Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp61355imm; Thu, 10 May 2018 15:30:30 -0700 (PDT) X-Google-Smtp-Source: AB8JxZp3TU34yhjzOuKQUh1HdI6zRdzm1K/RgXOgELC64hmfTAdI0Ff3i0sIZXhMteEL0/N6+bvq X-Received: by 2002:a62:9c93:: with SMTP id u19-v6mr3046131pfk.74.1525991430284; Thu, 10 May 2018 15:30:30 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1525991430; cv=none; d=google.com; s=arc-20160816; b=N69x4MT7GUdrKxUgPNPRrt/y39+8zkHs7+mfh6g9ujyYj9xLzOxiREyuuP1Yu5fvBR yBkPbraRFg1mWFk7kkln3qNGI3QO/ZF8PNsQNCGvDdGSc5GN4bZhB07E1sHD8fZamC9z K5M1g5M0e+azjFtvCuxvqEUoNDhUIJOvc1eWplhTcbcduFdvnWbPAw0L4RmVKPYqdYy5 YfEf6Lzm1EKFtzuup2xiyuZZ/zNRb8EDdR7rH0wos+hpK8w2/MIXBqX3twpp6I0QNrWu OVxq4AVD4Mp0Snj5FNwC+WoNwGZPTx+8NcPuDrflNC1mIW9sJcIzdgq1r+zcyVoqeUSt UzyQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature:dkim-signature :arc-authentication-results; bh=G6rMnX+tvSLRYJix03irRAgnekDrzV6HjhD9YB4yyH8=; b=yyPiP73E+cfc1IEs5qGA7IlfxvkrGCcl9ma5KTM2XXVQjHud5VFuLma3CthoSJUQyp hbN940Ba901ZLX8Y4dyPzujY5kUkIMgC4lfx0qdBtjoyhoUdlghRCJSjumzziceOrrV4 veB+tbAr4gAR9VUoroW3o92b/bjjxrVkEeLJytaIPWtqzJXsO2vUaEAuO+4OWxp4r4db G7au9xDqdMRgGyfAlX8idPiPifXpSC6nxPxA7dJTvW56mHjxEm9ZPul2qLEdWGu5SPhS 9jS34Rxmic4mA9Wu9T3Tmfad1+Dl0GZhUify8GuLCrxtZgqVK3V42pfYZE3UsHXYueHP ScNQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=rtmY7fWX; dkim=fail header.i=@chromium.org header.s=google header.b=SIEs7REN; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e63-v6si1785607pfd.261.2018.05.10.15.30.15; Thu, 10 May 2018 15:30:30 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=rtmY7fWX; dkim=fail header.i=@chromium.org header.s=google header.b=SIEs7REN; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1750972AbeEJW1a (ORCPT + 99 others); Thu, 10 May 2018 18:27:30 -0400 Received: from mail-vk0-f65.google.com ([209.85.213.65]:46025 "EHLO mail-vk0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750794AbeEJW11 (ORCPT ); Thu, 10 May 2018 18:27:27 -0400 Received: by mail-vk0-f65.google.com with SMTP id 203-v6so2154103vka.12 for ; Thu, 10 May 2018 15:27:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=G6rMnX+tvSLRYJix03irRAgnekDrzV6HjhD9YB4yyH8=; b=rtmY7fWXK5jTuyfytIR6MipIzMkn3vFljfVFp0jI4qrbatqWVcfgOvrDoacZkpi+ru BNIZs+P/ATD42KCRqFrIvbTkKwMNejFE+4EKz1DBehn+EgzCjkZo4Nbyrxif97bqI/9A C7HVJMZDYeufkqeP70xqIFnSUdgCN7JKUw/PiKjiZYqdBhA7kwyGY4nqC+ageaZ7e1z9 X97PMlFRhv2wzorLVYyXrURsmelRDK/7kE3mHC/9XruSf5RuR7NWSNhU1lvBS4k87p3k V7zsXNZFv+NalYI7NkkUuFry8dgmPGTj0l5cPpAU5cTKQ6LEkdrzdUXBa/NORALYR+8+ oqTA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=G6rMnX+tvSLRYJix03irRAgnekDrzV6HjhD9YB4yyH8=; b=SIEs7RENLe57xXvZlQJv8zv4wf5GO4BIqqx2inh2atVWWvQBnrBoML6csVg/c3P3MZ XwV2WN9IG0HUHzsLIH4AUxwqXbQFH2ShxPOtm99xR8ETLBfFWYdO9IsbkZBX+4nR5J1V C5AUzK9UokuQmuXb8NRwNPPLQVZj1CL2yjJD4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=G6rMnX+tvSLRYJix03irRAgnekDrzV6HjhD9YB4yyH8=; b=KN93l9tECx1kZX939ecjOpoWwmKx53NY6d1TlpKppXw/W6EUFbIDwxJ6M1F8tHfwz1 1Dnrs3LeOVvN/hmTacxC/tiGTyBpxY4vCT7bHqGnMfOMvdDRb1URKA8wyKZRx62tuhzN U54b+xgU6G17JsxtEQ8pzsYENmB4oD1seKVdsDIfv4wAB7H5oCX94IYN1202INAO6bd2 ErzHj1OlqtS8mDHdtJT238XxyUf6dbj3jAe9cdvARRCZiRXZn/Q+aOFQpIR3Whz83Fwt zJ78fxMr3By0bHpEnzdWOihuOC9/j7Q6qHwpcOUll2GOFBVSc2aktNsbYvLk+Bvbo42f eNIQ== X-Gm-Message-State: ALKqPwe5fFAGyKif53qXNMHGFPBjeoqpEVweFM4EZ9n8p5cEpvWJkhvN 0XN1L3HKTNHzEJucqO61+wXtM75bCZGD4R3zQ3X8Bg== X-Received: by 2002:a1f:b9d2:: with SMTP id j201-v6mr2281335vkf.123.1525991245922; Thu, 10 May 2018 15:27:25 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a1f:bd1:0:0:0:0:0 with HTTP; Thu, 10 May 2018 15:27:24 -0700 (PDT) In-Reply-To: <20180504195642.GB12838@wotan.suse.de> References: <20180503043604.1604587-1-ast@kernel.org> <20180503043604.1604587-2-ast@kernel.org> <20180504195642.GB12838@wotan.suse.de> From: Kees Cook Date: Thu, 10 May 2018 15:27:24 -0700 X-Google-Sender-Auth: 6h_gqkXFsy_tnH80Du1A8LUMF30 Message-ID: Subject: Re: [PATCH v2 net-next 1/4] umh: introduce fork_usermode_blob() helper To: "Luis R. Rodriguez" Cc: Alexei Starovoitov , "David S. Miller" , Daniel Borkmann , Linus Torvalds , Greg KH , Andy Lutomirski , Network Development , LKML , kernel-team , Al Viro , David Howells , Mimi Zohar , Andrew Morton , Dominik Brodowski , Hugh Dickins , Jani Nikula , Joonas Lahtinen , Rodrigo Vivi , David Airlie , "Rafael J. Wysocki" , Linux FS Devel , Peter Jones , Matthew Garrett , linux-security-module , linux-integrity , Jessica Yu Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, May 4, 2018 at 12:56 PM, Luis R. Rodriguez wrote: > What a mighty short list of reviewers. Adding some more. My review below. > I'd appreciate a Cc on future versions of these patches. Me too, please. And likely linux-security-module@ and Jessica too. > On Wed, May 02, 2018 at 09:36:01PM -0700, Alexei Starovoitov wrote: >> Introduce helper: >> int fork_usermode_blob(void *data, size_t len, struct umh_info *info); >> struct umh_info { >> struct file *pipe_to_umh; >> struct file *pipe_from_umh; >> pid_t pid; >> }; >> >> that GPLed kernel modules (signed or unsigned) can use it to execute part >> of its own data as swappable user mode process. >> >> The kernel will do: >> - mount "tmpfs" >> - allocate a unique file in tmpfs >> - populate that file with [data, data + len] bytes >> - user-mode-helper code will do_execve that file and, before the process >> starts, the kernel will create two unix pipes for bidirectional >> communication between kernel module and umh >> - close tmpfs file, effectively deleting it >> - the fork_usermode_blob will return zero on success and populate >> 'struct umh_info' with two unix pipes and the pid of the user process I'm trying to think how LSMs can successfully reason about the resulting exec(). In the past, we've replaced "blob" style interfaces with file-based interfaces (e.g. init_module() -> finit_module(), kexec_load() -> kexec_file_load()) to better let the kernel understand the origin of executable content. Here the intent is fine: we're getting the exec from an already-loaded module, etc, etc. I'm trying to think specifically about the interface. How can the ultimate exec get tied back to the kernel module in a way that the LSM can query? Right now the hooks hit during exec are: kernel_read_file() and kernel_post_read_file() of tmpfs file, bprm_set_creds(), bprm_check(), bprm_commiting_creds(), bprm_commited_creds(). It seems silly to me for an LSM to perform these checks at all since I would expect the _meaningful_ check to be finit_module() of the module itself. Having a way for an LSM to know the exec is tied to a kernel module would let them skip the nonsense checks. Since the process for doing the usermode_blob is defined by the kernel module build/link/objcopy process, could we tighten the fork_usermode_blob() interface to point to the kernel module itself, rather than leaving it an open-ended "blob" interface? Given our history of needing to replace blob interfaces with file interfaces, I'm cautious to add a new blob interface. Maybe just pull all the blob-finding/loading into the interface, and just make it something like fork_usermode_kmod(struct module *mod, struct umh_info *info) ? -Kees -- Kees Cook Pixel Security