From nobody Tue Oct 7 14:08:01 2025 Received: from smtp-relay-canonical-0.canonical.com (smtp-relay-canonical-0.canonical.com [185.125.188.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9319227453; Wed, 9 Jul 2025 08:03:16 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.125.188.120 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752048200; cv=none; b=k++uupHP1Y5DacTF8dN5JfJauaJ8WBCUl4UJOqN03Huo2Eboz4T6CoM6G61Qb0D6/9lle+piC5zQ74+p+hkKyf1dbKvfA98x/0xvbe2yqlaH8c4rp17RnI8+crTJldFoMLnB8UuugHt8htxuI2kCH9Mfw+gPX4JbbiWi67bd1+A= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752048200; c=relaxed/simple; bh=W53cZJ24q3Reu6Kf/KlXzaOr0MuZsZenCAkp/3lep+A=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=WOvSYjgFFlcnt3ClMrn/0s+/TCV4KeSjWu8y5GVQlNzGn3xxvZfUYml0qJE+jvAnG5c1moN3uhXZxJ5iPLjSICUc2wM5WIXHirWL6uA0PjpAdxx7fL1AeA2OaL4F0AqQyA9ndc46tBMnoqpmahbr4ZgECHL0nGgW8FfyjVNpkow= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=canonical.com; spf=pass smtp.mailfrom=canonical.com; dkim=pass (2048-bit key) header.d=canonical.com header.i=@canonical.com header.b=k7vSas9b; arc=none smtp.client-ip=185.125.188.120 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=canonical.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=canonical.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=canonical.com header.i=@canonical.com header.b="k7vSas9b" Received: from sec2-plucky-amd64.. (lau06-h06-176-136-128-80.dsl.sta.abo.bbox.fr [176.136.128.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-canonical-0.canonical.com (Postfix) with ESMTPSA id 18B1740B83; Wed, 9 Jul 2025 08:03:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com; s=20210705; t=1752048186; bh=GegVEwq7J1jKHDTScl/DmglziuvOUM0DTHMMQ6JW4Hw=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=k7vSas9bdZ3EbO7qaTvcEmIuaeI+5Ly1fL1842WlZYDfWZyz8/bJUd55pOGzkFbPf ZVxLbzuWFUHrUGUIGG8BtWMDAokKzKgAHk+Sq0HCP4BWpnvDN+ZYbSkTvWDlHa8PCJ /qBsagpplGLgXndDXGUr3s8DcKXbkZGWQLE6cNp7cSN+trKmcsehZFdsnQ3BRH2wky k7YaOiR/H/TA0lvn6WPwoUvRjrnUGT+xvd0zICogyO97sKKgen6OScc1vRF9pKx4bf lleE0zr5YiWCU9xH6GctWLYYuPg7tfE8qtqDLjJvW/l+0UyHAlPQ4YMfjsvKVZ7tCp B3oyjhmXau4ew== From: =?UTF-8?q?Maxime=20B=C3=A9lair?= To: linux-security-module@vger.kernel.org Cc: john.johansen@canonical.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, mic@digikod.net, kees@kernel.org, stephen.smalley.work@gmail.com, casey@schaufler-ca.com, takedakn@nttdata.co.jp, penguin-kernel@I-love.SAKURA.ne.jp, song@kernel.org, rdunlap@infradead.org, linux-api@vger.kernel.org, apparmor@lists.ubuntu.com, linux-kernel@vger.kernel.org, =?UTF-8?q?Maxime=20B=C3=A9lair?= Subject: [PATCH v5 1/3] Wire up lsm_config_self_policy and lsm_config_system_policy syscalls Date: Wed, 9 Jul 2025 10:00:54 +0200 Message-ID: <20250709080220.110947-2-maxime.belair@canonical.com> X-Mailer: git-send-email 2.48.1 In-Reply-To: <20250709080220.110947-1-maxime.belair@canonical.com> References: <20250709080220.110947-1-maxime.belair@canonical.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Add support for the new lsm_config_self_policy and lsm_config_system_policy syscalls, providing a unified API for loading and modifying LSM policies, for the current user and for the entire system, respectively without requiring the LSM=E2=80=99s pseudo-filesystems. Benefits: - Works even if the LSM pseudo-filesystem isn=E2=80=99t mounted or availa= ble (e.g. in containers) - Offers a logical and unified interface rather than multiple heterogeneous pseudo-filesystems - Avoids the overhead of other kernel interfaces for better efficiency Signed-off-by: Maxime B=C3=A9lair --- arch/alpha/kernel/syscalls/syscall.tbl | 2 ++ arch/arm/tools/syscall.tbl | 2 ++ arch/m68k/kernel/syscalls/syscall.tbl | 2 ++ arch/microblaze/kernel/syscalls/syscall.tbl | 2 ++ arch/mips/kernel/syscalls/syscall_n32.tbl | 2 ++ arch/mips/kernel/syscalls/syscall_n64.tbl | 2 ++ arch/mips/kernel/syscalls/syscall_o32.tbl | 2 ++ arch/parisc/kernel/syscalls/syscall.tbl | 2 ++ arch/powerpc/kernel/syscalls/syscall.tbl | 2 ++ arch/s390/kernel/syscalls/syscall.tbl | 2 ++ arch/sh/kernel/syscalls/syscall.tbl | 2 ++ arch/sparc/kernel/syscalls/syscall.tbl | 2 ++ arch/x86/entry/syscalls/syscall_32.tbl | 2 ++ arch/x86/entry/syscalls/syscall_64.tbl | 2 ++ arch/xtensa/kernel/syscalls/syscall.tbl | 2 ++ include/linux/syscalls.h | 5 +++++ include/uapi/asm-generic/unistd.h | 6 +++++- kernel/sys_ni.c | 2 ++ security/lsm_syscalls.c | 12 ++++++++++++ tools/include/uapi/asm-generic/unistd.h | 6 +++++- tools/perf/arch/x86/entry/syscalls/syscall_64.tbl | 2 ++ 21 files changed, 61 insertions(+), 2 deletions(-) diff --git a/arch/alpha/kernel/syscalls/syscall.tbl b/arch/alpha/kernel/sys= calls/syscall.tbl index 2dd6340de6b4..4fc75352220d 100644 --- a/arch/alpha/kernel/syscalls/syscall.tbl +++ b/arch/alpha/kernel/syscalls/syscall.tbl @@ -507,3 +507,5 @@ 575 common listxattrat sys_listxattrat 576 common removexattrat sys_removexattrat 577 common open_tree_attr sys_open_tree_attr +578 common lsm_config_self_policy sys_lsm_config_self_policy +579 common lsm_config_system_policy sys_lsm_config_system_policy diff --git a/arch/arm/tools/syscall.tbl b/arch/arm/tools/syscall.tbl index 27c1d5ebcd91..326483cb94a4 100644 --- a/arch/arm/tools/syscall.tbl +++ b/arch/arm/tools/syscall.tbl @@ -482,3 +482,5 @@ 465 common listxattrat sys_listxattrat 466 common removexattrat sys_removexattrat 467 common open_tree_attr sys_open_tree_attr +468 common lsm_config_self_policy sys_lsm_config_self_policy +469 common lsm_config_system_policy sys_lsm_config_system_policy diff --git a/arch/m68k/kernel/syscalls/syscall.tbl b/arch/m68k/kernel/sysca= lls/syscall.tbl index 9fe47112c586..d37364df1cd7 100644 --- a/arch/m68k/kernel/syscalls/syscall.tbl +++ b/arch/m68k/kernel/syscalls/syscall.tbl @@ -467,3 +467,5 @@ 465 common listxattrat sys_listxattrat 466 common removexattrat sys_removexattrat 467 common open_tree_attr sys_open_tree_attr +468 common lsm_config_self_policy sys_lsm_config_self_policy +469 common lsm_config_system_policy sys_lsm_config_system_policy diff --git a/arch/microblaze/kernel/syscalls/syscall.tbl b/arch/microblaze/= kernel/syscalls/syscall.tbl index 7b6e97828e55..9d58ebfcf967 100644 --- a/arch/microblaze/kernel/syscalls/syscall.tbl +++ b/arch/microblaze/kernel/syscalls/syscall.tbl @@ -473,3 +473,5 @@ 465 common listxattrat sys_listxattrat 466 common removexattrat sys_removexattrat 467 common open_tree_attr sys_open_tree_attr +468 common lsm_config_self_policy sys_lsm_config_self_policy +469 common lsm_config_system_policy sys_lsm_config_system_policy diff --git a/arch/mips/kernel/syscalls/syscall_n32.tbl b/arch/mips/kernel/s= yscalls/syscall_n32.tbl index aa70e371bb54..8627b5f56280 100644 --- a/arch/mips/kernel/syscalls/syscall_n32.tbl +++ b/arch/mips/kernel/syscalls/syscall_n32.tbl @@ -406,3 +406,5 @@ 465 n32 listxattrat sys_listxattrat 466 n32 removexattrat sys_removexattrat 467 n32 open_tree_attr sys_open_tree_attr +468 n32 lsm_config_self_policy sys_lsm_config_self_policy +469 n32 lsm_config_system_policy sys_lsm_config_system_policy diff --git a/arch/mips/kernel/syscalls/syscall_n64.tbl b/arch/mips/kernel/s= yscalls/syscall_n64.tbl index 1e8c44c7b614..813207b61f58 100644 --- a/arch/mips/kernel/syscalls/syscall_n64.tbl +++ b/arch/mips/kernel/syscalls/syscall_n64.tbl @@ -382,3 +382,5 @@ 465 n64 listxattrat sys_listxattrat 466 n64 removexattrat sys_removexattrat 467 n64 open_tree_attr sys_open_tree_attr +468 n64 lsm_config_self_policy sys_lsm_config_self_policy +469 n64 lsm_config_system_policy sys_lsm_config_system_policy diff --git a/arch/mips/kernel/syscalls/syscall_o32.tbl b/arch/mips/kernel/s= yscalls/syscall_o32.tbl index 114a5a1a6230..9cd0946b4370 100644 --- a/arch/mips/kernel/syscalls/syscall_o32.tbl +++ b/arch/mips/kernel/syscalls/syscall_o32.tbl @@ -455,3 +455,5 @@ 465 o32 listxattrat sys_listxattrat 466 o32 removexattrat sys_removexattrat 467 o32 open_tree_attr sys_open_tree_attr +468 o32 lsm_config_self_policy sys_lsm_config_self_policy +469 o32 lsm_config_system_policy sys_lsm_config_system_policy diff --git a/arch/parisc/kernel/syscalls/syscall.tbl b/arch/parisc/kernel/s= yscalls/syscall.tbl index 94df3cb957e9..9db01dd55793 100644 --- a/arch/parisc/kernel/syscalls/syscall.tbl +++ b/arch/parisc/kernel/syscalls/syscall.tbl @@ -466,3 +466,5 @@ 465 common listxattrat sys_listxattrat 466 common removexattrat sys_removexattrat 467 common open_tree_attr sys_open_tree_attr +468 common lsm_config_self_policy sys_lsm_config_self_policy +469 common lsm_config_system_policy sys_lsm_config_system_policy diff --git a/arch/powerpc/kernel/syscalls/syscall.tbl