From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8FD1DC4332F for ; Thu, 16 Sep 2021 02:59:39 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 730BC61186 for ; Thu, 16 Sep 2021 02:59:39 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233847AbhIPDA6 (ORCPT ); Wed, 15 Sep 2021 23:00:58 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60770 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234053AbhIPDA5 (ORCPT ); Wed, 15 Sep 2021 23:00:57 -0400 Received: from mail-ed1-x531.google.com (mail-ed1-x531.google.com [IPv6:2a00:1450:4864:20::531]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id F295CC0613CF for ; Wed, 15 Sep 2021 19:59:36 -0700 (PDT) Received: by mail-ed1-x531.google.com with SMTP id v5so11003117edc.2 for ; Wed, 15 Sep 2021 19:59:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=bK17SO3X70z4YqfpudbGkJpUfQn3wXsVxii6aCrF/hI=; b=EyxUWdCtuNTuayC9lkcXPgWleZ8bHcRF7PdMazQqlX+DjN9DeK/P5kGPXL3QuXc4XW kCgGjVmBNRQnk+BE9t74LsnVFUsl79l/tR744ZWrHrY1q1f8UXZIfqGeNr9nIVh/Q8XZ dWMhuOOQvK/PO5kIKb7pDZQmaBTkjQ3/i/zTAK5Zm+2YJjLZG5lfLuc2ORkyvnY34dye Xj+oZOtcMXWk5RLjnJN9KnknPwThumRU8WZHr0gufgDmlXKMMBoCNzRhyy4O28ek49cR P8hMd3liqmlSRporSijNz40h8Nv8X4Chbv8pQaKssVolCWCDl8dX0L29zoZoTm+1Zjjd Qr2Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=bK17SO3X70z4YqfpudbGkJpUfQn3wXsVxii6aCrF/hI=; b=2cbuMqlMn7Og+mW3/IUOE3YqpK3KskUTC0yYZhcGrAIQNKTQxOD8NP+NxhVHUsigYi Gxy27rBuqmQv+y6ir1MZIMAOKgG4MIEEv+7WzugiETOj31dCCOk4Mz7eVbfRoLnnZC3n fBcvTFsXGvNnBUxVUuNavj1ox8Tu9lKU3VzibssyQCQf0paBtEL1FlpkTcpO8DKmV+qY Q3bo1+4IQl2T15GInnIMwTbXh3ECJzWJXGVr57FF5LBtqXWoLBBd4jB/rMoBvAgFAJGo cio6mi+UCzquzpubQFDj9t1x2bWCCcvJGZ8NTIPB504mRrOqsWOIVzoGFYpfgRwMR7L6 AqEQ== X-Gm-Message-State: AOAM533IhvA2SLjtzUxqWZ5tKQUMCLW3ls7UkxpX7l/9kdgSfPjoB3vD h0iry5HgOvBiAFZBYcVug/z42WiDVr591Z9hAbsl X-Google-Smtp-Source: ABdhPJxYzI63Wh7B932JufxmCVl5MRmcZoWxKUOX5ts9dsculQ1nMB73xM3IEM0/sD5sdM0oPHDUFMQFvAvBgYyICR4= X-Received: by 2002:a17:907:76e7:: with SMTP id kg7mr3719013ejc.344.1631761175250; Wed, 15 Sep 2021 19:59:35 -0700 (PDT) MIME-Version: 1.0 References: <20210913140229.24797-1-omosnace@redhat.com> In-Reply-To: From: Paul Moore Date: Wed, 15 Sep 2021 22:59:23 -0400 Message-ID: Subject: Re: [PATCH v4] lockdown,selinux: fix wrong subject in some SELinux lockdown checks To: Ondrej Mosnacek Cc: linux-security-module@vger.kernel.org, James Morris , Steven Rostedt , Ingo Molnar , Steffen Klassert , Herbert Xu , "David S . Miller" , Stephen Smalley , selinux@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, x86@kernel.org, linux-acpi@vger.kernel.org, linux-cxl@vger.kernel.org, linux-efi@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-pci@vger.kernel.org, linux-pm@vger.kernel.org, linux-serial@vger.kernel.org, bpf@vger.kernel.org, netdev@vger.kernel.org, kexec@lists.infradead.org, linux-kernel@vger.kernel.org, Casey Schaufler , Dan Williams Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-acpi@vger.kernel.org On Mon, Sep 13, 2021 at 5:05 PM Paul Moore wrote: > > On Mon, Sep 13, 2021 at 10:02 AM Ondrej Mosnacek wrote: > > > > Commit 59438b46471a ("security,lockdown,selinux: implement SELinux > > lockdown") added an implementation of the locked_down LSM hook to > > SELinux, with the aim to restrict which domains are allowed to perform > > operations that would breach lockdown. > > > > However, in several places the security_locked_down() hook is called in > > situations where the current task isn't doing any action that would > > directly breach lockdown, leading to SELinux checks that are basically > > bogus. > > > > To fix this, add an explicit struct cred pointer argument to > > security_lockdown() and define NULL as a special value to pass instead > > of current_cred() in such situations. LSMs that take the subject > > credentials into account can then fall back to some default or ignore > > such calls altogether. In the SELinux lockdown hook implementation, use > > SECINITSID_KERNEL in case the cred argument is NULL. > > > > Most of the callers are updated to pass current_cred() as the cred > > pointer, thus maintaining the same behavior. The following callers are > > modified to pass NULL as the cred pointer instead: > > 1. arch/powerpc/xmon/xmon.c > > Seems to be some interactive debugging facility. It appears that > > the lockdown hook is called from interrupt context here, so it > > should be more appropriate to request a global lockdown decision. > > 2. fs/tracefs/inode.c:tracefs_create_file() > > Here the call is used to prevent creating new tracefs entries when > > the kernel is locked down. Assumes that locking down is one-way - > > i.e. if the hook returns non-zero once, it will never return zero > > again, thus no point in creating these files. Also, the hook is > > often called by a module's init function when it is loaded by > > userspace, where it doesn't make much sense to do a check against > > the current task's creds, since the task itself doesn't actually > > use the tracing functionality (i.e. doesn't breach lockdown), just > > indirectly makes some new tracepoints available to whoever is > > authorized to use them. > > 3. net/xfrm/xfrm_user.c:copy_to_user_*() > > Here a cryptographic secret is redacted based on the value returned > > from the hook. There are two possible actions that may lead here: > > a) A netlink message XFRM_MSG_GETSA with NLM_F_DUMP set - here the > > task context is relevant, since the dumped data is sent back to > > the current task. > > b) When adding/deleting/updating an SA via XFRM_MSG_xxxSA, the > > dumped SA is broadcasted to tasks subscribed to XFRM events - > > here the current task context is not relevant as it doesn't > > represent the tasks that could potentially see the secret. > > It doesn't seem worth it to try to keep using the current task's > > context in the a) case, since the eventual data leak can be > > circumvented anyway via b), plus there is no way for the task to > > indicate that it doesn't care about the actual key value, so the > > check could generate a lot of "false alert" denials with SELinux. > > Thus, let's pass NULL instead of current_cred() here faute de > > mieux. > > > > Improvements-suggested-by: Casey Schaufler > > Improvements-suggested-by: Paul Moore > > Fixes: 59438b46471a ("security,lockdown,selinux: implement SELinux lockdown") > > Acked-by: Dan Williams [cxl] > > Acked-by: Steffen Klassert [xfrm] > > Signed-off-by: Ondrej Mosnacek > > --- > > > > v4: > > - rebase on top of TODO > > - fix rebase conflicts: > > * drivers/cxl/pci.c > > - trivial: the lockdown reason was corrected in mainline > > * kernel/bpf/helpers.c, kernel/trace/bpf_trace.c > > - trivial: LOCKDOWN_BPF_READ was renamed to LOCKDOWN_BPF_READ_KERNEL > > in mainline > > * kernel/power/hibernate.c > > - trivial: !secretmem_active() was added to the condition in > > hibernation_available() > > - cover new security_locked_down() call in kernel/bpf/helpers.c > > (LOCKDOWN_BPF_WRITE_USER in BPF_FUNC_probe_write_user case) > > > > v3: https://lore.kernel.org/lkml/20210616085118.1141101-1-omosnace@redhat.com/ > > - add the cred argument to security_locked_down() and adapt all callers > > - keep using current_cred() in BPF, as the hook calls have been shifted > > to program load time (commit ff40e51043af ("bpf, lockdown, audit: Fix > > buggy SELinux lockdown permission checks")) > > - in SELinux, don't ignore hook calls where cred == NULL, but use > > SECINITSID_KERNEL as the subject instead > > - update explanations in the commit message > > > > v2: https://lore.kernel.org/lkml/20210517092006.803332-1-omosnace@redhat.com/ > > - change to a single hook based on suggestions by Casey Schaufler > > > > v1: https://lore.kernel.org/lkml/20210507114048.138933-1-omosnace@redhat.com/ > > The changes between v3 and v4 all seem sane to me, but I'm going to > let this sit for a few days in hopes that we can collect a few more > Reviewed-bys and ACKs. If I don't see any objections I'll merge it > mid-week(ish) into selinux/stable-5.15 and plan on sending it to Linus > after it goes through a build/test cycle. Time's up, I just merged this into selinux/stable-5.15 and I'll send this to Linus once it passes testing. -- paul moore www.paul-moore.com From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.6 required=3.