @name
+ * represents a MAC label. Returns 1 if name is a MAC
+diff --git a/security/apparmor/include/procattr.h b/security/apparmor/include/procattr.h
+index 31689437e0e1..03dbfdb2f2c0 100644
+--- a/security/apparmor/include/procattr.h
++++ b/security/apparmor/include/procattr.h
+@@ -11,7 +11,7 @@
+ #ifndef __AA_PROCATTR_H
+ #define __AA_PROCATTR_H
+
+-int aa_getprocattr(struct aa_label *label, char **string);
++int aa_getprocattr(struct aa_label *label, char **string, bool newline);
+ int aa_setprocattr_changehat(char *args, size_t size, int flags);
+
+ #endif /* __AA_PROCATTR_H */
+diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
+index 4237536106aa..65a004597e53 100644
+--- a/security/apparmor/lsm.c
++++ b/security/apparmor/lsm.c
+@@ -602,6 +602,7 @@ static int apparmor_getprocattr(struct task_struct *task, char *name,
+ const struct cred *cred = get_task_cred(task);
+ struct aa_task_ctx *ctx = task_ctx(current);
+ struct aa_label *label = NULL;
++ bool newline = true;
+
+ if (strcmp(name, "current") == 0)
+ label = aa_get_newest_label(cred_label(cred));
+@@ -609,11 +610,14 @@ static int apparmor_getprocattr(struct task_struct *task, char *name,
+ label = aa_get_newest_label(ctx->previous);
+ else if (strcmp(name, "exec") == 0 && ctx->onexec)
+ label = aa_get_newest_label(ctx->onexec);
+- else
++ else if (strcmp(name, "context") == 0) {
++ label = aa_get_newest_label(cred_label(cred));
++ newline = false;
++ } else
+ error = -EINVAL;
+
+ if (label)
+- error = aa_getprocattr(label, value);
++ error = aa_getprocattr(label, value, newline);
+
+ aa_put_label(label);
+ put_cred(cred);
+diff --git a/security/apparmor/procattr.c b/security/apparmor/procattr.c
+index c929bf4a3df1..be3b083d9b74 100644
+--- a/security/apparmor/procattr.c
++++ b/security/apparmor/procattr.c
+@@ -20,6 +20,7 @@
+ * aa_getprocattr - Return the profile information for @profile
+ * @profile: the profile to print profile info about (NOT NULL)
+ * @string: Returns - string containing the profile info (NOT NULL)
++ * @newline: Should a newline be added to @string.
+ *
+ * Returns: length of @string on success else error on failure
+ *
+@@ -30,20 +31,21 @@
+ *
+ * Returns: size of string placed in @string else error code on failure
+ */
+-int aa_getprocattr(struct aa_label *label, char **string)
++int aa_getprocattr(struct aa_label *label, char **string, bool newline)
+ {
+ struct aa_ns *ns = labels_ns(label);
+ struct aa_ns *current_ns = aa_get_current_ns();
++ int flags = FLAG_VIEW_SUBNS | FLAG_HIDDEN_UNCONFINED;
+ int len;
+
+ if (!aa_ns_visible(current_ns, ns, true)) {
+ aa_put_ns(current_ns);
+ return -EACCES;
+ }
++ if (newline)
++ flags |= FLAG_SHOW_MODE;
+
+- len = aa_label_snxprint(NULL, 0, current_ns, label,
+- FLAG_SHOW_MODE | FLAG_VIEW_SUBNS |
+- FLAG_HIDDEN_UNCONFINED);
++ len = aa_label_snxprint(NULL, 0, current_ns, label, flags);
+ AA_BUG(len < 0);
+
+ *string = kmalloc(len + 2, GFP_KERNEL);
+@@ -52,19 +54,19 @@ int aa_getprocattr(struct aa_label *label, char **string)
+ return -ENOMEM;
+ }
+
+- len = aa_label_snxprint(*string, len + 2, current_ns, label,
+- FLAG_SHOW_MODE | FLAG_VIEW_SUBNS |
+- FLAG_HIDDEN_UNCONFINED);
++ len = aa_label_snxprint(*string, len + 2, current_ns, label, flags);
+ if (len < 0) {
+ aa_put_ns(current_ns);
+ return len;
+ }
+
+- (*string)[len] = '\n';
+- (*string)[len + 1] = 0;
++ if (newline) {
++ (*string)[len] = '\n';
++ (*string)[++len] = 0;
++ }
+
+ aa_put_ns(current_ns);
+- return len + 1;
++ return len;
+ }
+
+ /**
+diff --git a/security/security.c b/security/security.c
+index 96b1d9c37d49..798e887b18fe 100644
+--- a/security/security.c
++++ b/security/security.c
+@@ -802,6 +802,57 @@ static int lsm_superblock_alloc(struct super_block *sb)
+ return 0;
+ }
+
++/**
++ * append_ctx - append a lsm/context pair to a compound context
++ * @ctx: the existing compound context
++ * @ctxlen: size of the old context, including terminating nul byte
++ * @lsm: new lsm name, nul terminated
++ * @new: new context, possibly nul terminated
++ * @newlen: maximum size of @new
++ *
++ * replace @ctx with a new compound context, appending @newlsm and @new
++ * to @ctx. On exit the new data replaces the old, which is freed.
