From: Martin Cermak Date: Mon, 8 Dec 2025 12:20:25 +0000 (+0100) Subject: Wrap new lsm_get_self_attr and lsm_set_self_attr syscalls X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4ad2f953c4132140eac15221ac0a7ca2f89b348c;p=thirdparty%2Fvalgrind.git Wrap new lsm_get_self_attr and lsm_set_self_attr syscalls Create a system call lsm_get_self_attr() to provide the security module maintained attributes of the current process. Create a system call lsm_set_self_attr() to set a security module maintained attribute of the current process. Historically these attributes have been exposed to user space via entries in procfs under /proc/self/attr. Declare lsm_get_self_attr and lsm_set_self_attr wrappers in priv_syswrap-linux.h and hook it for {amd64,arm,arm64,mips64,\ ppc32,ppc64,riscv64,s390x,x86}-linux. https://bugs.kde.org/show_bug.cgi?id=510563 --- diff --git a/NEWS b/NEWS index 0702dbc94..6583e5807 100644 --- a/NEWS +++ b/NEWS @@ -31,6 +31,7 @@ are not entered into bugzilla tend to get forgotten about or ignored. 487055 memcheck/tests/x86-linux/scalar fails running in Docker 509562 s390x: Define minimum required machine model 510416 Missing syswraps for file_getattr and file_setattr +510563 Add missing syswraps for lsm_get_self_attr and lsm_set_self_attr 510864 Add SSE4.1 PMAXSD and PMINSD instructions support for 32-bit x86 511329 Darwin and FreeBSD: Move setting of carry flag out of ML_(do_syscall_for_client_WRK) diff --git a/coregrind/m_syswrap/priv_syswrap-linux.h b/coregrind/m_syswrap/priv_syswrap-linux.h index 2c878c8c5..b02701d27 100644 --- a/coregrind/m_syswrap/priv_syswrap-linux.h +++ b/coregrind/m_syswrap/priv_syswrap-linux.h @@ -372,6 +372,8 @@ DECL_TEMPLATE(linux, sys_statmount); // Since Linux 6.10 DECL_TEMPLATE(linux, sys_mseal); +DECL_TEMPLATE(linux, sys_lsm_get_self_attr); +DECL_TEMPLATE(linux, sys_lsm_set_self_attr); // Since Linux 6.17-rc1 DECL_TEMPLATE(linux, sys_file_getattr); 
diff --git a/coregrind/m_syswrap/syswrap-amd64-linux.c b/coregrind/m_syswrap/syswrap-amd64-linux.c
index a6e76690a..0a05d7cb5 100644
--- a/coregrind/m_syswrap/syswrap-amd64-linux.c
+++ b/coregrind/m_syswrap/syswrap-amd64-linux.c
@@ -909,6 +909,8 @@ static SyscallTableEntry syscall_table[] = {
 LINX_(__NR_fchmodat2, sys_fchmodat2), // 452
 LINXY(__NR_statmount, sys_statmount), // 457
 LINXY(__NR_listmount, sys_listmount), // 458
+ LINXY(__NR_lsm_get_self_attr, sys_lsm_get_self_attr), // 459
+ LINX_(__NR_lsm_set_self_attr, sys_lsm_set_self_attr), // 460
 LINX_(__NR_mseal, sys_mseal), // 462
 LINXY(__NR_file_getattr, sys_file_getattr), // 468
 LINX_(__NR_file_setattr, sys_file_setattr), // 469
diff --git a/coregrind/m_syswrap/syswrap-arm-linux.c b/coregrind/m_syswrap/syswrap-arm-linux.c
index b7860710c..e923bee9c 100644
--- a/coregrind/m_syswrap/syswrap-arm-linux.c
+++ b/coregrind/m_syswrap/syswrap-arm-linux.c
@@ -1079,6 +1079,8 @@ static SyscallTableEntry syscall_main_table[] = {
 LINX_(__NR_fchmodat2, sys_fchmodat2), // 452
 LINXY(__NR_statmount, sys_statmount), // 457
 LINXY(__NR_listmount, sys_listmount), // 458
+ LINXY(__NR_lsm_get_self_attr, sys_lsm_get_self_attr), // 459
+ LINX_(__NR_lsm_set_self_attr, sys_lsm_set_self_attr), // 460
 LINX_(__NR_mseal, sys_mseal), // 462
 LINXY(__NR_file_getattr, sys_file_getattr), // 468
 LINX_(__NR_file_setattr, sys_file_setattr), // 469
diff --git a/coregrind/m_syswrap/syswrap-arm64-linux.c b/coregrind/m_syswrap/syswrap-arm64-linux.c
index 890bb7b8f..9b6e05dbc 100644
--- a/coregrind/m_syswrap/syswrap-arm64-linux.c
+++ b/coregrind/m_syswrap/syswrap-arm64-linux.c
@@ -860,6 +860,8 @@ static SyscallTableEntry syscall_main_table[] = {
 LINX_(__NR_fchmodat2, sys_fchmodat2), // 452
 LINXY(__NR_statmount, sys_statmount), // 457
 LINXY(__NR_listmount, sys_listmount), // 458
+ LINXY(__NR_lsm_get_self_attr, sys_lsm_get_self_attr), // 459
+ LINX_(__NR_lsm_set_self_attr, sys_lsm_set_self_attr), // 460
 LINX_(__NR_mseal, sys_mseal), // 462
 LINXY(__NR_file_getattr, sys_file_getattr), // 468
 LINX_(__NR_file_setattr, sys_file_setattr), // 469
diff --git a/coregrind/m_syswrap/syswrap-linux.c b/coregrind/m_syswrap/syswrap-linux.c
index 3bfbef761..7186cf0c4 100644
--- a/coregrind/m_syswrap/syswrap-linux.c
+++ b/coregrind/m_syswrap/syswrap-linux.c
@@ -4637,6 +4637,45 @@ PRE(sys_file_setattr) PRE_MEM_READ("file_setattr(ufattr)", ARG3, ARG4); } +PRE(sys_lsm_get_self_attr) +{ + // * sys_lsm_get_self_attr - Return current task's security module attributes + // * @attr: which attribute to return + // * @ctx: the user-space destination for the information, or NULL + // * @size: pointer to the size of space available to receive the data + // * @flags: special handling options. LSM_FLAG_SINGLE indicates that only + // * attributes associated with the LSM identified in the passed @ctx be + // * reported. + // SYSCALL_DEFINE4(lsm_get_self_attr, unsigned int, attr, struct lsm_ctx __user *, + // ctx, u32 __user *, size, u32, flags) + PRINT("sys_lsm_get_self_attr ( %#" FMT_REGWORD "x, %#" FMT_REGWORD "x, %" FMT_REGWORD "u, %#" FMT_REGWORD "x)", ARG1, ARG2, ARG3, ARG4); + PRE_REG_READ4(long, "lsm_get_self_attr", unsigned int, attr, struct vki_lsm_ctx *, ctx, __vki_u32 *, size, __vki_u32, flags); + if (ML_(safe_to_deref)((__vki_u32 *)ARG3,sizeof(__vki_u32))) { + PRE_MEM_READ("lsm_get_self_attr(size)", ARG3, sizeof(__vki_u32)); + PRE_MEM_READ("lsm_get_self_attr(ctx)", ARG2, *(__vki_u32 *)ARG3); + } +} + +POST(sys_lsm_get_self_attr) +{ + POST_MEM_WRITE((Addr)ARG3, sizeof(__vki_u32)); + POST_MEM_WRITE(ARG2, *(__vki_u32 *)ARG3); +} + +PRE(sys_lsm_set_self_attr) +{ + // * sys_lsm_set_self_attr - Set current task's security module attribute + // * @attr: which attribute to set + // * @ctx: the LSM contexts + // * @size: size of @ctx + // * @flags: reserved for future use + // SYSCALL_DEFINE4(lsm_set_self_attr, unsigned int, attr, struct lsm_ctx __user *, + // ctx, u32, size, u32, flags) + PRINT("sys_lsm_get_self_attr ( %#" FMT_REGWORD "x, %#" FMT_REGWORD "x, %" FMT_REGWORD "u, %#" FMT_REGWORD "x)", ARG1, ARG2, ARG3, ARG4); + PRE_REG_READ4(long, "lsm_set_self_attr", unsigned int, attr, struct vki_lsm_ctx *, ctx, __vki_u32 *, size, __vki_u32, flags); + PRE_MEM_READ("lsm_get_self_attr(ctx)", ARG2, ARG3); +} + PRE(sys_syncfs) { 
*flags |= SfMayBlock; diff --git a/coregrind/m_syswrap/syswrap-mips32-linux.c b/coregrind/m_syswrap/syswrap-mips32-linux.c index 5541f4c72..43c9b861d 100644 --- a/coregrind/m_syswrap/syswrap-mips32-linux.c +++ b/coregrind/m_syswrap/syswrap-mips32-linux.c @@ -1188,6 +1188,8 @@ static SyscallTableEntry syscall_main_table[] = { LINX_(__NR_fchmodat2, sys_fchmodat2), // 452 LINXY(__NR_statmount, sys_statmount), // 457 LINXY(__NR_listmount, sys_listmount), // 458 + LINXY(__NR_lsm_get_self_attr, sys_lsm_get_self_attr), // 459 + LINX_(__NR_lsm_set_self_attr, sys_lsm_set_self_attr), // 460 LINX_(__NR_mseal, sys_mseal), // 462 LINXY(__NR_file_getattr, sys_file_getattr), // 468 LINX_(__NR_file_setattr, sys_file_setattr), // 469 diff --git a/coregrind/m_syswrap/syswrap-mips64-linux.c b/coregrind/m_syswrap/syswrap-mips64-linux.c index 57a522d87..d78e59842 100644 --- a/coregrind/m_syswrap/syswrap-mips64-linux.c +++ b/coregrind/m_syswrap/syswrap-mips64-linux.c @@ -797,6 +797,8 @@ static SyscallTableEntry syscall_main_table[] = { LINXY (__NR_userfaultfd, sys_userfaultfd), LINXY (__NR_statmount, sys_statmount), LINXY (__NR_listmount, sys_listmount), + LINXY(__NR_lsm_get_self_attr, sys_lsm_get_self_attr), + LINX_(__NR_lsm_set_self_attr, sys_lsm_set_self_attr), LINX_ (__NR_mseal, sys_mseal), LINX_ (__NR_futex_waitv, sys_futex_waitv), LINXY (__NR_quotactl_fd, sys_quotactl_fd), diff --git a/coregrind/m_syswrap/syswrap-nanomips-linux.c b/coregrind/m_syswrap/syswrap-nanomips-linux.c index ac4d6aa7e..e5c642572 100644 --- a/coregrind/m_syswrap/syswrap-nanomips-linux.c +++ b/coregrind/m_syswrap/syswrap-nanomips-linux.c 
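Review bot: In PRE(sys_lsm_get_self_attr) the ctx buffer is checked with `PRE_MEM_READ("lsm_get_self_attr(ctx)", ARG2, *(__vki_u32 *)ARG3)`, but the kernel comment quoted just above it calls ctx "the user-space destination for the information, or NULL", so it should be a PRE_MEM_WRITE that is skipped when ARG2 is 0; as written, a tool would presumably flag a valid but uninitialised output buffer, or a NULL size query, as an invalid read. POST(sys_lsm_get_self_attr) lacks the same NULL guard before `POST_MEM_WRITE(ARG2, *(__vki_u32 *)ARG3)`, which for a NULL ctx would presumably record a write starting at address 0. PRE(sys_lsm_set_self_attr) still carries copy-pasted get_self_attr strings in PRINT and in the PRE_MEM_READ label, and its PRE_REG_READ4 declares size as `__vki_u32 *` although the quoted prototype passes it by value, so reports for the set call would name the wrong syscall. The hunk ends inside PRE(sys_syncfs), which is unchanged context.

```c
// PRE(sys_lsm_get_self_attr) … unchanged: kernel prototype comment, PRINT, PRE_REG_READ4 …
   if (ML_(safe_to_deref)((__vki_u32 *)ARG3,sizeof(__vki_u32))) {
      PRE_MEM_READ("lsm_get_self_attr(size)", ARG3, sizeof(__vki_u32));
      if (ARG2 != 0)
         PRE_MEM_WRITE("lsm_get_self_attr(ctx)", ARG2, *(__vki_u32 *)ARG3);
   }

// POST(sys_lsm_get_self_attr) … unchanged: POST_MEM_WRITE of the size word …
   if (ARG2 != 0)
      POST_MEM_WRITE(ARG2, *(__vki_u32 *)ARG3);

// PRE(sys_lsm_set_self_attr) … unchanged: kernel prototype comment …
   PRINT("sys_lsm_set_self_attr ( %#" FMT_REGWORD "x, %#" FMT_REGWORD "x, %" FMT_REGWORD "u, %#" FMT_REGWORD "x)", ARG1, ARG2, ARG3, ARG4);
   PRE_REG_READ4(long, "lsm_set_self_attr", unsigned int, attr, struct vki_lsm_ctx *, ctx, __vki_u32, size, __vki_u32, flags);
   PRE_MEM_READ("lsm_set_self_attr(ctx)", ARG2, ARG3);
```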
@@ -823,6 +823,8 @@ static SyscallTableEntry syscall_main_table[] = {
 LINX_ (__NR_fchmodat2, sys_fchmodat2),
 LINXY (__NR_statmount, sys_statmount),
 LINXY (__NR_listmount, sys_listmount),
+ LINXY(__NR_lsm_get_self_attr, sys_lsm_get_self_attr),
+ LINX_(__NR_lsm_set_self_attr, sys_lsm_set_self_attr),
 LINX_ (__NR_mseal, sys_mseal),
 LINX_ (__NR_futex_waitv, sys_futex_waitv),
 LINXY (__NR_file_getattr, sys_file_getattr),
diff --git a/coregrind/m_syswrap/syswrap-ppc32-linux.c b/coregrind/m_syswrap/syswrap-ppc32-linux.c
index d3b84a57d..82b67afe3 100644
--- a/coregrind/m_syswrap/syswrap-ppc32-linux.c
+++ b/coregrind/m_syswrap/syswrap-ppc32-linux.c
@@ -1087,6 +1087,8 @@ static SyscallTableEntry syscall_table[] = {
 LINX_ (__NR_fchmodat2, sys_fchmodat2), // 452
 LINXY (__NR_statmount, sys_statmount), // 457
 LINXY (__NR_listmount, sys_listmount), // 458
+ LINXY(__NR_lsm_get_self_attr, sys_lsm_get_self_attr), // 459
+ LINX_(__NR_lsm_set_self_attr, sys_lsm_set_self_attr), // 460
 LINX_ (__NR_mseal, sys_mseal), // 462
 LINXY (__NR_file_getattr, sys_file_getattr), // 468
 LINX_ (__NR_file_setattr, sys_file_setattr), // 469
diff --git a/coregrind/m_syswrap/syswrap-ppc64-linux.c b/coregrind/m_syswrap/syswrap-ppc64-linux.c
index 56b16bb8f..445ee30f3 100644
--- a/coregrind/m_syswrap/syswrap-ppc64-linux.c
+++ b/coregrind/m_syswrap/syswrap-ppc64-linux.c
@@ -1065,6 +1065,8 @@ static SyscallTableEntry syscall_table[] = {
 LINX_ (__NR_fchmodat2, sys_fchmodat2), // 452
 LINXY (__NR_statmount, sys_statmount), // 457
 LINXY (__NR_listmount, sys_listmount), // 458
+ LINXY(__NR_lsm_get_self_attr, sys_lsm_get_self_attr), // 459
+ LINX_(__NR_lsm_set_self_attr, sys_lsm_set_self_attr), // 460
 LINX_ (__NR_mseal, sys_mseal), // 462
 LINXY (__NR_file_getattr, sys_file_getattr), // 468
 LINX_ (__NR_file_setattr, sys_file_setattr), // 469
diff --git a/coregrind/m_syswrap/syswrap-riscv64-linux.c b/coregrind/m_syswrap/syswrap-riscv64-linux.c
index 3774c797e..92e279485 100644
--- a/coregrind/m_syswrap/syswrap-riscv64-linux.c
+++ b/coregrind/m_syswrap/syswrap-riscv64-linux.c
@@ -608,6 +608,8 @@ static SyscallTableEntry syscall_main_table[] = {
 LINX_(__NR_fchmodat2, sys_fchmodat2), /* 452 */
 LINXY(__NR_statmount, sys_statmount), /* 457 */
 LINXY(__NR_listmount, sys_listmount), /* 458 */
+ LINXY(__NR_lsm_get_self_attr, sys_lsm_get_self_attr), /* 459 */
+ LINX_(__NR_lsm_set_self_attr, sys_lsm_set_self_attr), /* 460 */
 LINX_(__NR_mseal, sys_mseal), /* 462 */
 LINXY(__NR_file_getattr, sys_file_getattr), /* 468 */
 LINX_(__NR_file_setattr, sys_file_setattr), /* 469 */
diff --git a/coregrind/m_syswrap/syswrap-s390x-linux.c b/coregrind/m_syswrap/syswrap-s390x-linux.c
index 8d45a55b1..0b5d436b0 100644
--- a/coregrind/m_syswrap/syswrap-s390x-linux.c
+++ b/coregrind/m_syswrap/syswrap-s390x-linux.c
@@ -900,6 +900,8 @@ static SyscallTableEntry syscall_table[] = {
 LINX_ (__NR_fchmodat2, sys_fchmodat2), // 452
 LINXY (__NR_statmount, sys_statmount), // 457
 LINXY (__NR_listmount, sys_listmount), // 458
+ LINXY(__NR_lsm_get_self_attr, sys_lsm_get_self_attr), // 459
+ LINX_(__NR_lsm_set_self_attr, sys_lsm_set_self_attr), // 460
 LINX_ (__NR_mseal, sys_mseal), // 462
 LINXY (__NR_file_getattr, sys_file_getattr), // 468
 LINX_ (__NR_file_setattr, sys_file_setattr), // 469
diff --git a/coregrind/m_syswrap/syswrap-x86-linux.c b/coregrind/m_syswrap/syswrap-x86-linux.c
index b6224321f..1165304da 100644
--- a/coregrind/m_syswrap/syswrap-x86-linux.c
+++ b/coregrind/m_syswrap/syswrap-x86-linux.c
@@ -1690,6 +1690,8 @@ static SyscallTableEntry syscall_table[] = {
 LINX_(__NR_fchmodat2, sys_fchmodat2), // 452
 LINXY(__NR_statmount, sys_statmount), // 457
 LINXY(__NR_listmount, sys_listmount), // 458
+ LINXY(__NR_lsm_get_self_attr, sys_lsm_get_self_attr), // 459
+ LINX_(__NR_lsm_set_self_attr, sys_lsm_set_self_attr), // 460
 LINX_(__NR_mseal, sys_mseal), // 462
 LINXY(__NR_file_getattr, sys_file_getattr), // 468
 LINX_(__NR_file_setattr, sys_file_setattr), // 469
diff --git a/include/vki/vki-linux.h b/include/vki/vki-linux.h index e0636378c..bb6b8d72d 100644 --- a/include/vki/vki-linux.h +++ b/include/vki/vki-linux.h @@ -5661,6 +5661,18 @@ struct vki_dqinfo { __vki_u32 dqi_valid; }; +//---------------------------------------------------------------------- +// From uapi/linux/lsm.h +//---------------------------------------------------------------------- + +struct vki_lsm_ctx { + __vki_u64 id; + __vki_u64 flags; + __vki_u64 len; + __vki_u64 ctx_len; + __vki_u8 ctx[]; /* __counted_by(ctx_len); */ +}; + /*--------------------------------------------------------------------*/ /*--- end ---*/ /*--------------------------------------------------------------------*/ diff --git a/include/vki/vki-scnums-shared-linux.h b/include/vki/vki-scnums-shared-linux.h index 704e6378c..231372af4 100644 --- a/include/vki/vki-scnums-shared-linux.h +++ b/include/vki/vki-scnums-shared-linux.h @@ -60,6 +60,8 @@ #define __NR_fchmodat2 452 #define __NR_statmount 457 #define __NR_listmount 458 +#define __NR_lsm_get_self_attr 459 +#define __NR_lsm_set_self_attr 460 #define __NR_mseal 462 #define __NR_file_getattr 468 #define __NR_file_setattr 469