lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <0f7b4d58-86da-066e-78d1-92974a488150@schaufler-ca.com>
Date:   Fri, 8 Sep 2017 09:52:58 -0700
From:   Casey Schaufler <casey@...aufler-ca.com>
To:     Stephen Smalley <sds@...ho.nsa.gov>, james.l.morris@...cle.com
Cc:     gregkh@...uxfoundation.org, serge@...lyn.com, paul@...l-moore.com,
        linux-security-module@...r.kernel.org,
        linux-kernel@...r.kernel.org, selinux@...ho.nsa.gov
Subject: Re: [PATCH] usb,signal,security: only pass the cred, not the secid,
 to kill_pid_info_as_cred and security_task_kill

On 9/8/2017 9:40 AM, Stephen Smalley wrote:
> commit d178bc3a708f39cbfefc3fab37032d3f2511b4ec ("user namespace: usb:
>  make usb urbs user namespace aware (v2)") changed kill_pid_info_as_uid
> to kill_pid_info_as_cred, saving and passing a cred structure instead of
> uids.

That's a change I've wanted to make for some time,
but was never confident that the cred would remain
valid.

>   Since the secid can be obtained from the cred, drop the secid fields
> from the usb_dev_state and async structures, and drop the secid argument to
> kill_pid_info_as_cred.  Replace the secid argument to security_task_kill
> with the cred.

Perfect.

>   Update SELinux, Smack, and AppArmor to use the cred, which
> avoids the need for Smack and AppArmor to use a secid at all in this hook.
> Further changes to Smack might still be required to take full advantage of
> this change, since it should now be possible to perform capability
> checking based on the supplied cred.  The changes to Smack and AppArmor
> have only been compile-tested.

I will run some tests on Smack. I don't expect to implement
the additional privilege checks at this time.

