From: "Mickaël Salaün" <mic@digikod.net>
To: linux-security-module@vger.kernel.org
Cc: "Mickaël Salaün" <mic@digikod.net>,
"Andreas Gruenbacher" <agruenba@redhat.com>,
"Andy Lutomirski" <luto@amacapital.net>,
"Andy Lutomirski" <luto@kernel.org>,
"Arnd Bergmann" <arnd@arndb.de>,
"Casey Schaufler" <casey@schaufler-ca.com>,
"Daniel Borkmann" <daniel@iogearbox.net>,
"David Drysdale" <drysdale@google.com>,
"Eric Paris" <eparis@redhat.com>,
"James Morris" <james.l.morris@oracle.com>,
"Jeff Dike" <jdike@addtoit.com>, "Julien Tinnes" <jln@google.com>,
"Kees Cook" <keescook@chromium.org>,
"Michael Kerrisk" <mtk@man7.org>,
"Paul Moore" <pmoore@redhat.com>,
"Richard Weinberger" <richard@nod.at>,
"Serge E . Hallyn" <serge@hallyn.com>,
"Stephen Smalley" <sds@tycho.nsa.gov>,
"Tetsuo Handa" <penguin-kernel@I-love.SAKURA.ne.jp>,
"Will Drewry" <wad@chromium.org>,
linux-api@vger.kernel.org, kernel-hardening@lists.openwall.com
Subject: [kernel-hardening] [RFC v1 12/17] audit,seccomp: Extend audit with seccomp state
Date: Thu, 24 Mar 2016 03:53:57 +0100 [thread overview]
Message-ID: <1458788042-26173-4-git-send-email-mic@digikod.net> (raw)
In-Reply-To: <1458788042-26173-1-git-send-email-mic@digikod.net>
Extend the audit framework to known if we are in a seccomp filter
evaluation or not.
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Eric Paris <eparis@redhat.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Paul Moore <pmoore@redhat.com>
Cc: Will Drewry <wad@chromium.org>
---
include/linux/audit.h | 25 +++++++++++++++++++++++++
kernel/audit.h | 3 +++
kernel/auditsc.c | 36 ++++++++++++++++++++++++++++++++++--
kernel/seccomp.c | 21 ++++++++++++++++++---
4 files changed, 80 insertions(+), 5 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index b40ed5df5542..480df19473d9 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -230,6 +230,8 @@ extern void __audit_free(struct task_struct *task);
extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long a1,
unsigned long a2, unsigned long a3);
extern void __audit_syscall_exit(int ret_success, long ret_value);
+extern void __audit_seccomp_entry(void);
+extern void __audit_seccomp_exit(int do_free);
extern struct filename *__audit_reusename(const __user char *uptr);
extern void __audit_getname(struct filename *name);
@@ -270,17 +272,40 @@ static inline void audit_syscall_exit(void *pt_regs)
__audit_syscall_exit(success, return_code);
}
}
+
+static inline void audit_seccomp_entry(void)
+{
+ if (unlikely(current->audit_context))
+ __audit_seccomp_entry();
+}
+
+static inline void audit_seccomp_exit(int do_free)
+{
+ if (unlikely(current->audit_context))
+ __audit_seccomp_exit(do_free);
+}
+
static inline struct filename *audit_reusename(const __user char *name)
{
if (unlikely(!audit_dummy_context()))
return __audit_reusename(name);
+#ifdef CONFIG_SECURITY_SECCOMP
+ if (current->audit_context)
+ return __audit_reusename(name);
+#endif /* CONFIG_SECURITY_SECCOMP */
return NULL;
}
+
static inline void audit_getname(struct filename *name)
{
if (unlikely(!audit_dummy_context()))
__audit_getname(name);
+#ifdef CONFIG_SECURITY_SECCOMP
+ else if (current->audit_context)
+ __audit_getname(name);
+#endif /* CONFIG_SECURITY_SECCOMP */
}
+
static inline void audit_inode(struct filename *name,
const struct dentry *dentry,
unsigned int parent) {
diff --git a/kernel/audit.h b/kernel/audit.h
index cbbe6bb6496e..c63ce77b44ae 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -108,6 +108,9 @@ struct audit_proctitle {
