rust: security: add abstraction for secctx

Add an abstraction for viewing the string representation of a security
context.

This is needed by Rust Binder because it has a feature where a process
can view the string representation of the security context for incoming
transactions. The process can use that to authenticate incoming
transactions, and since the feature is provided by the kernel, the
process can trust that the security context is legitimate.

This abstraction makes the following assumptions about the C side:
* When a call to `security_secid_to_secctx` is successful, it returns a
  pointer and length. The pointer references a byte string and is valid
  for reading for that many bytes.
* The string may be referenced until `security_release_secctx` is
  called.
* If CONFIG_SECURITY is set, then the three methods mentioned in
  rust/helpers are available without a helper. (That is, they are not a
  #define or `static inline`.)

Reviewed-by: Benno Lossin <benno.lossin@proton.me>
Reviewed-by: Martin Rodriguez Reboredo <yakoyoku@gmail.com>
Reviewed-by: Trevor Gross <tmgross@umich.edu>
Reviewed-by: Gary Guo <gary@garyguo.net>
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Link: https://lore.kernel.org/r/20240915-alice-file-v10-5-88484f7a3dcf@google.com
Acked-by: Paul Moore <paul@paul-moore.com>
Reviewed-by: Kees Cook <kees@kernel.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>
This commit is contained in:
Alice Ryhl 2024-09-15 14:31:31 +00:00 committed by Christian Brauner
parent a3df991d3d
commit 94d356c033
No known key found for this signature in database
GPG Key ID: 91C61BC06578DCA2
6 changed files with 105 additions and 0 deletions

View File

@ -21,6 +21,7 @@
#include <linux/phy.h> #include <linux/phy.h>
#include <linux/refcount.h> #include <linux/refcount.h>
#include <linux/sched.h> #include <linux/sched.h>
#include <linux/security.h>
#include <linux/slab.h> #include <linux/slab.h>
#include <linux/wait.h> #include <linux/wait.h>
#include <linux/workqueue.h> #include <linux/workqueue.h>

View File

@ -19,6 +19,7 @@
#include "page.c" #include "page.c"
#include "rbtree.c" #include "rbtree.c"
#include "refcount.c" #include "refcount.c"
#include "security.c"
#include "signal.c" #include "signal.c"
#include "slab.c" #include "slab.c"
#include "spinlock.c" #include "spinlock.c"

20
rust/helpers/security.c Normal file
View File

@ -0,0 +1,20 @@
// SPDX-License-Identifier: GPL-2.0
#include <linux/security.h>
#ifndef CONFIG_SECURITY
void rust_helper_security_cred_getsecid(const struct cred *c, u32 *secid)
{
security_cred_getsecid(c, secid);
}
int rust_helper_security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
{
return security_secid_to_secctx(secid, secdata, seclen);
}
void rust_helper_security_release_secctx(char *secdata, u32 seclen)
{
security_release_secctx(secdata, seclen);
}
#endif

View File

@ -52,6 +52,14 @@ impl Credential {
unsafe { &*ptr.cast() } unsafe { &*ptr.cast() }
} }
/// Get the id for this security context.
pub fn get_secid(&self) -> u32 {
let mut secid = 0;
// SAFETY: The invariants of this type ensures that the pointer is valid.
unsafe { bindings::security_cred_getsecid(self.0.get(), &mut secid) };
secid
}
/// Returns the effective UID of the given credential. /// Returns the effective UID of the given credential.
pub fn euid(&self) -> bindings::kuid_t { pub fn euid(&self) -> bindings::kuid_t {
// SAFETY: By the type invariant, we know that `self.0` is valid. Furthermore, the `euid` // SAFETY: By the type invariant, we know that `self.0` is valid. Furthermore, the `euid`

View File

@ -47,6 +47,7 @@ pub mod page;
pub mod prelude; pub mod prelude;
pub mod print; pub mod print;
pub mod rbtree; pub mod rbtree;
pub mod security;
mod static_assert; mod static_assert;
#[doc(hidden)] #[doc(hidden)]
pub mod std_vendor; pub mod std_vendor;

74
rust/kernel/security.rs Normal file
View File

@ -0,0 +1,74 @@
// SPDX-License-Identifier: GPL-2.0
// Copyright (C) 2024 Google LLC.
//! Linux Security Modules (LSM).
//!
//! C header: [`include/linux/security.h`](srctree/include/linux/security.h).
use crate::{
bindings,
error::{to_result, Result},
};
/// A security context string.
///
/// # Invariants
///
/// The `secdata` and `seclen` fields correspond to a valid security context as returned by a
/// successful call to `security_secid_to_secctx`, that has not yet been destroyed by calling
/// `security_release_secctx`.
pub struct SecurityCtx {
secdata: *mut core::ffi::c_char,
seclen: usize,
}
impl SecurityCtx {
/// Get the security context given its id.
pub fn from_secid(secid: u32) -> Result<Self> {
let mut secdata = core::ptr::null_mut();
let mut seclen = 0u32;
// SAFETY: Just a C FFI call. The pointers are valid for writes.
to_result(unsafe { bindings::security_secid_to_secctx(secid, &mut secdata, &mut seclen) })?;
// INVARIANT: If the above call did not fail, then we have a valid security context.
Ok(Self {
secdata,
seclen: seclen as usize,
})
}
/// Returns whether the security context is empty.
pub fn is_empty(&self) -> bool {
self.seclen == 0
}
/// Returns the length of this security context.
pub fn len(&self) -> usize {
self.seclen
}
/// Returns the bytes for this security context.
pub fn as_bytes(&self) -> &[u8] {
let ptr = self.secdata;
if ptr.is_null() {
debug_assert_eq!(self.seclen, 0);
// We can't pass a null pointer to `slice::from_raw_parts` even if the length is zero.
return &[];
}
// SAFETY: The call to `security_secid_to_secctx` guarantees that the pointer is valid for
// `seclen` bytes. Furthermore, if the length is zero, then we have ensured that the
// pointer is not null.
unsafe { core::slice::from_raw_parts(ptr.cast(), self.seclen) }
}
}
impl Drop for SecurityCtx {
fn drop(&mut self) {
// SAFETY: By the invariant of `Self`, this frees a pointer that came from a successful
// call to `security_secid_to_secctx` and has not yet been destroyed by
// `security_release_secctx`.
unsafe { bindings::security_release_secctx(self.secdata, self.seclen as u32) };
}
}