From patchwork Mon Nov 5 19:05:00 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Schaufler, Casey" X-Patchwork-Id: 10668961 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 877061751 for ; Mon, 5 Nov 2018 19:05:28 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 79EBD292E2 for ; Mon, 5 Nov 2018 19:05:24 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 6E2D729BCE; Mon, 5 Nov 2018 19:05:24 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.2 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.wl.linuxfoundation.org (Postfix) with SMTP id 702BF292E2 for ; Mon, 5 Nov 2018 19:05:22 +0000 (UTC) Received: (qmail 14208 invoked by uid 550); 5 Nov 2018 19:05:19 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 14174 invoked from network); 5 Nov 2018 19:05:18 -0000 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.54,468,1534834800"; d="scan'208";a="271567345" From: Casey Schaufler To: kernel-hardening@lists.openwall.com, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov, casey.schaufler@intel.com, dave.hansen@intel.com, deneen.t.dock@intel.com, kristen@linux.intel.com, arjan@linux.intel.com Subject: [PATCH v6 1/5] AppArmor: Prepare for PTRACE_MODE_SCHED Date: Mon, 5 Nov 2018 11:05:00 -0800 Message-Id: <20181105190504.500-2-casey.schaufler@intel.com> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20181105190504.500-1-casey.schaufler@intel.com> References: <20181105190504.500-1-casey.schaufler@intel.com> X-Virus-Scanned: ClamAV using ClamSMTP From: Casey Schaufler A ptrace access check with mode PTRACE_MODE_SCHED gets called from process switching code. This precludes the use of audit, as the locking is incompatible. Don't do audit in the PTRACE_MODE_SCHED case. Signed-off-by: Casey Schaufler --- security/apparmor/domain.c | 2 +- security/apparmor/include/ipc.h | 2 +- security/apparmor/ipc.c | 8 +++++--- security/apparmor/lsm.c | 5 +++-- 4 files changed, 10 insertions(+), 7 deletions(-) diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c index 08c88de0ffda..28300f4c3ef9 100644 --- a/security/apparmor/domain.c +++ b/security/apparmor/domain.c @@ -77,7 +77,7 @@ static int may_change_ptraced_domain(struct aa_label *to_label, if (!tracer || unconfined(tracerl)) goto out; - error = aa_may_ptrace(tracerl, to_label, PTRACE_MODE_ATTACH); + error = aa_may_ptrace(tracerl, to_label, PTRACE_MODE_ATTACH, true); out: rcu_read_unlock(); diff --git a/security/apparmor/include/ipc.h b/security/apparmor/include/ipc.h index 5ffc218d1e74..299d1c45fef0 100644 --- a/security/apparmor/include/ipc.h +++ b/security/apparmor/include/ipc.h @@ -34,7 +34,7 @@ struct aa_profile; "xcpu xfsz vtalrm prof winch io pwr sys emt lost" int aa_may_ptrace(struct aa_label *tracer, struct aa_label *tracee, - u32 request); + u32 request, bool audit); int aa_may_signal(struct aa_label *sender, struct aa_label *target, int sig); #endif /* __AA_IPC_H */ diff --git a/security/apparmor/ipc.c b/security/apparmor/ipc.c index 527ea1557120..9ed110afc822 100644 --- a/security/apparmor/ipc.c +++ b/security/apparmor/ipc.c @@ -121,15 +121,17 @@ static int profile_tracer_perm(struct aa_profile *tracer, * Returns: %0 else error code if permission denied or error */ int aa_may_ptrace(struct aa_label *tracer, struct aa_label *tracee, - u32 request) + u32 request, bool audit) { struct aa_profile *profile; u32 xrequest = request << PTRACE_PERM_SHIFT; DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_PTRACE); return xcheck_labels(tracer, tracee, profile, - profile_tracer_perm(profile, tracee, request, &sa), - profile_tracee_perm(profile, tracer, xrequest, &sa)); + profile_tracer_perm(profile, tracee, request, + audit ? &sa : NULL), + profile_tracee_perm(profile, tracer, xrequest, + audit ? &sa : NULL)); } diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 8b8b70620bbe..da9d0b228857 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -118,7 +118,8 @@ static int apparmor_ptrace_access_check(struct task_struct *child, tracee = aa_get_task_label(child); error = aa_may_ptrace(tracer, tracee, (mode & PTRACE_MODE_READ) ? AA_PTRACE_READ - : AA_PTRACE_TRACE); + : AA_PTRACE_TRACE, + !