| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 28 May 2021 11:56:02 +0200
From: Daniel Borkmann <daniel@...earbox.net>
To: Paul Moore <paul@...l-moore.com>,
Ondrej Mosnacek <omosnace@...hat.com>
Cc: linux-security-module@...r.kernel.org,
James Morris <jmorris@...ei.org>,
Steven Rostedt <rostedt@...dmis.org>,
Ingo Molnar <mingo@...hat.com>,
Stephen Smalley <stephen.smalley.work@...il.com>,
selinux@...r.kernel.org, linuxppc-dev@...ts.ozlabs.org,
linux-fsdevel@...r.kernel.org, bpf@...r.kernel.org,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
Casey Schaufler <casey@...aufler-ca.com>, jolsa@...hat.com,
andrii.nakryiko@...il.com
Subject: Re: [PATCH v2] lockdown,selinux: avoid bogus SELinux lockdown
permission checks
On 5/28/21 9:09 AM, Daniel Borkmann wrote:
> On 5/28/21 3:37 AM, Paul Moore wrote:
>> On Mon, May 17, 2021 at 5:22 AM Ondrej Mosnacek <omosnace@...hat.com> wrote:
>>>
>>> Commit 59438b46471a ("security,lockdown,selinux: implement SELinux
>>> lockdown") added an implementation of the locked_down LSM hook to
>>> SELinux, with the aim to restrict which domains are allowed to perform
>>> operations that would breach lockdown.
>>>
>>> However, in several places the security_locked_down() hook is called in
>>> situations where the current task isn't doing any action that would
>>> directly breach lockdown, leading to SELinux checks that are basically
>>> bogus.
>>>
>>> Since in most of these situations converting the callers such that
>>> security_locked_down() is called in a context where the current task
>>> would be meaningful for SELinux is impossible or very non-trivial (and
>>> could lead to TOCTOU issues for the classic Lockdown LSM
>>> implementation), fix this by modifying the hook to accept a struct cred
>>> pointer as argument, where NULL will be interpreted as a request for a
>>> "global", task-independent lockdown decision only. Then modify SELinux
>>> to ignore calls with cred == NULL.
>>
>> I'm not overly excited about skipping the access check when cred is
>> NULL. Based on the description and the little bit that I've dug into
>> thus far it looks like using SECINITSID_KERNEL as the subject would be
>> much more appropriate. *Something* (the kernel in most of the
>> relevant cases it looks like) is requesting that a potentially
>> sensitive disclosure be made, and ignoring it seems like the wrong
>> thing to do. Leaving the access control intact also provides a nice
>> avenue to audit these requests should users want to do that.
>
> I think the rationale/workaround for ignoring calls with cred == NULL (or the previous
> patch with the unimplemented hook) from Ondrej was two-fold, at least speaking for his
> seen tracing cases:
>
> i) The audit events that are triggered due to calls to security_locked_down()
> can OOM kill a machine, see below details [0].
>
> ii) It seems to be causing a deadlock via slow_avc_audit() -> audit_log_end()
> when presumingly trying to wake up kauditd [1].
Ondrej / Paul / Jiri: at least for the BPF tracing case specifically (I haven't looked
at the rest but it's also kind of independent), the attached fix should address both
reported issues, please take a look & test.
Thanks a lot,
Daniel
View attachment "0001-bpf-audit-lockdown-Fix-bogus-SELinux-lockdown-permis.patch" of type "text/x-patch" (9282 bytes)
Powered by blists - more mailing lists