[v4,04/19] SELinux: Remove cred security blob poisoning

Message ID	5360cd42-5827-58af-515c-6e1ded1d9154@schaufler-ca.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-fsdevel-owner@kernel.org> Subject: [PATCH v4 04/19] SELinux: Remove cred security blob poisoning To: LSM <linux-security-module@vger.kernel.org>, James Morris <jmorris@namei.org>, SE Linux <selinux@tycho.nsa.gov>, LKLM <linux-kernel@vger.kernel.org>, John Johansen <john.johansen@canonical.com>, Kees Cook <keescook@chromium.org>, Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>, Paul Moore <paul@paul-moore.com>, Stephen Smalley <sds@tycho.nsa.gov>, "linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>, Alexey Dobriyan <adobriyan@gmail.com>, =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= <mic@digikod.net>, Salvatore Mesoraca <s.mesoraca16@gmail.com> References: <e9bfb2d5-d987-55ce-4011-9b32ff745d36@schaufler-ca.com> From: Casey Schaufler <casey@schaufler-ca.com> Message-ID: <5360cd42-5827-58af-515c-6e1ded1d9154@schaufler-ca.com> Date: Fri, 21 Sep 2018 17:17:25 -0700 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <e9bfb2d5-d987-55ce-4011-9b32ff745d36@schaufler-ca.com> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Content-Language: en-US Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk
Series	LSM: Module stacking for SARA and Landlock \| expand [v4,00/19] LSM: Module stacking for SARA and Landlock [v4,01/19] procfs: add smack subdir to attrs [v4,02/19] Smack: Abstract use of cred security blob [v4,03/19] SELinux: Abstract use of cred security blob [v4,04/19] SELinux: Remove cred security blob poisoning [v4,05/19] SELinux: Remove unused selinux_is_enabled [v4,06/19] AppArmor: Abstract use of cred security blob [v4,07/19] TOMOYO: Abstract use of cred security blob [v4,08/19] Infrastructure management of the cred security blob [v4,10/19] Smack: Abstract use of file security blob [v4,11/19] LSM: Infrastructure management of the file security [v4,12/19] SELinux: Abstract use of inode security blob [v4,13/19] Smack: Abstract use of inode security blob [v4,14/19] LSM: Infrastructure management of the inode security [v4,15/19] LSM: Infrastructure management of the task security [v4,16/19] SELinux: Abstract use of ipc security blobs [v4,17/19] Smack: Abstract use of ipc security blobs [v4,18/19] LSM: Infrastructure management of the ipc security blob [v4,19/19] LSM: Blob sharing support for S.A.R.A and LandLock [v4,09/19] SELinux: Abstract use of file security blob [v4,20/19] LSM: Correct file blob free empty blob check [21/19] LSM: Cleanup and fixes from Tetsuo Handa

Message ID

5360cd42-5827-58af-515c-6e1ded1d9154@schaufler-ca.com (mailing list archive)

State

New, archived

Headers

Subject: [PATCH v4 04/19] SELinux: Remove cred security blob poisoning
To: LSM <linux-security-module@vger.kernel.org>,
 James Morris <jmorris@namei.org>, SE Linux <selinux@tycho.nsa.gov>,
 LKLM <linux-kernel@vger.kernel.org>,
 John Johansen <john.johansen@canonical.com>,
 Kees Cook <keescook@chromium.org>,
 Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
 Paul Moore <paul@paul-moore.com>, Stephen Smalley <sds@tycho.nsa.gov>,
 "linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
 Alexey Dobriyan <adobriyan@gmail.com>,
 =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= <mic@digikod.net>,
 Salvatore Mesoraca <s.mesoraca16@gmail.com>
References: <e9bfb2d5-d987-55ce-4011-9b32ff745d36@schaufler-ca.com>
From: Casey Schaufler <casey@schaufler-ca.com>
Message-ID: <5360cd42-5827-58af-515c-6e1ded1d9154@schaufler-ca.com>
Date: Fri, 21 Sep 2018 17:17:25 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101
 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <e9bfb2d5-d987-55ce-4011-9b32ff745d36@schaufler-ca.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Sender: linux-fsdevel-owner@vger.kernel.org
Precedence: bulk

Series

LSM: Module stacking for SARA and Landlock | expand

Commit Message

Casey Schaufler Sept. 22, 2018, 12:17 a.m. UTC

The SELinux specific credential poisioning only makes sense
if SELinux is managing the credentials. As the intent of this
patch set is to move the blob management out of the modules
and into the infrastructure, the SELinux specific code has
to go. The poisioning could be introduced into the infrastructure
at some later date.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
 kernel/cred.c            | 13 -------------
 security/selinux/hooks.c |  6 ------
 2 files changed, 19 deletions(-)

