Open Source and information security mailing list archives
Message-ID: <8b5f2cc8-4a3e-8e33-9161-4a68a61e9ad7@schaufler-ca.com>
Date:   Mon, 13 Sep 2021 17:16:59 -0700
From:   Casey Schaufler <casey@...aufler-ca.com>
To:     Paul Moore <paul@...l-moore.com>
Cc:     Jiang Wang <jiang.wang@...edance.com>,
        Andrii Nakryiko <andrii@...nel.org>,
        Jakub Sitnicki <jakub@...udflare.com>,
        John Fastabend <john.fastabend@...il.com>,
        LKML <linux-kernel@...r.kernel.org>,
        Linux Security Module list 
        <linux-security-module@...r.kernel.org>
Subject: Re: Regression in unix stream sockets with the Smack LSM

On 9/13/2021 4:47 PM, Paul Moore wrote:
> On Mon, Sep 13, 2021 at 6:53 PM Casey Schaufler <casey@...aufler-ca.com> wrote:
>> Commit 77462de14a43f4d98dbd8de0f5743a4e02450b1d
>>
>>         af_unix: Add read_sock for stream socket types
>>
>> introduced a regression in UDS socket connections for the Smack LSM.
>> I have not tracked down the details of why the change broke the code,
>> but this is where bisecting the kernel indicates the problem lies, and
>> I have verified that reverting this change repairs the problem.
>>
>> You can verify the problem with the Smack test suite:
>>
>>         https://github.com/smack-team/smack-testsuite.git
>>
>> The failing test is tests/uds-access.sh.
>>
>> I have not looked to see if there's a similar problem with SELinux.
>> There may be, but if there isn't it doesn't matter, there's still a
>> bug.
> FWIW, the selinux-testsuite tests ran clean today with v5.15-rc1 (it
> looks like this code is only in v5.15) but as Casey said, a regression
> is a regression.
>
> Casey, what actually fails on the Smack system with this commit?

It's a simple
	"socat - UNIX-LISTEN:path"
	"socat - UNIX-CONNECT:path"

In one case the processes have the same Smack label,
and that usually succeeds. I'm trying to track down exactly when
it doesn't. The case where the processes have different Smack labels
but a rule allows them mutual write access always fails. I *think*
that's because the underlying UDS code is now requiring read access it
didn't use to. I'm trying to track that down, too.
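To make the suspected failure mode concrete, here is an added model of the label checks described above; it is not the kernel's Smack code and not part of this thread. A stream connect between two Smack labels needs write access in both directions, so a rule set granting only mutual write passes that check, yet fails as soon as an extra read check is added, which is what Casey suspects the new read_sock path introduces. The label names, the rule text and the direction of the extra read check are assumptions.

```python
from typing import Dict, Tuple

Rules = Dict[Tuple[str, str], str]   # (subject label, object label) -> modes

# Constructed rule set for the failing case in the mail: two different labels,
# a rule granting each write access to the other, and nothing else.
MUTUAL_WRITE_RULES = """
Client Server w
Server Client w
"""

def parse_rules(text: str) -> Rules:
    """Parse '<subject> <object> <modes>' lines (/etc/smack/accesses format)."""
    rules: Rules = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        subject, obj, modes = line.split()
        rules[(subject, obj)] = "".join(m for m in modes if m in "rwxat")
    return rules

def smack_access(rules: Rules, subject: str, obj: str, mode: str) -> bool:
    """One access check for a single mode letter: built-in label rules first,
    then the explicit rule table (simplified model, not the kernel code)."""
    assert len(mode) == 1 and mode in "rwxat"
    if subject == "*":                    # star subject: never allowed anything
        return False
    if obj == "*" or subject == obj:      # star object or same label: allowed
        return True
    if obj == "_" and mode in "rx":       # floor object: readable by everyone
        return True
    if subject == "^" and mode in "rx":   # hat subject: reads everything
        return True
    return mode in rules.get((subject, obj), "")

def uds_connect_allowed(rules: Rules, client: str, server: str) -> bool:
    """Connect check as described in the mail: write access in both directions."""
    return (smack_access(rules, client, server, "w")
            and smack_access(rules, server, client, "w"))

def uds_connect_with_read(rules: Rules, client: str, server: str) -> bool:
    """Casey's hypothesis, modelled as an assumption: the new read_sock path
    also demands read access (direction assumed here: client -> server)."""
    return (uds_connect_allowed(rules, client, server)
            and smack_access(rules, client, server, "r"))
```

With the constructed rules, uds_connect_allowed("Client", "Server") is true while uds_connect_with_read("Client", "Server") is false, matching the "different labels, mutual write rule, always fails" case; the same-label case passes both checks.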

