Received: by 10.223.185.116 with SMTP id b49csp3928776wrg;
        Tue, 13 Feb 2018 09:54:41 -0800 (PST)
X-Google-Smtp-Source: AH8x227mkNDrwFmz/QIYHxxck/qMVycaP7vBbE5S7cLqt4fcHc92sNTS4aGt34fFnYj+29XpL2ol
X-Received: by 2002:a17:902:5a5:: with SMTP id f34-v6mr1897104plf.134.1518544481811;
        Tue, 13 Feb 2018 09:54:41 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1518544481; cv=none;
        d=google.com; s=arc-20160816;
        b=nyVVt3xLosINOzmHB5lDG8Zi5TNM5u0fCx/xsFH+3rzxboZNcqDDki3YJm8916+MNE
         9ODBn4dmyksXnn9ATQy27QSGt5P0PqE5KXvnd3rEGeA4BkOhQhmr9ohBAF9uGF1TvTKM
         jRK55f6Vwhu7OVrytzNcioy2uE2bvy1U9OqBJXDrPd1z0p2QeZultlcU9ucBWLS521fp
         6pz5H2+3edAUzoTMAJrTnd9mxo9X2MBUjlWVtFO2EfpdrVy3p1Oj9x4F0FTiFtUw3Jbw
         y37LymuSWwigwYP+a+kVu+1vLcBKf0rEQ2LA+gRq+Kpj6agyAnQlKm1g+UVYQpeU174/
         HmQw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:references:in-reply-to:message-id:date
         :subject:cc:to:from:arc-authentication-results;
        bh=dsjmgJ47nfLZcY7FiaG8lGXsBRyI3t/FpdPfw6W2wOk=;
        b=DcfMcn3ehbfLxf5lJAIGe0ZseZ4C/+YJftJnPBVKbYe87rAOnKO8Zng2lC8RW8yjpD
         pf6RNgJPfALARMFfd+nb0DyaNb7p9uxyyHXOnswi7N0WeqabdizTHwpPSGdGbxNvReEj
         003GcqTdxYenZyz2IJk/Nl2vQN/2n7zJ5WXl+gnOzjaVeGwXSsRF+dci1l4oxXGtdSrs
         ZQlpA9FT+5ggzu+ZWvB7bneY3Yffiu88Hz/UL6dJoGaRjuXVjnuq1bgeqydUVmEwzxcP
         LcCxmDCXm/1IdeomFiB7YwQjRt67baNXFee9IDiZVS0ez2wFmlrPaI1IkkAKzh3hEbw4
         DHYg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id u8si1428003pgp.78.2018.02.13.09.54.27;
        Tue, 13 Feb 2018 09:54:41 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S965538AbeBMRvG (ORCPT <rfc822;rmelvin.vger@gmail.com>
        + 99 others); Tue, 13 Feb 2018 12:51:06 -0500
Received: from smtp2.provo.novell.com ([137.65.250.81]:59111 "EHLO
        smtp2.provo.novell.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S965419AbeBMRvE (ORCPT
        <rfc822;groupwise-linux-kernel@vger.kernel.org:0:0>);
        Tue, 13 Feb 2018 12:51:04 -0500
Received: from linux-n805.suse.de (prv-ext-foundry1int.gns.novell.com [137.65.251.240])
        by smtp2.provo.novell.com with ESMTP (TLS encrypted); Tue, 13 Feb 2018 10:50:59 -0700
From:   Davidlohr Bueso <dave@stgolabs.net>
To:     akpm@linux-foundation.org
Cc:     mhocko@kernel.org, mtk.manpages@gmail.com, keescook@chromium.org,
        linux-api@vger.kernel.org, linux-kernel@vger.kernel.org,
        Davidlohr Bueso <dave@stgolabs.net>,
        Davidlohr Bueso <dbueso@suse.de>
Subject: [PATCH 1/3] ipc/shm: introduce shmctl(SHM_STAT_ALL)
Date:   Tue, 13 Feb 2018 09:41:34 -0800
Message-Id: <20180213174136.6346-2-dave@stgolabs.net>
X-Mailer: git-send-email 2.13.6
In-Reply-To: <20180213174136.6346-1-dave@stgolabs.net>
References: <20180213174136.6346-1-dave@stgolabs.net>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

There is a permission discrepancy when consulting shm ipc
object metadata between /proc/sysvipc/shm (0444) and the
SHM_STAT shmctl command. The later does permission checks
for the object vs S_IRUGO. As such there can be cases where
EACCESS is returned via syscall but the info is displayed
anyways in the procfs files.

