Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp61355imm;
        Thu, 10 May 2018 15:30:30 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZp3TU34yhjzOuKQUh1HdI6zRdzm1K/RgXOgELC64hmfTAdI0Ff3i0sIZXhMteEL0/N6+bvq
X-Received: by 2002:a62:9c93:: with SMTP id u19-v6mr3046131pfk.74.1525991430284;
        Thu, 10 May 2018 15:30:30 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1525991430; cv=none;
        d=google.com; s=arc-20160816;
        b=N69x4MT7GUdrKxUgPNPRrt/y39+8zkHs7+mfh6g9ujyYj9xLzOxiREyuuP1Yu5fvBR
         yBkPbraRFg1mWFk7kkln3qNGI3QO/ZF8PNsQNCGvDdGSc5GN4bZhB07E1sHD8fZamC9z
         K5M1g5M0e+azjFtvCuxvqEUoNDhUIJOvc1eWplhTcbcduFdvnWbPAw0L4RmVKPYqdYy5
         YfEf6Lzm1EKFtzuup2xiyuZZ/zNRb8EDdR7rH0wos+hpK8w2/MIXBqX3twpp6I0QNrWu
         OVxq4AVD4Mp0Snj5FNwC+WoNwGZPTx+8NcPuDrflNC1mIW9sJcIzdgq1r+zcyVoqeUSt
         UzyQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature:dkim-signature
         :arc-authentication-results;
        bh=G6rMnX+tvSLRYJix03irRAgnekDrzV6HjhD9YB4yyH8=;
        b=yyPiP73E+cfc1IEs5qGA7IlfxvkrGCcl9ma5KTM2XXVQjHud5VFuLma3CthoSJUQyp
         hbN940Ba901ZLX8Y4dyPzujY5kUkIMgC4lfx0qdBtjoyhoUdlghRCJSjumzziceOrrV4
         veB+tbAr4gAR9VUoroW3o92b/bjjxrVkEeLJytaIPWtqzJXsO2vUaEAuO+4OWxp4r4db
         G7au9xDqdMRgGyfAlX8idPiPifXpSC6nxPxA7dJTvW56mHjxEm9ZPul2qLEdWGu5SPhS
         9jS34Rxmic4mA9Wu9T3Tmfad1+Dl0GZhUify8GuLCrxtZgqVK3V42pfYZE3UsHXYueHP
         ScNQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@google.com header.s=20161025 header.b=rtmY7fWX;
       dkim=fail header.i=@chromium.org header.s=google header.b=SIEs7REN;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id e63-v6si1785607pfd.261.2018.05.10.15.30.15;
        Thu, 10 May 2018 15:30:30 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@google.com header.s=20161025 header.b=rtmY7fWX;
       dkim=fail header.i=@chromium.org header.s=google header.b=SIEs7REN;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1750972AbeEJW1a (ORCPT <rfc822;zxj546700287@gmail.com>
        + 99 others); Thu, 10 May 2018 18:27:30 -0400
Received: from mail-vk0-f65.google.com ([209.85.213.65]:46025 "EHLO
        mail-vk0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1750794AbeEJW11 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 10 May 2018 18:27:27 -0400
Received: by mail-vk0-f65.google.com with SMTP id 203-v6so2154103vka.12
        for <linux-kernel@vger.kernel.org>; Thu, 10 May 2018 15:27:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=G6rMnX+tvSLRYJix03irRAgnekDrzV6HjhD9YB4yyH8=;
        b=rtmY7fWXK5jTuyfytIR6MipIzMkn3vFljfVFp0jI4qrbatqWVcfgOvrDoacZkpi+ru
         BNIZs+P/ATD42KCRqFrIvbTkKwMNejFE+4EKz1DBehn+EgzCjkZo4Nbyrxif97bqI/9A
         C7HVJMZDYeufkqeP70xqIFnSUdgCN7JKUw/PiKjiZYqdBhA7kwyGY4nqC+ageaZ7e1z9
         X97PMlFRhv2wzorLVYyXrURsmelRDK/7kE3mHC/9XruSf5RuR7NWSNhU1lvBS4k87p3k
         V7zsXNZFv+NalYI7NkkUuFry8dgmPGTj0l5cPpAU5cTKQ6LEkdrzdUXBa/NORALYR+8+
         oqTA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=G6rMnX+tvSLRYJix03irRAgnekDrzV6HjhD9YB4yyH8=;
        b=SIEs7RENLe57xXvZlQJv8zv4wf5GO4BIqqx2inh2atVWWvQBnrBoML6csVg/c3P3MZ
         XwV2WN9IG0HUHzsLIH4AUxwqXbQFH2ShxPOtm99xR8ETLBfFWYdO9IsbkZBX+4nR5J1V
         C5AUzK9UokuQmuXb8NRwNPPLQVZj1CL2yjJD4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
         :date:message-id:subject:to:cc;
        bh=G6rMnX+tvSLRYJix03irRAgnekDrzV6HjhD9YB4yyH8=;
        b=KN93l9tECx1kZX939ecjOpoWwmKx53NY6d1TlpKppXw/W6EUFbIDwxJ6M1F8tHfwz1
         1Dnrs3LeOVvN/hmTacxC/tiGTyBpxY4vCT7bHqGnMfOMvdDRb1URKA8wyKZRx62tuhzN
         U54b+xgU6G17JsxtEQ8pzsYENmB4oD1seKVdsDIfv4wAB7H5oCX94IYN1202INAO6bd2
         ErzHj1OlqtS8mDHdtJT238XxyUf6dbj3jAe9cdvARRCZiRXZn/Q+aOFQpIR3Whz83Fwt
         zJ78fxMr3By0bHpEnzdWOihuOC9/j7Q6qHwpcOUll2GOFBVSc2aktNsbYvLk+Bvbo42f
         eNIQ==
X-Gm-Message-State: ALKqPwe5fFAGyKif53qXNMHGFPBjeoqpEVweFM4EZ9n8p5cEpvWJkhvN
        0XN1L3HKTNHzEJucqO61+wXtM75bCZGD4R3zQ3X8Bg==
X-Received: by 2002:a1f:b9d2:: with SMTP id j201-v6mr2281335vkf.123.1525991245922;
 Thu, 10 May 2018 15:27:25 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a1f:bd1:0:0:0:0:0 with HTTP; Thu, 10 May 2018 15:27:24 -0700 (PDT)
In-Reply-To: <20180504195642.GB12838@wotan.suse.de>
References: <20180503043604.1604587-1-ast@kernel.org> <20180503043604.1604587-2-ast@kernel.org>
 <20180504195642.GB12838@wotan.suse.de>
From:   Kees Cook <keescook@chromium.org>
Date:   Thu, 10 May 2018 15:27:24 -0700
X-Google-Sender-Auth: 6h_gqkXFsy_tnH80Du1A8LUMF30
Message-ID: <CAGXu5j+1p5ccFBjcKa3FDR4cQnbQn3cokbbhrwizoUyAAqFSTQ@mail.gmail.com>
Subject: Re: [PATCH v2 net-next 1/4] umh: introduce fork_usermode_blob() helper
To:     "Luis R. Rodriguez" <mcgrof@kernel.org>
Cc:     Alexei Starovoitov <ast@kernel.org>,
        "David S. Miller" <davem@davemloft.net>,
        Daniel Borkmann <daniel@iogearbox.net>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Greg KH <gregkh@linuxfoundation.org>,
        Andy Lutomirski <luto@amacapital.net>,
        Network Development <netdev@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        kernel-team <kernel-team@fb.com>,
        Al Viro <viro@zeniv.linux.org.uk>,
        David Howells <dhowells@redhat.com>,
        Mimi Zohar <zohar@linux.vnet.ibm.com>,
        Andrew Morton <akpm@linux-foundation.org>,
        Dominik Brodowski <linux@dominikbrodowski.net>,
        Hugh Dickins <hughd@google.com>,
        Jani Nikula <jani.nikula@linux.intel.com>,
        Joonas Lahtinen <joonas.lahtinen@linux.intel.com>,
        Rodrigo Vivi <rodrigo.vivi@intel.com>,
        David Airlie <airlied@linux.ie>,
        "Rafael J. Wysocki" <rjw@rjwysocki.net>,
        Linux FS Devel <linux-fsdevel@vger.kernel.org>,
        Peter Jones <pjones@redhat.com>,
        Matthew Garrett <mjg59@google.com>,
        linux-security-module <linux-security-module@vger.kernel.org>,
        linux-integrity <linux-integrity@vger.kernel.org>,
        Jessica Yu <jeyu@kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, May 4, 2018 at 12:56 PM, Luis R. Rodriguez <mcgrof@kernel.org> wrote:
> What a mighty short list of reviewers. Adding some more. My review below.
> I'd appreciate a Cc on future versions of these patches.