struct audit_context {
int dummy; /* must be the first element */
int in_syscall; /* 1 if task is in a syscall */
+#ifdef CONFIG_SECURITY_SECCOMP
+ int in_seccomp; /* 1 if task is in seccomp */
+#endif
enum audit_state state, current_state;
unsigned int serial; /* serial number for record */
int major; /* syscall number */
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 195ffaee50b9..dd1d9f4b1c61 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1501,7 +1501,10 @@ void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2,
if (!context)
return;
- BUG_ON(context->in_syscall || context->name_count);
+ BUG_ON(context->in_syscall);
+#ifndef CONFIG_SECURITY_SECCOMP
+ BUG_ON(context->name_count);
+#endif /* CONFIG_SECURITY_SECCOMP */
if (!audit_enabled)
return;
@@ -1580,6 +1583,35 @@ void __audit_syscall_exit(int success, long return_code)
tsk->audit_context = context;
}
+void __audit_seccomp_entry(void)
+{
+ struct audit_context *context = current->audit_context;
+
+ if (!context)
+ return;
+ BUG_ON(context->in_seccomp || context->name_count);
+ if (!audit_enabled)
+ return;
+
+ context->in_seccomp = 1;
+}
+
+void __audit_seccomp_exit(int do_free)
+{
+ struct audit_context *context = current->audit_context;
+
+ if (!context)
+ return;
+ BUG_ON(!context->in_seccomp);
+ if (!audit_enabled)
+ return;
+
+ BUG_ON(!context->in_seccomp);
+ context->in_seccomp = 0;
+ if (do_free)
+ audit_free_names(context);
+}
+
static inline void handle_one(const struct inode *inode)
{
#ifdef CONFIG_AUDIT_TREE
@@ -1728,7 +1760,7 @@ void __audit_getname(struct filename *name)
struct audit_context *context = current->audit_context;
struct audit_names *n;
- if (!context->in_syscall)
+ if (!context->in_syscall && !context->in_seccomp)
return;
n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index 60e11863857e..a8a6ba31ecc4 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -881,7 +881,7 @@ int __secure_computing(void)
static u32 __seccomp_phase1_filter(int this_syscall, struct seccomp_data *sd)
{
u32 filter_ret, action;
- int data;
+ int data, ret;
/*
* Make sure that any changes to mode from another thread have
@@ -889,6 +889,9 @@ static u32 __seccomp_phase1_filter(int this_syscall, struct seccomp_data *sd)
*/
rmb();
+ /* Enable caching */
+ audit_seccomp_entry();
+
filter_ret = seccomp_run_filters(sd);
data = filter_ret & SECCOMP_RET_DATA;
action = filter_ret & SECCOMP_RET_ACTION;
@@ -910,13 +913,15 @@ static u32 __seccomp_phase1_filter(int this_syscall, struct seccomp_data *sd)
goto skip;
case SECCOMP_RET_TRACE:
- return filter_ret; /* Save the rest for phase 2. */
+ ret = filter_ret; /* Save the rest for phase 2. */
+ goto audit_exit;
case SECCOMP_RET_ARGEVAL:
/* Handled in seccomp_run_filters() */
BUG();
case SECCOMP_RET_ALLOW:
- return SECCOMP_PHASE1_OK;
+ ret = SECCOMP_PHASE1_OK;
+ goto audit_exit;
case SECCOMP_RET_KILL:
default:
@@ -926,7 +931,12 @@ static u32 __seccomp_phase1_filter(int this_syscall, struct seccomp_data *sd)
unreachable();
+audit_exit:
+ audit_seccomp_exit(0);
+ return ret;
+
skip:
+ audit_seccomp_exit(1);
audit_seccomp(this_syscall, 0, action);
return SECCOMP_PHASE1_SKIP;
}
@@ -1139,6 +1149,11 @@ static long seccomp_add_checker_group(unsigned int flags, const char __user *gro
unsigned long group_size, kcheckers_size, full_group_size;
long result;
+ /* FIXME: Deny unsecure path evaluation (i.e. without audit_names) for
+ * the entire task life.