>
> Signed-off-by: Stephen Smalley <sds@...ho.nsa.gov>
> ---
>  drivers/usb/core/devio.c     | 10 ++--------
>  include/linux/lsm_hooks.h    |  5 +++--
>  include/linux/sched/signal.h |  2 +-
>  include/linux/security.h     |  4 ++--
>  kernel/signal.c              |  6 +++---
>  security/apparmor/lsm.c      | 17 ++++++++++++-----
>  security/security.c          |  4 ++--
>  security/selinux/hooks.c     |  7 +++++--
>  security/smack/smack_lsm.c   | 12 +++++-------
>  9 files changed, 35 insertions(+), 32 deletions(-)
>
> diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
> index ebe2759..b44f74c 100644
> --- a/drivers/usb/core/devio.c
> +++ b/drivers/usb/core/devio.c
> @@ -78,7 +78,6 @@ struct usb_dev_state {
>  	const struct cred *cred;
>  	void __user *disccontext;
>  	unsigned long ifclaimed;
> -	u32 secid;
>  	u32 disabled_bulk_eps;
>  	bool privileges_dropped;
>  	unsigned long interface_allowed_mask;
> @@ -108,7 +107,6 @@ struct async {
>  	struct usb_memory *usbm;
>  	unsigned int mem_usage;
>  	int status;
> -	u32 secid;
>  	u8 bulk_addr;
>  	u8 bulk_status;
>  };
> @@ -596,7 +594,6 @@ static void async_completed(struct urb *urb)
>  	struct usb_dev_state *ps = as->ps;
>  	struct siginfo sinfo;
>  	struct pid *pid = NULL;
> -	u32 secid = 0;
>  	const struct cred *cred = NULL;
>  	int signr;
>  
> @@ -612,7 +609,6 @@ static void async_completed(struct urb *urb)
>  		sinfo.si_addr = as->userurb;
>  		pid = get_pid(as->pid);
>  		cred = get_cred(as->cred);
> -		secid = as->secid;
>  	}
>  	snoop(&urb->dev->dev, "urb complete\n");
>  	snoop_urb(urb->dev, as->userurb, urb->pipe, urb->actual_length,
> @@ -626,7 +622,7 @@ static void async_completed(struct urb *urb)
>  	spin_unlock(&ps->lock);
>  
>  	if (signr) {
> -		kill_pid_info_as_cred(sinfo.si_signo, &sinfo, pid, cred, secid);
> +		kill_pid_info_as_cred(sinfo.si_signo, &sinfo, pid, cred);
>  		put_pid(pid);
>  		put_cred(cred);
>  	}
> @@ -1023,7 +1019,6 @@ static int usbdev_open(struct inode *inode, struct file *file)
>  	init_waitqueue_head(&ps->wait);
>  	ps->disc_pid = get_pid(task_pid(current));
>  	ps->cred = get_current_cred();
> -	security_task_getsecid(current, &ps->secid);
>  	smp_wmb();
>  	list_add_tail(&ps->list, &dev->filelist);
>  	file->private_data = ps;
> @@ -1733,7 +1728,6 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb
>  	as->ifnum = ifnum;
>  	as->pid = get_pid(task_pid(current));
>  	as->cred = get_current_cred();
> -	security_task_getsecid(current, &as->secid);
>  	snoop_urb(ps->dev, as->userurb, as->urb->pipe,
>  			as->urb->transfer_buffer_length, 0, SUBMIT,
>  			NULL, 0);
> @@ -2609,7 +2603,7 @@ static void usbdev_remove(struct usb_device *udev)
>  			sinfo.si_code = SI_ASYNCIO;
>  			sinfo.si_addr = ps->disccontext;
>  			kill_pid_info_as_cred(ps->discsignr, &sinfo,
> -					ps->disc_pid, ps->cred, ps->secid);
> +					ps->disc_pid, ps->cred);
>  		}
>  	}
>  }
> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> index ce02f76..b0b663b2 100644
> --- a/include/linux/lsm_hooks.h
> +++ b/include/linux/lsm_hooks.h
> @@ -674,7 +674,8 @@
>   *	@p contains the task_struct for process.
>   *	@info contains the signal information.
>   *	@sig contains the signal value.
> - *	@secid contains the sid of the process where the signal originated
> + *	@cred contains the cred of the process where the signal originated, or
> + *	NULL if the current task is the originator.
>   *	Return 0 if permission is granted.
>   * @task_prctl:
>   *	Check permission before performing a process control operation on the
> @@ -1533,7 +1534,7 @@ union security_list_options {
>  	int (*task_getscheduler)(struct task_struct *p);
>  	int (*task_movememory)(struct task_struct *p);
>  	int (*task_kill)(struct task_struct *p, struct siginfo *info,
> -				int sig, u32 secid);
> +				int sig, const struct cred *cred);
>  	int (*task_prctl)(int option, unsigned long arg2, unsigned long arg3,
>  				unsigned long arg4, unsigned long arg5);
>  	void (*task_to_inode)(struct task_struct *p, struct inode *inode);
> diff --git a/include/linux/sched/signal.h b/include/linux/sched/signal.h
> index 2a0dd40..ae4fe12 100644
> --- a/include/linux/sched/signal.h
> +++ b/include/linux/sched/signal.h
> @@ -290,7 +290,7 @@ extern int force_sig_info(int, struct siginfo *, struct task_struct *);
>  extern int __kill_pgrp_info(int sig, struct siginfo *info, struct pid *pgrp);
>  extern int kill_pid_info(int sig, struct siginfo *info, struct pid *pid);
>  extern int kill_pid_info_as_cred(int, struct siginfo *, struct pid *,
> -				const struct cred *, u32);
> +				const struct cred *);
>  extern int kill_pgrp(struct pid *pid, int sig, int priv);
>  extern int kill_pid(struct pid *pid, int sig, int priv);
>  extern __must_check bool do_notify_parent(struct task_struct *, int);
> diff --git a/include/linux/security.h b/include/linux/security.h
> index 458e24b..9655621 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -347,7 +347,7 @@ int security_task_setscheduler(struct task_struct *p);
>  int security_task_getscheduler(struct task_struct *p);
>  int security_task_movememory(struct task_struct *p);
>  int security_task_kill(struct task_struct *p, struct siginfo *info,
> -			int sig, u32 secid);
