From: Kees Cook <keescook@chromium.org>
To: "Luis R. Rodriguez" <mcgrof@kernel.org>
Cc: Alexei Starovoitov <ast@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Daniel Borkmann <daniel@iogearbox.net>,
Linus Torvalds <torvalds@linux-foundation.org>,
Greg KH <gregkh@linuxfoundation.org>,
Andy Lutomirski <luto@amacapital.net>,
Network Development <netdev@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
kernel-team <kernel-team@fb.com>,
Al Viro <viro@zeniv.linux.org.uk>,
David Howells <dhowells@redhat.com>,
Mimi Zohar <zohar@linux.vnet.ibm.com>,
Andrew Morton <akpm@linux-foundation.org>,
Dominik Brodowski <linux@dominikbrodowski.net>,
Hugh Dickins <hughd@google.com>,
Jani Nikula <jani.nikula@linux.intel.com>,
Joonas Lahtinen <joonas.lahtinen@linux.intel.com>,
Rodrigo Vivi <rodrigo.vivi@intel.com>,
David Airlie <airlied@linux.ie>,
"Rafael J. Wysocki" <rjw@rjwysocki.net>,
Linux FS Devel <linux-fsdevel@vger.kernel.org>,
Peter Jones <pjones@redhat.com>,
Matthew Garrett <mjg59@google.com>,
linux-security-module <linux-security-module@vger.kernel.org>,
linux-integrity <linux-integrity@vger.kernel.org>,
Jessica Yu <jeyu@kernel.org>
Subject: Re: [PATCH v2 net-next 1/4] umh: introduce fork_usermode_blob() helper
Date: Thu, 10 May 2018 15:27:24 -0700 [thread overview]
Message-ID: <CAGXu5j+1p5ccFBjcKa3FDR4cQnbQn3cokbbhrwizoUyAAqFSTQ@mail.gmail.com> (raw)
In-Reply-To: <20180504195642.GB12838@wotan.suse.de>
On Fri, May 4, 2018 at 12:56 PM, Luis R. Rodriguez <mcgrof@kernel.org> wrote:
> What a mighty short list of reviewers. Adding some more. My review below.
> I'd appreciate a Cc on future versions of these patches.
Me too, please. And likely linux-security-module@ and Jessica too.
> On Wed, May 02, 2018 at 09:36:01PM -0700, Alexei Starovoitov wrote:
>> Introduce helper:
>> int fork_usermode_blob(void *data, size_t len, struct umh_info *info);
>> struct umh_info {
>> struct file *pipe_to_umh;
>> struct file *pipe_from_umh;
>> pid_t pid;
>> };
>>
>> that GPLed kernel modules (signed or unsigned) can use it to execute part
>> of its own data as swappable user mode process.
>>
>> The kernel will do:
>> - mount "tmpfs"
>> - allocate a unique file in tmpfs
>> - populate that file with [data, data + len] bytes
>> - user-mode-helper code will do_execve that file and, before the process
>> starts, the kernel will create two unix pipes for bidirectional
>> communication between kernel module and umh
>> - close tmpfs file, effectively deleting it
>> - the fork_usermode_blob will return zero on success and populate
>> 'struct umh_info' with two unix pipes and the pid of the user process
I'm trying to think how LSMs can successfully reason about the
resulting exec(). In the past, we've replaced "blob" style interfaces
with file-based interfaces (e.g. init_module() -> finit_module(),
kexec_load() -> kexec_file_load()) to better let the kernel understand
the origin of executable content. Here the intent is fine: we're
getting the exec from an already-loaded module, etc, etc. I'm trying
to think specifically about the interface.
How can the ultimate exec get tied back to the kernel module in a way
that the LSM can query? Right now the hooks hit during exec are:
kernel_read_file() and kernel_post_read_file() of tmpfs file,
bprm_set_creds(), bprm_check(), bprm_commiting_creds(),
bprm_commited_creds(). It seems silly to me for an LSM to perform
these checks at all since I would expect the _meaningful_ check to be
finit_module() of the module itself. Having a way for an LSM to know
the exec is tied to a kernel module would let them skip the nonsense
checks.
