LSM: Helpers for attribute names and filling lsm_ctx

Add lsm_name_to_attr(), which translates a text string to a
LSM_ATTR value if one is available.

Add lsm_fill_user_ctx(), which fills a struct lsm_ctx, including
the trailing attribute value.

Both are used in module-specific components of LSM system calls.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Reviewed-by: John Johansen <john.johansen@canonical.com>
Reviewed-by: Serge Hallyn <serge@hallyn.com>
Reviewed-by: Mickaël Salaün <mic@digikod.net>
Signed-off-by: Paul Moore <paul@paul-moore.com>

authored by

Casey Schaufler and committed by
Paul Moore
e1ca7129 5f423759

+79
+14
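--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -32,6 +32,7 @@
 #include <linux/string.h>
 #include <linux/mm.h>
 #include <linux/sockptr.h>
+#include <uapi/linux/lsm.h>
 
 struct linux_binprm;
 struct cred;
@@ -265,6 +264,7 @@
 /* prototypes */
 extern int security_init(void);
 extern int early_security_init(void);
+extern u64 lsm_name_to_attr(const char *name);
 
 /* Security operations */
 int security_binder_set_context_mgr(const struct cred *mgr);
@@ -492,6 +490,8 @@
 int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
 int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
 int security_locked_down(enum lockdown_reason what);
+int lsm_fill_user_ctx(struct lsm_ctx __user *ctx, void *context,
+		      size_t context_size, u64 id, u64 flags);
 #else /* CONFIG_SECURITY */
 
 static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
@@ -509,6 +505,11 @@
 static inline int unregister_blocking_lsm_notifier(struct notifier_block *nb)
 {
 	return 0;
+}
+
+static inline u64 lsm_name_to_attr(const char *name)
+{
+	return LSM_ATTR_UNDEF;
 }
 
 static inline void security_free_mnt_opts(void **mnt_opts)
@@ -1423,6 +1414,11 @@
 static inline int security_locked_down(enum lockdown_reason what)
 {
 	return 0;
+}
+static inline int lsm_fill_user_ctx(struct lsm_ctx __user *ctx, void *context,
+				    size_t context_size, u64 id, u64 flags)
+{
+	return -EOPNOTSUPP;
 }
 #endif /* CONFIG_SECURITY */
 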
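Review bot: The `!CONFIG_SECURITY` stub for `lsm_fill_user_ctx` (new lines 1417-1421) is glued to the closing brace of `security_locked_down` with no separating blank line, unlike the `lsm_name_to_attr` stub added earlier in the same file, which gets one; insert a blank line after that `}` so the two definitions read as separate. Both the prototype at new line 493 and the definition in security/security.c only read through `context` (it is the memcpy source there), so the parameter can be `const void *context` in the prototype, the stub and the definition, which lets callers pass const buffers without a cast.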
+24
security/lsm_syscalls.c
··· 18 18 #include <uapi/linux/lsm.h> 19 19 20 20 /** 21 + * lsm_name_to_attr - map an LSM attribute name to its ID 22 + * @name: name of the attribute 23 + * 24 + * Returns the LSM attribute value associated with @name, or 0 if 25 + * there is no mapping. 26 + */ 27 + u64 lsm_name_to_attr(const char *name) 28 + { 29 + if (!strcmp(name, "current")) 30 + return LSM_ATTR_CURRENT; 31 + if (!strcmp(name, "exec")) 32 + return LSM_ATTR_EXEC; 33 + if (!strcmp(name, "fscreate")) 34 + return LSM_ATTR_FSCREATE; 35 + if (!strcmp(name, "keycreate")) 36 + return LSM_ATTR_KEYCREATE; 37 + if (!strcmp(name, "prev")) 38 + return LSM_ATTR_PREV; 39 + if (!strcmp(name, "sockcreate")) 40 + return LSM_ATTR_SOCKCREATE; 41 + return LSM_ATTR_UNDEF; 42 + } 43 + 44 + /** 21 45 * sys_lsm_set_self_attr - Set current task's security module attribute 22 46 * @attr: which attribute to set 23 47 * @ctx: the LSM contexts
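Review bot: The kerneldoc on new lines 24-25 says the function returns "0 if there is no mapping" while the code on new line 41 returns `LSM_ATTR_UNDEF`; name the constant rather than its value so the comment does not silently depend on the uapi definition: ` * Returns the LSM attribute value associated with @name, or LSM_ATTR_UNDEF if there is no mapping.`. The function also dereferences @name unconditionally through strcmp(), so the kerneldoc should state that @name must be a NUL-terminated string that is never NULL, since the callers are not visible in this commit.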
+41
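--- a/security/security.c
+++ b/security/security.c
@@ -771,6 +771,47 @@
 	return 0;
 }
 
+/**
+ * lsm_fill_user_ctx - Fill a user space lsm_ctx structure
+ * @ctx: an LSM context to be filled
+ * @context: the new context value
+ * @context_size: the size of the new context value
+ * @id: LSM id
+ * @flags: LSM defined flags
+ *
+ * Fill all of the fields in a user space lsm_ctx structure.
+ * Caller is assumed to have verified that @ctx has enough space
+ * for @context.
+ *
+ * Returns 0 on success, -EFAULT on a copyout error, -ENOMEM
+ * if memory can't be allocated.
+ */
+int lsm_fill_user_ctx(struct lsm_ctx __user *ctx, void *context,
+		      size_t context_size, u64 id, u64 flags)
+{
+	struct lsm_ctx *lctx;
+	size_t locallen = struct_size(lctx, ctx, context_size);
+	int rc = 0;
+
+	lctx = kzalloc(locallen, GFP_KERNEL);
+	if (lctx == NULL)
+		return -ENOMEM;
+
+	lctx->id = id;
+	lctx->flags = flags;
+	lctx->ctx_len = context_size;
+	lctx->len = locallen;
+
+	memcpy(lctx->ctx, context, context_size);
+
+	if (copy_to_user(ctx, lctx, locallen))
+		rc = -EFAULT;
+
+	kfree(lctx);
+
+	return rc;
+}
+
 /*
  * The default value of the LSM hook is defined in linux/lsm_hook_defs.h and
  * can be accessed with: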
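Review bot: `lctx->len` on new line 803 is the unpadded `struct_size(lctx, ctx, context_size)`, so when user space walks several `struct lsm_ctx` entries back to back using `len`, an odd-sized context leaves the next entry's u64 fields unaligned; if the uapi expects entries to be chained that way, round the length up with `locallen = ALIGN(struct_size(lctx, ctx, context_size), sizeof(u64));` and let the zeroed tail from kzalloc() serve as padding — worth confirming against the uapi definition, which is not in this commit. The `kzalloc()` on new line 796 is the right choice and should stay: the whole allocation is copied to user space, so any padding or slack bytes reach the caller zeroed rather than carrying stale kernel memory. The kerneldoc should also spell out the trust boundary it relies on: @context_size is taken on faith from the caller and bounds both the allocation and the memcpy(), so it must come from the LSM's own value, never from user input.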