From patchwork Wed Nov 11 10:44:08 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Aleksandr Nogikh X-Patchwork-Id: 11897377 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id B4F9714C0 for ; Wed, 11 Nov 2020 10:45:13 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 871C92063A for ; Wed, 11 Nov 2020 10:45:13 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="IjeglUGh" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725895AbgKKKpM (ORCPT ); Wed, 11 Nov 2020 05:45:12 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55428 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725859AbgKKKpL (ORCPT ); Wed, 11 Nov 2020 05:45:11 -0500 Received: from mail-wm1-x341.google.com (mail-wm1-x341.google.com [IPv6:2a00:1450:4864:20::341]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5A7B6C0613D1; Wed, 11 Nov 2020 02:45:11 -0800 (PST) Received: by mail-wm1-x341.google.com with SMTP id h62so1874361wme.3; Wed, 11 Nov 2020 02:45:11 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=sT+gZe0r8U7E1fOWd1D4bWdDDMPbW0dyZ/UKoJjOFwo=; b=IjeglUGhhwfyqF1t7cRE2AWo+xXAdfcUxs6HWQeAOup8QzPegm1owlp+4JqPar0TC3 JTVj3XDEebdOVpOOp6cOqU9GdI1gEuiIGF9Nr+GqFbVnXz6XZh55FLDEQZavgxL4fvxX 6SKql2uoULuDYTnaYAA4/5G0lW3axvufGDZLPmiuO7sokzBCvh5kH9EUfiiJU8Ml7VHe pTwoDRf6JrwcCSpHxLZAjW6Y4CxyMt1BQcVDHWwiHHxAervGsGqknQB4iEfMOFLiR3Lh dtNakCkiC2SuWTwru7vQe6qAlraXN6YsdZkV9xmGnl3SGWIr9qCnw0bnX/GwtBfztpxF 7ZUA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=sT+gZe0r8U7E1fOWd1D4bWdDDMPbW0dyZ/UKoJjOFwo=; b=LvKL+DZpyx4/NZKaxDxnpJbgRgKgbOy2Aqi908msJ/udNWklkKy+/H28vdffUCsAqi 9EdjKKlPuhC6O598MMxiGqDIa8kiLcTcI7a+zH1u02YTHDsvPsFKk8uvYMBzXEgaplS6 KE4yUFOt31wJ7aXTqrhGHBICQalg4sfHPA7gLsgToo1/IXUjlZUfah+oNWrGhTqFack8 0F69gKEZJRzuOdLOGMkHJFVfciy4v07pxK+wooYIuT3iGq8V6LypoUzVRsqbc5c1T8ez v53TIEZQ1uEejgdJfuBotLiPNfHz1iXLmfCvdkylTxTN0pvZJPy6U6CVavnEcxeH+Kju bXxQ== X-Gm-Message-State: AOAM531B4IXyamUmLENv9PiTF72Zj8cSnwdE1JvcQRaridBk6RlqkQKR uuVSSQXOpH2qbs50oPbEi4w= X-Google-Smtp-Source: ABdhPJzOfqB+nORtxB9KG/o7pYhAyjUAyFHG8HiCIMlUMhyRlB6b0MMzp49GIpohgJakl8omEOYDtA== X-Received: by 2002:a1c:c203:: with SMTP id s3mr3353522wmf.77.1605091510130; Wed, 11 Nov 2020 02:45:10 -0800 (PST) Received: from nogikh.c.googlers.com.com (88.140.78.34.bc.googleusercontent.com. [34.78.140.88]) by smtp.gmail.com with ESMTPSA id u195sm2111549wmu.18.2020.11.11.02.45.09 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 11 Nov 2020 02:45:09 -0800 (PST) From: Aleksandr Nogikh To: jmorris@namei.org, serge@hallyn.com, akinobu.mita@gmail.com Cc: andreyknvl@google.com, dvyukov@google.com, elver@google.com, glider@google.com, keescook@google.com, casey@schaufler-ca.com, penguin-kernel@i-love.sakura.ne.jp, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, mortonm@chromium.org, Aleksandr Nogikh , Tetsuo Handa Subject: [PATCH v4 1/2] security: add fault injection capability Date: Wed, 11 Nov 2020 10:44:08 +0000 Message-Id: <20201111104409.1530957-2-a.nogikh@gmail.com> X-Mailer: git-send-email 2.29.2.222.g5d2a92d10f8-goog In-Reply-To: <20201111104409.1530957-1-a.nogikh@gmail.com> References: <20201111104409.1530957-1-a.nogikh@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: From: Aleksandr Nogikh Add a fault injection capability to call_int_hook macro. This will facilitate testing of fault tolerance of the code that invokes security hooks as well as the fault tolerance of the LSM implementations themselves. Add a KConfig option (CONFIG_FAIL_LSM_HOOKS) that controls whether the capability is enabled. In order to enable configuration from the user space, add the standard debugfs entries for fault injection (if CONFIG_FAULT_INJECTION_DEBUG_FS is enabled). Signed-off-by: Aleksandr