From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.6 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_PASS, T_DKIMWL_WL_MED,USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 96FCEC4321D for ; Thu, 16 Aug 2018 14:16:23 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 469A5208FE for ; Thu, 16 Aug 2018 14:16:23 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="sHii2XNj" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 469A5208FE Authentication-Results: mail.kernel.org; dmarc=fail (p=reject dis=none) header.from=google.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2391734AbeHPRPO (ORCPT ); Thu, 16 Aug 2018 13:15:14 -0400 Received: from mail-oi0-f65.google.com ([209.85.218.65]:41909 "EHLO mail-oi0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726312AbeHPRPO (ORCPT ); Thu, 16 Aug 2018 13:15:14 -0400 Received: by mail-oi0-f65.google.com with SMTP id k12-v6so8241877oiw.8 for ; Thu, 16 Aug 2018 07:16:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=VJJtEHz/Df5gyQRZGNdlwzVmY5ghFvMgBdqhmv3aTds=; b=sHii2XNjT/MJZ0YTypRWKbWHGKKX2uAJJxkxNTN7wZ7RR+mHQPrYRBFf5A7xg/Qilp WMflr559ZnT3Hjq/RL8j8JWLwYeqFGWJYU+m3e0345+7NxpBZtl9YtQmiUVu1Wx4+VXi 5M5MWmtlasYqQ7T4ChF8n67lvzDeOWdA1t5l1fm5TvfB9jMae1i0VWmT9a23N7yk0ISh tmWJDRsR+/Ng31AWOa0eEnkgFnsvQotnl9KcOussgVybE83VzsgNCo7/TKGv/3bye4X0 u/yq6pXGGqJ5t3YsFGCkdDGUcaY04NNkS2tjr87+mXV5yCBAPb+bjBNvC86/yfz01bFF xIRA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=VJJtEHz/Df5gyQRZGNdlwzVmY5ghFvMgBdqhmv3aTds=; b=i5aGU23JOv6gfCkBKUuMEk4geu3dbr1Vga/ZwSNi2G9F3HxhAXyuW0N+zWHEyekbXt s6ONMsRYAzCnAfsdnZKIQ4IIqG7V6PbbwDhPsI/uAElrWDjLx4eKUJt1ykh6yUra4dmO h6KkLUdzyewmSrLSUaCdG1keUzZhjGf2U9IxRmCs6ujw8+/fXU0pUe50ZNSDyALjrKbH Al2f/A3zDznh+wpKw9/NWlcSzJmokBzoGxeZFxRcohh58C9PZp0u7Xq8hIAczPXzEbNm 9+tn5vbc7OTOJAOJ5L+GxZPX7+AlfsLy0z2XbYZBc6deKQD2xI8MNfzsEkim6r/D0WV+ kkNA== X-Gm-Message-State: AOUpUlGchiFSA6wfFW0gR5NWrpG/0s2tRVwdO5j594Z0rk/IDDkXxMtC 7cpkIaMcCDVRhQaapZbPZTo/+cnGVRt7fDZb8SsiNg== X-Google-Smtp-Source: AA+uWPx8Sp1ReJ6hSTj9Qjc80uYgsbyieXcs0Rf9tT9hNq0ilLnhpHhjCg55bGlMeOZmcbD9gn3RDEws6YUISNuKw48= X-Received: by 2002:aca:3882:: with SMTP id f124-v6mr30162447oia.195.1534428979344; Thu, 16 Aug 2018 07:16:19 -0700 (PDT) MIME-Version: 1.0 References: <20180815235355.14908-1-casey.schaufler@intel.com> <20180815235355.14908-4-casey.schaufler@intel.com> In-Reply-To: <20180815235355.14908-4-casey.schaufler@intel.com> From: Jann Horn Date: Thu, 16 Aug 2018 16:15:52 +0200 Message-ID: Subject: Re: [PATCH RFC 3/5] LSM: Security module checking for side-channel dangers To: casey.schaufler@intel.com Cc: Kernel Hardening , kernel list , linux-security-module , selinux@tycho.nsa.gov, SMACK-discuss@lists.01.org, Dave Hansen , deneen.t.dock@intel.com, kristen@linux.intel.com, Arjan van de Ven Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Aug 16, 2018 at 11:51 AM Casey Schaufler wrote: > > From: Casey Schaufler > > The sidechannel LSM checks for cases where a side-channel > attack may be dangerous based on security attributes of tasks. > This includes: > Effective UID of the tasks is different > Capablity sets are different > Tasks are in different namespaces > An option is also provided to assert that task are never > to be considered safe. This is high paranoia, and expensive > as well. > > Signed-off-by: Casey Schaufler [...] > +static int safe_by_uid(struct task_struct *p) > +{ > + const struct cred *ccred = current->cred; > + const struct cred *pcred = p->cred; See below. [...] > +static int safe_by_capability(struct task_struct *p) > +{ > + const struct cred *ccred = current->cred; > + const struct cred *pcred = p->cred; See below. [...] > + if (current->cred->user_ns != p->cred->user_ns) > + return -EACCES; Shouldn't this access be using one of the rcu_dereference_* helpers? Something like rcu_dereference_protected(..., 1). Also, you're looking at ->cred, and you don't want to do that. ->cred are the *subjective* credentials of the task, meaning the credentials that should only be used when this task actively performs an access. Depending on what userspace is doing, an unprivileged process' ->cred will randomly flake to something with GLOBAL_ROOT_UID because of override_creds() calls - for example, if you access a file through overlayfs in certain ways, your ->cred will temporarily be overwritten by ovl_override_creds(), which mostly switches to the credentials of the filesystem's creator (iow, normally root). coredumps can also override the EUID with GLOBAL_ROOT_UID: if (__get_dumpable(cprm.mm_flags) == SUID_DUMP_ROOT) { /* Setuid core dump mode */ cred->fsuid = GLOBAL_ROOT_UID; /* Dump root private */ need_suid_safe = true; } retval = coredump_wait(siginfo->si_signo, &core_state); if (retval < 0) goto fail_creds; old_cred = override_creds(cred); Please use the objective credentials (->real_cred) instead, which are not subject to random override_creds() effects, and are designed to be used when looking at the privileges associated with an overall task (as opposed to the privileges associated with the task's current syscall context). At least for the current-> access, you probably want current_real_cred(), which has been defined for this kind of use.