From nobody Mon Feb 9 23:15:10 2026 Received: from mail-wm1-f74.google.com (mail-wm1-f74.google.com [209.85.128.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6C4F4191F71 for ; Thu, 8 Aug 2024 16:16:43 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.74 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1723133805; cv=none; b=rXxi1CW4BwOaurbtbcSfUDOC3yuTp1UmDZMKb9/0zgz3rqF8f3pJO+se8tPNxC+uVsXjO6aMe36gEng8Vgxhc8qDIDfBSKS5WRHbp+3ATUhTm2W0TrrQtfcircG0SPLhrHVNtPVCOkSMUmFdTGSM7IFT2NH+sUeKquS4kY138cs= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1723133805; c=relaxed/simple; bh=hCsKKVj345+b49Ng5A8TJ2plNvQ/FuOO1K1yN5EOnjc=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=eCFXnyBer9Lt5H4NbZivFmC2p9qzg2LpKaMTMWAc5iJIwjuhQKB2ejRQfyKrl2qgmbwi1h42t5aKDEE/qu2eMg5BkK5zGCO5xnuki2sGFEjc2KSqcZkOimFgdaJTtp6PubLbx2pNN9j5Z0kkEeOqdgOg2Fsgm5/SMlABzRyhWAM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--aliceryhl.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=snX+Hw3U; arc=none smtp.client-ip=209.85.128.74 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--aliceryhl.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="snX+Hw3U" Received: by mail-wm1-f74.google.com with SMTP id 5b1f17b1804b1-42816096cb8so14164695e9.0 for ; Thu, 08 Aug 2024 09:16:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1723133802; x=1723738602; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=FyvEzhf1vrLH4fAWxaYl8oZikM7jgsDn2qSzj+h3cIM=; b=snX+Hw3U4ZXc0XKqCI/dZbFDQrBGdKi9d/rSNk3+7Zmgc9egi+WoC11TCaL87AzWed avsVwJjzgoONVhO2qByOLqD60p1ripEKTBnx5BPW+1E8nJyx2cLJrEva3AdF2BMplnXv pJCZ/Ol8aP8X0bMMzderrp6s9d67BCE6lCGI6h6pm7B0B3qNPASgNiiFmMxFoG5UWAjP XPGN5ZNUGnCb9lq0nC2ZsDwwLonTEFCAiYPSpykXRaU/mpJEvjOK4yyRlXni5Bk9O5Ey bkIuC8Fwm7WSXD+Q6LPP3QkUM48yIHixaRJl1bsFw3uvcFl1QL4Y6gqCJc82rDKQ1LXq rI+w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723133802; x=1723738602; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=FyvEzhf1vrLH4fAWxaYl8oZikM7jgsDn2qSzj+h3cIM=; b=rdnYFUj/4wBTIidHO0QQ+G1ye8qUzLhgVLd+VeM9IAXthwcfb1e1kDN8XRtLLyUTS8 lwI0J3hyv/RTwwlX+JpswZGpDO4cSNcaKdt6nrt2HixeSx14j+6nbDRpzKyMEeoutYxH oz2ITY2nxHh6tOr8fIJRMxGic8nveC7/Sf75U9aJ8uBhYwKo99wFqI6kKWCRiEC/TPmL H9jR8uJlo6YSqPgr/pgWURbfm9VVsEhxuZ8h3Pm7GaXJffW8OmnkxdDMLC9ewJ+UkwR0 YvtCPw7yvSRwIyfgZ2BS678MI8G4pqBYK/FR8hGf6C5TVMfIEko7TWwYBY6Pkc4dgtRS 8omg== X-Forwarded-Encrypted: i=1; AJvYcCVmB0fmGRH7Ae7jn9OoO8OAFk3jzd25dE4dG0fDazu7JwTf9tSvE5p+AdaDrcf3mbwo5N6Nq2vDs1fGCQAwhcNeOMoK56SoGpO5Zb5U X-Gm-Message-State: AOJu0YwAkUooRoYqeGinHeeRRqpiJYXzzbNMD8p5/fhfVpTGb5nS+i0s YQKwjcY3abu0PpUepZPPthX3krpL0XGdbqP0c4AmBLqT8oYj6a1B5w24Oh+n0iFD+1a/kPEKv8A YNPzdaXAXQBJEvg== X-Google-Smtp-Source: AGHT+IHkmyDuHZogA2p1s2T21TqYXa394KS3rlas/ZBn1g6qzzI+I+OtFLK2oPA+Ii1xwIDwVrxn1wMIG8OJzMg= X-Received: from aliceryhl.c.googlers.com ([fda3:e722:ac3:cc00:28:9cb1:c0a8:35bd]) (user=aliceryhl job=sendgmr) by 2002:a05:600c:3b14:b0:425:671d:cef6 with SMTP id 5b1f17b1804b1-4290af3745cmr481345e9.4.1723133801757; Thu, 08 Aug 2024 09:16:41 -0700 (PDT) Date: Thu, 08 Aug 2024 16:15:48 +0000 In-Reply-To: <20240808-alice-file-v9-0-2cb7b934e0e1@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20240808-alice-file-v9-0-2cb7b934e0e1@google.com> X-Developer-Key: i=aliceryhl@google.com; a=openpgp; fpr=49F6C1FAA74960F43A5B86A1EE7A392FDE96209F X-Developer-Signature: v=1; a=openpgp-sha256; l=6528; i=aliceryhl@google.com; h=from:subject:message-id; bh=hCsKKVj345+b49Ng5A8TJ2plNvQ/FuOO1K1yN5EOnjc=; b=owEBbQKS/ZANAwAKAQRYvu5YxjlGAcsmYgBmtO9YE0zx2d9qsqS/2QjFpfM7xBaU8ZUaC6QTc QnZTjRcoqWJAjMEAAEKAB0WIQSDkqKUTWQHCvFIvbIEWL7uWMY5RgUCZrTvWAAKCRAEWL7uWMY5 