lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240307-fehlten-gewinn-18c93d5fb9e6@brauner>
Date: Thu, 7 Mar 2024 11:17:13 +0100
From: Christian Brauner <brauner@...nel.org>
To: Mickaël Salaün <mic@...ikod.net>
Cc: Günther Noack <gnoack@...gle.com>, 
	Jann Horn <jannh@...gle.com>, Paul Moore <paul@...l-moore.com>, 
	Kees Cook <keescook@...omium.org>, Konstantin Meskhidze <konstantin.meskhidze@...wei.com>, 
	"Serge E . Hallyn" <serge@...lyn.com>, linux-kernel@...r.kernel.org, 
	linux-security-module@...r.kernel.org
Subject: Re: [PATCH] landlock: Use f_cred in security_file_open() hook

On Thu, Mar 07, 2024 at 10:52:03AM +0100, Mickaël Salaün wrote:
> Use landlock_cred(file->f_cred)->domain instead of
> landlock_get_current_domain() in security_file_open() hook
> implementation.
> 
> This should not change the current behavior but could avoid potential
> race conditions in case of current task's credentials change.

I have no problem with the patch but I'm curious how that credential
change could happen behind your back?

> 
> This will also ensure consistency with upcoming audit support relying on
> file->f_cred.
> 
> Add and use a new get_fs_domain() helper to mask non-filesystem domains.
> 
> file->f_cred is set by path_openat()/alloc_empty_file()/init_file() just
> before calling security_file_alloc().
> 
> Cc: Christian Brauner <brauner@...nel.org>
> Cc: Günther Noack <gnoack@...gle.com>
> Cc: Jann Horn <jannh@...gle.com>
> Cc: Kees Cook <keescook@...omium.org>
> Cc: Paul Moore <paul@...l-moore.com>
> Signed-off-by: Mickaël Salaün <mic@...ikod.net>
> Link: https://lore.kernel.org/r/20240307095203.1467189-1-mic@digikod.net
> ---
>  security/landlock/fs.c | 18 +++++++++++-------
>  1 file changed, 11 insertions(+), 7 deletions(-)
> 
> diff --git a/security/landlock/fs.c b/security/landlock/fs.c
> index 6f0bf1434a2c..c15559432d3d 100644
> --- a/security/landlock/fs.c
> +++ b/security/landlock/fs.c
> @@ -248,15 +248,18 @@ get_handled_fs_accesses(const struct landlock_ruleset *const domain)
>  	       LANDLOCK_ACCESS_FS_INITIALLY_DENIED;
>  }
>  
> -static const struct landlock_ruleset *get_current_fs_domain(void)
> +static const struct landlock_ruleset *
> +get_fs_domain(const struct landlock_ruleset *const domain)
>  {
> -	const struct landlock_ruleset *const dom =
> -		landlock_get_current_domain();
> -
> -	if (!dom || !get_raw_handled_fs_accesses(dom))
> +	if (!domain || !get_raw_handled_fs_accesses(domain))
>  		return NULL;
>  
> -	return dom;
> +	return domain;
> +}
> +
> +static const struct landlock_ruleset *get_current_fs_domain(void)
> +{
> +	return get_fs_domain(landlock_get_current_domain());
>  }
>  
>  /*
> @@ -1334,7 +1337,8 @@ static int hook_file_open(struct file *const file)
>  	layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_FS] = {};
>  	access_mask_t open_access_request, full_access_request, allowed_access;
>  	const access_mask_t optional_access = LANDLOCK_ACCESS_FS_TRUNCATE;
> -	const struct landlock_ruleset *const dom = get_current_fs_domain();
> +	const struct landlock_ruleset *const dom =
> +		get_fs_domain(landlock_cred(file->f_cred)->domain);
>  
>  	if (!dom)
>  		return 0;
> -- 
> 2.44.0
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