Message ID | 1555067094-9861-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp (mailing list archive) |
---|---|
State | New, archived |
Series | [(resend)] tomoyo: Add a kernel config option for fuzzing testing. |
James, will you apply this patch and "[PATCH 3/3] tomoyo: Check address length before reading address family" and "[PATCH] tomoyo: Change pathname calculation for read-only filesystems." ?

On 2019/04/12 20:04, Tetsuo Handa wrote:
> syzbot is reporting kernel panic triggered by memory allocation fault
> injection before loading TOMOYO's policy [1]. To make the fuzzing tests
> useful, we need to assign a profile other than "disabled" (no-op) mode.
> Therefore, let's allow syzbot to load TOMOYO's built-in policy for
> "learning" mode using a kernel config option. This option must not be
> enabled for kernels built for production system, for this option also
> disables domain/program checks when modifying policy configuration via
> /sys/kernel/security/tomoyo/ interface.
>
> [1] https://syzkaller.appspot.com/bug?extid=29569ed06425fcf67a95
>
> Reported-by: syzbot <syzbot+e1b8084e532b6ee7afab@syzkaller.appspotmail.com>
> Reported-by: syzbot <syzbot+29569ed06425fcf67a95@syzkaller.appspotmail.com>
> Reported-by: syzbot <syzbot+2ee3f8974c2e7dc69feb@syzkaller.appspotmail.com>
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> ---
> security/tomoyo/Kconfig | 10 ++++++++++
> security/tomoyo/common.c | 13 ++++++++++++-
> 2 files changed, 22 insertions(+), 1 deletion(-)
On Mon, 22 Apr 2019, Tetsuo Handa wrote:
> James, will you apply this patch and
> "[PATCH 3/3] tomoyo: Check address length before reading address family" and
> "[PATCH] tomoyo: Change pathname calculation for read-only filesystems." ?

On the 2nd one, did we see any feedback from Al?

>
> On 2019/04/12 20:04, Tetsuo Handa wrote:
> > syzbot is reporting kernel panic triggered by memory allocation fault
> > injection before loading TOMOYO's policy [1]. To make the fuzzing tests
> > useful, we need to assign a profile other than "disabled" (no-op) mode.
> > Therefore, let's allow syzbot to load TOMOYO's built-in policy for
> > "learning" mode using a kernel config option. This option must not be
> > enabled for kernels built for production system, for this option also
> > disables domain/program checks when modifying policy configuration via
> > /sys/kernel/security/tomoyo/ interface.
> >
> > [1] https://syzkaller.appspot.com/bug?extid=29569ed06425fcf67a95
> >
> > Reported-by: syzbot <syzbot+e1b8084e532b6ee7afab@syzkaller.appspotmail.com>
> > Reported-by: syzbot <syzbot+29569ed06425fcf67a95@syzkaller.appspotmail.com>
> > Reported-by: syzbot <syzbot+2ee3f8974c2e7dc69feb@syzkaller.appspotmail.com>
> > Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> > ---
> > security/tomoyo/Kconfig | 10 ++++++++++
> > security/tomoyo/common.c | 13 ++++++++++++-
> > 2 files changed, 22 insertions(+), 1 deletion(-)
>
On 2019/04/23 7:52, James Morris wrote:
> On Mon, 22 Apr 2019, Tetsuo Handa wrote:
>
>> James, will you apply this patch and
>> "[PATCH 3/3] tomoyo: Check address length before reading address family" and
>> "[PATCH] tomoyo: Change pathname calculation for read-only filesystems." ?
>
> On the 2nd one, did we see any feedback from Al?
>

Not yet. I wonder if he has any comment... But I believe there is no reason to delay this patch and the "[PATCH 3/3] tomoyo: Check address length before reading address family" patch, because these two patches are needed for avoiding crashes by syzbot's testing.
On Fri, 12 Apr 2019, Tetsuo Handa wrote:
> syzbot is reporting kernel panic triggered by memory allocation fault
> injection before loading TOMOYO's policy [1]. To make the fuzzing tests
> useful, we need to assign a profile other than "disabled" (no-op) mode.
> Therefore, let's allow syzbot to load TOMOYO's built-in policy for
> "learning" mode using a kernel config option. This option must not be
> enabled for kernels built for production system, for this option also
> disables domain/program checks when modifying policy configuration via
> /sys/kernel/security/tomoyo/ interface.
>
> [1] https://syzkaller.appspot.com/bug?extid=29569ed06425fcf67a95
>
> Reported-by: syzbot <syzbot+e1b8084e532b6ee7afab@syzkaller.appspotmail.com>
> Reported-by: syzbot <syzbot+29569ed06425fcf67a95@syzkaller.appspotmail.com>
> Reported-by: syzbot <syzbot+2ee3f8974c2e7dc69feb@syzkaller.appspotmail.com>
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> ---
> security/tomoyo/Kconfig | 10 ++++++++++
> security/tomoyo/common.c | 13 ++++++++++++-
> 2 files changed, 22 insertions(+), 1 deletion(-)
>

Applied to git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next-tomoyo
diff --git a/security/tomoyo/Kconfig b/security/tomoyo/Kconfig index 404dce6..a00ab7e 100644 --- a/security/tomoyo/Kconfig +++ b/security/tomoyo/Kconfig @@ -74,3 +74,13 @@ config SECURITY_TOMOYO_ACTIVATION_TRIGGER You can override this setting via TOMOYO_trigger= kernel command line option. For example, if you pass init=/bin/systemd option, you may want to also pass TOMOYO_trigger=/bin/systemd option. + +config SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING + bool "Use insecure built-in settings for fuzzing tests." + default n + depends on SECURITY_TOMOYO + select SECURITY_TOMOYO_OMIT_USERSPACE_LOADER + help + Enabling this option forces minimal built-in policy and disables + domain/program checks for run-time policy modifications. Please enable + this option only if this kernel is built for doing fuzzing tests. diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c index 57988d9..dd3d594 100644 --- a/security/tomoyo/common.c +++ b/security/tomoyo/common.c @@ -940,7 +940,7 @@ static bool tomoyo_manager(void) const char *exe; const struct task_struct *task = current; const struct tomoyo_path_info *domainname = tomoyo_domain()->domainname; - bool found = false; + bool found = IS_ENABLED(CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING); if (!tomoyo_policy_loaded) return true; 
@@ -2810,6 +2810,16 @@ void tomoyo_check_profile(void) */ void __init tomoyo_load_builtin_policy(void) { +#ifdef CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING + static char tomoyo_builtin_profile[] __initdata = + "PROFILE_VERSION=20150505\n" + "0-CONFIG={ mode=learning grant_log=no reject_log=yes }\n"; + static char tomoyo_builtin_exception_policy[] __initdata = + "aggregator proc:/self/exe /proc/self/exe\n"; + static char tomoyo_builtin_domain_policy[] __initdata = ""; + static char tomoyo_builtin_manager[] __initdata = ""; + static char tomoyo_builtin_stat[] __initdata = ""; +#else /* * This include file is manually created and contains built-in policy * named "tomoyo_builtin_profile", "tomoyo_builtin_exception_policy", @@ -2817,6 +2827,7 @@ void __init tomoyo_load_builtin_policy(void) * "tomoyo_builtin_stat" in the form of "static char [] __initdata". */ #include "builtin-policy.h" +#endif u8 i; const int idx = tomoyo_read_lock();
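Review bot: In the Kconfig hunk, the help text for SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING understates the consequence that the commit message spells out: with domain/program checks disabled, any process that can open /sys/kernel/security/tomoyo/ can rewrite policy, and because the option also replaces the built-in policy, whatever the builder placed in builtin-policy.h is ignored. Suggest stating both directly in the help, e.g. "Any process able to write to /sys/kernel/security/tomoyo/ can modify policy, and builtin-policy.h is not used." Two style points: `default n` is the implicit default for a bool and can be dropped, and the prompt string `"Use insecure built-in settings for fuzzing tests."` carries a trailing period that other TOMOYO prompts in this file do not.

Review bot: In the tomoyo_manager() hunk, `bool found = IS_ENABLED(CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING);` makes every caller a policy manager, but nothing at the site says so; a reader skimming the function sees a normal lookup whose result happens to be pre-seeded. Unless the rest of the function must still run for its side effects, an explicit early return with a comment, placed after the `if (!tomoyo_policy_loaded) return true;` check, e.g. `/* Fuzzing build: skip manager checks. */` followed by `if (IS_ENABLED(CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING)) return true;`, would make the bypass visible and avoid the unneeded lookup.

Review bot: In the tomoyo_load_builtin_policy() hunk, the `#ifdef` branch silently substitutes its own five arrays for `#include "builtin-policy.h"`, and the empty `tomoyo_builtin_manager[]` only works because tomoyo_manager() is short-circuited in the other hunk of this patch; that coupling is not recorded anywhere. Suggest a comment above `#ifdef CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING` noting that this block overrides builtin-policy.h, that the manager list is intentionally empty because the manager check is disabled under this option, and what the single `0-CONFIG={ mode=learning grant_log=no reject_log=yes }` profile line is meant to achieve for the fuzzer.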
syzbot is reporting kernel panic triggered by memory allocation fault
injection before loading TOMOYO's policy [1]. To make the fuzzing tests
useful, we need to assign a profile other than "disabled" (no-op) mode.
Therefore, let's allow syzbot to load TOMOYO's built-in policy for
"learning" mode using a kernel config option. This option must not be
enabled for kernels built for production system, for this option also
disables domain/program checks when modifying policy configuration via
/sys/kernel/security/tomoyo/ interface.

[1] https://syzkaller.appspot.com/bug?extid=29569ed06425fcf67a95

Reported-by: syzbot <syzbot+e1b8084e532b6ee7afab@syzkaller.appspotmail.com>
Reported-by: syzbot <syzbot+29569ed06425fcf67a95@syzkaller.appspotmail.com>
Reported-by: syzbot <syzbot+2ee3f8974c2e7dc69feb@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
security/tomoyo/Kconfig | 10 ++++++++++
security/tomoyo/common.c | 13 ++++++++++++-
2 files changed, 22 insertions(+), 1 deletion(-)