(mode & PTRACE_MODE_SCHED)); aa_put_label(tracee); end_current_label_crit_section(tracer); @@ -132,7 +133,7 @@ static int apparmor_ptrace_traceme(struct task_struct *parent) tracee = begin_current_label_crit_section(); tracer = aa_get_task_label(parent); - error = aa_may_ptrace(tracer, tracee, AA_PTRACE_TRACE); + error = aa_may_ptrace(tracer, tracee, AA_PTRACE_TRACE, true); aa_put_label(tracer); end_current_label_crit_section(tracee); From patchwork Mon Nov 5 19:05:01 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Schaufler, Casey" X-Patchwork-Id: 10668971 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 9E1A91751 for ; Mon, 5 Nov 2018 19:05:43 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 90A0529252 for ; Mon, 5 Nov 2018 19:05:39 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 84C7F2929F; Mon, 5 Nov 2018 19:05:39 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.2 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.wl.linuxfoundation.org (Postfix) with SMTP id A15B029252 for ; Mon, 5 Nov 2018 19:05:38 +0000 (UTC) Received: (qmail 15465 invoked by uid 550); 5 Nov 2018 19:05:21 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 14266 invoked from network); 5 Nov 2018 19:05:20 -0000 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.54,468,1534834800"; d="scan'208";a="271567353" From: Casey Schaufler To: kernel-hardening@lists.openwall.com, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov, casey.schaufler@intel.com, dave.hansen@intel.com, deneen.t.dock@intel.com, kristen@linux.intel.com, arjan@linux.intel.com Subject: [PATCH v6 2/5] Smack: Prepare for PTRACE_MODE_SCHED Date: Mon, 5 Nov 2018 11:05:01 -0800 Message-Id: <20181105190504.500-3-casey.schaufler@intel.com> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20181105190504.500-1-casey.schaufler@intel.com> References: <20181105190504.500-1-casey.schaufler@intel.com> X-Virus-Scanned: ClamAV using ClamSMTP From: Casey Schaufler A ptrace access check with mode PTRACE_MODE_SCHED gets called from process switching code. This precludes the use of audit, as the locking is incompatible. Don't do audit in the PTRACE_MODE_SCHED case. Signed-off-by: Casey Schaufler --- security/smack/smack_lsm.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 340fc30ad85d..ffa95bcab599 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -422,7 +422,8 @@ static int smk_ptrace_rule_check(struct task_struct *tracer, struct task_smack *tsp; struct smack_known *tracer_known; - if ((mode & PTRACE_MODE_NOAUDIT) == 0) { + if ((mode & PTRACE_MODE_NOAUDIT) == 0 && + (mode & PTRACE_MODE_SCHED) == 0) { smk_ad_init(&ad, func, LSM_AUDIT_DATA_TASK); smk_ad_setfield_u_tsk(&ad, tracer); saip = &ad; From patchwork Mon Nov 5 19:05:02 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Schaufler, Casey" X-Patchwork-Id: 10668973 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 5585E1751 for ; Mon, 5 Nov 2018 19:05:53 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 47FF029252 for ; Mon, 5 Nov 2018 19:05:49 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 3C443292E2; Mon, 5 Nov 2018 19:05:49 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.2 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.wl.linuxfoundation.org (Postfix) with SMTP id 490A129252 for ; Mon, 5 Nov 2018 19:05:48 +0000 (UTC) Received: (qmail 15550 invoked by uid 550); 5 Nov 2018 19:05:23 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 15483 invoked from network); 