Linux-Security-Module Archive on lore.kernel.org
* [PATCH] tomoyo: Add a kernel config option for fuzzing testing.
@ 2019-02-28 14:06 Tetsuo Handa
  2019-03-04 13:35 ` Tetsuo Handa
  2019-03-12 18:21 ` James Morris
  0 siblings, 2 replies; 17+ messages in thread
From: Tetsuo Handa @ 2019-02-28 14:06 UTC (permalink / raw)
  To: linux-security-module, James Morris, Dmitry Vyukov
  Cc: Tetsuo Handa, syzbot, syzbot

syzbot is reporting kernel panic triggered by memory allocation fault
injection before loading TOMOYO's policy [1]. To make the fuzzing tests
useful, we need to assign a profile other than "disabled" (no-op) mode.
Therefore, let's allow syzbot to load TOMOYO's built-in policy for
"learning" mode using a kernel config option. This option must not be
enabled for kernels built for production system, for this option also
disables domain/program checks when modifying policy configuration via
/sys/kernel/security/tomoyo/ interface.

[1] https://syzkaller.appspot.com/bug?extid=29569ed06425fcf67a95

Reported-by: syzbot <syzbot+e1b8084e532b6ee7afab@syzkaller.appspotmail.com>
Reported-by: syzbot <syzbot+29569ed06425fcf67a95@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
 security/tomoyo/Kconfig  | 10 ++++++++++
 security/tomoyo/common.c | 13 ++++++++++++-
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/security/tomoyo/Kconfig b/security/tomoyo/Kconfig
index 404dce6..a00ab7e 100644
--- a/security/tomoyo/Kconfig
+++ b/security/tomoyo/Kconfig
@@ -74,3 +74,13 @@ config SECURITY_TOMOYO_ACTIVATION_TRIGGER
 	  You can override this setting via TOMOYO_trigger= kernel command line
 	  option. For example, if you pass init=/bin/systemd option, you may
 	  want to also pass TOMOYO_trigger=/bin/systemd option.
+
+config SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING
+	bool "Use insecure built-in settings for fuzzing tests."
+	default n
+	depends on SECURITY_TOMOYO
+	select SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
+	help
+	  Enabling this option forces minimal built-in policy and disables
+	  domain/program checks for run-time policy modifications. Please enable
+	  this option only if this kernel is built for doing fuzzing tests.
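Review bot: The help text for SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING is weaker than the commit message about the risk. The commit message says the option must not be enabled for production kernels because it disables domain/program checks when policy is modified via /sys/kernel/security/tomoyo/, while the help only asks to "enable this option only if this kernel is built for doing fuzzing tests". Suggest saying in the help that the option must not be enabled on production kernels and naming the /sys/kernel/security/tomoyo/ interface it affects, so that someone reading the option in menuconfig sees the consequence without the commit log.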
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
index 57988d9..dd3d594 100644
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -940,7 +940,7 @@ static bool tomoyo_manager(void)
 	const char *exe;
 	const struct task_struct *task = current;
 	const struct tomoyo_path_info *domainname = tomoyo_domain()->domainname;
-	bool found = false;
+	bool found = IS_ENABLED(CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING);
 
 	if (!tomoyo_policy_loaded)
 		return true;
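Review bot: In tomoyo_manager(), initializing `found` with IS_ENABLED(CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING) puts an authorization bypass inside a variable initializer, with no comment. Whether the bypass holds depends on the rest of the function, which is not shown in this hunk, never resetting `found`. An explicit early return next to the existing `if (!tomoyo_policy_loaded) return true;`, with a comment that every caller is treated as a policy manager under this option, would make the intent visible and keep it from being broken by later edits to the lookup code.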
@@ -2810,6 +2810,16 @@ void tomoyo_check_profile(void)
  */
 void __init tomoyo_load_builtin_policy(void)
 {
+#ifdef CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING
+	static char tomoyo_builtin_profile[] __initdata =
+		"PROFILE_VERSION=20150505\n"
+		"0-CONFIG={ mode=learning grant_log=no reject_log=yes }\n";
+	static char tomoyo_builtin_exception_policy[] __initdata =
+		"aggregator proc:/self/exe /proc/self/exe\n";
+	static char tomoyo_builtin_domain_policy[] __initdata = "";
+	static char tomoyo_builtin_manager[] __initdata = "";
+	static char tomoyo_builtin_stat[] __initdata = "";
+#else
 	/*
 	 * This include file is manually created and contains built-in policy
 	 * named "tomoyo_builtin_profile", "tomoyo_builtin_exception_policy",
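Review bot: The `#ifdef CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING` branch in tomoyo_load_builtin_policy() has no comment, while the `#else` branch documents the arrays that builtin-policy.h provides. Please add a comment stating that these definitions stand in for builtin-policy.h, that profile 0 is set to `mode=learning`, and that `tomoyo_builtin_manager` is left empty on purpose because tomoyo_manager() is relaxed under the same option. Without it, the empty manager list reads as a policy that no process is allowed to modify.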
@@ -2817,6 +2827,7 @@ void __init tomoyo_load_builtin_policy(void)
 	 * "tomoyo_builtin_stat" in the form of "static char [] __initdata".
 	 */
 #include "builtin-policy.h"
+#endif
 	u8 i;
 	const int idx = tomoyo_read_lock();
 
-- 
1.8.3.1



* Re: [PATCH] tomoyo: Add a kernel config option for fuzzing testing.
  2019-02-28 14:06 [PATCH] tomoyo: Add a kernel config option for fuzzing testing Tetsuo Handa
@ 2019-03-04 13:35 ` Tetsuo Handa
  2019-03-04 14:34   ` Stephen Smalley
  2019-03-12 18:21 ` James Morris
  1 sibling, 1 reply; 17+ messages in thread
From: Tetsuo Handa @ 2019-03-04 13:35 UTC (permalink / raw)
  To: James Morris; +Cc: linux-security-module

James, please include this patch for 5.1-rc1, for failing to include
this patch will prevent various trees (SELinux/Smack/AppArmor) from
proper testing due to this problem because syzbot is enabling both
TOMOYO and one of SELinux/Smack/AppArmor via lsm= boot parameter.

By including this patch and building kernels with this config option
enabled, syzbot will be able to continue proper testing.

On 2019/02/28 23:06, Tetsuo Handa wrote:
> syzbot is reporting kernel panic triggered by memory allocation fault
> injection before loading TOMOYO's policy [1]. To make the fuzzing tests
> useful, we need to assign a profile other than "disabled" (no-op) mode.
> Therefore, let's allow syzbot to load TOMOYO's built-in policy for
> "learning" mode using a kernel config option. This option must not be
> enabled for kernels built for production system, for this option also
> disables domain/program checks when modifying policy configuration via
> /sys/kernel/security/tomoyo/ interface.
> 
> [1] https://syzkaller.appspot.com/bug?extid=29569ed06425fcf67a95
> 
> Reported-by: syzbot <syzbot+e1b8084e532b6ee7afab@syzkaller.appspotmail.com>
> Reported-by: syzbot <syzbot+29569ed06425fcf67a95@syzkaller.appspotmail.com>
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> ---
>  security/tomoyo/Kconfig  | 10 ++++++++++
>  security/tomoyo/common.c | 13 ++++++++++++-
>  2 files changed, 22 insertions(+), 1 deletion(-)
> 


* Re: [PATCH] tomoyo: Add a kernel config option for fuzzing testing.
  2019-03-04 13:35 ` Tetsuo Handa
@ 2019-03-04 14:34   ` Stephen Smalley
  2019-03-04 23:59     ` Tetsuo Handa
  0 siblings, 1 reply; 17+ messages in thread
From: Stephen Smalley @ 2019-03-04 14:34 UTC (permalink / raw)
  To: Tetsuo Handa, James Morris; +Cc: linux-security-module

On 3/4/19 8:35 AM, Tetsuo Handa wrote:
> James, please include this patch for 5.1-rc1, for failing to include
> this patch will prevent various trees (SELinux/Smack/AppArmor) from
> proper testing due to this problem because syzbot is enabling both
> TOMOYO and one of SELinux/Smack/AppArmor via lsm= boot parameter.
> 
> By including this patch and building kernels with this config option
> enabled, syzbot will be able to continue proper testing.

Could you clarify the status of upstream TOMOYO?  Is its MAINTAINERS 
entry still accurate?  Is it still actively maintained?  Its existing 
documentation (in-tree and the tomoyo.osdn.jp site) seem to suggest that 
using the pre-LSM version and/or AKARI are preferred to using the 
upstream version. Is that still true, and do you envision it changing?

> 
> On 2019/02/28 23:06, Tetsuo Handa wrote:
>> syzbot is reporting kernel panic triggered by memory allocation fault
>> injection before loading TOMOYO's policy [1]. To make the fuzzing tests
>> useful, we need to assign a profile other than "disabled" (no-op) mode.
>> Therefore, let's allow syzbot to load TOMOYO's built-in policy for
>> "learning" mode using a kernel config option. This option must not be
>> enabled for kernels built for production system, for this option also
>> disables domain/program checks when modifying policy configuration via
>> /sys/kernel/security/tomoyo/ interface.
>>
>> [1] https://syzkaller.appspot.com/bug?extid=29569ed06425fcf67a95
>>
>> Reported-by: syzbot <syzbot+e1b8084e532b6ee7afab@syzkaller.appspotmail.com>
>> Reported-by: syzbot <syzbot+29569ed06425fcf67a95@syzkaller.appspotmail.com>
>> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
>> ---
>>   security/tomoyo/Kconfig  | 10 ++++++++++
>>   security/tomoyo/common.c | 13 ++++++++++++-
>>   2 files changed, 22 insertions(+), 1 deletion(-)
>>



* Re: [PATCH] tomoyo: Add a kernel config option for fuzzing testing.
  2019-03-04 14:34   ` Stephen Smalley
@ 2019-03-04 23:59     ` Tetsuo Handa
  2019-03-05  3:32       ` James Morris
  0 siblings, 1 reply; 17+ messages in thread
From: Tetsuo Handa @ 2019-03-04 23:59 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: James Morris, linux-security-module

Stephen Smalley wrote:
> On 3/4/19 8:35 AM, Tetsuo Handa wrote:
> > James, please include this patch for 5.1-rc1, for failing to include
> > this patch will prevent various trees (SELinux/Smack/AppArmor) from
> > proper testing due to this problem because syzbot is enabling both
> > TOMOYO and one of SELinux/Smack/AppArmor via lsm= boot parameter.
> > 
> > By including this patch and building kernels with this config option
> > enabled, syzbot will be able to continue proper testing.
> 
> Could you clarify the status of upstream TOMOYO?  Is its MAINTAINERS 
> entry still accurate?  Is it still actively maintained?

Mainly bugfixes and Q&A phase like
https://osdn.net/projects/tomoyo/lists/archive/users-en/2017-July/000685.html .

Now that TOMOYO can coexist with one of SELinux/Smack/AppArmor, TOMOYO users
can borrow ready-made rules from them and utilize TOMOYO's ability to generate
custom-made rules for things like
https://tomoyo.osdn.jp/1.8/ssh-protection-using-environment.html .

>                                                          Its existing 
> documentation (in-tree and the tomoyo.osdn.jp site) seem to suggest that 
> using the pre-LSM version and/or AKARI are preferred to using the 
> upstream version. Is that still true, and do you envision it changing?

I guess that majority of TOMOYO users are now using the upstream version. But
pre-LSM version and/or AKARI will remain there until LKM-based LSMs becomes
officially supported, for e.g. Fedora/RHEL users will need to use AKARI because
TOMOYO is not available ( https://bugzilla.redhat.com/show_bug.cgi?id=542986 ).


* Re: [PATCH] tomoyo: Add a kernel config option for fuzzing testing.
  2019-03-04 23:59     ` Tetsuo Handa
@ 2019-03-05  3:32       ` James Morris
  2019-03-11 13:18         ` Tetsuo Handa
  0 siblings, 1 reply; 17+ messages in thread
From: James Morris @ 2019-03-05  3:32 UTC (permalink / raw)
  To: Tetsuo Handa; +Cc: Stephen Smalley, linux-security-module

On Tue, 5 Mar 2019, Tetsuo Handa wrote:

> I guess that majority of TOMOYO users are now using the upstream version. But
> pre-LSM version and/or AKARI will remain there until LKM-based LSMs becomes
> officially supported

You mean dynamically loadable LSMs?

There are no plans to support this.

-- 
James Morris
<jmorris@namei.org>



* Re: [PATCH] tomoyo: Add a kernel config option for fuzzing testing.
  2019-03-05  3:32       ` James Morris
@ 2019-03-11 13:18         ` Tetsuo Handa
  2019-03-12 17:19           ` James Morris
  0 siblings, 1 reply; 17+ messages in thread
From: Tetsuo Handa @ 2019-03-11 13:18 UTC (permalink / raw)
  To: James Morris; +Cc: Stephen Smalley, linux-security-module

On 2019/03/05 12:32, James Morris wrote:
> On Tue, 5 Mar 2019, Tetsuo Handa wrote:
> 
>> I guess that majority of TOMOYO users are now using the upstream version. But
>> pre-LSM version and/or AKARI will remain there until LKM-based LSMs becomes
>> officially supported
> 
> You mean dynamically loadable LSMs?

Yes. As long as upstream can't accept all LSM modules, and some people cannot afford
utilizing upstream LSM modules, LKM-based LSMs will be needed by such people.

> 
> There are no plans to support this.

Currently you don't have a plan. But I have.

It took 10+ years to be able to allow coexisting inode based access control
and name based access control. And there are people who still cannot afford
keeping upstream LSM modules enabled.

Anyway, your question is irrelevant to whether to allow syzbot to test
TOMOYO module. syzbot already bisected this problem to an innocent
commit 89a9684ea158dd7e ("LSM: Ignore "security=" when "lsm=" is specified")
at https://syzkaller.appspot.com/bug?id=32ab41bbdc0c28643c507dd0cf1eea1a9ce67837 .
Will you send this patch to linux.git so that syzbot can test TOMOYO module?



* Re: [PATCH] tomoyo: Add a kernel config option for fuzzing testing.
  2019-03-11 13:18         ` Tetsuo Handa
@ 2019-03-12 17:19           ` James Morris
  2019-03-12 21:15             ` Tetsuo Handa
  0 siblings, 1 reply; 17+ messages in thread
From: James Morris @ 2019-03-12 17:19 UTC (permalink / raw)
  To: Tetsuo Handa; +Cc: Stephen Smalley, linux-security-module

On Mon, 11 Mar 2019, Tetsuo Handa wrote:

> On 2019/03/05 12:32, James Morris wrote:
> > On Tue, 5 Mar 2019, Tetsuo Handa wrote:
> > 
> >> I guess that majority of TOMOYO users are now using the upstream version. But
> >> pre-LSM version and/or AKARI will remain there until LKM-based LSMs becomes
> >> officially supported
> > 
> > You mean dynamically loadable LSMs?
> 
> Yes. As long as upstream can't accept all LSM modules, and some people cannot afford
> utilizing upstream LSM modules, LKM-based LSMs will be needed by such people.

What do you mean cannot afford ?

-- 
James Morris
<jmorris@namei.org>



* Re: [PATCH] tomoyo: Add a kernel config option for fuzzing testing.
  2019-02-28 14:06 [PATCH] tomoyo: Add a kernel config option for fuzzing testing Tetsuo Handa
  2019-03-04 13:35 ` Tetsuo Handa
@ 2019-03-12 18:21 ` James Morris
  2019-03-12 20:56   ` Tetsuo Handa
  1 sibling, 1 reply; 17+ messages in thread
From: James Morris @ 2019-03-12 18:21 UTC (permalink / raw)
  To: Tetsuo Handa; +Cc: linux-security-module, Dmitry Vyukov, syzbot, syzbot

On Thu, 28 Feb 2019, Tetsuo Handa wrote:

> syzbot is reporting kernel panic triggered by memory allocation fault
> injection before loading TOMOYO's policy [1]. To make the fuzzing tests
> useful, we need to assign a profile other than "disabled" (no-op) mode.
> Therefore, let's allow syzbot to load TOMOYO's built-in policy for
> "learning" mode using a kernel config option. This option must not be
> enabled for kernels built for production system, for this option also
> disables domain/program checks when modifying policy configuration via
> /sys/kernel/security/tomoyo/ interface.

I don't understand the logic here. If the cause of this is no policy 
loaded combined with running out of memory, shouldn't the no-policy issue 
be dealt with earlier?


-- 
James Morris
<jmorris@namei.org>



* Re: [PATCH] tomoyo: Add a kernel config option for fuzzing testing.
  2019-03-12 18:21 ` James Morris
@ 2019-03-12 20:56   ` Tetsuo Handa
  2019-03-12 21:24     ` James Morris
  0 siblings, 1 reply; 17+ messages in thread
From: Tetsuo Handa @ 2019-03-12 20:56 UTC (permalink / raw)
  To: James Morris; +Cc: linux-security-module, Dmitry Vyukov, syzbot, syzbot

On 2019/03/13 3:21, James Morris wrote:
> On Thu, 28 Feb 2019, Tetsuo Handa wrote:
> 
>> syzbot is reporting kernel panic triggered by memory allocation fault
>> injection before loading TOMOYO's policy [1]. To make the fuzzing tests
>> useful, we need to assign a profile other than "disabled" (no-op) mode.
>> Therefore, let's allow syzbot to load TOMOYO's built-in policy for
>> "learning" mode using a kernel config option. This option must not be
>> enabled for kernels built for production system, for this option also
>> disables domain/program checks when modifying policy configuration via
>> /sys/kernel/security/tomoyo/ interface.
> 
> I don't understand the logic here. If the cause of this is no policy 
> loaded combined with running out of memory, shouldn't the no-policy issue 
> be dealt with earlier?
> 

This patch is for automatically loading minimal policy at boot time
in order to address the no-policy issue. By applying this patch, syzbot
can test TOMOYO module without modifying userspace to load TOMOYO's policy
when /sbin/init starts.


* Re: [PATCH] tomoyo: Add a kernel config option for fuzzing testing.
  2019-03-12 17:19           ` James Morris
@ 2019-03-12 21:15             ` Tetsuo Handa
  2019-03-12 21:19               ` James Morris
  2019-03-12 21:56               ` Edwin Zimmerman
  0 siblings, 2 replies; 17+ messages in thread
From: Tetsuo Handa @ 2019-03-12 21:15 UTC (permalink / raw)
  To: James Morris; +Cc: Stephen Smalley, linux-security-module

On 2019/03/13 2:19, James Morris wrote:
> On Mon, 11 Mar 2019, Tetsuo Handa wrote:
> 
>> On 2019/03/05 12:32, James Morris wrote:
>>> On Tue, 5 Mar 2019, Tetsuo Handa wrote:
>>>
>>>> I guess that majority of TOMOYO users are now using the upstream version. But
>>>> pre-LSM version and/or AKARI will remain there until LKM-based LSMs becomes
>>>> officially supported
>>>
>>> You mean dynamically loadable LSMs?
>>
>> Yes. As long as upstream can't accept all LSM modules, and some people cannot afford
>> utilizing upstream LSM modules, LKM-based LSMs will be needed by such people.
> 
> What do you mean cannot afford ?
> 

Some people have to set SELINUX=disabled in /etc/selinux/config or pass security=none from
the kernel command line.


* Re: [PATCH] tomoyo: Add a kernel config option for fuzzing testing.
  2019-03-12 21:15             ` Tetsuo Handa
@ 2019-03-12 21:19               ` James Morris
  2019-03-12 21:56               ` Edwin Zimmerman
  1 sibling, 0 replies; 17+ messages in thread
From: James Morris @ 2019-03-12 21:19 UTC (permalink / raw)
  To: Tetsuo Handa; +Cc: Stephen Smalley, linux-security-module

On Wed, 13 Mar 2019, Tetsuo Handa wrote:

> >> Yes. As long as upstream can't accept all LSM modules, and some people cannot afford
> >> utilizing upstream LSM modules, LKM-based LSMs will be needed by such people.
> > 
> > What do you mean cannot afford ?
> > 
> 
> Some people have to set SELINUX=disabled in /etc/selinux/config or pass security=none from
> the kernel command line.

Why do they have to do this? 

-- 
James Morris
<jmorris@namei.org>



* Re: [PATCH] tomoyo: Add a kernel config option for fuzzing testing.
  2019-03-12 20:56   ` Tetsuo Handa
@ 2019-03-12 21:24     ` James Morris
  2019-03-13 10:29       ` Tetsuo Handa
  0 siblings, 1 reply; 17+ messages in thread
From: James Morris @ 2019-03-12 21:24 UTC (permalink / raw)
  To: Tetsuo Handa; +Cc: linux-security-module, Dmitry Vyukov, syzbot, syzbot

On Wed, 13 Mar 2019, Tetsuo Handa wrote:

> > I don't understand the logic here. If the cause of this is no policy 
> > loaded combined with running out of memory, shouldn't the no-policy issue 
> > be dealt with earlier?
> > 
> 
> This patch is for automatically loading minimal policy at boot time
> in order to address the no-policy issue. By applying this patch, syzbot
> can test TOMOYO module without modifying userspace to load TOMOYO's policy
> when /sbin/init starts.

If syzbot is trying to test Tomoyo and this requires policy to be loaded, 
shouldn't it do that?

And again, I think the no-policy situation needs to be detected before 
you start trying to apply memory policies to running processes. Surely 
there is some much earlier point during initialization that you will 
detect that there is no policy?

-- 
James Morris
<jmorris@namei.org>



* RE: [PATCH] tomoyo: Add a kernel config option for fuzzing testing.
  2019-03-12 21:15             ` Tetsuo Handa
  2019-03-12 21:19               ` James Morris
@ 2019-03-12 21:56               ` Edwin Zimmerman
  2019-03-13 20:00                 ` James Morris
  1 sibling, 1 reply; 17+ messages in thread
From: Edwin Zimmerman @ 2019-03-12 21:56 UTC (permalink / raw)
  To: 'Tetsuo Handa', 'James Morris'
  Cc: 'Stephen Smalley', linux-security-module

On March 12, 2019 5:15, Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> wrote
> On 2019/03/13 2:19, James Morris wrote:
> > On Mon, 11 Mar 2019, Tetsuo Handa wrote:
> >
> >> On 2019/03/05 12:32, James Morris wrote:
> >>> On Tue, 5 Mar 2019, Tetsuo Handa wrote:
> >>>
> >>>> I guess that majority of TOMOYO users are now using the upstream version. But
> >>>> pre-LSM version and/or AKARI will remain there until LKM-based LSMs becomes
> >>>> officially supported
> >>>
> >>> You mean dynamically loadable LSMs?
> >>
> >> Yes. As long as upstream can't accept all LSM modules, and some people cannot afford
> >> utilizing upstream LSM modules, LKM-based LSMs will be needed by such people.
> >
> > What do you mean cannot afford ?
> >
> 
> Some people have to set SELINUX=disabled in /etc/selinux/config or pass security=none from
> the kernel command line.

If you specifically don't want in-kernel LSMs, and you specifically do want an out-of-tree LSM,
there are other options. For example, you could just livepatch the security_* hooks you need, 
since you already would be using an LKM-based LSM.  That would give you your
out-of-tree module and would also disable selinux on the hooks that got livepatched.



* Re: [PATCH] tomoyo: Add a kernel config option for fuzzing testing.
  2019-03-12 21:24     ` James Morris
@ 2019-03-13 10:29       ` Tetsuo Handa
  2019-03-13 13:17         ` Paul Moore
  0 siblings, 1 reply; 17+ messages in thread
From: Tetsuo Handa @ 2019-03-13 10:29 UTC (permalink / raw)
  To: James Morris; +Cc: linux-security-module, Dmitry Vyukov, syzbot, syzbot

On 2019/03/13 6:24, James Morris wrote:
> On Wed, 13 Mar 2019, Tetsuo Handa wrote:
> 
>>> I don't understand the logic here. If the cause of this is no policy 
>>> loaded combined with running out of memory, shouldn't the no-policy issue 
>>> be dealt with earlier?
>>>
>>
>> This patch is for automatically loading minimal policy at boot time
>> in order to address the no-policy issue. By applying this patch, syzbot
>> can test TOMOYO module without modifying userspace to load TOMOYO's policy
>> when /sbin/init starts.
> 
> If syzbot is trying to test Tomoyo and this requires policy to be loaded, 
> shouldn't it do that?

SELinux has disabled/permissive/enforcing modes.
And syzbot is testing SELinux in permissive mode, isn't it?

TOMOYO has disabled/learning/permissive/enforcing modes.
And syzbot will test TOMOYO in learning mode.

This patch is required for telling TOMOYO to run in learning mode, by
loading minimal policy, without asking userspace to run policy loader.
This patch is easier than asking syzbot users to update their filesystem
images in order to embed policy loader and minimal policy into their
filesystem images.

> 
> And again, I think the no-policy situation needs to be detected before 
> you start trying to apply memory policies to running processes. Surely 
> there is some much earlier point during initialization that you will 
> detect that there is no policy?

TOMOYO is already detecting no-policy situation. TOMOYO is calling panic()
due to "memory allocation failure before loading minimal policy".

This patch avoids panic() by automatically loading minimal policy which is
embedded into the kernel.



* Re: [PATCH] tomoyo: Add a kernel config option for fuzzing testing.
  2019-03-13 10:29       ` Tetsuo Handa
@ 2019-03-13 13:17         ` Paul Moore
  2019-03-25 21:09           ` Tetsuo Handa
  0 siblings, 1 reply; 17+ messages in thread
From: Paul Moore @ 2019-03-13 13:17 UTC (permalink / raw)
  To: Tetsuo Handa
  Cc: James Morris, linux-security-module, Dmitry Vyukov, syzbot, syzbot

On Wed, Mar 13, 2019 at 6:29 AM Tetsuo Handa
<penguin-kernel@i-love.sakura.ne.jp> wrote:
> On 2019/03/13 6:24, James Morris wrote:
> > On Wed, 13 Mar 2019, Tetsuo Handa wrote:
> >
> >>> I don't understand the logic here. If the cause of this is no policy
> >>> loaded combined with running out of memory, shouldn't the no-policy issue
> >>> be dealt with earlier?
> >>>
> >>
> >> This patch is for automatically loading minimal policy at boot time
> >> in order to address the no-policy issue. By applying this patch, syzbot
> >> can test TOMOYO module without modifying userspace to load TOMOYO's policy
> >> when /sbin/init starts.
> >
> > If syzbot is trying to test Tomoyo and this requires policy to be loaded,
> > shouldn't it do that?
>
> SELinux has disabled/permissive/enforcing modes.
> And syzbot is testing SELinux in permissive mode, isn't it?

I've lost track of what syzbot currently does, but in the beginning it
ran with SELinux enabled (probably in permissive mode, but that isn't
important here) without a policy loaded and that caused a handful of
problems which we have since fixed.  While it is not recommended, you
should be able to safely run a SELinux enabled system without a policy
loaded.

> TOMOYO has disabled/learning/permissive/enforcing modes.
> And syzbot will test TOMOYO in learning mode.
>
> This patch is required for telling TOMOYO to run in learning mode, by
> loading minimal policy, without asking userspace to run policy loader.
> This patch is easier than asking syzbot users to update their filesystem
> images in order to embed policy loader and minimal policy into their
> filesystem images.

-- 
paul moore
www.paul-moore.com


* RE: [PATCH] tomoyo: Add a kernel config option for fuzzing testing.
  2019-03-12 21:56               ` Edwin Zimmerman
@ 2019-03-13 20:00                 ` James Morris
  0 siblings, 0 replies; 17+ messages in thread
From: James Morris @ 2019-03-13 20:00 UTC (permalink / raw)
  To: Edwin Zimmerman
  Cc: 'Tetsuo Handa', 'Stephen Smalley', linux-security-module

On Tue, 12 Mar 2019, Edwin Zimmerman wrote:

> On March 12, 2019 5:15, Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> wrote
> > >> Yes. As long as upstream can't accept all LSM modules, and some people cannot afford
> > >> utilizing upstream LSM modules, LKM-based LSMs will be needed by such people.
> > >
> > > What do you mean cannot afford ?
> > >
> > 
> > Some people have to set SELINUX=disabled in /etc/selinux/config or pass security=none from
> > the kernel command line.
> 
> If you specifically don't want in-kernel LSMs, and you specifically do want an out-of-tree LSM,
> there are other options. For example, you could just livepatch the security_* hooks you need, 
> since you already would be using an LKM-based LSM.  That would give you your
> out-of-tree module and would also disable selinux on the hooks that got livepatched.
> 

Ahh, ok, this is about out of tree LSMs.

This has been discussed many times over the years and the answer is always 
the same: we will not add infrastructure to the kernel to support out of 
tree code.  This is a long-standing tenet of the Linux kernel.



-- 
James Morris
<jmorris@namei.org>



* Re: [PATCH] tomoyo: Add a kernel config option for fuzzing testing.
  2019-03-13 13:17         ` Paul Moore
@ 2019-03-25 21:09           ` Tetsuo Handa
  0 siblings, 0 replies; 17+ messages in thread
From: Tetsuo Handa @ 2019-03-25 21:09 UTC (permalink / raw)
  To: James Morris
  Cc: Paul Moore, linux-security-module, Dmitry Vyukov, syzbot, syzbot

James,

I think that nothing prevents this patch.