Since the process for doing the usermode_blob is defined by the kernel
module build/link/objcopy process, could we tighten the
fork_usermode_blob() interface to point to the kernel module itself,
rather than leaving it an open-ended "blob" interface? Given our
history of needing to replace blob interfaces with file interfaces,
I'm cautious to add a new blob interface. Maybe just pull all the
blob-finding/loading into the interface, and just make it something
like fork_usermode_kmod(struct module *mod, struct umh_info *info) ?
-Kees
--
Kees Cook
Pixel Security
WARNING: multiple messages have this Message-ID (diff)
From: Kees Cook <keescook@chromium.org>
To: "Luis R. Rodriguez" <mcgrof@kernel.org>
Cc: Alexei Starovoitov <ast@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Daniel Borkmann <daniel@iogearbox.net>,
Linus Torvalds <torvalds@linux-foundation.org>,
Greg KH <gregkh@linuxfoundation.org>,
Andy Lutomirski <luto@amacapital.net>,
Network Development <netdev@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
kernel-team <kernel-team@fb.com>,
Al Viro <viro@zeniv.linux.org.uk>,
David Howells <dhowells@redhat.com>,
Mimi Zohar <zohar@linux.vnet.ibm.com>,
Andrew Morton <akpm@linux-foundation.org>,
Dominik Brodowski <linux@dominikbrodowski.net>,
Hugh Dickins <hughd@google.com>,
Jani Nikula <jani.nikula@linux.intel.com>,
Joonas Lahtinen <joonas.lahtinen@linux.intel.com>,
Rodrigo Vivi <rodrigo.vivi@intel.com>,
David Airlie <airlied@li
Subject: Re: [PATCH v2 net-next 1/4] umh: introduce fork_usermode_blob() helper
Date: Thu, 10 May 2018 15:27:24 -0700 [thread overview]
Message-ID: <CAGXu5j+1p5ccFBjcKa3FDR4cQnbQn3cokbbhrwizoUyAAqFSTQ@mail.gmail.com> (raw)
In-Reply-To: <20180504195642.GB12838@wotan.suse.de>
On Fri, May 4, 2018 at 12:56 PM, Luis R. Rodriguez <mcgrof@kernel.org> wrote:
> What a mighty short list of reviewers. Adding some more. My review below.
> I'd appreciate a Cc on future versions of these patches.
Me too, please. And likely linux-security-module@ and Jessica too.
> On Wed, May 02, 2018 at 09:36:01PM -0700, Alexei Starovoitov wrote:
>> Introduce helper:
>> int fork_usermode_blob(void *data, size_t len, struct umh_info *info);
>> struct umh_info {
>> struct file *pipe_to_umh;
>> struct file *pipe_from_umh;
>> pid_t pid;
>> };
>>
>> that GPLed kernel modules (signed or unsigned) can use it to execute part
>> of its own data as swappable user mode process.
>>
>> The kernel will do:
>> - mount "tmpfs"
>> - allocate a unique file in tmpfs
>> - populate that file with [data, data + len] bytes
>> - user-mode-helper code will do_execve that file and, before the process
>> starts, the kernel will create two unix pipes for bidirectional
>> communication between kernel module and umh
>> - close tmpfs file, effectively deleting it
>> - the fork_usermode_blob will return zero on success and populate
>> 'struct umh_info' with two unix pipes and the pid of the user process
I'm trying to think how LSMs can successfully reason about the
resulting exec(). In the past, we've replaced "blob" style interfaces
with file-based interfaces (e.g. init_module() -> finit_module(),
kexec_load() -> kexec_file_load()) to better let the kernel understand
the origin of executable content. Here the intent is fine: we're
getting the exec from an already-loaded module, etc, etc. I'm trying
to think specifically about the interface.
