[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <563ae8b4-753a-179d-4f6d-94d2dd058f3b@schaufler-ca.com>
Date: Fri, 30 Aug 2019 15:09:17 -0700
From: Casey Schaufler <casey@...aufler-ca.com>
To: David Howells <dhowells@...hat.com>, viro@...iv.linux.org.uk
Cc: Stephen Smalley <sds@...ho.nsa.gov>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
nicolas.dichtel@...nd.com, raven@...maw.net,
Christian Brauner <christian@...uner.io>,
keyrings@...r.kernel.org, linux-usb@...r.kernel.org,
linux-security-module@...r.kernel.org,
linux-fsdevel@...r.kernel.org, linux-api@...r.kernel.org,
linux-block@...r.kernel.org, linux-kernel@...r.kernel.org,
casey@...aufler-ca.com
Subject: Re: [PATCH 00/11] Keyrings, Block and USB notifications [ver #7]
On 8/30/2019 6:57 AM, David Howells wrote:
> Here's a set of patches to add a general notification queue concept and to
> add sources of events for:
>
> (1) Key/keyring events, such as creating, linking and removal of keys.
>
> (2) General device events (single common queue) including:
>
> - Block layer events, such as device errors
>
> - USB subsystem events, such as device/bus attach/remove, device
> reset, device errors.
>
> Tests for the key/keyring events can be found on the keyutils next branch:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git/log/?h=next
I'm having trouble with the "make install" on Fedora. Is there an
unusual dependency?
>
> Notifications are done automatically inside of the testing infrastructure
> on every change to that every test makes to a key or keyring.
>
> Manual pages can be found there also, including pages for watch_queue(7)
> and the watch_devices(2) system call (these should be transferred to the
> manpages package if taken upstream).
>
> LSM hooks are included:
>
> (1) A set of hooks are provided that allow an LSM to rule on whether or
> not a watch may be set. Each of these hooks takes a different
> "watched object" parameter, so they're not really shareable. The LSM
> should use current's credentials. [Wanted by SELinux & Smack]
>
> (2) A hook is provided to allow an LSM to rule on whether or not a
> particular message may be posted to a particular queue. This is given
> the credentials from the event generator (which may be the system) and
> the watch setter. [Wanted by Smack]
>
> I've provided a preliminary attempt to provide SELinux and Smack with
> implementations of some of these hooks.
>
>
> Design decisions:
>
> (1) A misc chardev is used to create and open a ring buffer:
>
> fd = open("/dev/watch_queue", O_RDWR);
>
> which is then configured and mmap'd into userspace:
>
> ioctl(fd, IOC_WATCH_QUEUE_SET_SIZE, BUF_SIZE);
> ioctl(fd, IOC_WATCH_QUEUE_SET_FILTER, &filter);
> buf = mmap(NULL, BUF_SIZE * page_size, PROT_READ | PROT_WRITE,
> MAP_SHARED, fd, 0);
>
> The fd cannot be read or written (though there is a facility to use
> write to inject records for debugging) and userspace just pulls data
> directly out of the buffer.
>
> (2) The ring index pointers are stored inside the ring and are thus
> accessible to userspace. Userspace should only update the tail
> pointer and never the head pointer or risk breaking the buffer. The
> kernel checks that the pointers appear valid before trying to use
> them. A 'skip' record is maintained around the pointers.
>
> (3) poll() can be used to wait for data to appear in the buffer.
>
> (4) Records in the buffer are binary, typed and have a length so that they
> can be of varying size.
>
> This means that multiple heterogeneous sources can share a common
> buffer. Tags may be specified when a watchpoint is created to help
> distinguish the sources.
>
> (5) The queue is reusable as there are 16 million types available, of
> which I've used just a few, so there is scope for others to be used.
>
> (6) Records are filterable as types have up to 256 subtypes that can be
> individually filtered. Other filtration is also available.