> +			int sig, const struct cred *cred);
>  int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,
>  			unsigned long arg4, unsigned long arg5);
>  void security_task_to_inode(struct task_struct *p, struct inode *inode);
> @@ -1015,7 +1015,7 @@ static inline int security_task_movememory(struct task_struct *p)
>  
>  static inline int security_task_kill(struct task_struct *p,
>  				     struct siginfo *info, int sig,
> -				     u32 secid)
> +				     const struct cred *cred)
>  {
>  	return 0;
>  }
> diff --git a/kernel/signal.c b/kernel/signal.c
> index caed913..a397bb9 100644
> --- a/kernel/signal.c
> +++ b/kernel/signal.c
> @@ -762,7 +762,7 @@ static int check_kill_permission(int sig, struct siginfo *info,
>  		}
>  	}
>  
> -	return security_task_kill(t, info, sig, 0);
> +	return security_task_kill(t, info, sig, NULL);
>  }
>  
>  /**
> @@ -1348,7 +1348,7 @@ static int kill_as_cred_perm(const struct cred *cred,
>  
>  /* like kill_pid_info(), but doesn't use uid/euid of "current" */
>  int kill_pid_info_as_cred(int sig, struct siginfo *info, struct pid *pid,
> -			 const struct cred *cred, u32 secid)
> +			 const struct cred *cred)
>  {
>  	int ret = -EINVAL;
>  	struct task_struct *p;
> @@ -1367,7 +1367,7 @@ int kill_pid_info_as_cred(int sig, struct siginfo *info, struct pid *pid,
>  		ret = -EPERM;
>  		goto out_unlock;
>  	}
> -	ret = security_task_kill(p, info, sig, secid);
> +	ret = security_task_kill(p, info, sig, cred);
>  	if (ret)
>  		goto out_unlock;
>  
> diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
> index cc5ab23..2fbec6d 100644
> --- a/security/apparmor/lsm.c
> +++ b/security/apparmor/lsm.c
> @@ -718,16 +718,23 @@ static int apparmor_task_setrlimit(struct task_struct *task,
>  }
>  
>  static int apparmor_task_kill(struct task_struct *target, struct siginfo *info,
> -			      int sig, u32 secid)
> +			      int sig, const struct cred *cred)
>  {
>  	struct aa_label *cl, *tl;
>  	int error;
>  
> -	if (secid)
> -		/* TODO: after secid to label mapping is done.
> -		 *  Dealing with USB IO specific behavior
> +	if (cred) {
> +		/*
> +		 * Dealing with USB IO specific behavior
>  		 */
> -		return 0;
> +		cl = aa_get_newest_cred_label(cred);
> +		tl = aa_get_task_label(target);
> +		error = aa_may_signal(cl, tl, sig);
> +		aa_put_label(cl);
> +		aa_put_label(tl);
> +		return error;
> +	}
> +
>  	cl = __begin_current_label_crit_section();
>  	tl = aa_get_task_label(target);
>  	error = aa_may_signal(cl, tl, sig);
> diff --git a/security/security.c b/security/security.c
> index 55b5997..3b67842 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -1118,9 +1118,9 @@ int security_task_movememory(struct task_struct *p)
>  }
>  
>  int security_task_kill(struct task_struct *p, struct siginfo *info,
> -			int sig, u32 secid)
> +			int sig, const struct cred *cred)
>  {
> -	return call_int_hook(task_kill, 0, p, info, sig, secid);
> +	return call_int_hook(task_kill, 0, p, info, sig, cred);
>  }
>  
>  int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 45943e1..68bc634 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -4041,16 +4041,19 @@ static int selinux_task_movememory(struct task_struct *p)
>  }
>  
>  static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
> -				int sig, u32 secid)
> +				int sig, const struct cred *cred)
>  {
> +	u32 secid;
>  	u32 perm;
>  
>  	if (!sig)
>  		perm = PROCESS__SIGNULL; /* null signal; existence test */
>  	else
>  		perm = signal_to_av(sig);
> -	if (!secid)
> +	if (!cred)
>  		secid = current_sid();
> +	else
> +		secid = cred_sid(cred);
>  	return avc_has_perm(secid, task_sid(p), SECCLASS_PROCESS, perm, NULL);
>  }
>  
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index 463af86..65fcede 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -2259,15 +2259,13 @@ static int smack_task_movememory(struct task_struct *p)
>   * @p: the task object
>   * @info: unused
>   * @sig: unused
> - * @secid: identifies the smack to use in lieu of current's
> + * @cred: identifies the cred to use in lieu of current's
>   *
>   * Return 0 if write access is permitted
>   *
> - * The secid behavior is an artifact of an SELinux hack
> - * in the USB code. Someday it may go away.
>   */
>  static int smack_task_kill(struct task_struct *p, struct siginfo *info,
> -			   int sig, u32 secid)
> +			   int sig, const struct cred *cred)
>  {
>  	struct smk_audit_info ad;
>  	struct smack_known *skp;
> @@ -2283,17 +2281,17 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info,
>  	 * Sending a signal requires that the sender
>  	 * can write the receiver.
>  	 */
> -	if (secid == 0) {
> +	if (cred == NULL) {
>  		rc = smk_curacc(tkp, MAY_DELIVER, &ad);
>  		rc = smk_bu_task(p, MAY_DELIVER, rc);
>  		return rc;
>  	}
>  	/*
> -	 * If the secid isn't 0 we're dealing with some USB IO
> +	 * If the cred isn't NULL we're dealing with some USB IO
>  	 * specific behavior. This is not clean. For one thing
>  	 * we can't take privilege into account.
>  	 */
> -	skp = smack_from_secid(secid);
> +	skp = smk_of_task(cred->security);
>  	rc = smk_access(skp, tkp, MAY_DELIVER, &ad);
>  	rc = smk_bu_note("USB signal", skp, tkp, MAY_DELIVER, rc);
>  	return rc;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