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1AD32C433EF for ; Thu, 16 Sep 2021 03:00:26 +0000 (UTC) Received: from lists.ozlabs.org (lists.ozlabs.org [112.213.38.117]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id D63B661178 for ; Thu, 16 Sep 2021 03:00:24 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org D63B661178 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=paul-moore.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=lists.ozlabs.org Received: from boromir.ozlabs.org (localhost [IPv6:::1]) by lists.ozlabs.org (Postfix) with ESMTP id 4H91zV75Zzz3053 for ; Thu, 16 Sep 2021 13:00:22 +1000 (AEST) Authentication-Results: lists.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=paul-moore-com.20150623.gappssmtp.com header.i=@paul-moore-com.20150623.gappssmtp.com header.a=rsa-sha256 header.s=20150623 header.b=EyxUWdCt; dkim-atps=neutral Authentication-Results: lists.ozlabs.org; spf=none (no SPF record) smtp.mailfrom=paul-moore.com (client-ip=2a00:1450:4864:20::52c; helo=mail-ed1-x52c.google.com; envelope-from=paul@paul-moore.com; receiver=) Authentication-Results: lists.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=paul-moore-com.20150623.gappssmtp.com header.i=@paul-moore-com.20150623.gappssmtp.com header.a=rsa-sha256 header.s=20150623 header.b=EyxUWdCt; dkim-atps=neutral Received: from mail-ed1-x52c.google.com (mail-ed1-x52c.google.com [IPv6:2a00:1450:4864:20::52c]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 4H91yl16kjz2xYP for ; Thu, 16 Sep 2021 12:59:41 +1000 (AEST) Received: by mail-ed1-x52c.google.com with SMTP id t6so11071224edi.9 for ; Wed, 15 Sep 2021 19:59:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=bK17SO3X70z4YqfpudbGkJpUfQn3wXsVxii6aCrF/hI=; b=EyxUWdCtuNTuayC9lkcXPgWleZ8bHcRF7PdMazQqlX+DjN9DeK/P5kGPXL3QuXc4XW kCgGjVmBNRQnk+BE9t74LsnVFUsl79l/tR744ZWrHrY1q1f8UXZIfqGeNr9nIVh/Q8XZ dWMhuOOQvK/PO5kIKb7pDZQmaBTkjQ3/i/zTAK5Zm+2YJjLZG5lfLuc2ORkyvnY34dye Xj+oZOtcMXWk5RLjnJN9KnknPwThumRU8WZHr0gufgDmlXKMMBoCNzRhyy4O28ek49cR P8hMd3liqmlSRporSijNz40h8Nv8X4Chbv8pQaKssVolCWCDl8dX0L29zoZoTm+1Zjjd Qr2Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=bK17SO3X70z4YqfpudbGkJpUfQn3wXsVxii6aCrF/hI=; b=Gn67adT9IVNLAWF8nJ6W4XMYqPn+xdCJ7LnQa764+oXnPol2snGmNVhkWjGVrY8OOA X+0KNIeRAhPP0PV/HfLylZnC9Ql4y06kUqUn8kCeYz+F/v+6bBPCfXf7LUJrS5Xi1wLg bHlvwwst9Gpfym8gXFLso0xY084/1+cymOqt5Ctlc+V8xhoiKCvE6TmsloJApy26/9MP y+mPKC2w6bvjNm7tcXuV92c9afYHjOXeBl5oo0iiMHWvQK8dt2ulPiqDwL/tPAeUgiIY 10aBINQVmiTGLdgR/co+mAx4+5OOtmv4edAi0yuDYvlzj3b+Nut+0QNPs1MfMPd6RDeU F3uw== X-Gm-Message-State: AOAM533G0xPzGC9XHR4b/AkAGN/dF2TucPMFtU8ExUN711zWbp1O/5iB lEj0IJnCf0GK33fWQc1hCT9xxN5NaQpYp9rbPWM6 X-Google-Smtp-Source: ABdhPJxYzI63Wh7B932JufxmCVl5MRmcZoWxKUOX5ts9dsculQ1nMB73xM3IEM0/sD5sdM0oPHDUFMQFvAvBgYyICR4= X-Received: by 2002:a17:907:76e7:: with SMTP id kg7mr3719013ejc.344.1631761175250; Wed, 15 Sep 2021 19:59:35 -0700 (PDT) MIME-Version: 1.0 References: <20210913140229.24797-1-omosnace@redhat.com> In-Reply-To: From: Paul Moore Date: Wed, 15 Sep 2021 22:59:23 -0400 Message-ID: Subject: Re: [PATCH v4] lockdown,selinux: fix wrong subject in some SELinux lockdown checks To: Ondrej Mosnacek Content-Type: text/plain; charset="UTF-8" X-BeenThere: linuxppc-dev@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux on PowerPC Developers Mail List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: linux-efi@vger.kernel.org, linux-pci@vger.kernel.org, linux-cxl@vger.kernel.org, Steffen Klassert , Herbert Xu , x86@kernel.org, James Morris , linux-acpi@vger.kernel.org, Ingo Molnar , linux-serial@vger.kernel.org, linux-pm@vger.kernel.org, selinux@vger.kernel.org, Steven Rostedt , Casey Schaufler , Dan Williams , netdev@vger.kernel.org, Stephen Smalley , kexec@lists.infradead.