Message-ID: <69c5a3b0-750f-4305-b09b-715d8f472e67@aisec.fraunhofer.de>
Date: Wed, 20 Dec 2023 20:44:55 +0100
From: Michael Weiß <michael.weiss@...ec.fraunhofer.de>
To: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@...onical.com>
CC: Christian Brauner <brauner@...nel.org>, Alexander Mikhalitsyn
	<alexander@...alicyn.com>, Alexei Starovoitov <ast@...nel.org>, Paul Moore
	<paul@...l-moore.com>, Daniel Borkmann <daniel@...earbox.net>, Andrii
 Nakryiko <andrii@...nel.org>, Martin KaFai Lau <martin.lau@...ux.dev>, Song
 Liu <song@...nel.org>, Yonghong Song <yhs@...com>, John Fastabend
	<john.fastabend@...il.com>, KP Singh <kpsingh@...nel.org>, Stanislav Fomichev
	<sdf@...gle.com>, Hao Luo <haoluo@...gle.com>, Jiri Olsa <jolsa@...nel.org>,
	Quentin Monnet <quentin@...valent.com>, Alexander Viro
	<viro@...iv.linux.org.uk>, Miklos Szeredi <miklos@...redi.hu>, Amir Goldstein
	<amir73il@...il.com>, "Serge E. Hallyn" <serge@...lyn.com>,
	<bpf@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
	<linux-fsdevel@...r.kernel.org>, <linux-security-module@...r.kernel.org>,
	<gyroidos@...ec.fraunhofer.de>
Subject: Re: [RFC PATCH v3 3/3] devguard: added device guard for mknod in
 non-initial userns

On 18.12.23 17:18, Alexander Mikhalitsyn wrote:
> On Fri, 15 Dec 2023 14:26:53 +0100
> Michael Weiß <michael.weiss@...ec.fraunhofer.de> wrote:
> 
>> On 15.12.23 13:31, Christian Brauner wrote:
>>> On Wed, Dec 13, 2023 at 03:38:13PM +0100, Michael Weiß wrote:
>>>> devguard is a simple LSM to allow CAP_MKNOD in non-initial user
>>>> namespace in cooperation with an attached cgroup device program. We
>>>> just need to implement the security_inode_mknod() hook for this.
>>>> In the hook, we check if the current task is guarded by a device
>>>> cgroup using the lately introduced cgroup_bpf_current_enabled()
>>>> helper. If so, we strip out SB_I_NODEV from the super block.
>>>>
>>>> Access decisions to those device nodes are then guarded by the existing
>>>> device cgroups mechanism.
>>>>
>>>> Signed-off-by: Michael Weiß <michael.weiss@...ec.fraunhofer.de>
>>>> ---
>>>
>>> I think you misunderstood me... My point was that I believe you don't
>>> need an additional LSM at all and no additional LSM hook. But I might be
>>> wrong. Only a POC would show.
>>
>> Yeah sorry, I got your point now.
>>
>>>
>>> Just write a bpf lsm program that strips SB_I_NODEV in the existing
>>> security_sb_set_mnt_opts() call which is guaranteed to be called when a
>>> new superblock is created.
>>
>> This does not work since SB_I_NODEV is a required_iflag in
>> mount_too_revealing(). This I have already tested when writing the
>> simple LSM here. So maybe we need to drop SB_I_NODEV from required_flags
>> there, too. Would that be safe?
>>
>>>
>>> Store your device access rules in a bpf map or in the sb->s_security
>>> blob (This is where I'm fuzzy and could use a bpf LSM expert's input.).
>>>
>>> Then make that bpf lsm program kick in every time a
>>> security_inode_mknod() and security_file_open() is called and do device
>>> access management in there. Actually, you might need to add one hook
>>> when the actual device that's about to be opened is known.
>>> This should be where today the device access hooks are called.
>>>
>>> And then you should already be done with this. The only thing that you
>>> need is the capable check patch.
>>>
>>> You don't need that cgroup_bpf_current_enabled() per se. Device
>>> management could now be done per superblock, and not per task. IOW, you
>>> allowlist a bunch of devices that can be created and opened. Any task
>>> that passes basic permission checks and that passes the bpf lsm program
>>> may create device nodes.
>>>
>>> That's a way more natural device management model than making this a per
>>> cgroup thing. Though that could be implemented as well with this.
>>>
>>> I would try to write a bpf lsm program that does device access
>>> management with your capable() sysctl patch applied and see how far I
>>> get.
>>>
>>> I don't have the time otherwise I'd do it.
>> I'll give it a try but no promises how fast this will go.
> 
> Hi Michael,
> 
> thanks for your work on this!
> 
> If you don't mind, I'm ready to help you with writing the PoC for this bpf-based approach;
> as I have touched eBPF earlier, I guess I can save some of your time. (I'll post it here and you will include it
> in your patch series.)

Yeah for sure. This would be very helpful, thanks.
I'll start to sort Christian's patches of this thread and get the missing security
hook for the remaining checks lined up from v2 then.

> 
> Kind regards,
> Alex
> 
>>
> 
> 
