lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <4ad30f21-9955-a72c-d7f0-912de6c205be@i-love.sakura.ne.jp>
Date:   Tue, 14 Dec 2021 20:36:28 +0900
From:   Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>
To:     Dmitry Vyukov <dvyukov@...gle.com>, takedakn@...data.co.jp,
        jmorris@...ei.org, serge@...lyn.com
Cc:     nogikh@...gle.com, linux-security-module@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] tomoyo: Check exceeded quota early in
 tomoyo_domain_quota_is_ok().

On 2021/12/14 18:45, Dmitry Vyukov wrote:
> If tomoyo is used in a testing/fuzzing environment in learning mode,
> for lots of domains the quota will be exceeded and stay exceeded
> for prolonged periods of time. In such cases it's pointless (and slow)
> to walk the whole acl list again and again just to rediscover that
> the quota is exceeded. We already have the TOMOYO_DIF_QUOTA_WARNED flag
> that notes the overflow condition. Check it early to avoid the slowdown.

Thank you.

This patch will make a slight but user visible change.

When tomoyo_profile(domain->ns, domain->profile)->pref[TOMOYO_PREF_MAX_LEARNING_ENTRY] is
increased (or domain->profile switches to a different profile which has larger
pref[TOMOYO_PREF_MAX_LEARNING_ENTRY] value) after domain->flags[TOMOYO_DIF_QUOTA_WARNED] = true
is called, tomoyo_domain_quota_is_ok() will continue returning "false", and ACLs are no longer
appended.

Therefore, administrator will have to manually do domain->flags[TOMOYO_DIF_QUOTA_WARNED] = false
after increasing pref[TOMOYO_PREF_MAX_LEARNING_ENTRY] value (or changing domain->profile).

But since the message

  WARNING: Domain '%s' has too many ACLs to hold. Stopped learning mode.

is a hint that tells administrator that "you will surely fail to try the enforcing mode on this
domain because the kernel has failed to automatically append at least one ACL to this domain",
administrator would have to retry the learning mode after increasing
pref[TOMOYO_PREF_MAX_LEARNING_ENTRY] value (or changing domain->profile) even without this patch.

Therefore, asking administrator to also clear domain->flags[TOMOYO_DIF_QUOTA_WARNED] after
increasing pref[TOMOYO_PREF_MAX_LEARNING_ENTRY] value (or changing domain->profile) would be
tolerable...

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