Re: [PATCH v4 3/3] LSM: Add context interface for proc attrs
On 06/29/2016 10:04 AM, Paul Moore wrote: > On Fri, Jun 24, 2016 at 7:29 PM, Casey Schaufler > wrote: >> Subject: [PATCH v4 3/3] LSM: Add context interface for proc attrs >> >> The /proc/.../attr/current interface is used by all three >> Linux security modules (SELinux, Smack and AppArmor) to >> report and modify the process security attribute. This is >> all fine when there is exactly one of these modules active >> and the userspace code knows which it module it is. >> It would require a major change to the "current" interface >> to provide information about more than one set of process >> security attributes. Instead, a "context" attribute is >> added, which identifies the security module that the >> information applies to. The format is: >> >> lsmname='context-value' >> >> When multiple concurrent modules are supported the >> /proc/.../attr/context interface will include the data >> for all of the active modules. >> >> lsmname1='context-value1',lsmname2='context-value2' >> >> The module specific subdirectories under attr contain context >> entries that report the information for that specific module >> in the same format. >> >> Signed-off-by: Casey Schaufler Acked-by: John Johansen >> >> --- >> Documentation/security/LSM.txt | 8 +++ >> fs/proc/base.c | 4 ++ >> security/apparmor/lsm.c| 35 +++-- >> security/security.c| 108 >> + >> security/selinux/hooks.c | 20 +++- >> security/smack/smack_lsm.c | 20 >> 6 files changed, 180 insertions(+), 15 deletions(-) > > Acked-by: Paul Moore > >> diff --git a/Documentation/security/LSM.txt b/Documentation/security/LSM.txt >> index 125c489..af3eb11 100644 >> --- a/Documentation/security/LSM.txt >> +++ b/Documentation/security/LSM.txt 
>> @@ -36,6 +36,14 @@ for SELinux would be in /proc/.../attr/selinux. Using the >> files >> found directly in /proc/.../attr (e.g. current) should be avoided. >> These files remain as legacy interfaces. >> >> +The files named "context" in the attr directories contain the >> +same information as the "current" files, but formatted to >> +identify the module it comes from. >> + >> +if selinux is the active security module: >> + /proc/self/attr/context could contain selinux='unconfined_t' >> + /proc/self/attr/selinux/context could contain selinux='unconfined_t' >> + >> Based on https://lkml.org/lkml/2007/10/26/215, >> a new LSM is accepted into the kernel when its intent (a description of >> what it tries to protect against and in what cases one would expect to >> diff --git a/fs/proc/base.c b/fs/proc/base.c >> index 182bc28..df94f26 100644 >> --- a/fs/proc/base.c >> +++ b/fs/proc/base.c >> @@ -2532,6 +2532,7 @@ static const struct pid_entry selinux_attr_dir_stuff[] >> = { >> ATTR("selinux", "fscreate", S_IRUGO|S_IWUGO), >> ATTR("selinux", "keycreate",S_IRUGO|S_IWUGO), >> ATTR("selinux", "sockcreate", S_IRUGO|S_IWUGO), >> + ATTR("selinux", "context", S_IRUGO|S_IWUGO), >> }; >> LSM_DIR_OPS(selinux); >> #endif >> @@ -2539,6 +2540,7 @@ LSM_DIR_OPS(selinux); >> #ifdef CONFIG_SECURITY_SMACK >> static const struct pid_entry smack_attr_dir_stuff[] = { >> ATTR("smack", "current",S_IRUGO|S_IWUGO), >> + ATTR("smack", "context",S_IRUGO|S_IWUGO), >> }; >> LSM_DIR_OPS(smack); >> #endif >> @@ -2548,6 +2550,7 @@ static const struct pid_entry >> apparmor_attr_dir_stuff[] = { >> ATTR("apparmor", "current", S_IRUGO|S_IWUGO), >> ATTR("apparmor", "prev",S_IRUGO), >> ATTR("apparmor", "exec",S_IRUGO|S_IWUGO), >> + ATTR("apparmor", "context", S_IRUGO|S_IWUGO), >> }; >> LSM_DIR_OPS(apparmor); >> #endif 
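Review bot: Every new `context` entry in the three per-module `*_attr_dir_stuff[]` tables is registered with `S_IRUGO|S_IWUGO`, so the file is world-writable in the same way as `current`, yet the Documentation hunk in this same patch describes `context` only as a read-side format (`lsmname='context-value'`) and says nothing about whether a write is accepted or what form it must take. The same applies to the `@@ -2559` hunk that adds `ATTR(NULL, "context", S_IRUGO|S_IWUGO)` to the legacy attr directory and to the repeated quoted copies of these hunks further down the thread. The setprocattr side lives in security/security.c and the per-module files, which are not in this excerpt, so I cannot tell from here whether writes are parsed or rejected. If writing is intended, the LSM.txt addition should state the accepted form, e.g. `Writing a "context" file takes the same lsmname='value' form as reading it.`; if it is not, the entries should be `S_IRUGO` only so the permission bits match the documented behaviour.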
>> @@ -2559,6 +2562,7 @@ static const struct pid_entry attr_dir_stuff[] = { >> ATTR(NULL, "fscreate", S_IRUGO|S_IWUGO), >> ATTR(NULL, "keycreate", S_IRUGO|S_IWUGO), >> ATTR(NULL, "sockcreate",S_IRUGO|S_IWUGO), >> + ATTR(NULL, "context"
Re: [PATCH v4 3/3] LSM: Add context interface for proc attrs
On Fri, Jun 24, 2016 at 7:29 PM, Casey Schaufler wrote: > Subject: [PATCH v4 3/3] LSM: Add context interface for proc attrs > > The /proc/.../attr/current interface is used by all three > Linux security modules (SELinux, Smack and AppArmor) to > report and modify the process security attribute. This is > all fine when there is exactly one of these modules active > and the userspace code knows which it module it is. > It would require a major change to the "current" interface > to provide information about more than one set of process > security attributes. Instead, a "context" attribute is > added, which identifies the security module that the > information applies to. The format is: > > lsmname='context-value' > > When multiple concurrent modules are supported the > /proc/.../attr/context interface will include the data > for all of the active modules. > > lsmname1='context-value1',lsmname2='context-value2' > > The module specific subdirectories under attr contain context > entries that report the information for that specific module > in the same format. > > Signed-off-by: Casey Schaufler > > --- > Documentation/security/LSM.txt | 8 +++ > fs/proc/base.c | 4 ++ > security/apparmor/lsm.c| 35 +++-- > security/security.c| 108 > + > security/selinux/hooks.c | 20 +++- > security/smack/smack_lsm.c | 20 > 6 files changed, 180 insertions(+), 15 deletions(-) Acked-by: Paul Moore > diff --git a/Documentation/security/LSM.txt b/Documentation/security/LSM.txt > index 125c489..af3eb11 100644 > --- a/Documentation/security/LSM.txt > +++ b/Documentation/security/LSM.txt 
> @@ -36,6 +36,14 @@ for SELinux would be in /proc/.../attr/selinux. Using the > files > found directly in /proc/.../attr (e.g. current) should be avoided. > These files remain as legacy interfaces. > > +The files named "context" in the attr directories contain the > +same information as the "current" files, but formatted to > +identify the module it comes from. > + > +if selinux is the active security module: > + /proc/self/attr/context could contain selinux='unconfined_t' > + /proc/self/attr/selinux/context could contain selinux='unconfined_t' > + > Based on https://lkml.org/lkml/2007/10/26/215, > a new LSM is accepted into the kernel when its intent (a description of > what it tries to protect against and in what cases one would expect to > diff --git a/fs/proc/base.c b/fs/proc/base.c > index 182bc28..df94f26 100644 > --- a/fs/proc/base.c > +++ b/fs/proc/base.c > @@ -2532,6 +2532,7 @@ static const struct pid_entry selinux_attr_dir_stuff[] > = { > ATTR("selinux", "fscreate", S_IRUGO|S_IWUGO), > ATTR("selinux", "keycreate",S_IRUGO|S_IWUGO), > ATTR("selinux", "sockcreate", S_IRUGO|S_IWUGO), > + ATTR("selinux", "context", S_IRUGO|S_IWUGO), > }; > LSM_DIR_OPS(selinux); > #endif > @@ -2539,6 +2540,7 @@ LSM_DIR_OPS(selinux); > #ifdef CONFIG_SECURITY_SMACK > static const struct pid_entry smack_attr_dir_stuff[] = { > ATTR("smack", "current",S_IRUGO|S_IWUGO), > + ATTR("smack", "context",S_IRUGO|S_IWUGO), > }; > LSM_DIR_OPS(smack); > #endif > @@ -2548,6 +2550,7 @@ static const struct pid_entry apparmor_attr_dir_stuff[] > = { > ATTR("apparmor", "current", S_IRUGO|S_IWUGO), > ATTR("apparmor", "prev",S_IRUGO), > ATTR("apparmor", "exec",S_IRUGO|S_IWUGO), > + ATTR("apparmor", "context", S_IRUGO|S_IWUGO), > }; > LSM_DIR_OPS(apparmor); > #endif 
> @@ -2559,6 +2562,7 @@ static const struct pid_entry attr_dir_stuff[] = { > ATTR(NULL, "fscreate", S_IRUGO|S_IWUGO), > ATTR(NULL, "keycreate", S_IRUGO|S_IWUGO), > ATTR(NULL, "sockcreate",S_IRUGO|S_IWUGO), > + ATTR(NULL, "context", S_IRUGO|S_IWUGO), > #ifdef CONFIG_SECURITY_SELINUX > DIR("selinux", S_IRUGO|S_IXUGO, > proc_selinux_attr_dir_inode_ops, proc_selinux_attr_dir_ops), > diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c > index fb0fb03..5cac15f 100644 > --- a/security/apparmor/lsm.c > +++ b/security/apparmor/lsm.c > @@ -476,9 +476,13 @@ static int apparmor_getprocattr(struct task_
[PATCH v4 3/3] LSM: Add context interface for proc attrs
Subject: [PATCH v4 3/3] LSM: Add context interface for proc attrs The /proc/.../attr/current interface is used by all three Linux security modules (SELinux, Smack and AppArmor) to report and modify the process security attribute. This is all fine when there is exactly one of these modules active and the userspace code knows which it module it is. It would require a major change to the "current" interface to provide information about more than one set of process security attributes. Instead, a "context" attribute is added, which identifies the security module that the information applies to. The format is: lsmname='context-value' When multiple concurrent modules are supported the /proc/.../attr/context interface will include the data for all of the active modules. lsmname1='context-value1',lsmname2='context-value2' The module specific subdirectories under attr contain context entries that report the information for that specific module in the same format. Signed-off-by: Casey Schaufler --- Documentation/security/LSM.txt | 8 +++ fs/proc/base.c | 4 ++ security/apparmor/lsm.c| 35 +++-- security/security.c| 108 + security/selinux/hooks.c | 20 +++- security/smack/smack_lsm.c | 20 6 files changed, 180 insertions(+), 15 deletions(-) diff --git a/Documentation/security/LSM.txt b/Documentation/security/LSM.txt index 125c489..af3eb11 100644 --- a/Documentation/security/LSM.txt +++ b/Documentation/security/LSM.txt 
@@ -36,6 +36,14 @@ for SELinux would be in /proc/.../attr/selinux. Using the files found directly in /proc/.../attr (e.g. current) should be avoided. These files remain as legacy interfaces. +The files named "context" in the attr directories contain the +same information as the "current" files, but formatted to +identify the module it comes from. + +if selinux is the active security module: + /proc/self/attr/context could contain selinux='unconfined_t' + /proc/self/attr/selinux/context could contain selinux='unconfined_t' + Based on https://lkml.org/lkml/2007/10/26/215, a new LSM is accepted into the kernel when its intent (a description of what it tries to protect against and in what cases one would expect to diff --git a/fs/proc/base.c b/fs/proc/base.c index 182bc28..df94f26 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -2532,6 +2532,7 @@ static const struct pid_entry selinux_attr_dir_stuff[] = { ATTR("selinux", "fscreate", S_IRUGO|S_IWUGO), ATTR("selinux", "keycreate",S_IRUGO|S_IWUGO), ATTR("selinux", "sockcreate", S_IRUGO|S_IWUGO), + ATTR("selinux", "context", S_IRUGO|S_IWUGO), }; LSM_DIR_OPS(selinux); #endif @@ -2539,6 +2540,7 @@ LSM_DIR_OPS(selinux); #ifdef CONFIG_SECURITY_SMACK static const struct pid_entry smack_attr_dir_stuff[] = { ATTR("smack", "current",S_IRUGO|S_IWUGO), + ATTR("smack", "context",S_IRUGO|S_IWUGO), }; LSM_DIR_OPS(smack); #endif @@ -2548,6 +2550,7 @@ static const struct pid_entry apparmor_attr_dir_stuff[] = { ATTR("apparmor", "current", S_IRUGO|S_IWUGO), ATTR("apparmor", "prev",S_IRUGO), ATTR("apparmor", "exec",S_IRUGO|S_IWUGO), + ATTR("apparmor", "context", S_IRUGO|S_IWUGO), }; LSM_DIR_OPS(apparmor); #endif 
@@ -2559,6 +2562,7 @@ static const struct pid_entry attr_dir_stuff[] = { ATTR(NULL, "fscreate", S_IRUGO|S_IWUGO), ATTR(NULL, "keycreate", S_IRUGO|S_IWUGO), ATTR(NULL, "sockcreate",S_IRUGO|S_IWUGO), + ATTR(NULL, "context", S_IRUGO|S_IWUGO), #ifdef CONFIG_SECURITY_SELINUX DIR("selinux", S_IRUGO|S_IXUGO, proc_selinux_attr_dir_inode_ops, proc_selinux_attr_dir_ops), diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index fb0fb03..5cac15f 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -476,9 +476,13 @@ static int apparmor_getprocattr(struct task_struct *task, char *name, const struct cred *cred = get_task_cred(task); struct aa_task_cxt *cxt = cred_cxt(cred); struct aa_profile *profile = NULL; + char *vp; + char *np; if (strcmp(name, "current") == 0) profile = aa_get_newest_profile(cxt->profile); + else if (strcmp(name, "context") == 0) + profile = aa_get_newest_profile(cxt->profile); else if (strcmp(name, "prev") == 0 && cxt->previous) profile = a
Re: [PATCH v4 3/3] LSM: Add context interface for proc attrs
On 6/24/2016 12:15 PM, Paul Moore wrote: > On Thu, Jun 23, 2016 at 5:11 PM, Casey Schaufler > wrote: >> Subject: [PATCH v4 3/3] LSM: Add context interface for proc attrs >> >> The /proc/.../attr/current interface is used by all three >> Linux security modules (SELinux, Smack and AppArmor) to >> report and modify the process security attribute. This is >> all fine when there is exactly one of these modules active >> and the userspace code knows which it module it is. >> It would require a major change to the "current" interface >> to provide information about more than one set of process >> security attributes. Instead, a "context" attribute is >> added, which identifies the security module that the >> information applies to. The format is: >> >> lsmname='context-value' >> >> When multiple concurrent modules are supported the >> /proc/.../attr/context interface will include the data >> for all of the active modules. >> >> lsmname1='context-value1'lsmname2='context-value2' >> >> The module specific subdirectories under attr contain context >> entries that report the information for that specific module >> in the same format. > I think a delimiter between the different LSMs would be a good idea. > A comma seems like a safe choice at the moment. It's unnecessary and makes for more complicated code in both directions, but everyone seems wedded to a delimiter. I'll propose a v5 with a delimiter. >
Re: [PATCH v4 3/3] LSM: Add context interface for proc attrs
On Thu, Jun 23, 2016 at 5:11 PM, Casey Schaufler wrote: > Subject: [PATCH v4 3/3] LSM: Add context interface for proc attrs > > The /proc/.../attr/current interface is used by all three > Linux security modules (SELinux, Smack and AppArmor) to > report and modify the process security attribute. This is > all fine when there is exactly one of these modules active > and the userspace code knows which module it is. > It would require a major change to the "current" interface > to provide information about more than one set of process > security attributes. Instead, a "context" attribute is > added, which identifies the security module that the > information applies to. The format is: > > lsmname='context-value' > > When multiple concurrent modules are supported the > /proc/.../attr/context interface will include the data > for all of the active modules. > > lsmname1='context-value1'lsmname2='context-value2' > > The module specific subdirectories under attr contain context > entries that report the information for that specific module > in the same format. I think a delimiter between the different LSMs would be a good idea. A comma seems like a safe choice at the moment. -- paul moore www.paul-moore.com
Re: [PATCH v4 3/3] LSM: Add context interface for proc attrs
On 6/23/2016 2:49 PM, Kees Cook wrote: > On Thu, Jun 23, 2016 at 2:11 PM, Casey Schaufler > wrote: >> Subject: [PATCH v4 3/3] LSM: Add context interface for proc attrs >> >> The /proc/.../attr/current interface is used by all three >> Linux security modules (SELinux, Smack and AppArmor) to >> report and modify the process security attribute. This is >> all fine when there is exactly one of these modules active >> and the userspace code knows which it module it is. >> It would require a major change to the "current" interface >> to provide information about more than one set of process >> security attributes. Instead, a "context" attribute is >> added, which identifies the security module that the >> information applies to. The format is: >> >> lsmname='context-value' >> >> When multiple concurrent modules are supported the >> /proc/.../attr/context interface will include the data >> for all of the active modules. >> >> lsmname1='context-value1'lsmname2='context-value2' >> >> The module specific subdirectories under attr contain context >> entries that report the information for that specific module >> in the same format. >> >> Signed-off-by: Casey Schaufler >> >> --- >> fs/proc/base.c | 4 ++ >> security/apparmor/lsm.c| 34 +-- >> security/security.c| 100 >> + >> security/selinux/hooks.c | 22 +- >> security/smack/smack_lsm.c | 21 ++ >> 5 files changed, 167 insertions(+), 14 deletions(-) >> >> diff --git a/fs/proc/base.c b/fs/proc/base.c >> index 182bc28..df94f26 100644 >> --- a/fs/proc/base.c >> +++ b/fs/proc/base.c >> @@ -2532,6 +2532,7 @@ static const struct pid_entry selinux_attr_dir_stuff[] >> = { >> ATTR("selinux", "fscreate", S_IRUGO|S_IWUGO), >> ATTR("selinux", "keycreate",S_IRUGO|S_IWUGO), >> ATTR("selinux", "sockcreate", S_IRUGO|S_IWUGO), >> + ATTR("selinux", "context", S_IRUGO|S_IWUGO), >> }; >> LSM_DIR_OPS(selinux); >> #endif 
>> @@ -2539,6 +2540,7 @@ LSM_DIR_OPS(selinux); >> #ifdef CONFIG_SECURITY_SMACK >> static const struct pid_entry smack_attr_dir_stuff[] = { >> ATTR("smack", "current",S_IRUGO|S_IWUGO), >> + ATTR("smack", "context",S_IRUGO|S_IWUGO), >> }; >> LSM_DIR_OPS(smack); >> #endif >> @@ -2548,6 +2550,7 @@ static const struct pid_entry >> apparmor_attr_dir_stuff[] = { >> ATTR("apparmor", "current", S_IRUGO|S_IWUGO), >> ATTR("apparmor", "prev",S_IRUGO), >> ATTR("apparmor", "exec",S_IRUGO|S_IWUGO), >> + ATTR("apparmor", "context", S_IRUGO|S_IWUGO), >> }; >> LSM_DIR_OPS(apparmor); >> #endif >> @@ -2559,6 +2562,7 @@ static const struct pid_entry attr_dir_stuff[] = { >> ATTR(NULL, "fscreate", S_IRUGO|S_IWUGO), >> ATTR(NULL, "keycreate", S_IRUGO|S_IWUGO), >> ATTR(NULL, "sockcreate",S_IRUGO|S_IWUGO), >> + ATTR(NULL, "context", S_IRUGO|S_IWUGO), >> #ifdef CONFIG_SECURITY_SELINUX >> DIR("selinux", S_IRUGO|S_IXUGO, >> proc_selinux_attr_dir_inode_ops, proc_selinux_attr_dir_ops), >> diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c >> index fb0fb03..3790a7d 100644 >> --- a/security/apparmor/lsm.c >> +++ b/security/apparmor/lsm.c >> @@ -479,6 +479,8 @@ static int apparmor_getprocattr(struct task_struct >> *task, char *name, >> >> if (strcmp(name, "current") == 0) >> profile = aa_get_newest_profile(cxt->profile); >> + else if (strcmp(name, "context") == 0) >> + profile = aa_get_newest_profile(cxt->profile); >> else if (strcmp(name, "prev") == 0 && cxt->previous) >> profile = aa_get_newest_profile(cxt->previous); >> else if (strcmp(name, "exec") == 0 && cxt->onexec) >> @@ -486,8 +488,29 @@ static int apparmor_getprocattr(struct task_struct >> *task, char *name, >> else >> error = -EINVAL; >> >>
Re: [PATCH v4 3/3] LSM: Add context interface for proc attrs
On Thu, Jun 23, 2016 at 2:11 PM, Casey Schaufler wrote: > Subject: [PATCH v4 3/3] LSM: Add context interface for proc attrs > > The /proc/.../attr/current interface is used by all three > Linux security modules (SELinux, Smack and AppArmor) to > report and modify the process security attribute. This is > all fine when there is exactly one of these modules active > and the userspace code knows which it module it is. > It would require a major change to the "current" interface > to provide information about more than one set of process > security attributes. Instead, a "context" attribute is > added, which identifies the security module that the > information applies to. The format is: > > lsmname='context-value' > > When multiple concurrent modules are supported the > /proc/.../attr/context interface will include the data > for all of the active modules. > > lsmname1='context-value1'lsmname2='context-value2' > > The module specific subdirectories under attr contain context > entries that report the information for that specific module > in the same format. > > Signed-off-by: Casey Schaufler > > --- > fs/proc/base.c | 4 ++ > security/apparmor/lsm.c| 34 +-- > security/security.c| 100 > + > security/selinux/hooks.c | 22 +- > security/smack/smack_lsm.c | 21 ++ > 5 files changed, 167 insertions(+), 14 deletions(-) > > diff --git a/fs/proc/base.c b/fs/proc/base.c > index 182bc28..df94f26 100644 > --- a/fs/proc/base.c > +++ b/fs/proc/base.c > @@ -2532,6 +2532,7 @@ static const struct pid_entry selinux_attr_dir_stuff[] > = { > ATTR("selinux", "fscreate", S_IRUGO|S_IWUGO), > ATTR("selinux", "keycreate",S_IRUGO|S_IWUGO), > ATTR("selinux", "sockcreate", S_IRUGO|S_IWUGO), > + ATTR("selinux", "context", S_IRUGO|S_IWUGO), > }; > LSM_DIR_OPS(selinux); > #endif 
> @@ -2539,6 +2540,7 @@ LSM_DIR_OPS(selinux); > #ifdef CONFIG_SECURITY_SMACK > static const struct pid_entry smack_attr_dir_stuff[] = { > ATTR("smack", "current",S_IRUGO|S_IWUGO), > + ATTR("smack", "context",S_IRUGO|S_IWUGO), > }; > LSM_DIR_OPS(smack); > #endif > @@ -2548,6 +2550,7 @@ static const struct pid_entry apparmor_attr_dir_stuff[] > = { > ATTR("apparmor", "current", S_IRUGO|S_IWUGO), > ATTR("apparmor", "prev",S_IRUGO), > ATTR("apparmor", "exec",S_IRUGO|S_IWUGO), > + ATTR("apparmor", "context", S_IRUGO|S_IWUGO), > }; > LSM_DIR_OPS(apparmor); > #endif > @@ -2559,6 +2562,7 @@ static const struct pid_entry attr_dir_stuff[] = { > ATTR(NULL, "fscreate", S_IRUGO|S_IWUGO), > ATTR(NULL, "keycreate", S_IRUGO|S_IWUGO), > ATTR(NULL, "sockcreate",S_IRUGO|S_IWUGO), > + ATTR(NULL, "context", S_IRUGO|S_IWUGO), > #ifdef CONFIG_SECURITY_SELINUX > DIR("selinux", S_IRUGO|S_IXUGO, > proc_selinux_attr_dir_inode_ops, proc_selinux_attr_dir_ops), > diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c > index fb0fb03..3790a7d 100644 > --- a/security/apparmor/lsm.c > +++ b/security/apparmor/lsm.c > @@ -479,6 +479,8 @@ static int apparmor_getprocattr(struct task_struct *task, > char *name, > > if (strcmp(name, "current") == 0) > profile = aa_get_newest_profile(cxt->profile); > + else if (strcmp(name, "context") == 0) > + profile = aa_get_newest_profile(cxt->profile); > else if (strcmp(name, "prev") == 0 && cxt->previous) > profile = aa_get_newest_profile(cxt->previous); > else if (strcmp(name, "exec") == 0 && cxt->onexec) > @@ -486,8 +488,29 @@ static int apparmor_getprocattr(struct task_struct > *task, char *name, > else > error = -EINVAL; > > - if (profile) > - error = aa_getprocattr(profile, value); > + if (profile) { > + if (strcmp(name, "context") == 0) { > + char *vp; > + char *np; > + > + error = aa_getprocattr(profile, &vp); > + i
[PATCH v4 3/3] LSM: Add context interface for proc attrs
Subject: [PATCH v4 3/3] LSM: Add context interface for proc attrs The /proc/.../attr/current interface is used by all three Linux security modules (SELinux, Smack and AppArmor) to report and modify the process security attribute. This is all fine when there is exactly one of these modules active and the userspace code knows which it module it is. It would require a major change to the "current" interface to provide information about more than one set of process security attributes. Instead, a "context" attribute is added, which identifies the security module that the information applies to. The format is: lsmname='context-value' When multiple concurrent modules are supported the /proc/.../attr/context interface will include the data for all of the active modules. lsmname1='context-value1'lsmname2='context-value2' The module specific subdirectories under attr contain context entries that report the information for that specific module in the same format. Signed-off-by: Casey Schaufler --- fs/proc/base.c | 4 ++ security/apparmor/lsm.c| 34 +-- security/security.c| 100 + security/selinux/hooks.c | 22 +- security/smack/smack_lsm.c | 21 ++ 5 files changed, 167 insertions(+), 14 deletions(-) diff --git a/fs/proc/base.c b/fs/proc/base.c index 182bc28..df94f26 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -2532,6 +2532,7 @@ static const struct pid_entry selinux_attr_dir_stuff[] = { ATTR("selinux", "fscreate", S_IRUGO|S_IWUGO), ATTR("selinux", "keycreate",S_IRUGO|S_IWUGO), ATTR("selinux", "sockcreate", S_IRUGO|S_IWUGO), + ATTR("selinux", "context", S_IRUGO|S_IWUGO), }; LSM_DIR_OPS(selinux); #endif @@ -2539,6 +2540,7 @@ LSM_DIR_OPS(selinux); #ifdef CONFIG_SECURITY_SMACK static const struct pid_entry smack_attr_dir_stuff[] = { ATTR("smack", "current",S_IRUGO|S_IWUGO), + ATTR("smack", "context",S_IRUGO|S_IWUGO), }; LSM_DIR_OPS(smack); #endif 
@@ -2548,6 +2550,7 @@ static const struct pid_entry apparmor_attr_dir_stuff[] = { ATTR("apparmor", "current", S_IRUGO|S_IWUGO), ATTR("apparmor", "prev",S_IRUGO), ATTR("apparmor", "exec",S_IRUGO|S_IWUGO), + ATTR("apparmor", "context", S_IRUGO|S_IWUGO), }; LSM_DIR_OPS(apparmor); #endif @@ -2559,6 +2562,7 @@ static const struct pid_entry attr_dir_stuff[] = { ATTR(NULL, "fscreate", S_IRUGO|S_IWUGO), ATTR(NULL, "keycreate", S_IRUGO|S_IWUGO), ATTR(NULL, "sockcreate",S_IRUGO|S_IWUGO), + ATTR(NULL, "context", S_IRUGO|S_IWUGO), #ifdef CONFIG_SECURITY_SELINUX DIR("selinux", S_IRUGO|S_IXUGO, proc_selinux_attr_dir_inode_ops, proc_selinux_attr_dir_ops), diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index fb0fb03..3790a7d 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -479,6 +479,8 @@ static int apparmor_getprocattr(struct task_struct *task, char *name, if (strcmp(name, "current") == 0) profile = aa_get_newest_profile(cxt->profile); + else if (strcmp(name, "context") == 0) + profile = aa_get_newest_profile(cxt->profile); else if (strcmp(name, "prev") == 0 && cxt->previous) profile = aa_get_newest_profile(cxt->previous); else if (strcmp(name, "exec") == 0 && cxt->onexec) @@ -486,8 +488,29 @@ static int apparmor_getprocattr(struct task_struct *task, char *name, else error = -EINVAL; - if (profile) - error = aa_getprocattr(profile, value); + if (profile) { + if (strcmp(name, "context") == 0) { + char *vp; + char *np; + + error = aa_getprocattr(profile, &vp); + if (error > 0) { + error += 12; + *value = kzalloc(error, GFP_KERNEL); + if (*value == NULL) + error = -ENOMEM; + else { + sprintf(*value, "apparmor='%s'", vp); + np = strchr(*value, '\n'); + if (np != NULL) { + np[0] = '\''; +