While this might have security implications via info leaking
(albeit no writing to the shm metadata), this behavior goes
way back and showing all the objects regardless of the
permissions was most likely an overlook - so we are stuck
with it. Furthermore, modifying either the syscall or the
procfs file can cause userspace programs to break (ie ipcs).
Some applications require getting the procfs info (without
root privileges) and can be rather slow in comparison with
a syscall -- up to 500x in some reported cases.

This patch introduces a new SHM_STAT_ALL command such that
the shm ipc object permissions are ignored, and only audited
instead. In addition, I've left the lsm security hook checks
in place, as if some policy can block the call, then the user
has no other choice than just parsing the procfs file.

Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
---
 include/uapi/linux/shm.h |  5 +++--
 ipc/shm.c                | 23 ++++++++++++++++++-----
 security/selinux/hooks.c |  1 +
 3 files changed, 22 insertions(+), 7 deletions(-)

diff --git a/include/uapi/linux/shm.h b/include/uapi/linux/shm.h
index 4de12a39b075..017284fca194 100644
--- a/include/uapi/linux/shm.h
+++ b/include/uapi/linux/shm.h
@@ -83,8 +83,9 @@ struct shmid_ds {
 #define SHM_UNLOCK 	12
 
 /* ipcs ctl commands */
-#define SHM_STAT 	13
-#define SHM_INFO 	14
+#define SHM_STAT	13
+#define SHM_INFO	14
+#define SHM_STAT_ALL    15
 
 /* Obsolete, used only for backwards compatibility */
 struct	shminfo {
diff --git a/ipc/shm.c b/ipc/shm.c
index 4643865e9171..a84b45b4f50f 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -915,14 +915,14 @@ static int shmctl_stat(struct ipc_namespace *ns, int shmid,
 	memset(tbuf, 0, sizeof(*tbuf));
 
 	rcu_read_lock();
-	if (cmd == SHM_STAT) {
+	if (cmd == SHM_STAT || cmd == SHM_STAT_ALL) {
 		shp = shm_obtain_object(ns, shmid);
 		if (IS_ERR(shp)) {
 			err = PTR_ERR(shp);
 			goto out_unlock;
 		}
 		id = shp->shm_perm.id;
-	} else {
+	} else { /* IPC_STAT */
 		shp = shm_obtain_object_check(ns, shmid);
 		if (IS_ERR(shp)) {
 			err = PTR_ERR(shp);
@@ -930,9 +930,20 @@ static int shmctl_stat(struct ipc_namespace *ns, int shmid,
 		}
 	}
 
-	err = -EACCES;
-	if (ipcperms(ns, &shp->shm_perm, S_IRUGO))
-		goto out_unlock;
+	/*
+	 * Semantically SHM_STAT_ALL ought to be identical to
+	 * that functionality provided by the /proc/sysvipc/
+	 * interface. As such, only audit these calls and
+	 * do not do traditional S_IRUGO permission checks on
+	 * the ipc object.
+	 */
+	if (cmd == SHM_STAT_ALL)
+		audit_ipc_obj(&shp->shm_perm);
+	else {
+		err = -EACCES;
+		if (ipcperms(ns, &shp->shm_perm, S_IRUGO))
+			goto out_unlock;
+	}
 
 	err = security_shm_shmctl(shp, cmd);
 	if (err)
@@ -1072,6 +1083,7 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf)
 		return err;
 	}
 	case SHM_STAT:
+	case SHM_STAT_ALL:
 	case IPC_STAT: {
 		err = shmctl_stat(ns, shmid, cmd, &sem64);
 		if (err < 0)
@@ -1245,6 +1257,7 @@ COMPAT_SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, void __user *, uptr)
 		return err;
 	}
 	case IPC_STAT:
+	case SHM_STAT_ALL:
 	case SHM_STAT:
 		err = shmctl_stat(ns, shmid, cmd, &sem64);
 		if (err < 0)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 35ef1e9045e8..dc2a9a0f6ddf 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5734,6 +5734,7 @@ static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
 				    SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL);
 	case IPC_STAT:
 	case SHM_STAT:
+	case SHM_STAT_ALL:
 		perms = SHM__GETATTR | SHM__ASSOCIATE;
 		break;
 	case IPC_SET:
-- 
2.13.6