Date: Thu, 27 Sep 2018 16:23:27 +0000 From: "Schaufler, Casey" <casey.schaufler@...el.com> To: Stephen Smalley <sds@...ho.nsa.gov>, "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "linux-security-module@...r.kernel.org" <linux-security-module@...r.kernel.org>, "selinux@...ho.nsa.gov" <selinux@...ho.nsa.gov>, "Hansen, Dave" <dave.hansen@...el.com>, "Dock, Deneen T" <deneen.t.dock@...el.com>, "kristen@...ux.intel.com" <kristen@...ux.intel.com>, "arjan@...ux.intel.com" <arjan@...ux.intel.com>, Paul Moore <paul@...l-moore.com>, "Schaufler, Casey" <casey.schaufler@...el.com> Subject: RE: [PATCH v5 3/5] SELinux: Prepare for PTRACE_MODE_SCHED > -----Original Message----- > From: Stephen Smalley [mailto:sds@...ho.nsa.gov] > Sent: Thursday, September 27, 2018 8:50 AM > To: Schaufler, Casey <casey.schaufler@...el.com>; kernel- > hardening@...ts.openwall.com; linux-kernel@...r.kernel.org; linux-security- > module@...r.kernel.org; selinux@...ho.nsa.gov; Hansen, Dave > <dave.hansen@...el.com>; Dock, Deneen T <deneen.t.dock@...el.com>; > kristen@...ux.intel.com; arjan@...ux.intel.com; Paul Moore <paul@...l- > moore.com> > Subject: Re: [PATCH v5 3/5] SELinux: Prepare for PTRACE_MODE_SCHED > > On 09/26/2018 04:34 PM, Casey Schaufler wrote: > > From: Casey Schaufler <casey@...aufler-ca.com> > > > > A ptrace access check with mode PTRACE_MODE_SCHED gets called > > from process switching code. This precludes the use of audit or avc, > > as the locking is incompatible. The only available check that > > can be made without using avc is a comparison of the secids. > > This is not very satisfactory as it will indicate possible > > vulnerabilies much too aggressively. > Can you document (in the patch description and/or in the inline > documentation in lsm_hooks.h) what locks can be safely used when this > hook is called with PTRACE_MODE_SCHED? rcu_read_lock() seemingly must > be safe since it is being called by task_sid() below. Are any other > locking primitives safe? Peter Zijlstra <peterz@...radead.org> had this comment on locking in the SELinux ptrace path. avc_has_perm_noaudit() security_compute_av() read_lock(&state->ss->policy_rwlock); avc_insert() spin_lock_irqsave(); avc_denied() avc_update_node() spin_lock_irqsave(); under the scheduler's raw_spinlock_t, which are invalid lock nestings. I don't know that it would be impossible to address these issues, but as many people have noted over the years I am not now nor have ever been an expert on locking. > > Does the PTRACE_MODE_SCHED check have to occur while holding the > scheduler lock, or could it be performed before taking the lock? My understanding is that the lock is required. > Can you cite the commit or patch posting (e.g. from lore or patchwork) > that defines PTRACE_MODE_SCHED and its usage as part of the patch > description for context? Is this based on the v7 patchset, e.g. > https://lore.kernel.org/lkml/nycvar.YFH.firstname.lastname@example.org > r.pm/ Yes, that's the one. Sorry, I should have identified that. > > > > > Signed-off-by: Casey Schaufler <casey.schaufler@...el.com> > > --- > > security/selinux/hooks.c | 2 ++ > > 1 file changed, 2 insertions(+) > > > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > > index ad9a9b8e9979..160239791007 100644 > > --- a/security/selinux/hooks.c > > +++ b/security/selinux/hooks.c > > @@ -2267,6 +2267,8 @@ static int selinux_ptrace_access_check(struct > task_struct *child, > > u32 sid = current_sid(); > > u32 csid = task_sid(child); > > > > + if (mode & PTRACE_MODE_SCHED) > > + return sid == csid ? 0 : -EACCES; > IIUC, this logic is essentially the same as the uid-based check, > including the fact that even a "privileged" process is not given any > special handling since they always return false from ptrace_has_cap() > for PTRACE_MODE_SCHED. If they are ok with applying IBPB whenever uids > differ, then doing so whenever sids/contexts differ does not seem like > an onerous thing. > > > > if (mode & PTRACE_MODE_READ) > > return avc_has_perm(&selinux_state, > > sid, csid, SECCLASS_FILE, FILE__READ, > NULL); > >
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.