Nogikh Reviewed-by: Marco Elver Reviewed-by: Tetsuo Handa Reviewed-by: Andrey Konovalov Reviewed-by: Alexander Potapenko --- v4: - Changed retval debugfs file type - now it keeps a signed integer. - Made CONFIG_FAIL_LSM_HOOKS depend on CONFIG_SECURITY. v2: - Renamed should_fail_lsm_hook() to lsm_hooks_inject_fail(). --- lib/Kconfig.debug | 6 ++++ security/security.c | 69 +++++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 72 insertions(+), 3 deletions(-) diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug index 6140413174be..5f4399816019 100644 --- a/lib/Kconfig.debug +++ b/lib/Kconfig.debug @@ -1813,6 +1813,12 @@ config FAIL_MAKE_REQUEST help Provide fault-injection capability for disk IO. +config FAIL_LSM_HOOKS + bool "Fault-injection capability for LSM hooks" + depends on FAULT_INJECTION && SECURITY + help + Provide fault-injection capability for LSM hooks. + config FAIL_IO_TIMEOUT bool "Fault-injection capability for faking disk interrupts" depends on FAULT_INJECTION && BLOCK diff --git a/security/security.c b/security/security.c index 69ff6e2e2cd4..be3a3c7c6d6a 100644 --- a/security/security.c +++ b/security/security.c @@ -28,6 +28,7 @@ #include #include #include +#include #include #define MAX_LSM_EVM_XATTR 2 @@ -669,6 +670,67 @@ static void __init lsm_early_task(struct task_struct *task) panic("%s: Early task alloc failed.\n", __func__); } + +#ifdef CONFIG_FAIL_LSM_HOOKS + +static struct { + struct fault_attr attr; + int retval; +} fail_lsm_hooks = { + .attr = FAULT_ATTR_INITIALIZER, + .retval = -EACCES +}; + +static int __init setup_fail_lsm_hooks(char *str) +{ + return setup_fault_attr(&fail_lsm_hooks.attr, str); +} +__setup("fail_lsm_hooks=", setup_fail_lsm_hooks); + +static int lsm_hooks_inject_fail(void) +{ + return should_fail(&fail_lsm_hooks.attr, 1) ? fail_lsm_hooks.retval : 0; +} + +#ifdef CONFIG_FAULT_INJECTION_DEBUG_FS + +static int fail_lsm_retval_set(void *data, u64 val) +{ + fail_lsm_hooks.retval = (int)val; + return 0; +} + +static int fail_lsm_retval_get(void *data, u64 *val) +{ + *val = (u64)fail_lsm_hooks.retval; + return 0; +} + +DEFINE_DEBUGFS_ATTRIBUTE(fail_lsm_retval_ops, fail_lsm_retval_get, + fail_lsm_retval_set, "%lld\n"); + +static int __init fail_lsm_hooks_debugfs(void) +{ + umode_t mode = S_IFREG | 0600; + struct dentry *dir; + + dir = fault_create_debugfs_attr("fail_lsm_hooks", NULL, + &fail_lsm_hooks.attr); + debugfs_create_file("retval", mode, dir, NULL, + &fail_lsm_retval_ops); + return 0; +} + +late_initcall(fail_lsm_hooks_debugfs); + +#endif /* CONFIG_FAULT_INJECTION_DEBUG_FS */ + +#else + +static inline int lsm_hooks_inject_fail(void) { return 0; } + +#endif /* CONFIG_FAIL_LSM_HOOKS */ + /* * The default value of the LSM hook is defined in linux/lsm_hook_defs.h and * can be accessed with: @@ -707,16 +769,17 @@ static void __init lsm_early_task(struct task_struct *task) } while (0) #define call_int_hook(FUNC, IRC, ...) ({ \ - int RC = IRC; \ - do { \ + int RC = lsm_hooks_inject_fail(); \ + if (RC == 0) { \ struct security_hook_list *P; \ + RC = IRC; \ \ hlist_for_each_entry(P, &security_hook_heads.FUNC, list) { \ RC = P->hook.FUNC(__VA_ARGS__); \ if (RC != 0) \ break; \ } \ - } while (0); \ + } \ RC; \ }) From patchwork Wed Nov 11 10:44:09 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Aleksandr Nogikh X-Patchwork-Id: 11897379 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 30982138B for ; Wed, 11 Nov 2020 10:45:22 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 0543820795 for ; Wed, 11 Nov 2020 10:45:21 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="kWXi/eR9" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726050AbgKKKpV (ORCPT ); Wed, 11 