lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <87ppk5w0dt.fsf@x220.int.ebiederm.org>
Date:	Fri, 25 Apr 2014 14:43:42 -0700
From:	ebiederm@...ssion.com (Eric W. Biederman)
To:	Al Viro <viro@...IV.linux.org.uk>
Cc:	Dmitry Kasatkin <dmitry.kasatkin@...il.com>,
	Oleg Nesterov <oleg@...hat.com>,
	Dmitry Kasatkin <d.kasatkin@...sung.com>,
	linux-security-module <linux-security-module@...r.kernel.org>,
	John Johansen <john.johansen@...onical.com>,
	Mimi Zohar <zohar@...ux.vnet.ibm.com>,
	James Morris <jmorris@...ei.org>,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
	kernel-team <kernel-team@...ts.ubuntu.com>
Subject: Re: Kernel panic at Ubuntu: IMA + Apparmor

Al Viro <viro@...IV.linux.org.uk> writes:

> On Fri, Apr 25, 2014 at 01:45:17PM -0700, Eric W. Biederman wrote:
>
>> IMA-appraisal is fundamentally broken because I can take a mandatory
>> file lock and prevent IMA-apprasial.
>> 
>> Using kernel_read is what allows this.
>> 
>> > Isn't it a clear motivating case???
>> 
>> kernel_read is not appropriate for IMA use.  The rest of this is just
>> the messenger.
>> 
>> IMA needs to use a cousin of kernel_read that operates at a lower level
>> than vfs_read.  A function that all of the permission checks and the
>> fsnotify work.
>
> It's worse than that, actually ;-/  IMA hooks in __fput() have interesting
> interplay with revoke-related stuff as well.  Another very messy thing in
> the same area is that it actually does ->read() from under ->i_mutex, leading
> to all kinds of interesting locking issues...
>
> I doubt that your "let's open-code vfs_read() guts" would be a good idea;
> if nothing else, it might make more sense to make rw_verify_area() skip
> the mandlock and security theatre when called in such situation.
>
> What a mess... ;-/

Agreed.

All I really meant is that vfs_read does too much, so it probably needs
to be refactored for this case.  But fsnotify_read, add_rchar, and
inc_syscr all seem inappropriate.  

So I think we might be able to get away with something like this:

ssize_t __vfs_read(struct file *file, char __user *buf, size_t count, loff_t *pos)
{
	ssize_t ret;

	if (!(file->f_mode & FMODE_READ))
		return -EBADF;
	if (!file->f_op->read && !file->f_op->aio_read)
		return -EINVAL;
	if (unlikely(!access_ok(VERIFY_WRITE, buf, count)))
		return -EFAULT;

	if (ret >= 0) {
		count = ret;
		if (file->f_op->read)
			ret = file->f_op->read(file, buf, count, pos);
		else
			ret = do_sync_read(file, buf, count, pos);
	}

	return ret;
}


How much of the rest we do really would seem to depend on how valuable
the sanity checks are.

This area of code keeps evolving enough that I don't see how we could
possibly avoid going through helper functions to figure out which file
ops we want to use this week.

Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