Re: [RFC PATCH 1/1] security: add fault injection capability
From: "Serge E. Hallyn" <serge@hallyn.com>
Date: 2020-10-15 15:30:13
Also in:
lkml
On Thu, Oct 15, 2020 at 10:46:49AM +0000, Aleksandr Nogikh wrote:
quoted hunk ↗ jump to hunk
From: Aleksandr Nogikh <redacted> Add a fault injection capability to call_int_hook macro. This will facilitate testing of fault tolerance of the code that invokes security hooks as well as the fault tolerance of the LSM implementations themselves. Add a KConfig option (CONFIG_FAIL_LSM_HOOKS) that controls whether the capability is enabled. In order to enable configuration from the user space, add the standard debugfs entries for fault injection (if CONFIG_FAULT_INJECTION_DEBUG_FS is enabled). Signed-off-by: Aleksandr Nogikh <redacted> --- lib/Kconfig.debug | 6 +++++ security/security.c | 53 ++++++++++++++++++++++++++++++++++++++++++--- 2 files changed, 56 insertions(+), 3 deletions(-)diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug index 08c82666cf3e..0c9913ebe1c1 100644 --- a/lib/Kconfig.debug +++ b/lib/Kconfig.debug@@ -1803,6 +1803,12 @@ config FAIL_MAKE_REQUEST help Provide fault-injection capability for disk IO. +config FAIL_LSM_HOOKS + bool "Fault-injection capability for LSM hooks" + depends on FAULT_INJECTION + help + Provide fault-injection capability for LSM hooks. + config FAIL_IO_TIMEOUT bool "Fault-injection capability for faking disk interrupts" depends on FAULT_INJECTION && BLOCKdiff --git a/security/security.c b/security/security.c index 69ff6e2e2cd4..bd4dbe720098 100644 --- a/security/security.c +++ b/security/security.c@@ -28,6 +28,7 @@ #include <linux/backing-dev.h> #include <linux/string.h> #include <linux/msg.h> +#include <linux/fault-inject.h> #include <net/flow.h> #define MAX_LSM_EVM_XATTR 2@@ -669,6 +670,51 @@ static void __init lsm_early_task(struct task_struct *task) panic("%s: Early task alloc failed.\n", __func__); } + +#ifdef CONFIG_FAIL_LSM_HOOKS + +static struct { + struct fault_attr attr; + int retval; +} fail_lsm_hooks = { + .attr = FAULT_ATTR_INITIALIZER, + .retval = -EACCES +}; + +static int __init setup_fail_lsm_hooks(char *str) +{ + return setup_fault_attr(&fail_lsm_hooks.attr, str); +} +__setup("fail_lsm_hooks=", setup_fail_lsm_hooks); + +static int should_fail_lsm_hook(void) +{ + return should_fail(&fail_lsm_hooks.attr, 1) ? fail_lsm_hooks.retval : 0; +} + +#ifdef CONFIG_FAULT_INJECTION_DEBUG_FS + +static int __init fail_lsm_hooks_debugfs(void) +{ + umode_t mode = S_IFREG | 0600; + struct dentry *dir; + + dir = fault_create_debugfs_attr("fail_lsm_hooks", NULL, + &fail_lsm_hooks.attr); + debugfs_create_u32("retval", mode, dir, &fail_lsm_hooks.retval); + return 0; +} + +late_initcall(fail_lsm_hooks_debugfs); + +#endif /* CONFIG_FAULT_INJECTION_DEBUG_FS */ + +#else + +static inline int should_fail_lsm_hook(void) { return 0; } + +#endif /* CONFIG_FAIL_LSM_HOOKS */ + /* * The default value of the LSM hook is defined in linux/lsm_hook_defs.h and * can be accessed with:@@ -707,16 +753,17 @@ static void __init lsm_early_task(struct task_struct *task) } while (0) #define call_int_hook(FUNC, IRC, ...) ({ \ - int RC = IRC; \ - do { \ + int RC = should_fail_lsm_hook(); \
seeing 'should_fail' here, kind of out of context, would be confusing to thousands of ppl reading the code and wondering why it should fail. maybe "inject_fail_lsm_hook()" ?
+ if (RC == 0) { \
struct security_hook_list *P; \
+ RC = IRC; \
\
hlist_for_each_entry(P, &security_hook_heads.FUNC, list) { \
RC = P->hook.FUNC(__VA_ARGS__); \
if (RC != 0) \
break; \
} \
- } while (0); \
+ } \
RC; \
})
--
2.28.0.1011.ga647a8990f-goog