Me too, please. And likely linux-security-module@ and Jessica too.

> On Wed, May 02, 2018 at 09:36:01PM -0700, Alexei Starovoitov wrote:
>> Introduce helper:
>> int fork_usermode_blob(void *data, size_t len, struct umh_info *info);
>> struct umh_info {
>>        struct file *pipe_to_umh;
>>        struct file *pipe_from_umh;
>>        pid_t pid;
>> };
>>
>> that GPLed kernel modules (signed or unsigned) can use it to execute part
>> of its own data as swappable user mode process.
>>
>> The kernel will do:
>> - mount "tmpfs"
>> - allocate a unique file in tmpfs
>> - populate that file with [data, data + len] bytes
>> - user-mode-helper code will do_execve that file and, before the process
>>   starts, the kernel will create two unix pipes for bidirectional
>>   communication between kernel module and umh
>> - close tmpfs file, effectively deleting it
>> - the fork_usermode_blob will return zero on success and populate
>>   'struct umh_info' with two unix pipes and the pid of the user process

I'm trying to think how LSMs can successfully reason about the
resulting exec(). In the past, we've replaced "blob" style interfaces
with file-based interfaces (e.g. init_module() -> finit_module(),
kexec_load() -> kexec_file_load()) to better let the kernel understand
the origin of executable content. Here the intent is fine: we're
getting the exec from an already-loaded module, etc, etc. I'm trying
to think specifically about the interface.

How can the ultimate exec get tied back to the kernel module in a way
that the LSM can query? Right now the hooks hit during exec are:
kernel_read_file() and kernel_post_read_file() of tmpfs file,
bprm_set_creds(), bprm_check(), bprm_commiting_creds(),
bprm_commited_creds(). It seems silly to me for an LSM to perform
these checks at all since I would expect the _meaningful_ check to be
finit_module() of the module itself. Having a way for an LSM to know
the exec is tied to a kernel module would let them skip the nonsense
checks.

Since the process for doing the usermode_blob is defined by the kernel
module build/link/objcopy process, could we tighten the
fork_usermode_blob() interface to point to the kernel module itself,
rather than leaving it an open-ended "blob" interface? Given our
history of needing to replace blob interfaces with file interfaces,
I'm cautious to add a new blob interface. Maybe just pull all the
blob-finding/loading into the interface, and just make it something
like fork_usermode_kmod(struct module *mod, struct umh_info *info) ?

-Kees

-- 
Kees Cook
Pixel Security