| Message ID | 20180926203446.2004-4-casey.schaufler@intel.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | LSM: Support ptrace sidechannel access checks | expand |
On Wed, Sep 26, 2018, 4:35 PM Casey Schaufler <casey.schaufler@intel.com> wrote: > From: Casey Schaufler <casey@schaufler-ca.com> > > A ptrace access check with mode PTRACE_MODE_SCHED gets called > from process switching code. This precludes the use of audit or avc, > as the locking is incompatible. The only available check that > can be made without using avc is a comparison of the secids. > This is not very satisfactory as it will indicate possible > vulnerabilies much too aggressively. > We already have a flag to disable audit. What locking conflict is presented by the avc, which uses rcu? > Signed-off-by: Casey Schaufler <casey.schaufler@intel.com> > --- > security/selinux/hooks.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index ad9a9b8e9979..160239791007 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -2267,6 +2267,8 @@ static int selinux_ptrace_access_check(struct > task_struct *child, > u32 sid = current_sid(); > u32 csid = task_sid(child); > > + if (mode & PTRACE_MODE_SCHED) > + return sid == csid ? 0 : -EACCES; > if (mode & PTRACE_MODE_READ) > return avc_has_perm(&selinux_state, > sid, csid, SECCLASS_FILE, FILE__READ, > NULL); > -- > 2.17.1 > > <div dir="auto"><div><div class="gmail_quote"><div dir="ltr">On Wed, Sep 26, 2018, 4:35 PM Casey Schaufler <<a href="mailto:casey.schaufler@intel.com">casey.schaufler@intel.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">From: Casey Schaufler <<a href="mailto:casey@schaufler-ca.com" target="_blank" rel="noreferrer">casey@schaufler-ca.com</a>><br> <br> A ptrace access check with mode PTRACE_MODE_SCHED gets called<br> from process switching code. This precludes the use of audit or avc,<br> as the locking is incompatible. The only available check that<br> can be made without using avc is a comparison of the secids.<br> This is not very satisfactory as it will indicate possible<br> vulnerabilies much too aggressively.<br></blockquote></div></div><div dir="auto"><br></div><div dir="auto">We already have a flag to disable audit. What locking conflict is presented by the avc, which uses rcu? </div><div dir="auto"><br></div><div dir="auto"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <br> Signed-off-by: Casey Schaufler <<a href="mailto:casey.schaufler@intel.com" target="_blank" rel="noreferrer">casey.schaufler@intel.com</a>><br> ---<br> security/selinux/hooks.c | 2 ++<br> 1 file changed, 2 insertions(+)<br> <br> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c<br> index ad9a9b8e9979..160239791007 100644<br> --- a/security/selinux/hooks.c<br> +++ b/security/selinux/hooks.c<br> @@ -2267,6 +2267,8 @@ static int selinux_ptrace_access_check(struct task_struct *child,<br> u32 sid = current_sid();<br> u32 csid = task_sid(child);<br> <br> + if (mode & PTRACE_MODE_SCHED)<br> + return sid == csid ? 0 : -EACCES;<br> if (mode & PTRACE_MODE_READ)<br> return avc_has_perm(&selinux_state,<br> sid, csid, SECCLASS_FILE, FILE__READ, NULL);<br> -- <br> 2.17.1<br> <br> </blockquote></div></div></div>
> -----Original Message----- > From: Stephen Smalley [mailto:sds@tycho.nsa.gov] > Sent: Thursday, September 27, 2018 8:50 AM > To: Schaufler, Casey <casey.schaufler@intel.com>; kernel- > hardening@lists.openwall.com; linux-kernel@vger.kernel.org; linux-security- > module@vger.kernel.org; selinux@tycho.nsa.gov; Hansen, Dave > <dave.hansen@intel.com>; Dock, Deneen T <deneen.t.dock@intel.com>; > kristen@linux.intel.com; arjan@linux.intel.com; Paul Moore <paul@paul- > moore.com> > Subject: Re: [PATCH v5 3/5] SELinux: Prepare for PTRACE_MODE_SCHED > > On 09/26/2018 04:34 PM, Casey Schaufler wrote: > > From: Casey Schaufler <casey@schaufler-ca.com> > > > > A ptrace access check with mode PTRACE_MODE_SCHED gets called > > from process switching code. This precludes the use of audit or avc, > > as the locking is incompatible. The only available check that > > can be made without using avc is a comparison of the secids. > > This is not very satisfactory as it will indicate possible > > vulnerabilies much too aggressively. > Can you document (in the patch description and/or in the inline > documentation in lsm_hooks.h) what locks can be safely used when this > hook is called with PTRACE_MODE_SCHED? rcu_read_lock() seemingly must > be safe since it is being called by task_sid() below. Are any other > locking primitives safe? Peter Zijlstra <peterz@infradead.org> had this comment on locking in the SELinux ptrace path. avc_has_perm_noaudit() security_compute_av() read_lock(&state->ss->policy_rwlock); avc_insert() spin_lock_irqsave(); avc_denied() avc_update_node() spin_lock_irqsave(); under the scheduler's raw_spinlock_t, which are invalid lock nestings. I don't know that it would be impossible to address these issues, but as many people have noted over the years I am not now nor have ever been an expert on locking. > > Does the PTRACE_MODE_SCHED check have to occur while holding the > scheduler lock, or could it be performed before taking the lock? My understanding is that the lock is required. > Can you cite the commit or patch posting (e.g. from lore or patchwork) > that defines PTRACE_MODE_SCHED and its usage as part of the patch > description for context? Is this based on the v7 patchset, e.g. > https://lore.kernel.org/lkml/nycvar.YFH.7.76.1809251437340.15880@cbobk.fhf > r.pm/ Yes, that's the one. Sorry, I should have identified that. > > > > > Signed-off-by: Casey Schaufler <casey.schaufler@intel.com> > > --- > > security/selinux/hooks.c | 2 ++ > > 1 file changed, 2 insertions(+) > > > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > > index ad9a9b8e9979..160239791007 100644 > > --- a/security/selinux/hooks.c > > +++ b/security/selinux/hooks.c > > @@ -2267,6 +2267,8 @@ static int selinux_ptrace_access_check(struct > task_struct *child, > > u32 sid = current_sid(); > > u32 csid = task_sid(child); > > > > + if (mode & PTRACE_MODE_SCHED) > > + return sid == csid ? 0 : -EACCES; > IIUC, this logic is essentially the same as the uid-based check, > including the fact that even a "privileged" process is not given any > special handling since they always return false from ptrace_has_cap() > for PTRACE_MODE_SCHED. If they are ok with applying IBPB whenever uids > differ, then doing so whenever sids/contexts differ does not seem like > an onerous thing. > > > > if (mode & PTRACE_MODE_READ) > > return avc_has_perm(&selinux_state, > > sid, csid, SECCLASS_FILE, FILE__READ, > NULL); > >
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index ad9a9b8e9979..160239791007 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2267,6 +2267,8 @@ static int selinux_ptrace_access_check(struct task_struct *child, u32 sid = current_sid(); u32 csid = task_sid(child); + if (mode & PTRACE_MODE_SCHED) + return sid == csid ? 0 : -EACCES; if (mode & PTRACE_MODE_READ) return avc_has_perm(&selinux_state, sid, csid, SECCLASS_FILE, FILE__READ, NULL);