5 Nov 2018 19:05:21 -0000 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.54,468,1534834800"; d="scan'208";a="271567363" From: Casey Schaufler To: kernel-hardening@lists.openwall.com, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov, casey.schaufler@intel.com, dave.hansen@intel.com, deneen.t.dock@intel.com, kristen@linux.intel.com, arjan@linux.intel.com Subject: [PATCH v6 3/5] SELinux: Prepare for PTRACE_MODE_SCHED Date: Mon, 5 Nov 2018 11:05:02 -0800 Message-Id: <20181105190504.500-4-casey.schaufler@intel.com> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20181105190504.500-1-casey.schaufler@intel.com> References: <20181105190504.500-1-casey.schaufler@intel.com> X-Virus-Scanned: ClamAV using ClamSMTP From: Casey Schaufler A ptrace access check with mode PTRACE_MODE_SCHED gets called from process switching code. This precludes the use of audit or avc, as the locking is incompatible. The only available check that can be made without using avc is a comparison of the secids. This is not very satisfactory as it will indicate possible vulnerabilies much too aggressively. Signed-off-by: Casey Schaufler --- security/selinux/hooks.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index ad9a9b8e9979..160239791007 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2267,6 +2267,8 @@ static int selinux_ptrace_access_check(struct task_struct *child, u32 sid = current_sid(); u32 csid = task_sid(child); + if (mode & PTRACE_MODE_SCHED) + return sid == csid ? 0 : -EACCES; if (mode & PTRACE_MODE_READ) return avc_has_perm(&selinux_state, sid, csid, SECCLASS_FILE, FILE__READ, NULL); From patchwork Mon Nov 5 19:05:03 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Schaufler, Casey" X-Patchwork-Id: 10668975 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 9A2DA181D for ; Mon, 5 Nov 2018 19:06:03 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8CE472929F for ; Mon, 5 Nov 2018 19:05:59 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 80AF4293C5; Mon, 5 Nov 2018 19:05:59 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.2 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.wl.linuxfoundation.org (Postfix) with SMTP id 831E22929F for ; Mon, 5 Nov 2018 19:05:58 +0000 (UTC) Received: (qmail 15620 invoked by uid 550); 5 Nov 2018 19:05:23 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 15512 invoked from network); 5 Nov 2018 19:05:22 -0000 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.54,468,1534834800"; d="scan'208";a="271567370" From: Casey Schaufler To: kernel-hardening@lists.openwall.com, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov, casey.schaufler@intel.com, dave.hansen@intel.com, deneen.t.dock@intel.com, kristen@linux.intel.com, arjan@linux.intel.com Subject: [PATCH v6 4/5] Capability: Complete PTRACE_MODE_SCHED Date: Mon, 5 Nov 2018 11:05:03 -0800 Message-Id: <20181105190504.500-5-casey.schaufler@intel.com> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20181105190504.500-1-casey.schaufler@intel.com> References: <20181105190504.500-1-casey.schaufler@intel.com> X-Virus-Scanned: ClamAV using ClamSMTP From: Casey Schaufler Allow a complete ptrace access check with mode PTRACE_MODE_SCHED. Disable the inappropriate privilege check in the capability code that does incompatible locking. Signed-off-by: Casey Schaufler --- kernel/ptrace.c | 2 -- security/commoncap.c | 3 ++- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/kernel/ptrace.c b/kernel/ptrace.c index 99cfddde6a55..0b6a9df51c3b 100644 --- a/kernel/ptrace.c +++ b/kernel/ptrace.c @@ -331,8 +331,6 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode) !ptrace_has_cap(mm->user_ns, mode))) return -EPERM; - if (mode & PTRACE_MODE_SCHED) - return 0; return security_ptrace_access_check(task, mode); } diff --git a/security/commoncap.c b/security/commoncap.c index 2e489d6a3ac8..70a7e3d19c16 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -152,7 +152,8 @@ int cap_ptrace_access_check(struct task_struct *child, unsigned int mode) if (cred->user_ns == child_cred->user_ns && cap_issubset(child_cred->cap_permitted, *caller_caps)) goto out; - if (ns_capable(child_cred->user_ns, CAP_SYS_PTRACE)) + if (!