Comments

Kees Cook Sept. 22, 2018, 2:43 a.m. UTC | #1

On Fri, Sep 21, 2018 at 5:17 PM, Casey Schaufler <casey@schaufler-ca.com> wrote:
> The SELinux specific credential poisioning only makes sense
> if SELinux is managing the credentials. As the intent of this
> patch set is to move the blob management out of the modules
> and into the infrastructure, the SELinux specific code has
> to go. The poisioning could be introduced into the infrastructure
> at some later date.
>
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>

Reviewed-by: Kees Cook <keescook@chromium.org>

-Kees


> ---
>  kernel/cred.c            | 13 -------------
>  security/selinux/hooks.c |  6 ------
>  2 files changed, 19 deletions(-)
>
> diff --git a/kernel/cred.c b/kernel/cred.c
> index ecf03657e71c..fa2061ee4955 100644
> --- a/kernel/cred.c
> +++ b/kernel/cred.c
> @@ -704,19 +704,6 @@ bool creds_are_invalid(const struct cred *cred)
>  {
>         if (cred->magic != CRED_MAGIC)
>                 return true;
> -#ifdef CONFIG_SECURITY_SELINUX
> -       /*
> -        * cred->security == NULL if security_cred_alloc_blank() or
> -        * security_prepare_creds() returned an error.
> -        */
> -       if (selinux_is_enabled() && cred->security) {
> -               if ((unsigned long) cred->security < PAGE_SIZE)
> -                       return true;
> -               if ((*(u32 *)cred->security & 0xffffff00) ==
> -                   (POISON_FREE << 24 | POISON_FREE << 16 | POISON_FREE << 8))
> -                       return true;
> -       }
> -#endif
>         return false;
>  }
>  EXPORT_SYMBOL(creds_are_invalid);
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 9d6cdd21acb6..80614ca25a2b 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -3920,12 +3920,6 @@ static void selinux_cred_free(struct cred *cred)
>  {
>         struct task_security_struct *tsec = selinux_cred(cred);
>
> -       /*
> -        * cred->security == NULL if security_cred_alloc_blank() or
> -        * security_prepare_creds() returned an error.
> -        */
> -       BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
> -       cred->security = (void *) 0x7UL;
>         kfree(tsec);
>  }
>
> --
> 2.17.1
>
>

James Morris Sept. 27, 2018, 10:13 p.m. UTC | #2

On Fri, 21 Sep 2018, Casey Schaufler wrote:

> The SELinux specific credential poisioning only makes sense
> if SELinux is managing the credentials. As the intent of this
> patch set is to move the blob management out of the modules
> and into the infrastructure, the SELinux specific code has
> to go. The poisioning could be introduced into the infrastructure
> at some later date.

If it's useful, it should be incorporated into core LSM, otherwise that's 
a regression for SELinux.

Casey Schaufler Sept. 27, 2018, 10:32 p.m. UTC | #3

On 9/27/2018 3:13 PM, James Morris wrote:
> On Fri, 21 Sep 2018, Casey Schaufler wrote:
>
>> The SELinux specific credential poisioning only makes sense
>> if SELinux is managing the credentials. As the intent of this
>> patch set is to move the blob management out of the modules
>> and into the infrastructure, the SELinux specific code has
>> to go. The poisioning could be introduced into the infrastructure
>> at some later date.
> If it's useful, it should be incorporated into core LSM, otherwise that's 
> a regression for SELinux

When I discussed this code with David Howells he indicated
that it was primarily used for debugging the original shared
credential implementation and that is was not especially
valuable any longer. If someone thinks it is valuable we
should consider doing it in the infrastructure for all the
blobs, not just the credential.

diff --git a/kernel/cred.c b/kernel/cred.c
index ecf03657e71c..fa2061ee4955 100644
--- a/kernel/cred.c
+++ b/kernel/cred.c
@@ -704,19 +704,6 @@  bool creds_are_invalid(const struct cred *cred)
 {
 	if (cred->magic != CRED_MAGIC)
 		return true;
-#ifdef CONFIG_SECURITY_SELINUX
-	/*
-	 * cred->security == NULL if security_cred_alloc_blank() or
-	 * security_prepare_creds() returned an error.
-	 */
-	if (selinux_is_enabled() && cred->security) {
-		if ((unsigned long) cred->security < PAGE_SIZE)
-			return true;
-		if ((*(u32 *)cred->security & 0xffffff00) ==
-		    (POISON_FREE << 24 | POISON_FREE << 16 | POISON_FREE << 8))
-			return true;
-	}
-#endif
 	return false;
 }
 EXPORT_SYMBOL(creds_are_invalid);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 9d6cdd21acb6..80614ca25a2b 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3920,12 +3920,6 @@  static void selinux_cred_free(struct cred *cred)
 {
 	struct task_security_struct *tsec = selinux_cred(cred);
 
-	/*
-	 * cred->security == NULL if security_cred_alloc_blank() or
-	 * security_prepare_creds() returned an error.
-	 */
-	BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
-	cred->security = (void *) 0x7UL;
 	kfree(tsec);
 }

[v4,04/19] SELinux: Remove cred security blob poisoning

Commit Message

Comments

Patch