Received: by 10.223.185.116 with SMTP id b49csp277014wrg; Thu, 8 Mar 2018 17:25:23 -0800 (PST) X-Google-Smtp-Source: AG47ELud6LyU9h9hkhUqPyhmza18Gq2m8RCaKBVXRnM47aBEIqlQWi57yXHxwCM+tfvfJAQBwWuH X-Received: by 2002:a17:902:864b:: with SMTP id y11-v6mr25661496plt.380.1520558723767; Thu, 08 Mar 2018 17:25:23 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1520558723; cv=none; d=google.com; s=arc-20160816; b=xb6LUYEp+ztHU71sVuLCtphBzTl4cJT9oL6xGE4Vr+YJH78jkbJv4kuW1mVpREg8CA 3xGqYlp4v8tVDy6a7hTsg7/QyMrUO+QEHG+1zwD0MBx6EEjMsVDBS5PocVhsWNH5BzXY b7lnKGZjG1zQkcAsLSeRCFk5OjXocVocjLCe2usRa5oEecWhzuOILaOFHdf2N3zpSHeW zFRKL5HSY+5b/ILopdgui0sL86frfQiYrM3mIaHKquVrkH1406uH0nz4qDfAxAm2h9nk znrtJlsdUaI6dD81z4t845EWlLVTJShyBNuStcM9dS5B3Orahzjmsz5C8GP+S9hPvbq5 pe/w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature:dkim-signature :arc-authentication-results; bh=jHzuBvTJdh7jhjG2hUwUB/75UnPKIncMK6r4tw0ig3A=; b=jYdwxWg8S4Rwy0XGghpWjm/Yav1gq4PfaJsjrvNWWIUn09jTmJDDWjMg/dBe5W1l/e YVRO5sU1XOUHennLMuOWkNmDo5qAPIe588XYtJLIUl6yxDGka9XC6Q2ObVuYtAsTcXJa lgIPUpHQWZXz1rRQhfn2VORAcFPN/o9y0G2m1okMHV48NCtVUyP9YtqHBvqFfRggHZxg 8k/Ulg1tIVHTeIoC0TwXLfJuh8cFNo7s5P9cqFu94dV0qkmQToF1ky6YrKjYT4Ri2QT+ bJRaPMaAWm4AvzqD+FaZ/Fq1h+QRgNhiMJbamNoi0ZJiO1QipNM4nW9YhZz10jxGuRtl mtfQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=bI59rta+; dkim=fail header.i=@chromium.org header.s=google header.b=UEAVHk/Y; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l64si9899459pgl.485.2018.03.08.17.25.08; Thu, 08 Mar 2018 17:25:23 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=bI59rta+; dkim=fail header.i=@chromium.org header.s=google header.b=UEAVHk/Y; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751496AbeCIBYP (ORCPT + 99 others); Thu, 8 Mar 2018 20:24:15 -0500 Received: from mail-ua0-f196.google.com ([209.85.217.196]:33335 "EHLO mail-ua0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750880AbeCIBYN (ORCPT ); Thu, 8 Mar 2018 20:24:13 -0500 Received: by mail-ua0-f196.google.com with SMTP id f6so1243763ual.0 for ; Thu, 08 Mar 2018 17:24:12 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=jHzuBvTJdh7jhjG2hUwUB/75UnPKIncMK6r4tw0ig3A=; b=bI59rta+LJFGXJMg3tKJspHr/4sFkgxRWr5KrUFdDxj3vLvzILc3sDvlZCO6SZ+1BV S0xtYPI5RaPhfo3s/OizMTo9Tzr/ceoTi30Gl/13UORIt6BMetVjwcLrC5cj39hsyMiO sTuY7WUpkSaFnLdGp8w0OW+/OP9WeKpFyVX1asQzopg7lfV3iOXiDTGPyzrURD83xaja zKhbLi4OG48NsXvLnc1IbxloIzsE+RJeX9wAiJZnoSqU7ABpZSYaj6RYSQW5LwDG1tca s/MmRV1AeafqkUMupwCdFYYJWD9UqP8AubQQh0GDL5Wo9dghU0J5nVsFWZMftOnlS9ii fMzQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=jHzuBvTJdh7jhjG2hUwUB/75UnPKIncMK6r4tw0ig3A=; b=UEAVHk/YBtuGe/xamcjU9BBF6RWVKEFbWeYin2UyZ4NoWnBKLx+zqaPeEYprdxsgvw E7+0CT4ACvApngImW1hBtq5Rl5iAOq9qP3aISCy/wAmgd8qgSMYuZJ4Cji2cNJ8W9sUH FgNUKsNgA/lEDEfP6oJ0in+W7wFZQJl4YvQSo= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=jHzuBvTJdh7jhjG2hUwUB/75UnPKIncMK6r4tw0ig3A=; b=q1zjmTdIISKjXFo9ejfq3mBtAiEbvTBvLhSjSEWjkVBNWnRMyK+x/ZWPYkbAMcTP4d kmwpYtj6XZIIJcBFCEeC2K/IILs8H0QQfllq+Q2lCqZqm9Qm3z0nb4SuDkgl2A7En4g2 D7Eh2IlwTxun2ArqRN9BmgvTFYhSoh9oV8tz+o/JLtXDUWm/0aSSm1DJ9rUNv4EDWhlZ O6pwRqWAVNUvQyhBYkEQ3lzW8z48dkHCYNeYWniikojmF71kezqrXdalWFtEVQMwdE2i NUUJT4gK7BAY+Lvt3B7TdhOBaETBBsW3PVV8vAHnAEKEZqhbn5mdxp2HBk65IQdQ/hd5 DqNw== X-Gm-Message-State: APf1xPAkqmedunHAYcjTRr7EQtgv9goTp8UBGMKh3RouDaX28gQcyc6A A+RAFQ49dM6FiF5KYwlc6bhrgmwt9mrhh7X4iaSzaw== X-Received: by 10.176.83.151 with SMTP id k23mr21195069uaa.167.1520558651975; Thu, 08 Mar 2018 17:24:11 -0800 (PST) MIME-Version: 1.0 Received: by 10.31.242.140 with HTTP; Thu, 8 Mar 2018 17:24:11 -0800 (PST) In-Reply-To: <357c330f-0165-b7a4-7ecc-4cd797e61e15@fb.com> References: <20180306013457.1955486-1-ast@kernel.org> <357c330f-0165-b7a4-7ecc-4cd797e61e15@fb.com> From: Kees Cook Date: Thu, 8 Mar 2018 17:24:11 -0800 X-Google-Sender-Auth: D_IR42H8ayeCUfO0OokZm1Odnl8 Message-ID: Subject: Re: [PATCH net-next] modules: allow modprobe