Nov 2020 05:45:21 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55434 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725859AbgKKKpN (ORCPT ); Wed, 11 Nov 2020 05:45:13 -0500 Received: from mail-wr1-x444.google.com (mail-wr1-x444.google.com [IPv6:2a00:1450:4864:20::444]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 89C2EC0613D1; Wed, 11 Nov 2020 02:45:13 -0800 (PST) Received: by mail-wr1-x444.google.com with SMTP id l1so2039144wrb.9; Wed, 11 Nov 2020 02:45:13 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=bQfCxdd9lfHZL2HxpazZyNkHVyN3/e1lyGU4J0L7Nm8=; b=kWXi/eR9bpXEcqR6HMdlwx3uxK8rFreZAPYa0jp5MxBLMJnf9nUfQkDdDge9I4U4zh LQYzpqKj6H03fwpTZBpLOn1yEMIsu0FEtSe+8z6LgyZTaEB2xa2UeD8dsjBErcNmT3p4 n8J+0n1qOtVYk1H4FMO+MVyDjPkhpVVCGoUXai1Q0Ew7njRqliR4H7Ak406ZaGIRVhU5 o5nlk0xj1jtb+e+NAI0GB1hdeeh/MTICWuTqqhMxsfqe3aiqB2AHpEs8hn/AqLrPVHvD sjcNM0LjPbnKcsYVlG6i6unyDHvHM3Jddb4+INGxpHqPIuQWgxlcK7o2pkvkpBcG7zDd K88A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=bQfCxdd9lfHZL2HxpazZyNkHVyN3/e1lyGU4J0L7Nm8=; b=OhsfYIX1m4z1kvp1i8ljMKPjj4FICTH0tukrSPD2zdomWHj7+QqvSpovvduAFFrtVH liRbLKGCYWwenFRH2KbrZUNUIIY3WgowvBqvtynrB8LkxSPlrBi87U1LjUPCDGvf5TZv fmI9pp6JyzWJh+bF6q2+AfMJoGAYGhG2NxNkBEWfSVfm3TFtRa10vzOz+VaesJWJAApn 5h+8dbakG8mfnoewMer1khSwVS4Um36yyuA+q7VgUs2/t7dI1cKFYsDLh6vTnAb9ot+3 DuWwrv/VlL7R3EM8ONayR8h3KaEvRzrEAqg+EAvyRlWsrjtFYjLB0K6HrjATVeasdOf0 mO1g== X-Gm-Message-State: AOAM531AIDY2RzSs9Wx+KIg8nvT76l1Ygnzx4rg6J/mrunnYbfrXnHMm UjPf8JCf8iJw5UOWf2da7xUK4pw9+az41A== X-Google-Smtp-Source: ABdhPJx2xco370midub/gDlZx0qtge/7pjUmIJ2cKuUZAchpfZusrIHz0xm2gpp/yasatifvcDIaiQ== X-Received: by 2002:adf:804b:: with SMTP id 69mr28946750wrk.274.1605091512294; Wed, 11 Nov 2020 02:45:12 -0800 (PST) Received: from nogikh.c.googlers.com.com (88.140.78.34.bc.googleusercontent.com. [34.78.140.88]) by smtp.gmail.com with ESMTPSA id u195sm2111549wmu.18.2020.11.11.02.45.11 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 11 Nov 2020 02:45:11 -0800 (PST) From: Aleksandr Nogikh To: jmorris@namei.org, serge@hallyn.com, akinobu.mita@gmail.com Cc: andreyknvl@google.com, dvyukov@google.com, elver@google.com, glider@google.com, keescook@google.com, casey@schaufler-ca.com, penguin-kernel@i-love.sakura.ne.jp, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, mortonm@chromium.org, Aleksandr Nogikh Subject: [PATCH v4 2/2] docs: add fail_lsm_hooks info to fault-injection.rst Date: Wed, 11 Nov 2020 10:44:09 +0000 Message-Id: <20201111104409.1530957-3-a.nogikh@gmail.com> X-Mailer: git-send-email 2.29.2.222.g5d2a92d10f8-goog In-Reply-To: <20201111104409.1530957-1-a.nogikh@gmail.com> References: <20201111104409.1530957-1-a.nogikh@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: From: Aleksandr Nogikh Describe fail_lsm_hooks fault injection capability. Signed-off-by: Aleksandr Nogikh --- v2: - Added this commit. --- Documentation/fault-injection/fault-injection.rst | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Documentation/fault-injection/fault-injection.rst b/Documentation/fault-injection/fault-injection.rst index 31ecfe44e5b4..48705adfbc18 100644 --- a/Documentation/fault-injection/fault-injection.rst +++ b/Documentation/fault-injection/fault-injection.rst @@ -48,6 +48,12 @@ Available fault injection capabilities status code is NVME_SC_INVALID_OPCODE with no retry. The status code and retry flag can be set via the debugfs. +- fail_lsm_hooks + + injects failures into LSM hooks. When a fault is injected, actual hooks + are not executed and a code from /sys/kernel/debug/fail_lsm_hooks/retval + is returned (the default value is -EACCES). + Configure fault-injection capabilities behavior -----------------------------------------------