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, bpf@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, "David S . Miller" Errors-To: linuxppc-dev-bounces+linuxppc-dev=archiver.kernel.org@lists.ozlabs.org Sender: "Linuxppc-dev" On Mon, Sep 13, 2021 at 5:05 PM Paul Moore wrote: > > On Mon, Sep 13, 2021 at 10:02 AM Ondrej Mosnacek wrote: > > > > Commit 59438b46471a ("security,lockdown,selinux: implement SELinux > > lockdown") added an implementation of the locked_down LSM hook to > > SELinux, with the aim to restrict which domains are allowed to perform > > operations that would breach lockdown. > > > > However, in several places the security_locked_down() hook is called in > > situations where the current task isn't doing any action that would > > directly breach lockdown, leading to SELinux checks that are basically > > bogus. > > > > To fix this, add an explicit struct cred pointer argument to > > security_lockdown() and define NULL as a special value to pass instead > > of current_cred() in such situations. LSMs that take the subject > > credentials into account can then fall back to some default or ignore > > such calls altogether. In the SELinux lockdown hook implementation, use > > SECINITSID_KERNEL in case the cred argument is NULL. > > > > Most of the callers are updated to pass current_cred() as the cred > > pointer, thus maintaining the same behavior. The following callers are > > modified to pass NULL as the cred pointer instead: > > 1. arch/powerpc/xmon/xmon.c > > Seems to be some interactive debugging facility. It appears that > > the lockdown hook is called from interrupt context here, so it > > should be more appropriate to request a global lockdown decision. > > 2. fs/tracefs/inode.c:tracefs_create_file() > > Here the call is used to prevent creating new tracefs entries when > > the kernel is locked down. Assumes that locking down is one-way - > > i.e. if the hook returns non-zero once, it will never return zero > > again, thus no point in creating these files. Also, the hook is > > often called by a module's init function when it is loaded by > > userspace, where it doesn't make much sense to do a check against > > the current task's creds, since the task itself doesn't actually > > use the tracing functionality (i.e. doesn't breach lockdown), just > > indirectly makes some new tracepoints available to whoever is > > authorized to use them. > > 3. net/xfrm/xfrm_user.c:copy_to_user_*() > > Here a cryptographic secret is redacted based on the value returned > > from the hook. There are two possible actions that may lead here: > > a) A netlink message XFRM_MSG_GETSA with NLM_F_DUMP set - here the > > task context is relevant, since the dumped data is sent back to > > the current task. > > b) When adding/deleting/updating an SA via XFRM_MSG_xxxSA, the > > dumped SA is broadcasted to tasks subscribed to XFRM events - > > here the current task context is not relevant as it doesn't > > represent the tasks that could potentially see the secret. > > It doesn't seem worth it to try to keep using the current task's > > context in the a) case, since the eventual data leak can be > > circumvented anyway via b), plus there is no way for the task to > > indicate that it doesn't care about the actual key value, so the > > check could generate a lot of "false alert" denials with SELinux. > > Thus, let's pass NULL instead of current_cred() here faute de > > mieux. > > > > Improvements-suggested-by: Casey Schaufler > > Improvements-suggested-by: Paul Moore > > Fixes: 59438b46471a ("security,lockdown,selinux: implement SELinux lockdown") > > Acked-by: Dan Williams [cxl] > > Acked-by: Steffen Klassert [xfrm] > > Signed-off-by: Ondrej Mosnacek > > --- > > > > v4: > > - rebase on top of TODO > > - fix rebase conflicts: > > * drivers/cxl/pci.c > > - trivial: the lockdown reason was corrected in mainline > > * kernel/bpf/helpers.c, kernel/trace/bpf_trace.c > > - trivial: LOCKDOWN_BPF_READ was renamed to LOCKDOWN_BPF_READ_KERNEL > > in mainline > > * kernel/power/hibernate.c > > - trivial: !secretmem_active() was added to the condition in > > hibernation_available() > > - cover new