>
> (7) Each time the buffer is opened, a new buffer is created - this means
> that there's no interference between watchers.
>
> (8) When recording a notification, the kernel will not sleep, but will
> rather mark a queue as overrun if there's insufficient space, thereby
> avoiding userspace causing the kernel to hang.
>
> (9) The 'watchpoint' should be specific where possible, meaning that you
> specify the object that you want to watch.
>
> (10) The buffer is created and then watchpoints are attached to it, using
> one of:
>
> keyctl_watch_key(KEY_SPEC_SESSION_KEYRING, fd, 0x01);
> watch_devices(fd, 0x02, 0);
>
> where in both cases, fd indicates the queue and the number after is a
> tag between 0 and 255.
>
> (11) The watch must be removed if either the watch buffer is destroyed or
> the watched object is destroyed.
>
>
> Things I want to avoid:
>
> (1) Introducing features that make the core VFS dependent on the network
> stack or networking namespaces (ie. usage of netlink).
>
> (2) Dumping all this stuff into dmesg and having a daemon that sits there
> parsing the output and distributing it as this then puts the
> responsibility for security into userspace and makes handling
> namespaces tricky. Further, dmesg might not exist or might be
> inaccessible inside a container.
>
> (3) Letting users see events they shouldn't be able to see.
>
>
> The patches can be found here also:
>
> http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=notifications-core
>
> Changes:
>
> ver #7:
>
> (*) Removed the 'watch' argument from the security_watch_key() and
> security_watch_devices() hooks as current_cred() can be used instead
> of watch->cred.
>
> ver #6:
>
> (*) Fix mmap bug in watch_queue driver.
>
> (*) Add an extended removal notification that can transmit an identifier
> to userspace (such as a key ID).
>
> (*) Don't produce a instantiation notification in mark_key_instantiated()
> but rather do it in the caller to prevent key updates from producing
> an instantiate notification as well as an update notification.
>
> (*) Set the right number of filters in the sample program.
>
> (*) Provide preliminary hook implementations for SELinux and Smack.
>
> ver #5:
>
> (*) Split the superblock watch and mount watch parts out into their own
> branch (notifications-mount) as they really need certain fsinfo()
> attributes.
>
> (*) Rearrange the watch notification UAPI header to push the length down
> to bits 0-5 and remove the lost-message bits. The userspace's watch
> ID tag is moved to bits 8-15 and then the message type is allocated
> all of bits 16-31 for its own purposes.
>
> The lost-message bit is moved over to the header, rather than being
> placed in the next message to be generated and given its own word so
> it can be cleared with xchg(,0) for parisc.
>
> (*) The security_post_notification() hook is no longer called with the
> spinlock held and softirqs disabled - though the RCU readlock is still
> held.
>
> (*) Buffer pages are now accounted towards RLIMIT_MEMLOCK and CAP_IPC_LOCK
> will skip the overuse check.
>
> (*) The buffer is marked VM_DONTEXPAND.
>
> (*) Save the watch-setter's creds in struct watch and give that to the LSM
> hook for posting a message.
>
> ver #4:
>
> (*) Split the basic UAPI bits out into their own patch and then split the
> LSM hooks out into an intermediate patch. Add LSM hooks for setting
> watches.
>
> Rename the *_notify() system calls to watch_*() for consistency.
>
> ver #3:
>
> (*) I've added a USB notification source and reformulated the block
> notification source so that there's now a common watch list, for which
> the system call is now device_notify().
>
> I've assigned a pair of unused ioctl numbers in the 'W' series to the
> ioctls added by this series.
>
> I've also added a description of the kernel API to the documentation.
>
> ver #2:
>
> (*) I've fixed various issues raised by Jann Horn and GregKH and moved to
> krefs for refcounting. I've added some security features to try and
> give Casey Schaufler the LSM control he wants.