b/arch/powerpc/kernel= /syscalls/syscall.tbl index 9a084bdb8926..97714acb39ab 100644 --- a/arch/powerpc/kernel/syscalls/syscall.tbl +++ b/arch/powerpc/kernel/syscalls/syscall.tbl @@ -558,3 +558,5 @@ 465 common listxattrat sys_listxattrat 466 common removexattrat sys_removexattrat 467 common open_tree_attr sys_open_tree_attr +468 common lsm_config_self_policy sys_lsm_config_self_policy +469 common lsm_config_system_policy sys_lsm_config_system_policy diff --git a/arch/s390/kernel/syscalls/syscall.tbl b/arch/s390/kernel/sysca= lls/syscall.tbl index a4569b96ef06..d2b0f14fb516 100644 --- a/arch/s390/kernel/syscalls/syscall.tbl +++ b/arch/s390/kernel/syscalls/syscall.tbl @@ -470,3 +470,5 @@ 465 common listxattrat sys_listxattrat sys_listxattrat 466 common removexattrat sys_removexattrat sys_removexattrat 467 common open_tree_attr sys_open_tree_attr sys_open_tree_attr +468 common lsm_config_self_policy sys_lsm_config_self_policy sys_lsm_con= fig_self_policy +469 common lsm_config_system_policy sys_lsm_config_system_policy sys_lsm_= config_system_policy diff --git a/arch/sh/kernel/syscalls/syscall.tbl b/arch/sh/kernel/syscalls/= syscall.tbl index 52a7652fcff6..210d7118ce16 100644 --- a/arch/sh/kernel/syscalls/syscall.tbl +++ b/arch/sh/kernel/syscalls/syscall.tbl @@ -471,3 +471,5 @@ 465 common listxattrat sys_listxattrat 466 common removexattrat sys_removexattrat 467 common open_tree_attr sys_open_tree_attr +468 common lsm_config_self_policy sys_lsm_config_self_policy +469 common lsm_config_system_policy sys_lsm_config_system_policy diff --git a/arch/sparc/kernel/syscalls/syscall.tbl b/arch/sparc/kernel/sys= calls/syscall.tbl index 83e45eb6c095..494417d80680 100644 --- a/arch/sparc/kernel/syscalls/syscall.tbl +++ b/arch/sparc/kernel/syscalls/syscall.tbl @@ -513,3 +513,5 @@ 465 common listxattrat sys_listxattrat 466 common removexattrat sys_removexattrat 467 common open_tree_attr sys_open_tree_attr +468 common lsm_config_self_policy sys_lsm_config_self_policy +469 common lsm_config_system_policy sys_lsm_config_system_policy diff --git a/arch/x86/entry/syscalls/syscall_32.tbl b/arch/x86/entry/syscal= ls/syscall_32.tbl index ac007ea00979..36c2c538e04f 100644 --- a/arch/x86/entry/syscalls/syscall_32.tbl +++ b/arch/x86/entry/syscalls/syscall_32.tbl @@ -473,3 +473,5 @@ 465 i386 listxattrat sys_listxattrat 466 i386 removexattrat sys_removexattrat 467 i386 open_tree_attr sys_open_tree_attr +468 i386 lsm_config_self_policy sys_lsm_config_self_policy +469 i386 lsm_config_system_policy sys_lsm_config_system_policy diff --git a/arch/x86/entry/syscalls/syscall_64.tbl b/arch/x86/entry/syscal= ls/syscall_64.tbl index cfb5ca41e30d..7eefbccfe531 100644 --- a/arch/x86/entry/syscalls/syscall_64.tbl +++ b/arch/x86/entry/syscalls/syscall_64.tbl @@ -391,6 +391,8 @@ 465 common listxattrat sys_listxattrat 466 common removexattrat sys_removexattrat 467 common open_tree_attr sys_open_tree_attr +468 common lsm_config_self_policy sys_lsm_config_self_policy +469 common lsm_config_system_policy sys_lsm_config_system_policy =20 # # Due to a historical design error, certain syscalls are numbered differen= tly diff --git a/arch/xtensa/kernel/syscalls/syscall.tbl b/arch/xtensa/kernel/s= yscalls/syscall.tbl index f657a77314f8..90d86a54a952 100644 --- a/arch/xtensa/kernel/syscalls/syscall.tbl +++ b/arch/xtensa/kernel/syscalls/syscall.tbl @@ -438,3 +438,5 @@ 465 common listxattrat sys_listxattrat 466 common removexattrat sys_removexattrat 467 common open_tree_attr sys_open_tree_attr +468 common lsm_config_self_policy sys_lsm_config_self_policy +469 common lsm_config_system_policy sys_lsm_config_system_policy diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h index e5603cc91963..15b0f35c42fe 100644 --- a/include/linux/syscalls.h +++ b/include/linux/syscalls.h @@ -988,6 +988,11 @@ asmlinkage long sys_lsm_get_self_attr(unsigned int att= r, struct lsm_ctx __user * asmlinkage long sys_lsm_set_self_attr(unsigned int attr, struct lsm_ctx __= user *ctx, u32 size, u32 flags); asmlinkage long sys_lsm_list_modules(u64 __user *ids, u32 __user *size, u3= 2 flags); +asmlinkage long sys_lsm_config_self_policy(u32 lsm_id, u32 op, void __user= *buf, + u32 __user *size, u32 flags); +asmlinkage long sys_lsm_config_system_policy(u32 lsm_id, u32 op, void __us= er *buf, + u32 __user *size, u32 flags); + =20 /* * Architecture-specific system calls diff --git a/include/uapi/asm-generic/unistd.h b/include/uapi/asm-generic/u= nistd.h index 2892a45023af..021d0689c929 100644 --- a/include/uapi/asm-generic/unistd.h +++ b/include/uapi/asm-generic/unistd.h @@ -851,9 +851,13 @@ __SYSCALL(__NR_listxattrat, sys_listxattrat) __SYSCALL(__NR_removexattrat, sys_removexattrat) #define __NR_open_tree_attr 467 __SYSCALL(__NR_open_tree_attr, sys_open_tree_attr) +#define __NR_lsm_config_self_policy 468 +__SYSCALL(__NR_lsm_config_self_policy, sys_lsm_config_self_policy) +#define __NR_lsm_config_system_policy 469 +__SYSCALL(__NR_lsm_config_system_policy, sys_lsm_config_system_policy) =20 #undef __NR_syscalls -#define __NR_syscalls 468 +#define __NR_syscalls 470 =20 /* * 32 bit systems traditionally used different diff --git a/kernel/sys_ni.c b/kernel/sys_ni.c index c00a86931f8c..3ecebcd3fbe0 100644 --- a/kernel/sys_ni.c +++ b/kernel/sys_ni.c @@ -172,6 +172,8 @@ COND_SYSCALL_COMPAT(fadvise64_64); COND_SYSCALL(lsm_get_self_attr); COND_SYSCALL(lsm_set_self_attr); COND_SYSCALL(lsm_list_modules); +COND_SYSCALL(lsm_config_self_policy); +COND_SYSCALL(lsm_config_system_policy); =20 /* CONFIG_MMU only */ COND_SYSCALL(swapon); diff --git a/security/lsm_syscalls.c b/security/lsm_syscalls.c index 8440948a690c..a3cb6dab8102 100644 --- a/security/lsm_syscalls.c +++ b/security/lsm_syscalls.c @@ -118,3 +118,15 @@ SYSCALL_DEFINE3(lsm_list_modules, u64 __user *, ids, u= 32 __user *, size, =20 return lsm_active_cnt; } + +SYSCALL_DEFINE5(lsm_config_self_policy, u32, lsm_id, u32, op, void __user = *, + buf, u32 __user *, size, u32, flags) +{ + return 0; +} + +SYSCALL_DEFINE5(lsm_config_system_policy, u32, lsm_id, u32, op, void __use= r *, + buf, u32 __user *, size, u32, flags) +{ + return 0; +} diff --git a/tools/include/uapi/asm-generic/unistd.h b/tools/include/uapi/a= sm-generic/unistd.h index 2892a45023af..021d0689c929 100644 --- a/tools/include/uapi/asm-generic/unistd.h +++ b/tools/include/uapi/asm-generic/unistd.h @@ -851,9 +851,13 @@ __SYSCALL(__NR_listxattrat, sys_listxattrat) __SYSCALL(__NR_removexattrat, sys_removexattrat) #define __NR_open_tree_attr 467 __SYSCALL(__NR_open_tree_attr, sys_open_tree_attr) +#define __NR_lsm_config_self_policy 468 +__SYSCALL(__NR_lsm_config_self_policy, sys_lsm_config_self_policy) +#define __NR_lsm_config_system_policy 469 +__SYSCALL(__NR_lsm_config_system_policy, sys_lsm_config_system_policy) =20 #undef __NR_syscalls -#define __NR_syscalls 468 +#define __NR_syscalls 470 =20 /* * 32 bit systems traditionally used different diff --git a/tools/perf/arch/x86/entry/syscalls/syscall_64.tbl b/tools/perf= /arch/x86/entry/syscalls/syscall_64.tbl index cfb5ca41e30d..7eefbccfe531 100644 --- a/tools/perf/arch/x86/entry/syscalls/syscall_64.tbl +++ b/tools/perf/arch/x86/entry/syscalls/syscall_64.tbl @@ -391,6 +391,8 @@ 465 common listxattrat sys_listxattrat 466 common removexattrat sys_removexattrat 467 common open_tree_attr sys_open_tree_attr +468 common lsm_config_self_policy sys_lsm_config_self_policy +469 common lsm_config_system_policy sys_lsm_config_system_policy =20 # # Due to a historical design error, certain syscalls are numbered differen= tly --=20 2.48.1 From nobody Tue Oct 7 14:08:01 2025 Received: from smtp-relay-canonical-0.canonical.com (smtp-relay-canonical-0.canonical.com [185.125.188.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3B550233159; Wed, 9 Jul 2025 08:03:17 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.125.188.120 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752048200; cv=none; b=UmVhakk9CfkqQiukW8RK2P1syU6gVH03O+ExW851gNFHX6J52Uyg7qjM837os56OA7pq+iVR0U9mfeoX1Z7kWog+8g0WzF5QU9AjAD2x4EuKWeNUUJsqMb9ZhjNjp/jMOXGwci/QOHYcpHg5yW1Fjt4mOi2bvmOwTtyB3zf0QK0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752048200; c=relaxed/simple; bh=x4XOJAz/xUompCbTQhi5sL3C9SX+0e1WQKFt5e8sQ2E=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=GMRRCKf3zYvyTe1hTtesLvcU7NLBS4Qj/osNGVXjyWNggdpQPnb02f5mVPUf6CjSTppKg77qS0EGAcqWkOJulQlU9GHri8k4G3T4F8lE4p/VeQI5A+f1Qs/MAqwuocPxiX7kGrhGPEmmTOBur7pYkKqp3eZS+vn2DY76294kAAY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=canonical.com; spf=pass smtp.mailfrom=canonical.com; dkim=pass (2048-bit key) header.d=canonical.com header.i=@canonical.com header.b=Nu0LqSoL; arc=none smtp.client-ip=185.125.188.120 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=canonical.