| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 8 Jul 2020 13:37:41 +0200
From: Hans de Goede <hdegoede@...hat.com>
To: Kees Cook <keescook@...omium.org>, James Morris <jmorris@...ei.org>
Cc: Luis Chamberlain <mcgrof@...nel.org>,
Mimi Zohar <zohar@...ux.ibm.com>,
Scott Branden <scott.branden@...adcom.com>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
"Rafael J. Wysocki" <rafael@...nel.org>,
Alexander Viro <viro@...iv.linux.org.uk>,
Jessica Yu <jeyu@...nel.org>,
Dmitry Kasatkin <dmitry.kasatkin@...il.com>,
"Serge E. Hallyn" <serge@...lyn.com>,
Casey Schaufler <casey@...aufler-ca.com>,
"Eric W. Biederman" <ebiederm@...ssion.com>,
Peter Zijlstra <peterz@...radead.org>,
Matthew Garrett <matthewgarrett@...gle.com>,
David Howells <dhowells@...hat.com>,
Mauro Carvalho Chehab <mchehab+huawei@...nel.org>,
Randy Dunlap <rdunlap@...radead.org>,
"Joel Fernandes (Google)" <joel@...lfernandes.org>,
KP Singh <kpsingh@...gle.com>, Dave Olsthoorn <dave@...aar.me>,
Peter Jones <pjones@...hat.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Stephen Boyd <stephen.boyd@...aro.org>,
Paul Moore <paul@...l-moore.com>, linux-kernel@...r.kernel.org,
linux-fsdevel@...r.kernel.org, linux-integrity@...r.kernel.org,
linux-security-module@...r.kernel.org
Subject: Re: [PATCH 0/4] Fix misused kernel_read_file() enums
Hi,
On 7/8/20 1:01 PM, Hans de Goede wrote:
> Hi,
>
> On 7/7/20 10:19 AM, Kees Cook wrote:
>> Hi,
>>
>> In looking for closely at the additions that got made to the
>> kernel_read_file() enums, I noticed that FIRMWARE_PREALLOC_BUFFER
>> and FIRMWARE_EFI_EMBEDDED were added, but they are not appropriate
>> *kinds* of files for the LSM to reason about. They are a "how" and
>> "where", respectively. Remove these improper aliases and refactor the
>> code to adapt to the changes.
>>
>> Additionally adds in missing calls to security_kernel_post_read_file()
>> in the platform firmware fallback path (to match the sysfs firmware
>> fallback path) and in module loading. I considered entirely removing
>> security_kernel_post_read_file() hook since it is technically unused,
>> but IMA probably wants to be able to measure EFI-stored firmware images,
>> so I wired it up and matched it for modules, in case anyone wants to
>> move the module signature checks out of the module core and into an LSM
>> to avoid the current layering violations.
>>
>> This touches several trees, and I suspect it would be best to go through
>> James's LSM tree.
>>
>> Thanks!
>
>
> I've done some quick tests on this series to make sure that
> the efi embedded-firmware support did not regress.
> That still works fine, so this series is;
>
> Tested-by: Hans de Goede <hdegoede@...hat.com>
I made a mistake during testing I was not actually running the
kernel with the patches added.
After fixing that I did find a problem, patch 4/4:
"module: Add hook for security_kernel_post_read_file()"
Breaks module-loading for me. This is with the 4 patches
on top of 5.8.0-rc4, so this might just be because I'm
not using the right base.
With patch 4/4 reverted things work fine for me.
So, please only add my Tested-by to patches 1-3.
Regards,
Hans
>> Kees Cook (4):
>> firmware_loader: EFI firmware loader must handle pre-allocated buffer
>> fs: Remove FIRMWARE_PREALLOC_BUFFER from kernel_read_file() enums
>> fs: Remove FIRMWARE_EFI_EMBEDDED from kernel_read_file() enums
>> module: Add hook for security_kernel_post_read_file()
>>
>> drivers/base/firmware_loader/fallback_platform.c | 12 ++++++++++--
>> drivers/base/firmware_loader/main.c | 5 ++---
>> fs/exec.c | 7 ++++---
>> include/linux/fs.h | 3 +--
>> include/linux/lsm_hooks.h | 6 +++++-
>> kernel/module.c | 7 ++++++-
>> security/integrity/ima/ima_main.c | 6 ++----
>> 7 files changed, 30 insertions(+), 16 deletions(-)
>>
Powered by blists - more mailing lists