>
> David
> ---
> David Howells (11):
> uapi: General notification ring definitions
> security: Add hooks to rule on setting a watch
> security: Add a hook for the point of notification insertion
> General notification queue with user mmap()'able ring buffer
> keys: Add a notification facility
> Add a general, global device notification watch list
> block: Add block layer notifications
> usb: Add USB subsystem notifications
> Add sample notification program
> selinux: Implement the watch_key security hook
> smack: Implement the watch_key and post_notification hooks [untested]
>
>
> Documentation/ioctl/ioctl-number.rst | 1
> Documentation/security/keys/core.rst | 58 ++
> Documentation/watch_queue.rst | 460 ++++++++++++++
> arch/alpha/kernel/syscalls/syscall.tbl | 1
> arch/arm/tools/syscall.tbl | 1
> arch/ia64/kernel/syscalls/syscall.tbl | 1
> arch/m68k/kernel/syscalls/syscall.tbl | 1
> arch/microblaze/kernel/syscalls/syscall.tbl | 1
> arch/mips/kernel/syscalls/syscall_n32.tbl | 1
> arch/mips/kernel/syscalls/syscall_n64.tbl | 1
> arch/mips/kernel/syscalls/syscall_o32.tbl | 1
> arch/parisc/kernel/syscalls/syscall.tbl | 1
> arch/powerpc/kernel/syscalls/syscall.tbl | 1
> arch/s390/kernel/syscalls/syscall.tbl | 1
> arch/sh/kernel/syscalls/syscall.tbl | 1
> arch/sparc/kernel/syscalls/syscall.tbl | 1
> arch/x86/entry/syscalls/syscall_32.tbl | 1
> arch/x86/entry/syscalls/syscall_64.tbl | 1
> arch/xtensa/kernel/syscalls/syscall.tbl | 1
> block/Kconfig | 9
> block/blk-core.c | 29 +
> drivers/base/Kconfig | 9
> drivers/base/Makefile | 1
> drivers/base/watch.c | 90 +++
> drivers/misc/Kconfig | 13
> drivers/misc/Makefile | 1
> drivers/misc/watch_queue.c | 893 +++++++++++++++++++++++++++
> drivers/usb/core/Kconfig | 9
> drivers/usb/core/devio.c | 56 ++
> drivers/usb/core/hub.c | 4
> include/linux/blkdev.h | 15
> include/linux/device.h | 7
> include/linux/key.h | 3
> include/linux/lsm_audit.h | 1
> include/linux/lsm_hooks.h | 38 +
> include/linux/security.h | 32 +
> include/linux/syscalls.h | 1
> include/linux/usb.h | 18 +
> include/linux/watch_queue.h | 94 +++
> include/uapi/asm-generic/unistd.h | 4
> include/uapi/linux/keyctl.h | 2
> include/uapi/linux/watch_queue.h | 183 ++++++
> kernel/sys_ni.c | 1
> samples/Kconfig | 6
> samples/Makefile | 1
> samples/watch_queue/Makefile | 8
> samples/watch_queue/watch_test.c | 233 +++++++
> security/keys/Kconfig | 9
> security/keys/compat.c | 3
> security/keys/gc.c | 5
> security/keys/internal.h | 30 +
> security/keys/key.c | 38 +
> security/keys/keyctl.c | 99 +++
> security/keys/keyring.c | 20 -
> security/keys/request_key.c | 4
> security/security.c | 23 +
> security/selinux/hooks.c | 14
> security/smack/smack_lsm.c | 82 ++
> 58 files changed, 2593 insertions(+), 30 deletions(-)
> create mode 100644 Documentation/watch_queue.rst
> create mode 100644 drivers/base/watch.c
> create mode 100644 drivers/misc/watch_queue.c
> create mode 100644 include/linux/watch_queue.h
> create mode 100644 include/uapi/linux/watch_queue.h
> create mode 100644 samples/watch_queue/Makefile
> create mode 100644 samples/watch_queue/watch_test.c
>
Powered by blists - more mailing lists