+ */
+ if (!current->audit_context)
+ return -EPERM;
if (!task_no_new_privs(current) &&
security_capable_noaudit(current_cred(),
current_user_ns(), CAP_SYS_ADMIN) != 0)
--
2.8.0.rc3
next prev parent reply other threads:[~2016-03-24 2:53 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-24 1:46 [kernel-hardening] [RFC v1 00/17] seccomp-object: From attack surface reduction to sandboxing Mickaël Salaün
2016-03-24 1:46 ` [kernel-hardening] [RFC v1 01/17] um: Export the sys_call_table Mickaël Salaün
2016-03-24 1:46 ` [kernel-hardening] [RFC v1 02/17] seccomp: Fix typo Mickaël Salaün
2016-03-24 1:46 ` [kernel-hardening] [RFC v1 03/17] selftest/seccomp: Fix the flag name SECCOMP_FILTER_FLAG_TSYNC Mickaël Salaün
2016-03-24 4:35 ` [kernel-hardening] " Kees Cook
2016-03-29 15:35 ` Shuah Khan
2016-03-29 18:46 ` [kernel-hardening] [PATCH 1/2] " Mickaël Salaün
2016-03-29 19:06 ` [kernel-hardening] " Shuah Khan
2016-03-24 1:46 ` [kernel-hardening] [RFC v1 04/17] selftest/seccomp: Fix the seccomp(2) signature Mickaël Salaün
2016-03-24 4:36 ` [kernel-hardening] " Kees Cook
2016-03-29 15:38 ` Shuah Khan
2016-03-29 18:51 ` [kernel-hardening] [PATCH 2/2] " Mickaël Salaün
2016-03-29 19:07 ` [kernel-hardening] " Shuah Khan
2016-03-24 1:46 ` [kernel-hardening] [RFC v1 05/17] security/seccomp: Add LSM and create arrays of syscall metadata Mickaël Salaün
2016-03-24 15:47 ` [kernel-hardening] " Casey Schaufler
2016-03-24 16:01 ` Casey Schaufler
2016-03-24 21:31 ` Mickaël Salaün
2016-03-24 1:46 ` [kernel-hardening] [RFC v1 06/17] seccomp: Add the SECCOMP_ADD_CHECKER_GROUP command Mickaël Salaün
2016-03-24 1:46 ` [kernel-hardening] [RFC v1 07/17] seccomp: Add seccomp object checker evaluation Mickaël Salaün
2016-03-24 1:46 ` [kernel-hardening] [RFC v1 08/17] selftest/seccomp: Remove unknown_ret_is_kill_above_allow test Mickaël Salaün
2016-03-24 2:53 ` [kernel-hardening] [RFC v1 09/17] selftest/seccomp: Extend seccomp_data until matches[6] Mickaël Salaün
2016-03-24 2:53 ` [kernel-hardening] [RFC v1 10/17] selftest/seccomp: Add field_is_valid_syscall test Mickaël Salaün
2016-03-24 2:53 ` [kernel-hardening] [RFC v1 11/17] selftest/seccomp: Add argeval_open_whitelist test Mickaël Salaün
2016-03-24 2:53 ` Mickaël Salaün [this message]
2016-03-24 2:53 ` [kernel-hardening] [RFC v1 13/17] selftest/seccomp: Rename TRACE_poke to TRACE_poke_sys_read Mickaël Salaün
2016-03-24 2:53 ` [kernel-hardening] [RFC v1 14/17] selftest/seccomp: Make tracer_poke() more generic Mickaël Salaün
2016-03-24 2:54 ` [kernel-hardening] [RFC v1 15/17] selftest/seccomp: Add argeval_toctou_argument test Mickaël Salaün
2016-03-24 2:54 ` [kernel-hardening] [RFC v1 16/17] security/seccomp: Protect against filesystem TOCTOU Mickaël Salaün
2016-03-24 2:54 ` [kernel-hardening] [RFC v1 17/17] selftest/seccomp: Add argeval_toctou_filesystem test Mickaël Salaün
2016-03-24 16:24 ` [kernel-hardening] Re: [RFC v1 00/17] seccomp-object: From attack surface reduction to sandboxing Kees Cook
2016-03-27 5:03 ` Loganaden Velvindron
2016-04-20 18:21 ` Mickaël Salaün
2016-04-26 22:46 ` Kees Cook
2016-04-28 2:36 ` Kees Cook
2016-04-28 23:45 ` Mickaël Salaün
2016-05-21 12:58 ` Mickaël Salaün
2016-05-02 22:19 ` James Morris
2016-05-21 15:19 ` Daniel Borkmann
2016-05-22 21:30 ` Mickaël Salaün
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1458788042-26173-4-git-send-email-mic@digikod.net \
--to=mic@digikod.net \
--cc=agruenba@redhat.com \
--cc=arnd@arndb.de \
--cc=casey@schaufler-ca.com \
--cc=daniel@iogearbox.net \
--cc=drysdale@google.com \
--cc=eparis@redhat.com \
--cc=james.l.morris@oracle.com \
--cc=jdike@addtoit.com \
--cc=jln@google.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=luto@kernel.org \
--cc=mtk@man7.org \
--cc=penguin-kernel@I-love.SAKURA.ne.jp \
--cc=pmoore@redhat.com \
--cc=richard@nod.at \
--cc=sds@tycho.nsa.gov \
--cc=serge@hallyn.com \
--cc=wad@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).