(mode & PTRACE_MODE_SCHED) && + ns_capable(child_cred->user_ns, CAP_SYS_PTRACE)) goto out; ret = -EPERM; out: From patchwork Mon Nov 5 19:05:04 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Schaufler, Casey" X-Patchwork-Id: 10668977 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 6C6691751 for ; Mon, 5 Nov 2018 19:06:16 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5ED512926B for ; Mon, 5 Nov 2018 19:06:12 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 5283A292E2; Mon, 5 Nov 2018 19:06:12 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.2 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.wl.linuxfoundation.org (Postfix) with SMTP id 034302926B for ; Mon, 5 Nov 2018 19:06:10 +0000 (UTC) Received: (qmail 15771 invoked by uid 550); 5 Nov 2018 19:05:25 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 15658 invoked from network); 5 Nov 2018 19:05:23 -0000 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.54,468,1534834800"; d="scan'208";a="271567374" From: Casey Schaufler To: kernel-hardening@lists.openwall.com, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov, casey.schaufler@intel.com, dave.hansen@intel.com, deneen.t.dock@intel.com, kristen@linux.intel.com, arjan@linux.intel.com Subject: [PATCH v6 5/5] sidechannel: Linux Security Module for sidechannel Date: Mon, 5 Nov 2018 11:05:04 -0800 Message-Id: <20181105190504.500-6-casey.schaufler@intel.com> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20181105190504.500-1-casey.schaufler@intel.com> References: <20181105190504.500-1-casey.schaufler@intel.com> X-Virus-Scanned: ClamAV using ClamSMTP From: Casey Schaufler This is a new Linux Security Module (LSM) that checks for potential sidechannel issues that are not covered in the ptrace PTRACE_MODE_SCHED option. Namespace differences are checked in this intitial version. Additional checks should be added when they are determined to be useful. Signed-off-by: Casey Schaufler --- include/linux/lsm_hooks.h | 5 ++ security/Kconfig | 1 + security/Makefile | 2 + security/security.c | 1 + security/sidechannel/Kconfig | 13 +++++ security/sidechannel/Makefile | 1 + security/sidechannel/sidechannel.c | 88 ++++++++++++++++++++++++++++++ 7 files changed, 111 insertions(+) create mode 100644 security/sidechannel/Kconfig create mode 100644 security/sidechannel/Makefile create mode 100644 security/sidechannel/sidechannel.c diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 97a020c616ad..3cb6516dba3c 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2081,5 +2081,10 @@ void __init loadpin_add_hooks(void); #else static inline void loadpin_add_hooks(void) { }; #endif +#ifdef CONFIG_SECURITY_SIDECHANNEL +void __init sidechannel_add_hooks(void); +#else +static inline void sidechannel_add_hooks(void) { }; +#endif #endif /* ! __LINUX_LSM_HOOKS_H */ diff --git a/security/Kconfig b/security/Kconfig index d9aa521b5206..6b814a3f93ea 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -236,6 +236,7 @@ source security/tomoyo/Kconfig source security/apparmor/Kconfig source security/loadpin/Kconfig source security/yama/Kconfig +source security/sidechannel/Kconfig source security/integrity/Kconfig diff --git a/security/Makefile b/security/Makefile index 4d2d3782ddef..d0c9e1b227f9 100644 --- a/security/Makefile +++ b/security/Makefile @@ -10,6 +10,7 @@ subdir-$(CONFIG_SECURITY_TOMOYO) += tomoyo subdir-$(CONFIG_SECURITY_APPARMOR) += apparmor