[PATCH v14 22/23] LSM: Add /proc attr entry for full LSM context
Stephen Smalley
sds at tycho.nsa.gov
Fri Jan 24 20:16:36 UTC 2020
On 1/24/20 2:28 PM, Casey Schaufler wrote:
> On 1/24/2020 8:20 AM, Stephen Smalley wrote:
>> On 1/24/20 9:42 AM, Stephen Smalley wrote:
>>> On 1/23/20 7:23 PM, Casey Schaufler wrote:
>>>> Add an entry /proc/.../attr/context which displays the full
>>>> process security "context" in compound format:'
>>>> lsm1\0value\0lsm2\0value\0...
>>>> This entry is not writable.
>>>>
>>>> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
>>>> Cc: linux-api at vger.kernel.org
>>>
>>> As previously discussed, there are issues with AppArmor's implementation of getprocattr() particularly around the trailing newline that dbus-daemon and perhaps others would like to see go away in any new interface. Hence, I don't think we should implement this new API using the existing getprocattr() hook lest it also be locked into the current behavior forever.
>>
>> Also, it would be good if whatever hook is introduced to support /proc/pid/attr/context could also be leveraged by the SO_PEERCONTEXT implementation in the future so that we are guaranteed a consistent result between the two interfaces, unlike the current situation for /proc/self/attr/current versus SO_PEERSEC.
>
> I don't believe that a new hook is necessary, and that introducing one
> just to deal with a '\n' would be pedantic. We really have two rational
> options. AppArmor could drop the '\n' from their "context". Or, we can
> simply document that the /proc/pid/attr/context interface will trim any
> trailing whitespace. I understand that this would be a break from the
> notion that the LSM infrastructure does not constrain what a module uses
> for its own data. On the other hand, we have been saying that "context"s
> are strings, and ignoring trailing whitespace is usual behavior for
> strings.
Well, you can either introduce a new common underlying hook for use by
/proc/pid/attr/context and SO_PEERCONTEXT to produce the string that is
to be returned to userspace (in order to guarantee consistency in format
and allowing them to be directly compared, which I think is what the
dbus maintainers wanted), or you can modify every security module to
provide that guarantee in its existing getprocattr and getpeersec* hook
functions (SELinux already provides this guarantee; Smack and AppArmor
produce slightly different results with respect to \0 and/or \n), or you
can have the framework trim the values it gets from the security modules
before composing them. But you need to do one of those things before
this interface gets merged upstream.
Aside from the trailing newline and \0 issues, AppArmor also has a
whitespace-separated (mode) field that may or may not be present in the
contexts it presently returns, ala "/usr/sbin/cupsd (enforce)". Not
sure what they want for the new interfaces.
More information about the Linux-security-module-archive
mailing list