security_locked_down() call in kernel/bpf/helpers.c > > (LOCKDOWN_BPF_WRITE_USER in BPF_FUNC_probe_write_user case) > > > > v3: https://lore.kernel.org/lkml/20210616085118.1141101-1-omosnace@redhat.com/ > > - add the cred argument to security_locked_down() and adapt all callers > > - keep using current_cred() in BPF, as the hook calls have been shifted > > to program load time (commit ff40e51043af ("bpf, lockdown, audit: Fix > > buggy SELinux lockdown permission checks")) > > - in SELinux, don't ignore hook calls where cred == NULL, but use > > SECINITSID_KERNEL as the subject instead > > - update explanations in the commit message > > > > v2: https://lore.kernel.org/lkml/20210517092006.803332-1-omosnace@redhat.com/ > > - change to a single hook based on suggestions by Casey Schaufler > > > > v1: https://lore.kernel.org/lkml/20210507114048.138933-1-omosnace@redhat.com/ > > The changes between v3 and v4 all seem sane to me, but I'm going to > let this sit for a few days in hopes that we can collect a few more > Reviewed-bys and ACKs. If I don't see any objections I'll merge it > mid-week(ish) into selinux/stable-5.15 and plan on sending it to Linus > after it goes through a build/test cycle. Time's up, I just merged this into selinux/stable-5.15 and I'll send this to Linus once it passes testing. -- paul moore www.paul-moore.com From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: Received: from mail-ed1-x52e.google.com ([2a00:1450:4864:20::52e]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1mQhcg-00AENA-0O for kexec@lists.infradead.org; Thu, 16 Sep 2021 02:59:40 +0000 Received: by mail-ed1-x52e.google.com with SMTP id n10so10936608eda.10 for ; Wed, 15 Sep 2021 19:59:36 -0700 (PDT) MIME-Version: 1.0 References: <20210913140229.24797-1-omosnace@redhat.com> In-Reply-To: From: Paul Moore Date: Wed, 15 Sep 2021 22:59:23 -0400 Message-ID: Subject: Re: [PATCH v4] lockdown,selinux: fix wrong subject in some SELinux lockdown checks List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "kexec" Errors-To: kexec-bounces+dwmw2=infradead.org@lists.infradead.org To: Ondrej Mosnacek Cc: linux-security-module@vger.kernel.org, James Morris , Steven Rostedt , Ingo Molnar , Steffen Klassert , Herbert Xu , "David S . Miller" , Stephen Smalley , selinux@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, x86@kernel.org, linux-acpi@vger.kernel.org, linux-cxl@vger.kernel.org, linux-efi@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-pci@vger.kernel.org, linux-pm@vger.kernel.org, linux-serial@vger.kernel.org, bpf@vger.kernel.org, netdev@vger.kernel.org, kexec@lists.infradead.org, linux-kernel@vger.kernel.org, Casey Schaufler , Dan Williams On Mon, Sep 13, 2021 at 5:05 PM Paul Moore wrote: > > On Mon, Sep 13, 2021 at 10:02 AM Ondrej Mosnacek wrote: > > > > Commit 59438b46471a ("security,lockdown,selinux: implement SELinux > > lockdown") added an implementation of the locked_down LSM hook to > > SELinux, with the aim to restrict which domains are allowed to perform > > operations that would breach lockdown. > > > > However, in several places the security_locked_down() hook is called in > > situations where the current task isn't doing any action that would > > directly breach lockdown, leading to SELinux checks that are basically > > bogus. > > > > To fix this, add an explicit struct cred pointer argument to > > security_lockdown() and define NULL as a special value to pass instead > > of current_cred() in such situations. LSMs that take the subject > > credentials into account can then fall back to some default or ignore > > such calls altogether. In the SELinux lockdown hook implementation, use > > SECINITSID_KERNEL in case the cred argument is NULL. > > > > Most of the callers are updated to pass current_cred() as the cred > > pointer, thus maintaining the same behavior. The following callers are > > modified to pass NULL as the cred pointer instead: > > 1. arch/powerpc/xmon/xmon.c > > Seems to be some interactive debugging facility. It appears that > > the lockdown hook is