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=canonical.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=canonical.com header.i=@canonical.com header.b="Nu0LqSoL" Received: from sec2-plucky-amd64.. (lau06-h06-176-136-128-80.dsl.sta.abo.bbox.fr [176.136.128.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-canonical-0.canonical.com (Postfix) with ESMTPSA id 7FBB240B85; Wed, 9 Jul 2025 08:03:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com; s=20210705; t=1752048186; bh=0cdzeTEBt3pIUt8UGBPcseJlalWxX7P/3riB9g+Rsuk=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=Nu0LqSoLGPoVDsGA5S0odX1I/7KpAKeQvBDAmIQim9rqetGF6t2uWUhHOQlYX85yn qO1mnaOE3jtDlRz/hBErhSLmGOPZh/xRdAyIAYqlwCPSo5uLdHA/D5Q3ApbLUAdX6C SiaKU2E23kCa7QzNMxW8LKDHDBGAax9UrG5SQo8BmkI4ZUI2Euq81HnxFxxLKcdesZ FRCYL0PuNN4/FJJ9UurFp7HFs5gRloQAmdd04ZP5sYP7Aj9RM7DRWQd3X3Nrj+2ooG BVbETw3sdDHTS3rWCdBKChfXAVcBaNcuJ3nqy0WCroiMxDfrpAicjvz2iDabTFf5y3 W1Tg52aeh/FTw== From: =?UTF-8?q?Maxime=20B=C3=A9lair?= To: linux-security-module@vger.kernel.org Cc: john.johansen@canonical.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, mic@digikod.net, kees@kernel.org, stephen.smalley.work@gmail.com, casey@schaufler-ca.com, takedakn@nttdata.co.jp, penguin-kernel@I-love.SAKURA.ne.jp, song@kernel.org, rdunlap@infradead.org, linux-api@vger.kernel.org, apparmor@lists.ubuntu.com, linux-kernel@vger.kernel.org, =?UTF-8?q?Maxime=20B=C3=A9lair?= Subject: [PATCH v5 2/3] lsm: introduce security_lsm_config_*_policy hooks Date: Wed, 9 Jul 2025 10:00:55 +0200 Message-ID: <20250709080220.110947-3-maxime.belair@canonical.com> X-Mailer: git-send-email 2.48.1 In-Reply-To: <20250709080220.110947-1-maxime.belair@canonical.com> References: <20250709080220.110947-1-maxime.belair@canonical.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Define two new LSM hooks: security_lsm_config_self_policy and security_lsm_config_system_policy and wire them into the corresponding lsm_config_*_policy() syscalls so that LSMs can register a unified interface for policy management. This initial, minimal implementation only supports the LSM_POLICY_LOAD operation to limit changes. Signed-off-by: Maxime B=C3=A9lair --- include/linux/lsm_hook_defs.h | 4 +++ include/linux/security.h | 20 ++++++++++++ include/uapi/linux/lsm.h | 8 +++++ security/lsm_syscalls.c | 17 ++++++++-- security/security.c | 60 +++++++++++++++++++++++++++++++++++ 5 files changed, 107 insertions(+), 2 deletions(-) diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index bf3bbac4e02a..fca490444643 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -464,3 +464,7 @@ LSM_HOOK(int, 0, bdev_alloc_security, struct block_devi= ce *bdev) LSM_HOOK(void, LSM_RET_VOID, bdev_free_security, struct block_device *bdev) LSM_HOOK(int, 0, bdev_setintegrity, struct block_device *bdev, enum lsm_integrity_type type, const void *value, size_t size) +LSM_HOOK(int, -EINVAL, lsm_config_self_policy, u32 lsm_id, u32 op, + void __user *buf, size_t size, u32 flags) +LSM_HOOK(int, -EINVAL, lsm_config_system_policy, u32 lsm_id, u32 op, + void __user *buf, size_t size, u32 flags) diff --git a/include/linux/security.h b/include/linux/security.h index cc9b54d95d22..54acaee4a994 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -581,6 +581,11 @@ void security_bdev_free(struct block_device *bdev); int security_bdev_setintegrity(struct block_device *bdev, enum lsm_integrity_type type, const void *value, size_t size); +int security_lsm_config_self_policy(u32 lsm_id, u32 op, void __user *buf, + size_t size, u32 flags); +int security_lsm_config_system_policy(u32 lsm_id, u32 op, void __user *buf, + size_t size, u32 flags); + #else /* CONFIG_SECURITY */ =20 /** @@ -1603,6 +1608,21 @@ static inline int security_bdev_setintegrity(struct = block_device *bdev, return 0; } =20 +static inline int security_lsm_config_self_policy(u32 lsm_id, u32 op, + void __user *buf, + size_t size, u32 flags) +{ + + return -EOPNOTSUPP; +} + +static inline int security_lsm_config_system_policy(u32 lsm_id, u32 op, + void __user *buf, + size_t size, u32 flags) +{ + + return -EOPNOTSUPP; +} #endif /* CONFIG_SECURITY */ =20 #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE) diff --git a/include/uapi/linux/lsm.h b/include/uapi/linux/lsm.h index 938593dfd5da..2b9432a30cdc 100644 --- a/include/uapi/linux/lsm.h +++ b/include/uapi/linux/lsm.h @@ -90,4 +90,12 @@ struct lsm_ctx { */ #define LSM_FLAG_SINGLE 0x0001 =20 +/* + * LSM_POLICY_XXX definitions identify the different operations + * to configure LSM policies + */ + +#define LSM_POLICY_UNDEF 0 +#define LSM_POLICY_LOAD 100 + #endif /* _UAPI_LINUX_LSM_H */ diff --git a/security/lsm_syscalls.c b/security/lsm_syscalls.c index a3cb6dab8102..dd016ba6976c 100644 --- a/security/lsm_syscalls.c +++ b/security/lsm_syscalls.c @@ -122,11 +122,24 @@ SYSCALL_DEFINE3(lsm_list_modules, u64 __user *, ids, = u32 __user *, size, SYSCALL_DEFINE5(lsm_config_self_policy, u32, lsm_id, u32, op, void __user = *, buf, u32 __user *, size, u32, flags) { - return 0; + size_t usize; + + if (get_user(usize, size)) + return -EFAULT; + + return security_lsm_config_self_policy(lsm_id, op, buf, usize, flags); } =20 SYSCALL_DEFINE5(lsm_config_system_policy, u32, lsm_id, u32, op, void __use= r *, buf, u32 __user *, size, u32, flags) { - return 0; + size_t usize; + + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; + + if (get_user(usize, size)) + return -EFAULT; + + return security_lsm_config_system_policy(lsm_id, op, buf, usize, flags); } diff --git a/security/security.c b/security/security.c index fb57e8fddd91..166d7d9936d0 100644 --- a/security/security.c +++ b/security/security.c @@ -5883,6 +5883,66 @@ int security_bdev_setintegrity(struct block_device *= bdev, } EXPORT_SYMBOL(security_bdev_setintegrity); =20 +/** + * security_lsm_config_self_policy() - Configure caller's LSM policies + * @lsm_id: id of the LSM to target + * @op: Operation to perform (one of the LSM_POLICY_XXX values) + * @buf: userspace pointer to policy data + * @size: size of @buf + * @flags: lsm policy configuration flags + * + * Configure the policies of a LSM for the current domain/user. This notab= ly + * allows to update them even when the lsmfs is unavailable or restricted. + * Currently, only LSM_POLICY_LOAD is supported. + * + * Return: Returns 0 on success, error on failure. + */ +int security_lsm_config_self_policy(u32 lsm_id, u32 op, void __user *buf, + size_t size, u32 flags) +{ + int rc =3D LSM_RET_DEFAULT(lsm_config_self_policy); + struct lsm_static_call *scall; + + lsm_for_each_hook(scall, lsm_config_self_policy) { + if ((scall->hl->lsmid->id) =3D=3D lsm_id) { + rc =3D scall->hl->hook.lsm_config_self_policy(lsm_id, op, buf, size, fl= ags); + break; + } + } + + return rc; +} + +/** + * security_lsm_config_system_policy() - Configure system LSM policies + * @lsm_id: id of the lsm to target + * @op: Operation to perform (one of the LSM_POLICY_XXX values) + * @buf: userspace pointer to policy data + * @size: size of @buf + * @flags: lsm policy configuration flags + * + * Configure the policies of a LSM for the whole system. This notably allo= ws + * to update them even when the lsmfs is unavailable or restricted. Curren= tly, + * only LSM_POLICY_LOAD is supported. + * + * Return: Returns 0 on success, error on failure. + */ +int security_lsm_config_system_policy(u32 lsm_id, u32 op, void __user *buf, + size_t size, u32 flags) +{ + int rc =3D LSM_RET_DEFAULT(lsm_config_system_policy); + struct lsm_static_call *scall; + + lsm_for_each_hook(scall, lsm_config_system_policy) { + if ((scall->hl->lsmid->id) =3D=3D lsm_id) { + rc =3D scall->hl->hook.lsm_config_system_policy(lsm_id, op, buf, size, = flags); + break; + } + } + + return rc; +} + #ifdef CONFIG_PERF_EVENTS /** * security_perf_event_open() - Check if a perf event open is allowed --=20 2.48.1 From nobody Tue Oct 7 14:08:01 2025 Received: from smtp-relay-canonical-0.canonical.com (smtp-relay-canonical-0.canonical.com [185.125.188.