From patchwork Mon Nov 25 10:39:59 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Christian_G=C3=B6ttsche?= X-Patchwork-Id: 13884787 X-Patchwork-Delegate: kuba@kernel.org Received: from server02.seltendoof.de (server02.seltendoof.de [168.119.48.163]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1F704194C6E; Mon, 25 Nov 2024 10:40:35 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=168.119.48.163 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1732531238; cv=none; b=CHOUp58Z6SL6sRWBkBID6H8Rp//x2DBVWD8Ef2wQ3y7WL0h/C7UUcQgXRqhtYDwiX6K+wHt2T1XZSPAzrDGD2bAqTtiZW6+2kvBp71xUkkHS8gKBt59AQQeGcLxBfIZnuLDTXKLI0PkTo+7NVelloDJt7ROP+k3iq4CAc6TOmRA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1732531238; c=relaxed/simple; bh=cO1yPL6/mL7nkUA25VaU+cKW9bIPnwazWGqCpFKgihI=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=ZjuYjhxY4XmeTo8jcP2AgS5YuxNxHOWJ+Dug0xqI3Urd1wxQY5d8dWh+azmJG5M7/uobr0H2wHTY4syDGArp9pQyqTP7oYxbuaob93cgx5oKDza3fFHG66v3lGotOX3BbNt5HZ48R48kKSqP6VhCt1TFk5KGx4xSOQCGRlaoBwY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=seltendoof.de; spf=pass smtp.mailfrom=seltendoof.de; dkim=pass (2048-bit key) header.d=seltendoof.de header.i=@seltendoof.de header.b=E5uuCsWL; arc=none smtp.client-ip=168.119.48.163 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=seltendoof.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=seltendoof.de Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=seltendoof.de header.i=@seltendoof.de header.b="E5uuCsWL" From: =?utf-8?q?Christian_G=C3=B6ttsche?= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=seltendoof.de; s=2023072701; t=1732531232; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=7wVOSUhPMHDDdyWhZb1LxKVvZ0vAeRZe7OwxlJZ3FIg=; b=E5uuCsWLjd+f5UuRf0P4XipqTBXRFNmMzjfboQYwQD7a/vLFsAnUw1bZ56W3QjCp1wdjVM OQqtKYGM/yAjFf3k+3k1jtPdsniFUNb11UryVGQwNUTop3xUf7ZVrtrQIjGWtilvfkdwKr f5CG7nKKLyLEXJFWK+BEEtF1j1ADNYhVn9diBKye0NPtrUUqKFn0jTJ5XhnaMFybt60XFV uhN5+nVRzW98zFouj+AP1ej6JEOdLWJAVW5VkO4tgX3YPw80iAP6cfcRI6i4Iann0ici2p 95U/wJpEbE+4mWtxePvaBHXM6KM6ysgwRRr0AE5h1TyAgH1Xmd3ufqAcedwbtQ== To: linux-security-module@vger.kernel.org Cc: =?utf-8?q?Christian_G=C3=B6ttsche?= , Eric Dumazet , "David S. Miller" , David Ahern , Jakub Kicinski , Paolo Abeni , Simon Horman , Serge Hallyn , Julia Lawall , Nicolas Palix , linux-kernel@vger.kernel.org, netdev@vger.kernel.org, cocci@inria.fr Subject: [PATCH 07/11] ipv4: reorder capability check last Date: Mon, 25 Nov 2024 11:39:59 +0100 Message-ID: <20241125104011.36552-6-cgoettsche@seltendoof.de> In-Reply-To: <20241125104011.36552-1-cgoettsche@seltendoof.de> References: <20241125104011.36552-1-cgoettsche@seltendoof.de> Reply-To: cgzones@googlemail.com Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org From: Christian Göttsche capable() calls refer to enabled LSMs whether to permit or deny the request. This is relevant in connection with SELinux, where a capability check results in a policy decision and by default a denial message on insufficient permission is issued. It can lead to three undesired cases: 1. A denial message is generated, even in case the operation was an unprivileged one and thus the syscall succeeded, creating noise. 2. To avoid the noise from 1. the policy writer adds a rule to ignore those denial messages, hiding future syscalls, where the task performs an actual privileged operation, leading to hidden limited functionality of that task. 3. To avoid the noise from 1. the policy writer adds a rule to permit the task the requested capability, while it does not need it, violating the principle of least privilege. Signed-off-by: Christian Göttsche --- net/ipv4/tcp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index 0d704bda6c41..bd3d7a3d6655 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -3406,8 +3406,8 @@ EXPORT_SYMBOL(tcp_disconnect); static inline bool tcp_can_repair_sock(const struct sock *sk) { - return sockopt_ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN) && - (sk->sk_state != TCP_LISTEN); + return (sk->sk_state != TCP_LISTEN) && + sockopt_ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN); } static int tcp_repair_set_window(struct tcp_sock *tp, sockptr_t optbuf, int len) From patchwork Mon Nov 25 10:40:02 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Christian_G=C3=B6ttsche?