lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 28 Oct 2022 05:31:20 -0700 From: John Johansen <john.johansen@...onical.com> To: Paul Moore <paul@...l-moore.com>, Casey Schaufler <casey@...aufler-ca.com> Cc: netdev@...r.kernel.org, Alexei Starovoitov <alexei.starovoitov@...il.com>, linux-security-module@...r.kernel.org, selinux@...r.kernel.org Subject: Re: [PATCH] lsm: make security_socket_getpeersec_stream() sockptr_t safe On 10/10/22 15:00, Paul Moore wrote: > On Mon, Oct 10, 2022 at 5:58 PM Paul Moore <paul@...l-moore.com> wrote: >> >> Commit 4ff09db1b79b ("bpf: net: Change sk_getsockopt() to take the >> sockptr_t argument") made it possible to call sk_getsockopt() >> with both user and kernel address space buffers through the use of >> the sockptr_t type. Unfortunately at the time of conversion the >> security_socket_getpeersec_stream() LSM hook was written to only >> accept userspace buffers, and in a desire to avoid having to change >> the LSM hook the commit author simply passed the sockptr_t's >> userspace buffer pointer. Since the only sk_getsockopt() callers >> at the time of conversion which used kernel sockptr_t buffers did >> not allow SO_PEERSEC, and hence the >> security_socket_getpeersec_stream() hook, this was acceptable but >> also very fragile as future changes presented the possibility of >> silently passing kernel space pointers to the LSM hook. >> >> There are several ways to protect against this, including careful >> code review of future commits, but since relying on code review to >> catch bugs is a recipe for disaster and the upstream eBPF maintainer >> is "strongly against defensive programming", this patch updates the >> LSM hook, and all of the implementations to support sockptr_t and >> safely handle both user and kernel space buffers. >> >> Signed-off-by: Paul Moore <paul@...l-moore.com> >> --- >> include/linux/lsm_hook_defs.h | 2 +- >> include/linux/lsm_hooks.h | 4 ++-- >> include/linux/security.h | 11 +++++++---- >> net/core/sock.c | 3 ++- >> security/apparmor/lsm.c | 29 +++++++++++++---------------- >> security/security.c | 6 +++--- >> security/selinux/hooks.c | 13 ++++++------- >> security/smack/smack_lsm.c | 19 ++++++++++--------- >> 8 files changed, 44 insertions(+), 43 deletions(-) > > Casey and John, could you please look over the Smack and AppArmor bits > of this patch when you get a chance? I did my best on the conversion, > but I would appreciate a review by the experts :) > yes, I plan to look at it this weekend
Powered by blists - more mailing lists