lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20230420215331.88326-1-junxiao.bi@oracle.com>
Date:   Thu, 20 Apr 2023 14:53:30 -0700
From:   Junxiao Bi <junxiao.bi@...cle.com>
To:     linux-kernel@...r.kernel.org,
        linux-security-module@...r.kernel.org, linux-block@...r.kernel.org
Cc:     paul@...l-moore.com, nathanl@...ux.ibm.com, axboe@...nel.dk,
        jmorris@...ei.org, serge@...lyn.com, konrad.wilk@...cle.com,
        joe.jin@...cle.com, junxiao.bi@...cle.com
Subject: [PATCH V4 1/2] debugfs: provide a way for relay user bypass lockdown

Relay files in debugfs is used to export information from kernel to
userspace, relay user should tell whether the exported information
is safe to access in lockdown mode or not. The access will be denied
by default.

v4 <- v3:
refactor the code to make code more foolproof.

v3 <- v2:
allow only blktrace trace file instead of relay files
https://lore.kernel.org/all/20230418172656.33583-1-junxiao.bi@oracle.com/

v2 <- v1:
Fix build error when CONFIG_RELAY is not defined.
Reported-by: kernel test robot <lkp@...el.com>
Link: https://lore.kernel.org/oe-kbuild-all/202304121714.6mahd9EW-lkp@intel.com/
Signed-off-by: Junxiao Bi <junxiao.bi@...cle.com>
---
 fs/debugfs/file.c     | 11 +++++++++++
 include/linux/relay.h | 16 ++++++++++++++++
 kernel/relay.c        | 17 +++++++++++++++++
 3 files changed, 44 insertions(+)

diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
index 1f971c880dde..e12dd8634dc6 100644
--- a/fs/debugfs/file.c
+++ b/fs/debugfs/file.c
@@ -21,6 +21,7 @@
 #include <linux/pm_runtime.h>
 #include <linux/poll.h>
 #include <linux/security.h>
+#include <linux/relay.h>
 
 #include "internal.h"
 
@@ -142,6 +143,13 @@ EXPORT_SYMBOL_GPL(debugfs_file_put);
  * Only permit access to world-readable files when the kernel is locked down.
  * We also need to exclude any file that has ways to write or alter it as root
  * can bypass the permissions check.
+ * Exception:
+ * Relay files in debugfs are used by kernel to transfer data from kernel to
+ * userspace, these files are with permission 0400, but mmap is supported, so
+ * the access is blocked by default. But there are relay users like blktrace
+ * which will only export none security sensitive info to userspace, so provide
+ * a way for relay user to hook in to tell whether accessing the file in lockdown
+ * mode is safe or not.
  */
 static int debugfs_locked_down(struct inode *inode,
 			       struct file *filp,
@@ -154,6 +162,9 @@ static int debugfs_locked_down(struct inode *inode,
 	    !real_fops->mmap)
 		return 0;
 
+	if (relay_bypass_lockdown(inode, real_fops))
+		return 0;
+
 	if (security_locked_down(LOCKDOWN_DEBUGFS))
 		return -EPERM;
 
diff --git a/include/linux/relay.h b/include/linux/relay.h
index 72b876dd5cb8..0fd1fb638434 100644
--- a/include/linux/relay.h
+++ b/include/linux/relay.h
@@ -147,6 +147,19 @@ struct rchan_callbacks
 	 * This callback is mandatory.
 	 */
 	int (*remove_buf_file)(struct dentry *dentry);
+
+	/*
+	 * bypass_lockdown - check whether file can be accessed in lockdown mode.
+	 *
+	 * Called during file open. It depends on each relay user to tell whether
+	 * accessing the file is safe or not in lockdown mode.
+	 *
+	 * The callback should return "true" if allowing access, "false" if not.
+	 *
+	 * This callback is optional. If not set, accessing the file will be
+	 * denied in lockdown mode.
+	 */
+	bool (*bypass_lockdown)(struct inode *inode);
 };
 
 /*
@@ -279,8 +292,11 @@ extern const struct file_operations relay_file_operations;
 
 #ifdef CONFIG_RELAY
 int relay_prepare_cpu(unsigned int cpu);
+extern bool relay_bypass_lockdown(struct inode *inode,
+				 const struct file_operations *fops);
 #else
 #define relay_prepare_cpu     NULL
+#define relay_bypass_lockdown(inode, fops)    (false)
 #endif
 
 #endif /* _LINUX_RELAY_H */
diff --git a/kernel/relay.c b/kernel/relay.c
index 9aa70ae53d24..d5a76566ef62 100644
--- a/kernel/relay.c
+++ b/kernel/relay.c
@@ -1234,6 +1234,23 @@ static ssize_t relay_file_splice_read(struct file *in,
 	return ret;
 }
 
+bool relay_bypass_lockdown(struct inode *inode,
+				 const struct file_operations *fops)
+{
+	struct rchan_buf *buf;
+
+	/* Not a relay file */
+	if (fops != &relay_file_operations)
+		return false;
+
+	buf = (struct rchan_buf *)inode->i_private;
+	if (!buf->chan->cb->bypass_lockdown)
+		return false;
+
+	return buf->chan->cb->bypass_lockdown(inode);
+}
+EXPORT_SYMBOL_GPL(relay_bypass_lockdown);
+
 const struct file_operations relay_file_operations = {
 	.open		= relay_file_open,
 	.poll		= relay_file_poll,
-- 
2.24.3 (Apple Git-128)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