Linux-Security-Module Archive on lore.kernel.org
    Subject: Re: [PATCH v2 0/6] Harden userfaultfd
    From: Kees Cook @ 2020-02-12  7:50 UTC (permalink / raw)
      To: Daniel Colascione
      Cc: timmurray, nosh, nnk, lokeshgidra, linux-kernel, linux-api,
    	selinux, Andrea Arcangeli, Mike Rapoport, Peter Xu, Jann Horn,
    	linux-security-module
    
    Hi!
    
    Firstly, thanks for working on this! It's been on my TODO list for a
    while. :)
    
    Casey already recommended including the LSM list to CC (since this is a
    new LSM -- there are many LSMs). Additionally, the series should
    probably be sent _to_ the userfaultfd maintainers:
    	Andrea Arcangeli <aarcange@redhat.com>
    	Mike Rapoport <rppt@linux.ibm.com>
    and I'd also CC a couple other people that have done recent work:
    	Peter Xu <peterx@redhat.com>
    	Jann Horn <jannh@google.com>
    
    More notes below...
    
    On Tue, Feb 11, 2020 at 02:55:41PM -0800, Daniel Colascione wrote:
    > Userfaultfd in unprivileged contexts could be potentially very
    > useful. We'd like to harden userfaultfd to make such unprivileged use
    > less risky. This patch series allows SELinux to manage userfaultfd
    > file descriptors and allows administrators to limit userfaultfd to
    > servicing user-mode faults, increasing the difficulty of using
    > userfaultfd in exploit chains invoking delaying kernel faults.
    
    I actually think these are two very different goals and likely the
    series could be split into two for them. One is LSM hooking of
    userfaultfd and the SELinux attachment, and the other is the user-mode
    fault restrictions. And they would likely go via separate trees (LSM
    through James's LSM tree, and probably akpm's -mm tree for the sysctl).
    
    > A new anon_inodes interface allows callers to opt into SELinux
    > management of anonymous file objects. In this mode, anon_inodes
    > creates new ephemeral inodes for anonymous file objects instead of
    > reusing a singleton dummy inode. A new LSM hook gives security modules
    > an opportunity to configure and veto these ephemeral inodes.
    > 
    > Existing anon_inodes users must opt into the new functionality.
    > 
    > Daniel Colascione (6):
    >   Add a new flags-accepting interface for anonymous inodes
    >   Add a concept of a "secure" anonymous file
    >   Teach SELinux about a new userfaultfd class
    >   Wire UFFD up to SELinux
    
    The above is the first "series"... I don't have much opinion about it,
    though I do like the idea of making userfaultfd visible to the LSM.
    
    >   Let userfaultfd opt out of handling kernel-mode faults
    >   Add a new sysctl for limiting userfaultfd to user mode faults
    
    Now this I'm very interested in. Can you go into more detail about two
    things:
    
    - What is the threat being solved? (I understand the threat, but detailing
      it in the commit log is important for people who don't know it. Existing
      commit cefdca0a86be517bc390fc4541e3674b8e7803b0 gets into some of the
      details already, but I'd like to see reference to external sources like
      https://duasynt.com/blog/linux-kernel-heap-spray)
    
    - Why is this needed in addition to the existing vm.unprivileged_userfaultfd
      sysctl? (And should this maybe just be another setting for that
      sysctl, like "2"?)
    
    As to the mechanics of the change, I'm not sure I like the idea of adding
    a UAPI flag for this. Why not just retain the permission check done at
    open() and if kernelmode faults aren't allowed, ignore them? This would
    require no changes to existing programs and gains the desired defense.
    (And, I think, the sysctl value could be bumped to "2" as that's a
    better default state -- does qemu actually need kernelmode traps?)
    
    Thanks again for the patches!
    
    -Kees
    
    > 
    >  Documentation/admin-guide/sysctl/vm.rst | 13 ++++
    >  fs/anon_inodes.c                        | 89 +++++++++++++++++--------
    >  fs/userfaultfd.c                        | 29 ++++++--
    >  include/linux/anon_inodes.h             | 27 ++++++--
    >  include/linux/lsm_hooks.h               |  8 +++
    >  include/linux/security.h                |  2 +
    >  include/linux/userfaultfd_k.h           |  3 +
    >  include/uapi/linux/userfaultfd.h        |  9 +++
    >  kernel/sysctl.c                         |  9 +++
    >  security/security.c                     |  8 +++
    >  security/selinux/hooks.c                | 68 +++++++++++++++++++
    >  security/selinux/include/classmap.h     |  2 +
    >  12 files changed, 229 insertions(+), 38 deletions(-)
    > 
    > -- 
    > 2.25.0.225.g125e21ebc7-goog
    > 
    
    -- 
    Kees Cook
    
    Subject: [PATCH 0/3] SELinux support for anonymous inodes and UFFD
    From: Daniel Colascione @ 2020-02-14  3:26 UTC (permalink / raw)
      To: timmurray, selinux, linux-security-module, linux-fsdevel,
    	linux-kernel, kvm, viro, paul, nnk, sds, lokeshgidra
      Cc: Daniel Colascione
    
    Userfaultfd in unprivileged contexts could be potentially very
    useful. We'd like to harden userfaultfd to make such unprivileged use
    less risky. This patch series allows SELinux to manage userfaultfd
    file descriptors and, in the future, other kinds of
    anonymous-inode-based file descriptors. SELinux policy authors can
    apply policy types to anonymous inodes by providing name-based
    transition rules keyed off the anonymous inode internal name
    ("[userfaultfd]" in the case of userfaultfd(2) file descriptors) and
    applying policy to the new SIDs thus produced.
    
    Inside the kernel, a pair of new anon_inodes interfaces,
    anon_inode_getfile_secure and anon_inode_getfd_secure, allow callers
    to opt into this SELinux management. In this new "secure" mode,
    anon_inodes creates new ephemeral inodes for anonymous file objects
    instead of reusing the normal anon_inodes singleton dummy inode. A new
    LSM hook gives security modules an opportunity to configure and veto
    these ephemeral inodes.
    
    This patch series is one of two forks of [1] and is an
    alternative to [2].
    
    The primary difference between the two patch series is that this
    patch series creates a unique inode for each "secure" anonymous
    inode, while the other patch series ([2]) continues using the
    singleton dummy anonymous inode and adds a way to attach SELinux
    security information directly to file objects.
    
    I prefer the approach in this patch series because 1) it's a smaller
    patch than [2], and 2) it produces a more regular security
    architecture: in this patch series, secure anonymous inodes aren't
    S_PRIVATE and they maintain the SELinux property that the label for a
    file is in its inode. We do need an additional inode per anonymous
    file, but per-struct-file inode creation doesn't seem to be a problem
    for pipes and sockets.
    
    The previous version of this feature ([1]) created a new SELinux
    security class for userfaultfd file descriptors. This version adopts
    the generic transition-based approach of [2].
    
    This patch series also differs from [2] in that it doesn't affect all
    anonymous inodes right away --- instead requiring anon_inodes callers
    to opt in --- but this difference isn't one of basic approach. The
    important question to resolve is whether we should be creating new
    inodes or enhancing per-file data.
    
    [1] https://lore.kernel.org/lkml/20200211225547.235083-1-dancol@google.com/
    [2] https://lore.kernel.org/linux-fsdevel/20200213194157.5877-1-sds@tycho.nsa.gov/
    
    Daniel Colascione (3):
      Add a new LSM-supporting anonymous inode interface
      Teach SELinux about anonymous inodes
      Wire UFFD up to SELinux
    
     fs/anon_inodes.c            | 196 ++++++++++++++++++++++++++++--------
     fs/userfaultfd.c            |  34 +++++--
     include/linux/anon_inodes.h |  13 +++
     include/linux/lsm_hooks.h   |   9 ++
     include/linux/security.h    |   4 +
     security/security.c         |  10 ++
     security/selinux/hooks.c    |  57 +++++++++++
     7 files changed, 274 insertions(+), 49 deletions(-)
    
    -- 
    2.25.0.265.gbab2e86ba0-goog
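As an added illustration of the name-based transition the cover letter describes (this fragment is not part of the series or its posting), here is an SELinux policy fragment that gives a confined domain's userfaultfd descriptors their own type and denies them to another domain. The class name written as `anon_inode`, the domains `app_t` and `sandbox_t`, the type `uffd_t` and the permission names are assumptions; the series on this page does not fix the security class, so a real policy must use whatever class the hook actually resolves.

```selinux
# Added example policy, not from the patch series. anon_inode, app_t,
# sandbox_t, uffd_t and the permission names are assumptions.

# A dedicated type for userfaultfd descriptors created by app_t.
type uffd_t;

# Name-based type transition: when a process in app_t creates an
# anonymous inode whose internal name is "[userfaultfd]", the new
# ephemeral inode is labelled uffd_t instead of inheriting the creator's
# label. The name is the only key, so other anonymous inodes created by
# app_t (eventfd, epoll, ...) are not affected by this rule.
type_transition app_t app_t : anon_inode uffd_t "[userfaultfd]";

# The creating domain then needs explicit permission on the new type;
# the hook can veto the inode when this is missing, and the refusal is
# visible as an ordinary AVC denial on the assumed anon_inode class.
allow app_t uffd_t : anon_inode { create read write ioctl };

# A domain that must never hold userfaultfd descriptors gets no
# transition and no allow rule; the neverallow makes the policy build
# fail if a later rule accidentally grants it.
neverallow sandbox_t uffd_t : anon_inode *;
```

With the transition in place, auditing userfaultfd use reduces to watching AVC messages for the `uffd_t` type rather than tracing individual syscalls.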
    
    