RkK5EACaHV1Ihz+jXjJgfTlljUVpOW845PnAaiF+8dB2Qzy1uJt8oILSS96rFf9ry/gmxIwrHiw SN2sGEu8i45LQxi8EKKoh+ZDFZh0kk3wZmV0ohJJZoU/MeZOb5su37mPwdxyjnX8a0h/uZehVQW h4rO+rpOGduW+6z69asSsirObCS1UFpcb+L3NSJl60jWBwuvjzbq8eg45rsusgQTK6KOBeGY5uT OPICAZFzVgrVqXuJw9kqfW8KbAjan6f998UhZwgmDzES1g1JMTivRBWE6UKPlrmgnH0Cg0HB5dY z9gkGTXZei0Il2a9opIsQCMrAAILCckGLtsvRY0U77YEeqlXeTJ/Rd+GQLWQwdYiYSSpj+nv54G zh1D7hDL6xVZdM2G/qYK4GU0zp3Evz8H9r8Y9xVf6pU238ekksef7nQhsidiT0ZrqBnnXIYwZ3K A4jzWhR8lAWBfN5Q9i3v/tU8Oyg7gcf0xLv6KXqPfYkHfiBMiBDC2Vtcic8Ln2txSmCLMvlSzz8 uosqpaSqvZ3c2uGS55r08SIBPvtkr8oHtHOmEbQ4fafcEpY9vB+QLmmohui1YBWjfC4jj915UNT hewLHkTQiOQiSBL6DXSu92VjRb6V2c7EfrFvz5Q8v09w1ldxqNDHeQR+SE6w2aGi2AVsXCVIDX6 N9bGwPY7Kv+EJzw== X-Mailer: b4 0.13.0 Message-ID: <20240808-alice-file-v9-5-2cb7b934e0e1@google.com> Subject: [PATCH v9 5/8] rust: security: add abstraction for secctx From: Alice Ryhl To: Miguel Ojeda , Alex Gaynor , Wedson Almeida Filho , Boqun Feng , Gary Guo , "=?utf-8?q?Bj=C3=B6rn_Roy_Baron?=" , Benno Lossin , Andreas Hindborg , Peter Zijlstra , Alexander Viro , Christian Brauner , Greg Kroah-Hartman , "=?utf-8?q?Arve_Hj=C3=B8nnev=C3=A5g?=" , Todd Kjos , Martijn Coenen , Joel Fernandes , Carlos Llamas , Suren Baghdasaryan Cc: Dan Williams , Matthew Wilcox , Thomas Gleixner , Daniel Xu , Martin Rodriguez Reboredo , Trevor Gross , linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org, linux-fsdevel@vger.kernel.org, Alice Ryhl , Kees Cook Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Add an abstraction for viewing the string representation of a security context. This is needed by Rust Binder because it has a feature where a process can view the string representation of the security context for incoming transactions. The process can use that to authenticate incoming transactions, and since the feature is provided by the kernel, the process can trust that the security context is legitimate. Reviewed-by: Benno Lossin Reviewed-by: Martin Rodriguez Reboredo Reviewed-by: Trevor Gross Reviewed-by: Gary Guo Signed-off-by: Alice Ryhl --- rust/bindings/bindings_helper.h | 1 + rust/helpers.c | 21 ++++++++++++ rust/kernel/cred.rs | 8 +++++ rust/kernel/lib.rs | 1 + rust/kernel/security.rs | 74 +++++++++++++++++++++++++++++++++++++= ++++ 5 files changed, 105 insertions(+) diff --git a/rust/bindings/bindings_helper.h b/rust/bindings/bindings_helpe= r.h index 81bd1c2db7c9..7db502f5ff5e 100644 --- a/rust/bindings/bindings_helper.h +++ b/rust/bindings/bindings_helper.h @@ -21,6 +21,7 @@ #include #include #include +#include #include #include #include diff --git a/rust/helpers.c b/rust/helpers.c index a63f6b614725..33d12d45e4f6 100644 --- a/rust/helpers.c +++ b/rust/helpers.c @@ -33,6 +33,7 @@ #include #include #include +#include #include #include #include @@ -220,6 +221,26 @@ void rust_helper_put_cred(const struct cred *cred) } EXPORT_SYMBOL_GPL(rust_helper_put_cred); =20 +#ifndef CONFIG_SECURITY +void rust_helper_security_cred_getsecid(const struct cred *c, u32 *secid) +{ + security_cred_getsecid(c, secid); +} +EXPORT_SYMBOL_GPL(rust_helper_security_cred_getsecid); + +int rust_helper_security_secid_to_secctx(u32 secid, char **secdata, u32 *s= eclen) +{ + return security_secid_to_secctx(secid, secdata, seclen); +} +EXPORT_SYMBOL_GPL(rust_helper_security_secid_to_secctx); + +void rust_helper_security_release_secctx(char *secdata, u32 seclen) +{ + security_release_secctx(secdata, seclen); +} +EXPORT_SYMBOL_GPL(rust_helper_security_release_secctx); +#endif + /* * `bindgen` binds the C `size_t` type as the Rust `usize` type, so we can * use it in contexts where Rust expects a `usize` like slice (array) indi= ces. diff --git a/rust/kernel/cred.rs b/rust/kernel/cred.rs index acee04768927..92659649e932 100644 --- a/rust/kernel/cred.rs +++ b/rust/kernel/cred.rs @@ -52,6 +52,14 @@ pub unsafe fn from_ptr<'a>(ptr: *const bindings::cred) -= > &'a Credential { unsafe { &*ptr.cast() } } =20 + /// Get the id for this security context. + pub fn get_secid(&self) -> u32 { + let mut secid =3D 0; + // SAFETY: The invariants of this type ensures that the pointer is= valid. + unsafe { bindings::security_cred_getsecid(self.0.get(), &mut secid= ) }; + secid + } + /// Returns the effective UID of the given credential. pub fn euid(&self) -> bindings::kuid_t { // SAFETY: By the type invariant, we know that `self.0` is valid. = Furthermore, the `euid` diff --git a/rust/kernel/lib.rs b/rust/kernel/lib.rs index c9ce44812d21..86fc957f61eb 100644 --- a/rust/kernel/lib.rs +++ b/rust/kernel/lib.rs @@ -45,6 +45,7 @@ pub mod page; pub mod prelude; pub mod print; +pub mod security; mod static_assert; #[doc(hidden)] pub mod std_vendor; diff --git a/rust/kernel/security.rs b/rust/kernel/security.rs new file mode 100644 index 000000000000..2522868862a1 --- /dev/null +++ b/rust/kernel/security.rs @@ -0,0 +1,74 @@ +// SPDX-License-Identifier: GPL-2.0 + +// Copyright (C) 2024 Google LLC. + +//! Linux Security Modules (LSM). +//! +//! C header: [`include/linux/security.h`](srctree/include/linux/security.= h). + +use crate::{ + bindings, + error::{to_result, Result}, +}; + +/// A security context string. +/// +/// # Invariants +/// +/// The `secdata` and `seclen` fields correspond to a valid security conte= xt as returned by a +/// successful call to `security_secid_to_secctx`, that has not yet been d= estroyed by calling +/// `security_release_secctx`. +pub struct SecurityCtx { + secdata: *mut core::ffi::c_char, + seclen: usize, +} + +impl SecurityCtx { + /// Get the security context given its id. + pub fn from_secid(secid: u32) -> Result { + let mut secdata =3D core::ptr::null_mut(); + let mut seclen =3D 0u32; + // SAFETY: Just a C FFI call. The pointers are valid for writes. + to_result(unsafe { bindings::security_secid_to_secctx(secid, &mut = secdata, &mut seclen) })?; + + // INVARIANT: If the above call did not fail, then we have a valid= security context. + Ok(Self { + secdata, + seclen: seclen as usize, + }) + } + + /// Returns whether the security context is empty. + pub fn is_empty(&self) -> bool { + self.seclen =3D=3D 0 + } + + /// Returns the length of this security context. + pub fn len(&self) -> usize { + self.seclen + } + + /// Returns the bytes for this security context. + pub fn as_bytes(&self) -> &[u8] { + let ptr =3D self.secdata; + if ptr.is_null() { + debug_assert_eq!(self.seclen, 0); + // We can't pass a null pointer to `slice::from_raw_parts` eve= n if the length is zero. + return &[]; + } + + // SAFETY: The call to `security_secid_to_secctx` guarantees that = the pointer is valid for + // `seclen` bytes. Furthermore, if the length is zero, then we hav= e ensured that the + // pointer is not null. + unsafe { core::slice::from_raw_parts(ptr.cast(), self.seclen) } + } +} + +impl Drop for SecurityCtx { + fn drop(&mut self) { + // SAFETY: By the invariant of `Self`, this frees a pointer that c= ame from a successful + // call to `security_secid_to_secctx` and has not yet been destroy= ed by + // `security_release_secctx`. + unsafe { bindings::security_release_secctx(self.secdata, self.secl= en as u32) }; + } +} --=20 2.46.0.rc2.264.g509ed76dc8-goog