[PATCH v8 07/11] LSM: Helpers for attribute names and filling an lsm_ctx

Casey Schaufler casey at schaufler-ca.com
Tue Apr 18 22:43:14 UTC 2023


On 4/18/2023 2:51 PM, Paul Moore wrote:
> On Tue, Apr 11, 2023 at 12:02 PM Casey Schaufler <casey at schaufler-ca.com> wrote:
>> Add lsm_name_to_attr(), which translates a text string to a
>> LSM_ATTR value if one is available.
>>
>> Add lsm_fill_user_ctx(), which fills a struct lsm_ctx, including
>> the trailing attribute value. The .len value is padded to a multiple
>> of the size of the structure for alignment.
>>
>> All are used in module specific components of LSM system calls.
>>
>> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
>> ---
>>  include/linux/security.h | 13 +++++++++++
>>  security/lsm_syscalls.c  | 24 ++++++++++++++++++++
>>  security/security.c      | 48 ++++++++++++++++++++++++++++++++++++++++
>>  3 files changed, 85 insertions(+)
> ..
>
>> diff --git a/security/lsm_syscalls.c b/security/lsm_syscalls.c
>> index 6efbe244d304..67106f642422 100644
>> --- a/security/lsm_syscalls.c
>> +++ b/security/lsm_syscalls.c
>> @@ -17,6 +17,30 @@
>>  #include <linux/lsm_hooks.h>
>>  #include <uapi/linux/lsm.h>
>>
>> +/**
>> + * lsm_name_to_attr - map an LSM attribute name to its ID
>> + * @name: name of the attribute
>> + *
>> + * Returns the LSM attribute value associated with @name, or 0 if
>> + * there is no mapping.
>> + */
>> +u64 lsm_name_to_attr(const char *name)
>> +{
>> +       if (!strcmp(name, "current"))
>> +               return LSM_ATTR_CURRENT;
>> +       if (!strcmp(name, "exec"))
>> +               return LSM_ATTR_EXEC;
>> +       if (!strcmp(name, "fscreate"))
>> +               return LSM_ATTR_FSCREATE;
>> +       if (!strcmp(name, "keycreate"))
>> +               return LSM_ATTR_KEYCREATE;
>> +       if (!strcmp(name, "prev"))
>> +               return LSM_ATTR_PREV;
>> +       if (!strcmp(name, "sockcreate"))
>> +               return LSM_ATTR_SOCKCREATE;
>> +       return 0;
>> +}
> Thank you :)

It didn't hurt all that badly.

>
>>  /**
>>   * sys_lsm_set_self_attr - Set current task's security module attribute
>>   * @attr: which attribute to set
>> diff --git a/security/security.c b/security/security.c
>> index bfe9a1a426b2..453f3ff591ec 100644
>> --- a/security/security.c
>> +++ b/security/security.c
>> @@ -752,6 +752,54 @@ static int lsm_superblock_alloc(struct super_block *sb)
>>         return 0;
>>  }
>>
>> +/**
>> + * lsm_fill_user_ctx - Fill a user space lsm_ctx structure
>> + * @ctx: an LSM context to be filled
>> + * @context: the new context value
>> + * @context_size: the size of the new context value
>> + * @id: LSM id
>> + * @flags: LSM defined flags
>> + *
>> + * Fill all of the fields in a user space lsm_ctx structure.
>> + * Caller is assumed to have verified that @ctx has enough space
>> + * for @context.
>> + *
>> + * The total length is padded to an integral number of lsm_ctx.
> Considering that lsm_ctx is variable length I'm not sure that makes a
> lot of sense, how about we pad the total length so that the @ctx entry
> is a multiple of 64-bits?

64 is fine.

>   If needed we can always change this later
> as the lsm_ctx struct is inherently variable in length and userspace
> will need to deal with the buffer regardless of alignment.
>
>> + * Returns 0 on success, -EFAULT on a copyout error.
>> + */
>> +int lsm_fill_user_ctx(struct lsm_ctx __user *ctx, void *context,
>> +                     size_t context_size, u64 id, u64 flags)
>> +{
>> +       struct lsm_ctx *lctx;
>> +       size_t locallen;
>> +       u8 *composite;
>> +       int rc = 0;
>> +
>> +       locallen = sizeof(*ctx);
>> +       if (context_size)
>> +               locallen += sizeof(*ctx) * ((context_size / sizeof(*ctx)) + 1);
> It seems cleaner to use the kernel's ALIGN() macro:

Indeed. I'll do it.

>
>   /* ensure the lsm_ctx length is a multiple of 64-bits */
>   locallen = ALIGN(sizeof(*ctx) + context_size, 8);
>   lctx = kzalloc(locallen, GFP_KERNEL)
>   if (!lctx)
>     return -ENOMEM;
>
>> +       composite = kzalloc(locallen, GFP_KERNEL);
>> +       if (composite == NULL)
>> +               return -ENOMEM;
>> +
>> +       lctx = (struct lsm_ctx *)composite;
>> +       lctx->id = id;
>> +       lctx->flags = flags;
>> +       lctx->ctx_len = context_size;
>> +       lctx->len = locallen;
>> +
>> +       memcpy(composite + sizeof(*lctx), context, context_size);
> Is there a problem with doing `memcpy(lctx->ctx, context,
> context_size)` in place of the memcpy above?

Nope.

>   That is easier to read
> and we can get rid of @composite.

Point.

>> +       if (copy_to_user(ctx, composite, locallen))
>> +               rc = -EFAULT;
>> +
>> +       kfree(composite);
>> +
>> +       return rc;
>> +}
> I understand Mickaël asked you to do a single copy_to_user(), but I'm
> not sure it is worth it if we have to add a temporary buffer
> allocation like that.  How about something like below (v7 with some
> tweaks/padding)?  You could be a bit more clever with the memset if
> you want, I was just typing this up quickly ...

I prefer two copies to the allocation myself. I'll incorporate this.

>
> int lsm_fill_user_ctx(...)
> {
>   struct lsm_ctx lctx;
>
>   /* ensure the lctx length is a multiple of 64-bits */
>   lctx.len = ALIGN(sizeof(lctx) + context_size, 8);
>
>   lctx.id = id;
>   lctx.flags = flags;
>   lctx.ctx_len = context_size;
>
>   memset(ctx, 0, lctx.len);
>   if (copy_to_user(ctx, &lctx, sizeof(lctx))
>     return -EFAULT;
>   if (copy_to_user(&ctx[1], context, context_size)
>     return -EFAULT;
>
>   return 0;
> }
>
> --
> paul-moore.com



More information about the Linux-security-module-archive mailing list