On 5/28/21 9:09 AM, Daniel Borkmann wrote: > On 5/28/21 3:37 AM, Paul Moore wrote: >> On Mon, May 17, 2021 at 5:22 AM Ondrej Mosnacek wrote: >>> >>> Commit 59438b46471a ("security,lockdown,selinux: implement SELinux >>> lockdown") added an implementation of the locked_down LSM hook to >>> SELinux, with the aim to restrict which domains are allowed to perform >>> operations that would breach lockdown. >>> >>> However, in several places the security_locked_down() hook is called in >>> situations where the current task isn't doing any action that would >>> directly breach lockdown, leading to SELinux checks that are basically >>> bogus. >>> >>> Since in most of these situations converting the callers such that >>> security_locked_down() is called in a context where the current task >>> would be meaningful for SELinux is impossible or very non-trivial (and >>> could lead to TOCTOU issues for the classic Lockdown LSM >>> implementation), fix this by modifying the hook to accept a struct cred >>> pointer as argument, where NULL will be interpreted as a request for a >>> "global", task-independent lockdown decision only. Then modify SELinux >>> to ignore calls with cred == NULL. >> >> I'm not overly excited about skipping the access check when cred is >> NULL.  Based on the description and the little bit that I've dug into >> thus far it looks like using SECINITSID_KERNEL as the subject would be >> much more appropriate.  *Something* (the kernel in most of the >> relevant cases it looks like) is requesting that a potentially >> sensitive disclosure be made, and ignoring it seems like the wrong >> thing to do.  Leaving the access control intact also provides a nice >> avenue to audit these requests should users want to do that. > > I think the rationale/workaround for ignoring calls with cred == NULL (or the previous > patch with the unimplemented hook) from Ondrej was two-fold, at least speaking for his > seen tracing cases: > >   i) The audit events that are triggered due to calls to security_locked_down() >      can OOM kill a machine, see below details [0]. > >  ii) It seems to be causing a deadlock via slow_avc_audit() -> audit_log_end() >      when presumingly trying to wake up kauditd [1]. Ondrej / Paul / Jiri: at least for the BPF tracing case specifically (I haven't looked at the rest but it's also kind of independent), the attached fix should address both reported issues, please take a look & test. Thanks a lot, Daniel