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D5F9A23534D; Wed, 9 Jul 2025 08:03:17 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.125.188.120 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752048200; cv=none; b=nNeK/z1hGGijERKEHPLMxFDQ40M0KMybrrNTmEqLB2kcpmBFicCryP7B9Qva7zqpyg9Fj8kqDfLfAYbtZs6OkGMTz4ZTAa2Pgh2gpjj9A0dYxzmhyTyWZlUVqf44fpvcx521Pc6q8UGlWJHW7Nx9yDjkzO7AE1DLdDM41BvP75w= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1752048200; c=relaxed/simple; bh=4JJLPTYx8q0+pQ+uuk33YSsvu+67oscs+9zmj+yPkTw=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=nJXPRMLMl5iuVMyuVXvW8O8Jl6NC7hRIVSLyO24Xcl2f6C5MT+ywQZvnnsxLD2RAaDudzt1zRtEK7ZAuLP2hlUVMR1QBFtQlNFCCZCPu9sFf2iVw61Fjti4FD+xaJqI5AbCRCWokE06rwqOJEI6+VSpooaiCPMgOREZcRrcR17U= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=canonical.com; spf=pass smtp.mailfrom=canonical.com; dkim=pass (2048-bit key) header.d=canonical.com header.i=@canonical.com header.b=HT6kxBQ4; arc=none smtp.client-ip=185.125.188.120 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=canonical.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=canonical.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=canonical.com header.i=@canonical.com header.b="HT6kxBQ4" Received: from sec2-plucky-amd64.. (lau06-h06-176-136-128-80.dsl.sta.abo.bbox.fr [176.136.128.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-canonical-0.canonical.com (Postfix) with ESMTPSA id EAA7C40B92; Wed, 9 Jul 2025 08:03:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com; s=20210705; t=1752048187; bh=NAj0RMMcIgbyb5/RDFYXtmxJLkjCwS5SYe3TagY2Tko=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=HT6kxBQ48v4c9BP3H0TtRcmUltEcRT74DOk+oNsY/+AgFid3l+L9m+raQxETNM7VN xc8CCHxqlUGhBp+lTV0yi235osvOw2swTIdCQePqcfE3gmB82Dtd/KUhkJNSv3BBjE GQIb2U+pjm3KpF4TClwaf0JMGnZTvxlx5yPTClZ4vuo/N7sGN/hef/DHFi6wW6NvpA FNfaCtQ/d/xCBEusEYaUfkN9k3lWFQdO0zyHCAQmF/UTihW8lKWkMFvbLSjSSSXs2J wfumA/JdOle7UK9q6lsMergNoV5M0iS3sITZ+nuaAtRr94E8YSghJgREovaU5XSrhm T7GG44u3Y4V3Q== From: =?UTF-8?q?Maxime=20B=C3=A9lair?= To: linux-security-module@vger.kernel.org Cc: john.johansen@canonical.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, mic@digikod.net, kees@kernel.org, stephen.smalley.work@gmail.com, casey@schaufler-ca.com, takedakn@nttdata.co.jp, penguin-kernel@I-love.SAKURA.ne.jp, song@kernel.org, rdunlap@infradead.org, linux-api@vger.kernel.org, apparmor@lists.ubuntu.com, linux-kernel@vger.kernel.org, =?UTF-8?q?Maxime=20B=C3=A9lair?= Subject: [PATCH v5 3/3] AppArmor: add support for lsm_config_self_policy and lsm_config_system_policy Date: Wed, 9 Jul 2025 10:00:56 +0200 Message-ID: <20250709080220.110947-4-maxime.belair@canonical.com> X-Mailer: git-send-email 2.48.1 In-Reply-To: <20250709080220.110947-1-maxime.belair@canonical.com> References: <20250709080220.110947-1-maxime.belair@canonical.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Enable users to manage AppArmor policies through the new hooks lsm_config_self_policy and lsm_config_system_policy. lsm_config_self_policy allows stacking existing policies in the kernel. This ensures that it can only further restrict the caller and can never be used to gain new privileges. lsm_config_system_policy allows loading or replacing AppArmor policies in any AppArmor namespace. Signed-off-by: Maxime B=C3=A9lair --- security/apparmor/apparmorfs.c | 31 ++++++++++ security/apparmor/include/apparmor.h | 4 ++ security/apparmor/include/apparmorfs.h | 3 + security/apparmor/lsm.c | 84 ++++++++++++++++++++++++++ 4 files changed, 122 insertions(+) diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c index 6039afae4bfc..6df43299b045 100644 --- a/security/apparmor/apparmorfs.c +++ b/security/apparmor/apparmorfs.c @@ -439,6 +439,37 @@ static ssize_t policy_update(u32 mask, const char __us= er *buf, size_t size, return error; } =20 +/** + * aa_profile_load_ns_name - load a profile into the current namespace ide= ntified by name + * @name: The name of the namesapce to load the policy in. "" for root_ns + * @name_size: size of @name. 0 For root ns + * @buf: buffer containing the user-provided policy + * @size: size of @buf + * @ppos: position pointer in the file + * + * Returns: 0 on success, negative value on error + */ +ssize_t aa_profile_load_ns_name(char *name, size_t name_size, const void _= _user *buf, + size_t size, loff_t *ppos) +{ + struct aa_ns *ns; + + if (name_size =3D=3D 0) + ns =3D aa_get_ns(root_ns); + else + ns =3D aa_lookupn_ns(root_ns, name, name_size); + + if (!ns) + return -EINVAL; + + int error =3D policy_update(AA_MAY_LOAD_POLICY | AA_MAY_REPLACE_POLICY, + buf, size, ppos, ns); + + aa_put_ns(ns); + + return error >=3D 0 ? 