lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 26 Aug 2016 07:57:18 -0700
From:   Andy Lutomirski <luto@...capital.net>
To:     Mickaël Salaün <mic@...ikod.net>
Cc:     "Eric W. Biederman" <ebiederm@...ssion.com>,
        LKML <linux-kernel@...r.kernel.org>,
        Alexei Starovoitov <ast@...nel.org>,
        Arnd Bergmann <arnd@...db.de>,
        Casey Schaufler <casey@...aufler-ca.com>,
        Daniel Borkmann <daniel@...earbox.net>,
        Daniel Mack <daniel@...que.org>,
        David Drysdale <drysdale@...gle.com>,
        "David S . Miller" <davem@...emloft.net>,
        Elena Reshetova <elena.reshetova@...el.com>,
        James Morris <james.l.morris@...cle.com>,
        Kees Cook <keescook@...omium.org>,
        Paul Moore <pmoore@...hat.com>,
        Sargun Dhillon <sargun@...gun.me>,
        "Serge E . Hallyn" <serge@...lyn.com>,
        Will Drewry <wad@...omium.org>,
        kernel-hardening <kernel-hardening@...ts.openwall.com>,
        Linux API <linux-api@...r.kernel.org>,
        LSM List <linux-security-module@...r.kernel.org>,
        Network Development <netdev@...r.kernel.org>
Subject: Re: [RFC v2 08/10] landlock: Handle file system comparisons

On Thu, Aug 25, 2016 at 7:10 AM, Mickaël Salaün <mic@...ikod.net> wrote:
>
> On 25/08/2016 13:12, Andy Lutomirski wrote:
>> On Thu, Aug 25, 2016 at 3:32 AM, Mickaël Salaün <mic@...ikod.net> wrote:
>>> Add eBPF functions to compare file system access with a Landlock file
>>> system handle:
>>> * bpf_landlock_cmp_fs_prop_with_struct_file(prop, map, map_op, file)
>>>   This function allows to compare the dentry, inode, device or mount
>>>   point of the currently accessed file, with a reference handle.
>>> * bpf_landlock_cmp_fs_beneath_with_struct_file(opt, map, map_op, file)
>>>   This function allows an eBPF program to check if the current accessed
>>>   file is the same or in the hierarchy of a reference handle.
>>>
>>> The goal of file system handle is to abstract kernel objects such as a
>>> struct file or a struct inode. Userland can create this kind of handle
>>> thanks to the BPF_MAP_UPDATE_ELEM command. The element is a struct
>>> landlock_handle containing the handle type (e.g.
>>> BPF_MAP_HANDLE_TYPE_LANDLOCK_FS_FD) and a file descriptor. This could
>>> also be any descriptions able to match a struct file or a struct inode
>>> (e.g. path or glob string).
>>
>> This needs Eric's opinion.
>>
>> Also, where do all the struct file *'s get stashed?  Are they
>> preserved in the arraymap?  What prevents reference cycles or absurdly
>> large numbers of struct files getting pinned?
>
> Yes, the struct file are kept in the arraymap and dropped when there is
> no more reference on them. Currently, the limitations are the maximum
> number of open file descriptors referring to an arraymap and the maximum
> number of eBPF Landlock programs loaded in a process
> (LANDLOCK_PROG_LIST_MAX_PAGES in kernel/seccomp.c).
>
> What kind of reference cycles have you in mind?

Shoving evil things into the arraymaps, e.g. unix sockets with
SCM_RIGHTS messages pending, eBPF program references, the arraymap fd
itself, another arraymap fd, etc.

>
> It probably needs another limit for kernel object references as well.
> What is the best option here? Add another static limitation or use an
> existing one?

Dunno.  If RLIMIT_FILE could be made to work, that would be nice.

--Andy

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