lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <a5dc3f59-edc2-825a-31f6-7914c97a14d8@schaufler-ca.com>
Date:   Tue, 14 Sep 2021 15:14:44 -0700
From:   Casey Schaufler <casey@...aufler-ca.com>
To:     Paul Moore <paul@...l-moore.com>
Cc:     Jiang Wang <jiang.wang@...edance.com>,
        Andrii Nakryiko <andrii@...nel.org>,
        Jakub Sitnicki <jakub@...udflare.com>,
        John Fastabend <john.fastabend@...il.com>,
        LKML <linux-kernel@...r.kernel.org>,
        Linux Security Module list 
        <linux-security-module@...r.kernel.org>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: Re: Regression in unix stream sockets with the Smack LSM

On 9/13/2021 4:47 PM, Paul Moore wrote:
> On Mon, Sep 13, 2021 at 6:53 PM Casey Schaufler <casey@...aufler-ca.com> wrote:
>> Commit 77462de14a43f4d98dbd8de0f5743a4e02450b1d
>>
>>         af_unix: Add read_sock for stream socket types
>>
>> introduced a regression in UDS socket connections for the Smack LSM.
>> I have not tracked done the details of why the change broke the code,
>> but this is where bisecting the kernel indicates the problem lies, and
>> I have verified that reverting this change repairs the problem.
>>
>> You can verify the problem with the Smack test suite:
>>
>>         https://github.com/smack-team/smack-testsuite.git
>>
>> The failing test is tests/uds-access.sh.
>>
>> I have not looked to see if there's a similar problem with SELinux.
>> There may be, but if there isn't it doesn't matter, there's still a
>> bug.
> FWIW, the selinux-testsuite tests ran clean today with v5.15-rc1 (it
> looks like this code is only in v5.15) but as Casey said, a regression
> is a regression.
>
> Casey, what actually fails on the Smack system with this commit?

I reran the bisection and got a different answer, but the same set of
suspects. The change:

commit 94531cfcbe79c3598acf96806627b2137ca32eb9

    af_unix: Add unix_stream_proto for sockmap

came up this time. The two suspect patches are related.

The Smack access check on UDS stream sockets is behaving erratically,
as if it's using random data to make its checks. I can run the same
test on the same system with the same kernel and get different results.
The trivial test, where the Smack labels are the same, sometimes fails.
But not always.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