From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-3.9 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id CFF83C28CBC for ; Sat, 9 May 2020 14:56:39 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id AD7E9208E4 for ; Sat, 9 May 2020 14:56:39 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="Ix6qR2sP" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728188AbgEIO4i (ORCPT ); Sat, 9 May 2020 10:56:38 -0400 Received: from us-smtp-1.mimecast.com ([207.211.31.81]:45624 "EHLO us-smtp-delivery-1.mimecast.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1728115AbgEIO4i (ORCPT ); Sat, 9 May 2020 10:56:38 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1589036196; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=biBEh2xyG7QOz0vWY4fM+UdTv5nwnU3LRB3gcCSBxrI=; b=Ix6qR2sPtCcFcyzRvtTh50vlUGA8puaT9k9Xn7Opv4WQc8jA6/aIXEP9OMr2j3BRpdMBS+ 7/d85EqKErBCxuTVbUAfL4+UpzzanLLGt2l+865PEfknnHJ85zGuY1tHRHnIw18DLeUakM lRMy9s3+8P1uq0FvZDJzN7irbhwtFdE= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-221-MPQ1STaMOfSNwr8bvkqY-A-1; Sat, 09 May 2020 10:56:32 -0400 X-MC-Unique: MPQ1STaMOfSNwr8bvkqY-A-1 Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 08901800D24; Sat, 9 May 2020 14:56:30 +0000 (UTC) Received: from x1-fbsd (unknown [10.3.128.4]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 3CA879323; Sat, 9 May 2020 14:56:16 +0000 (UTC) Date: Sat, 9 May 2020 10:56:14 -0400 From: Rafael Aquini To: Luis Chamberlain Cc: Tso Ted , Adrian Bunk , Linus Torvalds , Greg Kroah-Hartman , Laura Abbott , Jeff Mahoney , Jiri Kosina , Jessica Yu , Takashi Iwai , Ann Davis , Richard Palethorpe , linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, kexec@lists.infradead.org, linux-fsdevel@vger.kernel.org, dyoung@redhat.com, bhe@redhat.com, corbet@lwn.net, keescook@chromium.org, akpm@linux-foundation.org, cai@lca.pw, rdunlap@infradead.org Subject: Re: [PATCH v2] kernel: add panic_on_taint Message-ID: <20200509145614.GA6704@x1-fbsd> References: <20200507180631.308441-1-aquini@redhat.com> <20200507182257.GX11244@42.do-not-panic.com> <20200507184307.GF205881@optiplex-lnx> <20200507184705.GG205881@optiplex-lnx> <20200507203340.GZ11244@42.do-not-panic.com> <20200507220606.GK205881@optiplex-lnx> <20200507222558.GA11244@42.do-not-panic.com> <20200508124719.GB367616@optiplex-lnx> <20200509034854.GI11244@42.do-not-panic.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200509034854.GI11244@42.do-not-panic.com> X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, May 09, 2020 at 03:48:54AM +0000, Luis Chamberlain wrote: > On Fri, May 08, 2020 at 08:47:19AM -0400, Rafael Aquini wrote: > > On Thu, May 07, 2020 at 10:25:58PM +0000, Luis Chamberlain wrote: > > > On Thu, May 07, 2020 at 06:06:06PM -0400, Rafael Aquini wrote: > > > > On Thu, May 07, 2020 at 08:33:40PM +0000, Luis Chamberlain wrote: > > > > > I *think* that a cmdline route to enable this would likely remove the > > > > > need for the kernel config for this. But even with Vlastimil's work > > > > > merged, I think we'd want yet-another value to enable / disable this > > > > > feature. Do we need yet-another-taint flag to tell us that this feature > > > > > was enabled? > > > > > > > > > > > > > I guess it makes sense to get rid of the sysctl interface for > > > > proc_on_taint, and only keep it as a cmdline option. > > > > > > That would be easier to support and k3eps this simple. > > > > > > > But the real issue seems to be, regardless we go with a cmdline-only option > > > > or not, the ability of proc_taint() to set any arbitrary taint flag > > > > other than just marking the kernel with TAINT_USER. > > > > > > I think we would have no other option but to add a new TAINT flag so > > > that we know that the taint flag was modified by a user. Perhaps just > > > re-using TAINT_USER when proc_taint() would suffice. > > > > > > > We might not need an extra taint flag if, perhaps, we could make these > > two features mutually exclusive. The idea here is that bitmasks added > > via panic_on_taint get filtered out in proc_taint(), so a malicious > > user couldn't exploit the latter interface to easily panic the system, > > when the first one is also in use. > > I get it, however I I can still see the person who enables enabling > panic-on-tain wanting to know if proc_taint() was used. So even if > it was not on their mask, if it was modified that seems like important > information for a bug report analysis. > For that purpose (tracking user taints) I think sth between these lines would work: diff --git a/kernel/sysctl.c b/kernel/sysctl.c index 8a176d8727a3..651a82c13621 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -2602,6 +2602,9 @@ int proc_douintvec(struct ctl_table *table, int write, do_proc_douintvec_conv, NULL); } +/* track which taint bits were set by the user */ +static unsigned long user_tainted; + /* * Taint values can only be increased * This means we can safely use a temporary. @@ -2629,11 +2632,20 @@ static int proc_taint(struct ctl_table *table, int write, */ int i; for (i = 0; i < BITS_PER_LONG && tmptaint >> i; i++) { - if ((tmptaint >> i) & 1) + if ((tmptaint >> i) & 1) { + set_bit(i, &user_tainted); add_taint(i, LOCKDEP_STILL_OK); + } } } + /* + * Users with SYS_ADMIN capability can fiddle with any arbitrary + * taint flag through this interface. + * If that's the case, we also need to mark the kernel "tainted by user" + */ + add_taint(TAINT_USER, LOCKDEP_STILL_OK); + return err; } I don't think, though, it's panic_on_taint work to track that. I posted a v3 for this feature with a way to select if one wants to avoid user forced taints triggering panic() for flags also set for panic_on_taint. Cheers, -- Rafael From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: Received: from us-smtp-2.mimecast.com ([207.211.31.81] helo=us-smtp-delivery-1.mimecast.com) by bombadil.