Message-ID: <b68c9e1d-71c8-adf9-f7da-1b56a3d4bfbc@oracle.com>
Date:   Mon, 17 Apr 2023 16:48:57 -0700
From:   Junxiao Bi <junxiao.bi@...cle.com>
To:     Paul Moore <paul@...l-moore.com>,
        Nathan Lynch <nathanl@...ux.ibm.com>
Cc:     linux-kernel@...r.kernel.org,
        linux-security-module@...r.kernel.org, jmorris@...ei.org,
        serge@...lyn.com, axboe@...nel.dk, konrad.wilk@...cle.com,
        joe.jin@...cle.com
Subject: Re: [PATCH V2] debugfs: allow access relay files in lockdown mode

On 4/17/23 2:56 PM, Paul Moore wrote:

> On Mon, Apr 17, 2023 at 4:39 PM Nathan Lynch <nathanl@...ux.ibm.com> wrote:
>> Junxiao Bi <junxiao.bi@...cle.com> writes:
>>> Relay files are used by the kernel to transfer information to userspace; these
>>> files have permission 0400, but mmap is supported, so they are blocked by
>>> lockdown. But since the kernel just generates the contents of those files while
>>> not reading them, it is safe to access relay files in lockdown mode.
>>>
>>> With this, blktrace can work well in lockdown mode.
>> Assuming that all relay users do not expose the kinds of information
>> that confidentiality mode tries to restrict, this change seems OK to
>> me. I think that assumption applies to blktrace; apart from that, there
>> is a handful of drivers that use relay files (I searched for
>> relay_open() call sites, maybe there is a better way).
> At the very least I see an Intel graphics driver and some network
> drivers, but like you, that was a quick search and I'm probably
> missing something.  At the very least someone needs to go audit those
> users/drivers to ensure this is safe to merge.
>
> However, regardless of what that code audit may turn up, I'm a little
> concerned that it would be all too easy to add a new relay interface
> user which isn't safe.  The check in debugfs_locked_down() is far too
> removed from the code which is using the relay interface for it to be
> likely noticed in a future case where an unsafe user is added.  This
> looks like a vulnerability waiting to happen.

I got this concern. I will make a new version to limit it to only allow 
blktrace trace files.

Thanks,

Junxiao.