How can the ultimate exec get tied back to the kernel module in a way
that the LSM can query? Right now the hooks hit during exec are:
kernel_read_file() and kernel_post_read_file() of tmpfs file,
bprm_set_creds(), bprm_check(), bprm_commiting_creds(),
bprm_commited_creds(). It seems silly to me for an LSM to perform
these checks at all since I would expect the _meaningful_ check to be
finit_module() of the module itself. Having a way for an LSM to know
the exec is tied to a kernel module would let them skip the nonsense
checks.
Since the process for doing the usermode_blob is defined by the kernel
module build/link/objcopy process, could we tighten the
fork_usermode_blob() interface to point to the kernel module itself,
rather than leaving it an open-ended "blob" interface? Given our
history of needing to replace blob interfaces with file interfaces,
I'm cautious to add a new blob interface. Maybe just pull all the
blob-finding/loading into the interface, and just make it something
like fork_usermode_kmod(struct module *mod, struct umh_info *info) ?
-Kees
--
Kees Cook
Pixel Security
WARNING: multiple messages have this Message-ID (diff)
From: keescook@chromium.org (Kees Cook)
To: linux-security-module@vger.kernel.org
Subject: [PATCH v2 net-next 1/4] umh: introduce fork_usermode_blob() helper
Date: Thu, 10 May 2018 15:27:24 -0700 [thread overview]
Message-ID: <CAGXu5j+1p5ccFBjcKa3FDR4cQnbQn3cokbbhrwizoUyAAqFSTQ@mail.gmail.com> (raw)
In-Reply-To: <20180504195642.GB12838@wotan.suse.de>
On Fri, May 4, 2018 at 12:56 PM, Luis R. Rodriguez <mcgrof@kernel.org> wrote:
> What a mighty short list of reviewers. Adding some more. My review below.
> I'd appreciate a Cc on future versions of these patches.
Me too, please. And likely linux-security-module@ and Jessica too.
> On Wed, May 02, 2018 at 09:36:01PM -0700, Alexei Starovoitov wrote:
>> Introduce helper:
>> int fork_usermode_blob(void *data, size_t len, struct umh_info *info);
>> struct umh_info {
>> struct file *pipe_to_umh;
>> struct file *pipe_from_umh;
>> pid_t pid;
>> };
>>
>> that GPLed kernel modules (signed or unsigned) can use it to execute part
>> of its own data as swappable user mode process.
>>
>> The kernel will do:
>> - mount "tmpfs"
>> - allocate a unique file in tmpfs
>> - populate that file with [data, data + len] bytes
>> - user-mode-helper code will do_execve that file and, before the process
>> starts, the kernel will create two unix pipes for bidirectional
>> communication between kernel module and umh
>> - close tmpfs file, effectively deleting it
>> - the fork_usermode_blob will return zero on success and populate
>> 'struct umh_info' with two unix pipes and the pid of the user process
I'm trying to think how LSMs can successfully reason about the
resulting exec(). In the past, we've replaced "blob" style interfaces
with file-based interfaces (e.g. init_module() -> finit_module(),
kexec_load() -> kexec_file_load()) to better let the kernel understand
the origin of executable content. Here the intent is fine: we're
getting the exec from an already-loaded module, etc, etc. I'm trying
to think specifically about the interface.
How can the ultimate exec get tied back to the kernel module in a way
that the LSM can query? Right now the hooks hit during exec are:
kernel_read_file() and kernel_post_read_file() of tmpfs file,
bprm_set_creds(), bprm_check(), bprm_commiting_creds(),
bprm_commited_creds(). It seems silly to me for an LSM to perform
these checks at all since I would expect the _meaningful_ check to be
finit_module() of the module itself. Having a way for an LSM to know
the exec is tied to a kernel module would let them skip the nonsense
checks.
