Commit ad4aff9e authored by Casey Schaufler's avatar Casey Schaufler Committed by Paul Moore

LSM: Create lsm_list_modules system call

Create a system call to report the list of Linux Security Modules
that are active on the system. The list is provided as an array
of LSM ID numbers.

The calling application can use this list to determine what LSM
specific actions it might take. That might include choosing an
output format, determining required privilege or bypassing
security module specific behavior.
Signed-off-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
Reviewed-by: default avatarKees Cook <keescook@chromium.org>
Reviewed-by: default avatarSerge Hallyn <serge@hallyn.com>
Reviewed-by: default avatarJohn Johansen <john.johansen@canonical.com>
Reviewed-by: default avatarMickaël Salaün <mic@digikod.net>
Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
parent a04a1198
...@@ -63,6 +63,9 @@ Get the specified security attributes of the current process ...@@ -63,6 +63,9 @@ Get the specified security attributes of the current process
.. kernel-doc:: security/lsm_syscalls.c .. kernel-doc:: security/lsm_syscalls.c
:identifiers: sys_lsm_get_self_attr :identifiers: sys_lsm_get_self_attr
.. kernel-doc:: security/lsm_syscalls.c
:identifiers: sys_lsm_list_modules
Additional documentation Additional documentation
======================== ========================
......
...@@ -954,6 +954,7 @@ asmlinkage long sys_lsm_get_self_attr(unsigned int attr, struct lsm_ctx *ctx, ...@@ -954,6 +954,7 @@ asmlinkage long sys_lsm_get_self_attr(unsigned int attr, struct lsm_ctx *ctx,
size_t *size, __u32 flags); size_t *size, __u32 flags);
asmlinkage long sys_lsm_set_self_attr(unsigned int attr, struct lsm_ctx *ctx, asmlinkage long sys_lsm_set_self_attr(unsigned int attr, struct lsm_ctx *ctx,
size_t size, __u32 flags); size_t size, __u32 flags);
asmlinkage long sys_lsm_list_modules(u64 *ids, size_t *size, u32 flags);
/* /*
* Architecture-specific system calls * Architecture-specific system calls
......
...@@ -173,6 +173,7 @@ COND_SYSCALL(fadvise64_64); ...@@ -173,6 +173,7 @@ COND_SYSCALL(fadvise64_64);
COND_SYSCALL_COMPAT(fadvise64_64); COND_SYSCALL_COMPAT(fadvise64_64);
COND_SYSCALL(lsm_get_self_attr); COND_SYSCALL(lsm_get_self_attr);
COND_SYSCALL(lsm_set_self_attr); COND_SYSCALL(lsm_set_self_attr);
COND_SYSCALL(lsm_list_modules);
/* CONFIG_MMU only */ /* CONFIG_MMU only */
COND_SYSCALL(swapon); COND_SYSCALL(swapon);
......
...@@ -55,3 +55,42 @@ SYSCALL_DEFINE4(lsm_get_self_attr, unsigned int, attr, struct lsm_ctx __user *, ...@@ -55,3 +55,42 @@ SYSCALL_DEFINE4(lsm_get_self_attr, unsigned int, attr, struct lsm_ctx __user *,
{ {
return security_getselfattr(attr, ctx, size, flags); return security_getselfattr(attr, ctx, size, flags);
} }
/**
* sys_lsm_list_modules - Return a list of the active security modules
* @ids: the LSM module ids
* @size: pointer to size of @ids, updated on return
* @flags: reserved for future use, must be zero
*
* Returns a list of the active LSM ids. On success this function
* returns the number of @ids array elements. This value may be zero
* if there are no LSMs active. If @size is insufficient to contain
* the return data -E2BIG is returned and @size is set to the minimum
* required size. In all other cases a negative value indicating the
* error is returned.
*/
SYSCALL_DEFINE3(lsm_list_modules, u64 __user *, ids, size_t __user *, size,
u32, flags)
{
size_t total_size = lsm_active_cnt * sizeof(*ids);
size_t usize;
int i;
if (flags)
return -EINVAL;
if (get_user(usize, size))
return -EFAULT;
if (put_user(total_size, size) != 0)
return -EFAULT;
if (usize < total_size)
return -E2BIG;
for (i = 0; i < lsm_active_cnt; i++)
if (put_user(lsm_idlist[i]->id, ids++))
return -EFAULT;
return lsm_active_cnt;
}
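Review bot: The `size` argument of `SYSCALL_DEFINE3(lsm_list_modules, ...)` is `size_t __user *` (as is the prototype added to syscalls.h), yet only a native `COND_SYSCALL(lsm_list_modules)` entry is added with no compat variant; unless a compat wrapper is defined outside this change, 32-bit userspace on a 64-bit kernel passes a 4-byte object while `get_user(usize, size)` reads 8 bytes and `put_user(total_size, size)` writes 8, clobbering the four user bytes after the caller's variable. A fixed-width type removes the ABI split: `size_t __user *, size` becomes `u32 __user *, size`, with `u32 total_size = lsm_active_cnt * sizeof(*ids);` and `u32 usize;`, mirrored in the syscalls.h prototype. The kernel-doc should also state the unit, since "size of @ids" reads as a count: `@size: pointer to the size of @ids in bytes, updated on return`. The unconditional `put_user(total_size, size)` before the `-E2BIG` check is what makes the size-probe path work, so a one-line why-comment there, e.g. `/* report the required size even when the buffer is too small */`, would keep a future cleanup from reordering it.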