Message-ID: <CAHC9VhS3LpJ_x7ZfdV83KY3U49XFGMLejz7rsiEH19rzyUfD-w@mail.gmail.com>
Date: Mon, 17 Apr 2023 17:56:42 -0400
From: Paul Moore <paul@...l-moore.com>
To: Nathan Lynch <nathanl@...ux.ibm.com>
Cc: Junxiao Bi <junxiao.bi@...cle.com>, linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org, jmorris@...ei.org,
serge@...lyn.com, axboe@...nel.dk, konrad.wilk@...cle.com,
joe.jin@...cle.com
Subject: Re: [PATCH V2] debugfs: allow access relay files in lockdown mode

On Mon, Apr 17, 2023 at 4:39 PM Nathan Lynch <nathanl@...ux.ibm.com> wrote:
> Junxiao Bi <junxiao.bi@...cle.com> writes:
> > Relay files are used by kernel to transfer information to userspace, these
> > files have permission 0400, but mmap is supported, so they are blocked by
> > lockdown. But since kernel just generates the contents of those files while
> > not reading it, it is safe to access relay files in lockdown mode.
> >
> > With this, blktrace can work well in lockdown mode.
>
> Assuming that all relay users do not expose the kinds of information
> that confidentiality mode tries to restrict, this change seems OK to
> me. I think that assumption applies to blktrace; apart from that, there
> is a handful of drivers that use relay files (I searched for
> relay_open() call sites, maybe there is a better way).

At the very least I see an Intel graphics driver and some network
drivers, but like you, that was a quick search and I'm probably
missing something. At the very least someone needs to go audit those
users/drivers to ensure this is safe to merge.

However, regardless of what that code audit may turn up, I'm a little
concerned that it would be all too easy to add a new relay interface
user which isn't safe. The check in debugfs_locked_down() is far too
removed from the code which is using the relay interface for it to be
likely noticed in a future case where an unsafe user is added. This
looks like a vulnerability waiting to happen.

--
paul-moore.com