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1jXQu6-0007ol-0D for kexec@lists.infradead.org; Sat, 09 May 2020 14:56:39 +0000 Date: Sat, 9 May 2020 10:56:14 -0400 From: Rafael Aquini Subject: Re: [PATCH v2] kernel: add panic_on_taint Message-ID: <20200509145614.GA6704@x1-fbsd> References: <20200507180631.308441-1-aquini@redhat.com> <20200507182257.GX11244@42.do-not-panic.com> <20200507184307.GF205881@optiplex-lnx> <20200507184705.GG205881@optiplex-lnx> <20200507203340.GZ11244@42.do-not-panic.com> <20200507220606.GK205881@optiplex-lnx> <20200507222558.GA11244@42.do-not-panic.com> <20200508124719.GB367616@optiplex-lnx> <20200509034854.GI11244@42.do-not-panic.com> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <20200509034854.GI11244@42.do-not-panic.com> List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "kexec" Errors-To: kexec-bounces+dwmw2=infradead.org@lists.infradead.org To: Luis Chamberlain Cc: linux-doc@vger.kernel.org, Takashi Iwai , Jeff Mahoney , bhe@redhat.com, corbet@lwn.net, Laura Abbott , dyoung@redhat.com, Ann Davis , Richard Palethorpe , keescook@chromium.org, Jiri Kosina , cai@lca.pw, Adrian Bunk , Tso Ted , Jessica Yu , Greg Kroah-Hartman , rdunlap@infradead.org, kexec@lists.infradead.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, akpm@linux-foundation.org, Linus Torvalds On Sat, May 09, 2020 at 03:48:54AM +0000, Luis Chamberlain wrote: > On Fri, May 08, 2020 at 08:47:19AM -0400, Rafael Aquini wrote: > > On Thu, May 07, 2020 at 10:25:58PM +0000, Luis Chamberlain wrote: > > > On Thu, May 07, 2020 at 06:06:06PM -0400, Rafael Aquini wrote: > > > > On Thu, May 07, 2020 at 08:33:40PM +0000, Luis Chamberlain wrote: > > > > > I *think* that a cmdline route to enable this would likely remove the > > > > > need for the kernel config for this. But even with Vlastimil's work > > > > > merged, I think we'd want yet-another value to enable / disable this > > > > > feature. Do we need yet-another-taint flag to tell us that this feature > > > > > was enabled? > > > > > > > > > > > > > I guess it makes sense to get rid of the sysctl interface for > > > > proc_on_taint, and only keep it as a cmdline option. > > > > > > That would be easier to support and k3eps this simple. > > > > > > > But the real issue seems to be, regardless we go with a cmdline-only option > > > > or not, the ability of proc_taint() to set any arbitrary taint flag > > > > other than just marking the kernel with TAINT_USER. > > > > > > I think we would have no other option but to add a new TAINT flag so > > > that we know that the taint flag was modified by a user. Perhaps just > > > re-using TAINT_USER when proc_taint() would suffice. > > > > > > > We might not need an extra taint flag if, perhaps, we could make these > > two features mutually exclusive. The idea here is that bitmasks added > > via panic_on_taint get filtered out in proc_taint(), so a malicious > > user couldn't exploit the latter interface to easily panic the system, > > when the first one is also in use. > > I get it, however I I can still see the person who enables enabling > panic-on-tain wanting to know if proc_taint() was used. So even if > it was not on their mask, if it was modified that seems like important > information for a bug report analysis. > For that purpose (tracking user taints) I think sth between these lines would work: diff --git a/kernel/sysctl.c b/kernel/sysctl.c index 8a176d8727a3..651a82c13621 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -2602,6 +2602,9 @@ int proc_douintvec(struct ctl_table *table, int write, do_proc_douintvec_conv, NULL); } +/* track which taint bits were set by the user */ +static unsigned long user_tainted; + /* * Taint values can only be increased * This means we can safely use a temporary. @@ -2629,11 +2632,20 @@ static int proc_taint(struct ctl_table *table, int write, */ int i; for (i = 0; i < BITS_PER_LONG && tmptaint >> i; i++) { - if ((tmptaint >> i) & 1) + if ((tmptaint >> i) & 1) { + set_bit(i, &user_tainted); add_taint(i, LOCKDEP_STILL_OK); + } } } + /* + * Users with SYS_ADMIN capability can fiddle with any arbitrary + * taint flag through this interface. + * If that's the case, we also need to mark the kernel "tainted by user" + */ + add_taint(TAINT_USER, LOCKDEP_STILL_OK); + return err; } I don't think, though, it's panic_on_taint work to track that. I posted a v3 for this feature with a way to select if one wants to avoid user forced taints triggering panic() for flags also set for panic_on_taint. Cheers, -- Rafael _______________________________________________ kexec mailing list kexec@lists.infradead.org http://lists.infradead.org/mailman/listinfo/kexec