Since the process for doing the usermode_blob is defined by the kernel
module build/link/objcopy process, could we tighten the
fork_usermode_blob() interface to point to the kernel module itself,
rather than leaving it an open-ended "blob" interface? Given our
history of needing to replace blob interfaces with file interfaces,
I'm cautious to add a new blob interface. Maybe just pull all the
blob-finding/loading into the interface, and just make it something
like fork_usermode_kmod(struct module *mod, struct umh_info *info) ?
-Kees
--
Kees Cook
Pixel Security
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2018-05-10 22:27 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-03 4:36 [PATCH v2 net-next 0/4] bpfilter Alexei Starovoitov
2018-05-03 4:36 ` [PATCH v2 net-next 1/4] umh: introduce fork_usermode_blob() helper Alexei Starovoitov
2018-05-04 19:56 ` Luis R. Rodriguez
2018-05-04 19:56 ` Luis R. Rodriguez
2018-05-04 19:56 ` Luis R. Rodriguez
2018-05-05 1:37 ` Alexei Starovoitov
2018-05-05 1:37 ` Alexei Starovoitov
2018-05-05 1:37 ` Alexei Starovoitov
2018-05-07 18:39 ` Luis R. Rodriguez
2018-05-07 18:39 ` Luis R. Rodriguez
2018-05-07 18:39 ` Luis R. Rodriguez
2018-05-09 2:25 ` Alexei Starovoitov
2018-05-09 2:25 ` Alexei Starovoitov
2018-05-09 2:25 ` Alexei Starovoitov
2018-05-10 22:27 ` Kees Cook [this message]
2018-05-10 22:27 ` Kees Cook
2018-05-10 22:27 ` Kees Cook
2018-05-10 23:16 ` Alexei Starovoitov
2018-05-10 23:16 ` Alexei Starovoitov
2018-05-10 23:16 ` Alexei Starovoitov
2018-05-05 4:48 ` Jann Horn
2018-05-05 16:24 ` Alexei Starovoitov
2018-05-03 4:36 ` [PATCH v2 net-next 2/4] net: add skeleton of bpfilter kernel module Alexei Starovoitov
2018-05-03 14:23 ` Edward Cree
2018-05-05 1:00 ` Alexei Starovoitov
2018-05-07 15:24 ` Harald Welte
2018-05-07 15:50 ` David Miller
2018-05-07 18:51 ` Luis R. Rodriguez
2018-05-07 18:51 ` Luis R. Rodriguez
2018-05-07 18:51 ` Luis R. Rodriguez
2018-05-09 2:29 ` Alexei Starovoitov
2018-05-09 2:29 ` Alexei Starovoitov
2018-05-09 2:29 ` Alexei Starovoitov
2018-05-03 4:36 ` [PATCH RFC v2 net-next 3/4] bpfilter: add iptable get/set parsing Alexei Starovoitov
2018-05-03 4:36 ` [PATCH RFC v2 net-next 4/4] bpfilter: rough bpfilter codegen example hack Alexei Starovoitov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAGXu5j+1p5ccFBjcKa3FDR4cQnbQn3cokbbhrwizoUyAAqFSTQ@mail.gmail.com \
--to=keescook@chromium.org \
--cc=airlied@linux.ie \
--cc=akpm@linux-foundation.org \
--cc=ast@kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=gregkh@linuxfoundation.org \
--cc=hughd@google.com \
--cc=jani.nikula@linux.intel.com \
--cc=jeyu@kernel.org \
--cc=joonas.lahtinen@linux.intel.com \
--cc=kernel-team@fb.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux@dominikbrodowski.net \
--cc=luto@amacapital.net \
--cc=mcgrof@kernel.org \
--cc=mjg59@google.com \
--cc=netdev@vger.kernel.org \
--cc=pjones@redhat.com \
--cc=rjw@rjwysocki.net \
--cc=rodrigo.vivi@intel.com \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.