From: Stephen Smalley <sds@tycho.nsa.gov>
To: selinux@vger.kernel.org
Cc: linux-security-module@vger.kernel.org,
	linux-fsdevel@vger.kernel.org, kvm@vger.kernel.org,
	viro@zeniv.linux.org.uk, paul@paul-moore.com, dancol@google.com,
	nnk@google.com
Subject: Re: [RFC PATCH] security,anon_inodes,kvm: enable security support for anon inodes
Date: Thu, 13 Feb 2020 14:47:35 -0500
Message-ID: <513f6230-1fb3-dbb5-5f75-53cd02b91b28@tycho.nsa.gov> (raw)
In-Reply-To: <20200213194157.5877-1-sds@tycho.nsa.gov>


[-- Attachment #1: Type: text/plain, Size: 1210 bytes --]

On 2/13/20 2:41 PM, Stephen Smalley wrote:
> An example of a sample program and policy will follow in a follow-up
> to this patch to demonstrate the effect on userfaultfd and kvm.

Attached are example test programs and policies to demonstrate the 
change in behavior before and after this RFC patch for userfaultfd and 
kvm.  The test policies can be edited to selectively allow specific 
permissions for testing various scenarios, but with the defaults in 
them, one should see the following behavior:

sudo semodule -i kvm.cil userfaultfd.cil
make kvm userfaultfd

Before:

(no labeling/access control applied by SELinux to userfaultfd files or 
to anon inodes created by kvm)

$ ./userfaultfd
api: 170
features: 510
ioctls: 9223372036854775811

read: Resource temporarily unavailable

$ ./kvm
api version: 12

created vm

created vcpu

rax: 0
rbx: 0
rcx: 0
rdx: 1536
rdi: 0
rsi: 0
rsp: 0
rbp: 0
r8: 0
r9: 0
r10: 0
r11: 0
r12: 0
r13: 0
r14: 0
r15: 0
rip: 65520
rflags: 2

created device

checked device attr

After:

(SELinux ioctl whitelisting used to selectively deny access)

$ ./userfaultfd
UFFDIO_API: Permission denied

$ ./kvm
api version: 12

created vm

created vcpu

KVM_GET_REGS: Permission denied

[-- Attachment #2: kvm.cil --]
[-- Type: application/vnd.ms-artgalry, Size: 1115 bytes --]

[-- Attachment #3: userfaultfd.cil --]
[-- Type: application/vnd.ms-artgalry, Size: 621 bytes --]

[-- Attachment #4: kvm.c --]
[-- Type: text/x-csrc, Size: 2234 bytes --]

#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <linux/kvm.h>

/*
 * Print the general-purpose registers, rip and rflags from @regs, one
 * "name: value" line each in unsigned decimal, followed by a blank line.
 * Output is written to stdout via printf(); nothing is returned.
 */
void print_regs(const struct kvm_regs *regs)
{
	/* Table keeps the printed order identical to the field order below. */
	const struct {
		const char *name;
		unsigned long long value;
	} fields[] = {
		{ "rax", regs->rax },
		{ "rbx", regs->rbx },
		{ "rcx", regs->rcx },
		{ "rdx", regs->rdx },
		{ "rdi", regs->rdi },
		{ "rsi", regs->rsi },
		{ "rsp", regs->rsp },
		{ "rbp", regs->rbp },
		{ "r8", regs->r8 },
		{ "r9", regs->r9 },
		{ "r10", regs->r10 },
		{ "r11", regs->r11 },
		{ "r12", regs->r12 },
		{ "r13", regs->r13 },
		{ "r14", regs->r14 },
		{ "r15", regs->r15 },
		{ "rip", regs->rip },
		{ "rflags", regs->rflags },
	};

	for (size_t i = 0; i < sizeof fields / sizeof fields[0]; i++)
		printf("%s: %llu\n", fields[i].name, fields[i].value);

	putchar('\n');
}

/* Print one "name: value" line in unsigned decimal to stdout. */
static void print_attr_field(const char *name, unsigned long long value)
{
	printf("%s: %llu\n", name, value);
}

/*
 * Print the flags, group, attr and addr fields of @dev_attr, one line
 * each, followed by a blank line.  Nothing is returned.
 */
void print_device_attr(const struct kvm_device_attr *dev_attr)
{
	/* 32-bit fields widen losslessly, so one %llu helper serves all four. */
	print_attr_field("flags", dev_attr->flags);
	print_attr_field("group", dev_attr->group);
	print_attr_field("attr", dev_attr->attr);
	print_attr_field("addr", dev_attr->addr);

	putchar('\n');
}

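/*
 * Exercise the KVM ioctl sequence that the accompanying policy mediates:
 * open /dev/kvm, query the API version, create a VM and a VCPU, fetch the
 * VCPU registers, create a VFIO device and query one of its attributes.
 * Each step reports the failing operation through perror(), so a policy
 * denial shows up as "<IOCTL>: Permission denied" in the output.
 *
 * Returns EXIT_SUCCESS when every step succeeds, EXIT_FAILURE otherwise.
 * Every descriptor obtained along the way is closed on all exit paths.
 */
int main(void)
{
	int rc = EXIT_FAILURE;
	int vmfd = -1, vcpufd = -1, devfd = -1;

	int fd = open("/dev/kvm", O_RDWR);
	if (fd < 0) {
		perror("/dev/kvm");
		return EXIT_FAILURE;
	}

	int ret = ioctl(fd, KVM_GET_API_VERSION, 0);
	if (ret < 0) {
		perror("KVM_GET_API_VERSION");
		goto out;
	}

	printf("api version: %d\n\n", ret);

	vmfd = ioctl(fd, KVM_CREATE_VM, 0);
	if (vmfd < 0) {
		perror("KVM_CREATE_VM");
		goto out;
	}

	printf("created vm\n\n");

	vcpufd = ioctl(vmfd, KVM_CREATE_VCPU, 0);
	if (vcpufd < 0) {
		perror("KVM_CREATE_VCPU");
		goto out;
	}

	printf("created vcpu\n\n");

	struct kvm_regs regs;
	if (ioctl(vcpufd, KVM_GET_REGS, &regs) < 0) {
		perror("KVM_GET_REGS");
		goto out;
	}

	print_regs(&regs);

	struct kvm_create_device dev = { .type = KVM_DEV_TYPE_VFIO };
	if (ioctl(vmfd, KVM_CREATE_DEVICE, &dev) < 0) {
		perror("KVM_CREATE_DEVICE");
		goto out;
	}
	/* On success the kernel returns the new device's fd in dev.fd. */
	devfd = (int)dev.fd;

	printf("created device\n\n");

	struct kvm_device_attr dev_attr = {
		.group = KVM_DEV_VFIO_GROUP,
		.attr = KVM_DEV_VFIO_GROUP_ADD,
	};
	if (ioctl(devfd, KVM_HAS_DEVICE_ATTR, &dev_attr) < 0) {
		perror("KVM_HAS_DEVICE_ATTR");
		goto out;
	}

	printf("checked device attr\n\n");

	rc = EXIT_SUCCESS;
out:
	/* Release in reverse order of creation; only descriptors we got. */
	if (devfd >= 0)
		close(devfd);
	if (vcpufd >= 0)
		close(vcpufd);
	if (vmfd >= 0)
		close(vmfd);
	close(fd);
	return rc;
}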

[-- Attachment #5: userfaultfd.c --]
[-- Type: text/x-csrc, Size: 870 bytes --]

#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#include <sys/ioctl.h>
#include <sys/syscall.h>
#include <sys/types.h>

#include <linux/userfaultfd.h>

/*
 * Print the api, features and ioctls fields of the negotiated
 * uffdio_api structure, one "name: value" line each in unsigned
 * decimal, followed by a blank line.  Nothing is returned.
 */
void print_api(const struct uffdio_api *api)
{
	const char *const names[] = { "api", "features", "ioctls" };
	const unsigned long long values[] = { api->api, api->features, api->ioctls };

	for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
		printf("%s: %llu\n", names[i], values[i]);

	putchar('\n');
}

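/*
 * Exercise the userfaultfd operations that the accompanying policy
 * mediates: create the descriptor, negotiate the API with UFFDIO_API,
 * print the advertised features and ioctls, then attempt to read one
 * event message.
 *
 * The descriptor is created O_NONBLOCK and no range is ever registered,
 * so on an unmodified kernel the read() is expected to fail with EAGAIN
 * ("read: Resource temporarily unavailable" in the sample output); with
 * the policy loaded a denial surfaces as "UFFDIO_API: Permission denied".
 *
 * Returns EXIT_SUCCESS when the read succeeds or reports EOF,
 * EXIT_FAILURE otherwise.  The descriptor is closed on every exit path.
 */
int main(void)
{
	int rc = EXIT_FAILURE;

	long uffd = syscall(__NR_userfaultfd, O_CLOEXEC | O_NONBLOCK);
	if (uffd < 0) {
		perror("syscall(userfaultfd)");
		return EXIT_FAILURE;
	}
	/* syscall() returns long; a valid descriptor always fits in an int. */
	int fd = (int)uffd;

	struct uffdio_api api = { .api = UFFD_API };
	if (ioctl(fd, UFFDIO_API, &api) < 0) {
		perror("UFFDIO_API");
		goto out;
	}

	print_api(&api);

	struct uffd_msg msg = {0};
	ssize_t count = read(fd, &msg, sizeof msg);
	if (count < 0) {
		perror("read");
		goto out;
	}
	if (count == 0)
		printf("read EOF\n\n");

	printf("read uffd\n\n");

	rc = EXIT_SUCCESS;
out:
	close(fd);
	return rc;
}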