subdir-$(CONFIG_SECURITY_YAMA) += yama subdir-$(CONFIG_SECURITY_LOADPIN) += loadpin +subdir-$(CONFIG_SECURITY_SIDECHANNEL) += sidechannel # always enable default capabilities obj-y += commoncap.o @@ -25,6 +26,7 @@ obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/ obj-$(CONFIG_SECURITY_YAMA) += yama/ obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/ +obj-$(CONFIG_SECURITY_SIDECHANNEL) += sidechannel/ obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o # Object integrity file lists diff --git a/security/security.c b/security/security.c index 12460f20c652..6047634d86a0 100644 --- a/security/security.c +++ b/security/security.c @@ -85,6 +85,7 @@ int __init security_init(void) capability_add_hooks(); yama_add_hooks(); loadpin_add_hooks(); + sidechannel_add_hooks(); /* * Load all the remaining security modules. diff --git a/security/sidechannel/Kconfig b/security/sidechannel/Kconfig new file mode 100644 index 000000000000..653033027415 --- /dev/null +++ b/security/sidechannel/Kconfig @@ -0,0 +1,13 @@ +config SECURITY_SIDECHANNEL + bool "Sidechannel attack safety extra checks" + depends on SECURITY + default n + help + Look for a variety of cases where a side-channel attack + could potentially be exploited. Instruct the switching + code to use the indirect_branch_prediction_barrier in + cases where the passed task and the current task may be + at risk. + + If you are unsure how to answer this question, answer N. + diff --git a/security/sidechannel/Makefile b/security/sidechannel/Makefile new file mode 100644 index 000000000000..f61d83f28035 --- /dev/null +++ b/security/sidechannel/Makefile @@ -0,0 +1 @@ +obj-$(CONFIG_SECURITY_SIDECHANNEL) += sidechannel.o diff --git a/security/sidechannel/sidechannel.c b/security/sidechannel/sidechannel.c new file mode 100644 index 000000000000..18a67d19c020 --- /dev/null +++ b/security/sidechannel/sidechannel.c @@ -0,0 +1,88 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Side Channel Safety Security Module + * + * Copyright (C) 2018 Intel Corporation. + * + */ + +#define pr_fmt(fmt) "SideChannel: " fmt + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#ifdef CONFIG_NAMESPACES +/** + * safe_by_namespace - Are task and current sidechannel safe? + * @p: task to check on + * + * Returns 0 if the tasks are sidechannel safe, -EACCES otherwise. + */ +static int safe_by_namespace(struct task_struct *p) +{ + struct cgroup_namespace *ccgn = NULL; + struct cgroup_namespace *pcgn = NULL; + + /* + * Namespace checks. Considered safe if: + * cgroup namespace is the same + * User namespace is the same + * PID namespace is the same + */ + if (current->nsproxy) + ccgn = current->nsproxy->cgroup_ns; + if (p->nsproxy) + pcgn = p->nsproxy->cgroup_ns; + if (ccgn != pcgn) + return -EACCES; + if (current->cred->user_ns != p->cred->user_ns) + return -EACCES; + if (task_active_pid_ns(current) != task_active_pid_ns(p)) + return -EACCES; + return 0; +} +#else +static int safe_by_namespace(struct task_struct *p) +{ + return 0; +} +#endif + +/** + * sidechannel_ptrace_access_check - Are task and current sidechannel safe? + * @p: task to check on + * @mode: ptrace access mode + * + * Returns 0 if the tasks are sidechannel safe, -EACCES otherwise. + */ +static int sidechannel_ptrace_access_check(struct task_struct *p, + unsigned int mode) +{ + int rc; + + if ((mode & PTRACE_MODE_SCHED) == 0) + return 0; + + rc = safe_by_namespace(p); + if (rc) + return rc; + return 0; +} + +static struct security_hook_list sidechannel_hooks[] __lsm_ro_after_init = { + LSM_HOOK_INIT(ptrace_access_check, sidechannel_ptrace_access_check), +}; + +void __init sidechannel_add_hooks(void) +{ + pr_info("Extra sidechannel checks enabled\n"); + security_add_hooks(sidechannel_hooks, ARRAY_SIZE(sidechannel_hooks), + "sidechannel"); +}