++ * @ctxlen is set to the new size, which includes a trailing nul byte.
++ *
++ * Returns 0 on success, -ENOMEM if no memory is available.
++ */
++static int append_ctx(char **ctx, int *ctxlen, const char *lsm, char *new,
++ int newlen)
++{
++ char *final;
++ size_t llen;
++ size_t nlen;
++ size_t flen;
++
++ llen = strlen(lsm) + 1;
++ /*
++ * A security module may or may not provide a trailing nul on
++ * when returning a security context. There is no definition
++ * of which it should be, and there are modules that do it
++ * each way.
++ */
++ nlen = strnlen(new, newlen);
++
++ flen = *ctxlen + llen + nlen + 1;
++ final = kzalloc(flen, GFP_KERNEL);
++
++ if (final == NULL)
++ return -ENOMEM;
++
++ if (*ctxlen)
++ memcpy(final, *ctx, *ctxlen);
++
++ memcpy(final + *ctxlen, lsm, llen);
++ memcpy(final + *ctxlen + llen, new, nlen);
++
++ kfree(*ctx);
++
++ *ctx = final;
++ *ctxlen = flen;
++
++ return 0;
++}
++
+ /*
+ * The default value of the LSM hook is defined in linux/lsm_hook_defs.h and
+ * can be accessed with:
+@@ -2235,6 +2286,10 @@ int security_getprocattr(struct task_struct *p, const char *lsm, char *name,
+ char **value)
+ {
+ struct security_hook_list *hp;
++ char *final = NULL;
++ char *cp;
++ int rc = 0;
++ int finallen = 0;
+ int ilsm = lsm_task_ilsm(current);
+ int slot = 0;
+
+@@ -2262,6 +2317,30 @@ int security_getprocattr(struct task_struct *p, const char *lsm, char *name,
+ return -ENOMEM;
+ }
+
++ if (!strcmp(name, "context")) {
++ hlist_for_each_entry(hp, &security_hook_heads.getprocattr,
++ list) {
++ rc = hp->hook.getprocattr(p, "context", &cp);
++ if (rc == -EINVAL)
++ continue;
++ if (rc < 0) {
++ kfree(final);
++ return rc;
+ }
- cmd = BR_TRANSACTION_SEC_CTX;
- trsize = sizeof(tr);
- }
-diff --git a/drivers/android/binder_internal.h b/drivers/android/binder_internal.h
-index abe19d88c6ec..152d0b55e050 100644
---- a/drivers/android/binder_internal.h
-+++ b/drivers/android/binder_internal.h
-@@ -528,6 +528,7 @@ struct binder_transaction {
- long saved_priority;
- kuid_t sender_euid;
- struct list_head fd_fixups;
-+ int security_interface;
- binder_uintptr_t security_ctx;
- /**
- * @lock: protects @from, @to_proc, and @to_thread
++ rc = append_ctx(&final, &finallen, hp->lsmid->lsm,
++ cp, rc);
++ kfree(cp);
++ if (rc < 0) {
++ kfree(final);
++ return rc;
++ }
++ }
++ if (final == NULL)
++ return -EINVAL;
++ *value = final;
++ return finallen;
++ }
++
+ hlist_for_each_entry(hp, &security_hook_heads.getprocattr, list) {
+ if (lsm != NULL && strcmp(lsm, hp->lsmid->lsm))
+ continue;
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index c3e5fcedae0b..ec045d9e240a 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -6462,7 +6462,7 @@ static int selinux_getprocattr(struct task_struct *p,
+ goto bad;
+ }
+
+- if (!strcmp(name, "current"))
++ if (!strcmp(name, "current") || !strcmp(name, "context"))
+ sid = __tsec->sid;
+ else if (!strcmp(name, "prev"))
+ sid = __tsec->osid;
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index 711fb49b4d5f..bd46921b9d28 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -3477,7 +3477,7 @@ static int smack_getprocattr(struct task_struct *p, char *name, char **value)
+ char *cp;
+ int slen;
+
+- if (strcmp(name, "current") != 0)
++ if (strcmp(name, "current") != 0 && strcmp(name, "context") != 0)
+ return -EINVAL;
+
+ cp = kstrdup(skp->smk_known, GFP_KERNEL);
--
-2.37.3
+2.31.1