called from interrupt context here, so it > > should be more appropriate to request a global lockdown decision. > > 2. fs/tracefs/inode.c:tracefs_create_file() > > Here the call is used to prevent creating new tracefs entries when > > the kernel is locked down. Assumes that locking down is one-way - > > i.e. if the hook returns non-zero once, it will never return zero > > again, thus no point in creating these files. Also, the hook is > > often called by a module's init function when it is loaded by > > userspace, where it doesn't make much sense to do a check against > > the current task's creds, since the task itself doesn't actually > > use the tracing functionality (i.e. doesn't breach lockdown), just > > indirectly makes some new tracepoints available to whoever is > > authorized to use them. > > 3. net/xfrm/xfrm_user.c:copy_to_user_*() > > Here a cryptographic secret is redacted based on the value returned > > from the hook. There are two possible actions that may lead here: > > a) A netlink message XFRM_MSG_GETSA with NLM_F_DUMP set - here the > > task context is relevant, since the dumped data is sent back to > > the current task. > > b) When adding/deleting/updating an SA via XFRM_MSG_xxxSA, the > > dumped SA is broadcasted to tasks subscribed to XFRM events - > > here the current task context is not relevant as it doesn't > > represent the tasks that could potentially see the secret. > > It doesn't seem worth it to try to keep using the current task's > > context in the a) case, since the eventual data leak can be > > circumvented anyway via b), plus there is no way for the task to > > indicate that it doesn't care about the actual key value, so the > > check could generate a lot of "false alert" denials with SELinux. > > Thus, let's pass NULL instead of current_cred() here faute de > > mieux. > > > > Improvements-suggested-by: Casey Schaufler > > Improvements-suggested-by: Paul Moore > > Fixes: 59438b46471a ("security,lockdown,selinux: implement SELinux lockdown") > > Acked-by: Dan Williams [cxl] > > Acked-by: Steffen Klassert [xfrm] > > Signed-off-by: Ondrej Mosnacek > > --- > > > > v4: > > - rebase on top of TODO > > - fix rebase conflicts: > > * drivers/cxl/pci.c > > - trivial: the lockdown reason was corrected in mainline > > * kernel/bpf/helpers.c, kernel/trace/bpf_trace.c > > - trivial: LOCKDOWN_BPF_READ was renamed to LOCKDOWN_BPF_READ_KERNEL > > in mainline > > * kernel/power/hibernate.c > > - trivial: !secretmem_active() was added to the condition in > > hibernation_available() > > - cover new security_locked_down() call in kernel/bpf/helpers.c > > (LOCKDOWN_BPF_WRITE_USER in BPF_FUNC_probe_write_user case) > > > > v3: https://lore.kernel.org/lkml/20210616085118.1141101-1-omosnace@redhat.com/ > > - add the cred argument to security_locked_down() and adapt all callers > > - keep using current_cred() in BPF, as the hook calls have been shifted > > to program load time (commit ff40e51043af ("bpf, lockdown, audit: Fix > > buggy SELinux lockdown permission checks")) > > - in SELinux, don't ignore hook calls where cred == NULL, but use > > SECINITSID_KERNEL as the subject instead > > - update explanations in the commit message > > > > v2: https://lore.kernel.org/lkml/20210517092006.803332-1-omosnace@redhat.com/ > > - change to a single hook based on suggestions by Casey Schaufler > > > > v1: https://lore.kernel.org/lkml/20210507114048.138933-1-omosnace@redhat.com/ > > The changes between v3 and v4 all seem sane to me, but I'm going to > let this sit for a few days in hopes that we can collect a few more > Reviewed-bys and ACKs. If I don't see any objections I'll merge it > mid-week(ish) into selinux/stable-5.15 and plan on sending it to Linus > after it goes through a build/test cycle. Time's up, I just merged this into selinux/stable-5.15 and I'll send this to Linus once it passes testing. -- paul moore www.paul-moore.com _______________________________________________ kexec mailing list kexec@lists.infradead.org http://lists.infradead.org/mailman/listinfo/kexec