= X-Patchwork-Id: 13884788 X-Patchwork-Delegate: kuba@kernel.org Received: from server02.seltendoof.de (server02.seltendoof.de [168.119.48.163]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 839D8199924; Mon, 25 Nov 2024 10:40:38 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=168.119.48.163 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1732531240; cv=none; b=sECDE6XqApn9pQ89XlA/Di9UEtmFmDpGfdTykrUQ2jV5EJuTRotfwUvrmTW3PCnPiN8g/rTrlzfs85qub+0skcXDQ2xv0nDrmGpftt5ovdZP1WfOvM0QWTO8pWt5CKQMqESInTXlxHV6jscmmUTazL1emgd1dz2w5im+eUybyaM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1732531240; c=relaxed/simple; bh=5zl918IEUyEEK6Zj6zbtZJmQTRCcBiXNutEld1pO/Ks=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=UnsczJ3xfz+0i9zBBRgx6mLWFkJ2+Pk0DJAjywp8Ysy92JYKuk/17vp4Rc5V/4mqdJf8r86C/BTK94w4ioZavcUYLNB0Vbrq6jASp6GnfDaN+PmyszSp4mr/WUrFtppRZULUtn/mDIh1djhAECcjBBSk140FtVxv9Te4TJipC5o= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=seltendoof.de; spf=pass smtp.mailfrom=seltendoof.de; dkim=pass (2048-bit key) header.d=seltendoof.de header.i=@seltendoof.de header.b=He/Nsu8T; arc=none smtp.client-ip=168.119.48.163 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=seltendoof.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=seltendoof.de Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=seltendoof.de header.i=@seltendoof.de header.b="He/Nsu8T" From: =?utf-8?q?Christian_G=C3=B6ttsche?= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=seltendoof.de; s=2023072701; t=1732531236; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=e3xkA6/OPtNWl6A170imeRaHJSFeFAlcMrS6betDjBY=; b=He/Nsu8T8nvfNlUyWxosD+aqdOqwmX/wEHaa2TjwySQRhsy3y5mTIIxk/xGqu/tcDJ5953 ZnRNBzqyhJWSs4bdvRWugPMdaEsZwP1EY0ud9vuXGWC4i3ViL8z0nnFQIVAsnam3OKt7my K2Ca6NHqvTfAEibYKAzLnT1cErwF54vzr0x0gtB5XB/U8Jumi5mAICsd54kb+UqDr39vt6 jctvGmD/eh545sdjY605727XRkT0xXG6+ZLYPvzo7Bw//DkeQH4/XwiZL3HYSTqumPksvy biWPeTD9ZM37zKthExv/H7ZnuC3e8ZPnbE/4hQKbh6oXoC0j3uLMOb2YBU12kA== To: linux-security-module@vger.kernel.org Cc: =?utf-8?q?Christian_G=C3=B6ttsche?= , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Simon Horman , Serge Hallyn , Julia Lawall , Nicolas Palix , Mina Almasry , Willem de Bruijn , Pavel Begunkov , Lorenzo Bianconi , Sebastian Andrzej Siewior , Liang Chen , Alexander Lobakin , linux-kernel@vger.kernel.org, netdev@vger.kernel.org, cocci@inria.fr Subject: [PATCH 10/11] skbuff: reorder capability check last Date: Mon, 25 Nov 2024 11:40:02 +0100 Message-ID: <20241125104011.36552-9-cgoettsche@seltendoof.de> In-Reply-To: <20241125104011.36552-1-cgoettsche@seltendoof.de> References: <20241125104011.36552-1-cgoettsche@seltendoof.de> Reply-To: cgzones@googlemail.com Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org From: Christian Göttsche capable() calls refer to enabled LSMs whether to permit or deny the request. This is relevant in connection with SELinux, where a capability check results in a policy decision and by default a denial message on insufficient permission is issued. It can lead to three undesired cases: 1. A denial message is generated, even in case the operation was an unprivileged one and thus the syscall succeeded, creating noise. 2. To avoid the noise from 1. the policy writer adds a rule to ignore those denial messages, hiding future syscalls, where the task performs an actual privileged operation, leading to hidden limited functionality of that task. 3. To avoid the noise from 1. the policy writer adds a rule to permit the task the requested capability, while it does not need it, violating the principle of least privilege. Signed-off-by: Christian Göttsche --- net/core/skbuff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/core/skbuff.c b/net/core/skbuff.c index 6841e61a6bd0..8bf622744862 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -1656,7 +1656,7 @@ int mm_account_pinned_pages(struct mmpin *mmp, size_t size) unsigned long max_pg, num_pg, new_pg, old_pg, rlim; struct user_struct *user; - if (capable(CAP_IPC_LOCK) || !size) + if (!size || capable(CAP_IPC_LOCK)) return 0; rlim = rlimit(RLIMIT_MEMLOCK);