0 : error; +} + /* .load file hook fn to load policy */ static ssize_t profile_load(struct file *f, const char __user *buf, size_t= size, loff_t *pos) diff --git a/security/apparmor/include/apparmor.h b/security/apparmor/inclu= de/apparmor.h index f83934913b0f..1d9a2881a8b9 100644 --- a/security/apparmor/include/apparmor.h +++ b/security/apparmor/include/apparmor.h @@ -62,5 +62,9 @@ extern unsigned int aa_g_path_max; #define AA_DEFAULT_CLEVEL 0 #endif /* CONFIG_SECURITY_APPARMOR_EXPORT_BINARY */ =20 +/* Syscall-related buffer size limits */ + +#define AA_PROFILE_NAME_MAX_SIZE (1 << 9) +#define AA_PROFILE_MAX_SIZE (1 << 28) =20 #endif /* __APPARMOR_H */ diff --git a/security/apparmor/include/apparmorfs.h b/security/apparmor/inc= lude/apparmorfs.h index 1e94904f68d9..fd415afb7659 100644 --- a/security/apparmor/include/apparmorfs.h +++ b/security/apparmor/include/apparmorfs.h @@ -112,6 +112,9 @@ int __aafs_profile_mkdir(struct aa_profile *profile, st= ruct dentry *parent); void __aafs_ns_rmdir(struct aa_ns *ns); int __aafs_ns_mkdir(struct aa_ns *ns, struct dentry *parent, const char *n= ame, struct dentry *dent); +ssize_t aa_profile_load_ns_name(char *name, size_t name_len, const void __= user *buf, + size_t size, loff_t *ppos); + =20 struct aa_loaddata; =20 diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 9b6c2f157f83..0ce40290f44e 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -1275,6 +1275,86 @@ static int apparmor_socket_shutdown(struct socket *s= ock, int how) return aa_sock_perm(OP_SHUTDOWN, AA_MAY_SHUTDOWN, sock); } =20 +/** + * apparmor_lsm_config_self_policy - Stack a profile + * @lsm_id: AppArmor ID (LSM_ID_APPARMOR). Unused here + * @op: operation to perform. Currently, only LSM_POLICY_LOAD is supported + * @buf: buffer containing the user-provided name of the profile to stack + * @size: size of @buf + * @flags: reserved for future use; must be zero + * + * Returns: 0 on success, negative value on error + */ +static int apparmor_lsm_config_self_policy(u32 lsm_id, u32 op, void __user= *buf, + size_t size, u32 flags) +{ + char *name; + long name_size; + int ret; + + if (op !=3D LSM_POLICY_LOAD || flags) + return -EOPNOTSUPP; + if (size =3D=3D 0) + return -EINVAL; + if (size > AA_PROFILE_NAME_MAX_SIZE) + return -E2BIG; + + name =3D kmalloc(size, GFP_KERNEL); + if (!name) + return -ENOMEM; + + + name_size =3D strncpy_from_user(name, buf, size); + if (name_size < 0) { + kfree(name); + return name_size; + } + + ret =3D aa_change_profile(name, AA_CHANGE_STACK); + + kfree(name); + + return ret; +} + +/** + * apparmor_lsm_config_system_policy - Load or replace a system policy + * @lsm_id: AppArmor ID (LSM_ID_APPARMOR). Unused here + * @op: operation to perform. Currently, only LSM_POLICY_LOAD is supported + * @buf: user-supplied buffer in the form "\0" + * is the namespace to load the policy into (empty string for = root) + * is the policy to load + * @size: size of @buf + * @flags: reserved for future uses; must be zero + * + * Returns: 0 on success, negative value on error + */ +static int apparmor_lsm_config_system_policy(u32 lsm_id, u32 op, void __us= er *buf, + size_t size, u32 flags) +{ + loff_t pos =3D 0; // Partial writing is not currently supported + char ns_name[AA_PROFILE_NAME_MAX_SIZE]; + size_t ns_size; + size_t max_ns_size =3D min(size, AA_PROFILE_NAME_MAX_SIZE); + + if (op !=3D LSM_POLICY_LOAD || flags) + return -EOPNOTSUPP; + if (size < 2) + return -EINVAL; + if (size > AA_PROFILE_MAX_SIZE) + return -E2BIG; + + ns_size =3D strncpy_from_user(ns_name, buf, max_ns_size); + if (ns_size < 0) + return ns_size; + if (ns_size =3D=3D max_ns_size) + return -E2BIG; + + return aa_profile_load_ns_name(ns_name, ns_size, buf + ns_size + 1, + size - ns_size - 1, &pos); +} + + #ifdef CONFIG_NETWORK_SECMARK /** * apparmor_socket_sock_rcv_skb - check perms before associating skb to sk @@ -1483,6 +1563,10 @@ static struct security_hook_list apparmor_hooks[] __= ro_after_init =3D { LSM_HOOK_INIT(socket_getsockopt, apparmor_socket_getsockopt), LSM_HOOK_INIT(socket_setsockopt, apparmor_socket_setsockopt), LSM_HOOK_INIT(socket_shutdown, apparmor_socket_shutdown), + + LSM_HOOK_INIT(lsm_config_self_policy, apparmor_lsm_config_self_policy), + LSM_HOOK_INIT(lsm_config_system_policy, + apparmor_lsm_config_system_policy), #ifdef CONFIG_NETWORK_SECMARK LSM_HOOK_INIT(socket_sock_rcv_skb, apparmor_socket_sock_rcv_skb), #endif --=20 2.48.1