load regular elf binaries To: Alexei Starovoitov Cc: Alexei Starovoitov , Djalal Harouni , Al Viro , "David S. Miller" , Daniel Borkmann , Linus Torvalds , Greg KH , "Luis R. Rodriguez" , Network Development , LKML , kernel-team@fb.com, Linux API , Mimi Zohar , Paul Moore , James Morris , Stephen Smalley Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Mar 8, 2018 at 4:57 PM, Alexei Starovoitov wrote: > The above are three paragraphs of security paranoia without single > concrete example of a security issue. How is running an arbitrary ELF as full init_ns root from a container not a concrete example? I'm not saying this approach can never happen. And this isn't paranoia. There are very real security boundary violations in this model, IMO. Though, as Andy says, it's more about autoloading than umh itself. I just don't want to extend that problem further. >> As Andy asked earlier, why not DYN too to catch PIE executables? Seems >> like forcing the userspace helper to be non-PIE would defeat some of >> the userspace defenses in use in most distros. > > > because we don't add features without concrete users. It's just a two-line change, and then it would work on distros that build PIE-by-default. That seems like a concrete use-case. >> The exec.c changes should be split into a separate patch. Something >> feels incorrectly refactored here, though. Passing all three of fd, >> filename, and file to __do_execve_file() seems wrong; perhaps the fd >> to file handling needs to happen externally in what you have here as >> do_execveat_common()? The resulting __do_execve_file() has repeated >> conditionals on filename... maybe what I object to is being able to >> pass a NULL filename at all. The filename can be (painfully) >> reconstructed from the struct file. > > reconstruct the path and instantly introduce the race between execing > something by path vs prior check that it's actual elf of already > opened file ?! > excellent suggestion to improve security. I'm not sure why you're being so hostile. We're both interested in improving the kernel. Path names aren't stable, but they provide good _debugging_ about things when needed. For example, the LSM hooks, if they report on one of these loads, can produce a hint to the user about what happened. Passing "/dev/null" around is confusing at the very least. The ELF is absolutely not /dev/null. Why make someone guess? >>> [...] >>> diff --git a/kernel/module.c b/kernel/module.c >>> index ad2d420024f6..6cfa35795741 100644 >>> --- a/kernel/module.c >>> +++ b/kernel/module.c >>> [...] >>> @@ -3870,14 +3896,21 @@ SYSCALL_DEFINE3(finit_module, int, fd, const char >>> __user *, uargs, int, flags) >>> |MODULE_INIT_IGNORE_VERMAGIC)) >>> return -EINVAL; >>> >>> - err = kernel_read_file_from_fd(fd, &hdr, &size, INT_MAX, >>> - READING_MODULE); >>> + f = fdget(fd); >>> + if (!f.file) >>> + return -EBADF; >>> + >>> + err = kernel_read_file(f.file, &hdr, &size, INT_MAX, >>> READING_MODULE); >> >> >> For the LSM subsystem, I think this should also get it's own enum >> kernel_read_file_id. This is really no longer a kernel module... > > > at this point it's a _file_. It could have been text file just well. > If lsm is thinking that at this point kernel is processing > kernel module that lsm is badly broken. Again, this is about making things more discoverable. We already know if we're loading a kernel module or a umh ELF. Passing this information to the LSM is valuable to the LSM to distinguish between types of files. They have very different effects on the system, for example. The issue is about validating intent with target. "Is this kernel module allowed?" and "Is this umh ELF allowed?" are better questions that "Is something loaded through finit_module() allowed?" Note already that the LSM distinguishes between many other file types in kernel_read_file*(). -Kees -- Kees Cook Pixel Security