Re: [PATCH v3] lockdown,selinux: fix wrong subject in some SELinux lockdown checks
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: 2021-08-31 09:09:50
Also in:
bpf, kexec, linux-acpi, linux-cxl, linux-efi, linux-fsdevel, linux-pci, linux-pm, linux-security-module, linux-serial, linuxppc-dev, lkml, selinux
On Sat, Jun 19, 2021 at 12:18 AM Dan Williams [off-list ref] wrote:
On Wed, Jun 16, 2021 at 1:51 AM Ondrej Mosnacek [off-list ref] wrote:quoted
Commit 59438b46471a ("security,lockdown,selinux: implement SELinux lockdown") added an implementation of the locked_down LSM hook to SELinux, with the aim to restrict which domains are allowed to perform operations that would breach lockdown. However, in several places the security_locked_down() hook is called in situations where the current task isn't doing any action that would directly breach lockdown, leading to SELinux checks that are basically bogus. To fix this, add an explicit struct cred pointer argument to security_lockdown() and define NULL as a special value to pass instead of current_cred() in such situations. LSMs that take the subject credentials into account can then fall back to some default or ignore such calls altogether. In the SELinux lockdown hook implementation, use SECINITSID_KERNEL in case the cred argument is NULL. Most of the callers are updated to pass current_cred() as the cred pointer, thus maintaining the same behavior. The following callers are modified to pass NULL as the cred pointer instead: 1. arch/powerpc/xmon/xmon.c Seems to be some interactive debugging facility. It appears that the lockdown hook is called from interrupt context here, so it should be more appropriate to request a global lockdown decision. 2. fs/tracefs/inode.c:tracefs_create_file() Here the call is used to prevent creating new tracefs entries when the kernel is locked down. Assumes that locking down is one-way - i.e. if the hook returns non-zero once, it will never return zero again, thus no point in creating these files. Also, the hook is often called by a module's init function when it is loaded by userspace, where it doesn't make much sense to do a check against the current task's creds, since the task itself doesn't actually use the tracing functionality (i.e. doesn't breach lockdown), just indirectly makes some new tracepoints available to whoever is authorized to use them. 3. net/xfrm/xfrm_user.c:copy_to_user_*() Here a cryptographic secret is redacted based on the value returned from the hook. There are two possible actions that may lead here: a) A netlink message XFRM_MSG_GETSA with NLM_F_DUMP set - here the task context is relevant, since the dumped data is sent back to the current task. b) When adding/deleting/updating an SA via XFRM_MSG_xxxSA, the dumped SA is broadcasted to tasks subscribed to XFRM events - here the current task context is not relevant as it doesn't represent the tasks that could potentially see the secret. It doesn't seem worth it to try to keep using the current task's context in the a) case, since the eventual data leak can be circumvented anyway via b), plus there is no way for the task to indicate that it doesn't care about the actual key value, so the check could generate a lot of "false alert" denials with SELinux. Thus, let's pass NULL instead of current_cred() here faute de mieux. Improvements-suggested-by: Casey Schaufler [off-list ref] Improvements-suggested-by: Paul Moore [off-list ref] Fixes: 59438b46471a ("security,lockdown,selinux: implement SELinux lockdown") Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>[..]quoted
diff --git a/drivers/cxl/mem.c b/drivers/cxl/mem.c index 2acc6173da36..c1747b6555c7 100644 --- a/drivers/cxl/mem.c +++ b/drivers/cxl/mem.c@@ -568,7 +568,7 @@ static bool cxl_mem_raw_command_allowed(u16 opcode) if (!IS_ENABLED(CONFIG_CXL_MEM_RAW_COMMANDS)) return false; - if (security_locked_down(LOCKDOWN_NONE)) + if (security_locked_down(current_cred(), LOCKDOWN_NONE))Acked-by: Dan Williams <redacted> ...however that usage looks wrong. The expectation is that if kernel integrity protections are enabled then raw command access should be disabled. So I think that should be equivalent to LOCKDOWN_PCI_ACCESS in terms of the command capabilities to filter.
Yes, the LOCKDOWN_NONE seems wrong here... but it's a pre-existing bug and I didn't want to go down yet another rabbit hole trying to fix it. I'll look at this again once this patch is settled - it may indeed be as simple as replacing LOCKDOWN_NONE with LOCKDOWN_PCI_ACCESS. -- Ondrej Mosnacek Software Engineer, Linux Security - SELinux kernel Red Hat, Inc.