Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp2566274imm; Thu, 16 Aug 2018 11:36:00 -0700 (PDT) X-Google-Smtp-Source: AA+uWPy1SHaXuZLyW+CGHisbFbb2KGWUx6GRKX6xSKVr+zo3WGHaLhJK2fmOlcSma6+GAgaLTbw7 X-Received: by 2002:a62:c288:: with SMTP id w8-v6mr33192763pfk.92.1534444560048; Thu, 16 Aug 2018 11:36:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1534444560; cv=none; d=google.com; s=arc-20160816; b=gH/cZNfYQO70DgHq43Ukde4v6497FUBJwJqidLNDxh3tjwOO3HSwtgfEmsTA5Zu7b5 KYfBC4RlBEKpA9IMJol3Ms3+6HqmESg2uQZZ1303n13GXBfyyaFysglBwLGLT2C2pd3m KFViRxFkorKxKmpqgqwJXfbZ3X9bD+y4J+0ojOl4+XYLo81MuJ4svJ6M5BkixVQAzGof Cb8Z7sO0KUN6fbonQW4GdvG6NNsLiPpt8hcYojZXpQqoIrWAuW2nSy2pqH6fDZDbSABY T4YWmeNeeHCukQXiDugEi8D6bSNBOEzWq8PvNIi9mgJKjBTcz83rm9frbKD5T6fmVFdU rXUg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature :arc-authentication-results; bh=VJJtEHz/Df5gyQRZGNdlwzVmY5ghFvMgBdqhmv3aTds=; b=MeWe5f89XYZwYocFpojOmDyijtyJwvcvAllS8GVOW2mpWv3++0hS2Wm53M9kRxNVx2 eE5x8qlUo2G03Y5rm/3zgrX896N/V3+ab0fCNIBkBl2T0oH6wUozzMw/349gJ3h5xOku Z045hWt3TtfuE/Kc2Mt6kgeRUowiBxQPuxYluJuPniBx5+JvATw/qjOmnl7nnCZUi98+ Q2Byt8tE/gUvHDif175Sl6l4yzouY8+f2cMIKebxfvbdaAq1mLOLNviB1yJN2q8IReBo pFT8kg9eCcj01PupNxur9hddii6zQsWvOaktJAoahE0yUrI8hDb5eATL4lxdEVLbdiBz WPbg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=sHii2XNj; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id u6-v6si14495pld.256.2018.08.16.11.35.44; Thu, 16 Aug 2018 11:36:00 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=sHii2XNj; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2391731AbeHPRPO (ORCPT + 99 others); Thu, 16 Aug 2018 13:15:14 -0400 Received: from mail-oi0-f65.google.com ([209.85.218.65]:41909 "EHLO mail-oi0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726312AbeHPRPO (ORCPT ); Thu, 16 Aug 2018 13:15:14 -0400 Received: by mail-oi0-f65.google.com with SMTP id k12-v6so8241877oiw.8 for ; Thu, 16 Aug 2018 07:16:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=VJJtEHz/Df5gyQRZGNdlwzVmY5ghFvMgBdqhmv3aTds=; b=sHii2XNjT/MJZ0YTypRWKbWHGKKX2uAJJxkxNTN7wZ7RR+mHQPrYRBFf5A7xg/Qilp WMflr559ZnT3Hjq/RL8j8JWLwYeqFGWJYU+m3e0345+7NxpBZtl9YtQmiUVu1Wx4+VXi 5M5MWmtlasYqQ7T4ChF8n67lvzDeOWdA1t5l1fm5TvfB9jMae1i0VWmT9a23N7yk0ISh tmWJDRsR+/Ng31AWOa0eEnkgFnsvQotnl9KcOussgVybE83VzsgNCo7/TKGv/3bye4X0 u/yq6pXGGqJ5t3YsFGCkdDGUcaY04NNkS2tjr87+mXV5yCBAPb+bjBNvC86/yfz01bFF xIRA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=VJJtEHz/Df5gyQRZGNdlwzVmY5ghFvMgBdqhmv3aTds=; b=i5aGU23JOv6gfCkBKUuMEk4geu3dbr1Vga/ZwSNi2G9F3HxhAXyuW0N+zWHEyekbXt s6ONMsRYAzCnAfsdnZKIQ4IIqG7V6PbbwDhPsI/uAElrWDjLx4eKUJt1ykh6yUra4dmO h6KkLUdzyewmSrLSUaCdG1keUzZhjGf2U9IxRmCs6ujw8+/fXU0pUe50ZNSDyALjrKbH Al2f/A3zDznh+wpKw9/NWlcSzJmokBzoGxeZFxRcohh58C9PZp0u7Xq8hIAczPXzEbNm 9+tn5vbc7OTOJAOJ5L+GxZPX7+AlfsLy0z2XbYZBc6deKQD2xI8MNfzsEkim6r/D0WV+ kkNA== X-Gm-Message-State: AOUpUlGchiFSA6wfFW0gR5NWrpG/0s2tRVwdO5j594Z0rk/IDDkXxMtC 7cpkIaMcCDVRhQaapZbPZTo/+cnGVRt7fDZb8SsiNg== X-Received: by 2002:aca:3882:: with SMTP id f124-v6mr30162447oia.195.1534428979344; Thu, 16 Aug 2018 07:16:19 -0700 (PDT) MIME-Version: 1.0 References: <20180815235355.14908-1-casey.schaufler@intel.com> <20180815235355.14908-4-casey.schaufler@intel.com> In-Reply-To: <20180815235355.14908-4-casey.schaufler@intel.com> From: Jann Horn Date: Thu, 16 Aug 2018 16:15:52 +0200 Message-ID: Subject: Re: [PATCH RFC 3/5] LSM: Security module checking for side-channel dangers To: casey.schaufler@intel.com Cc: Kernel Hardening , kernel list , linux-security-module , selinux@tycho.nsa.gov, SMACK-discuss@lists.01.org, Dave Hansen , deneen.t.dock@intel.com, kristen@linux.intel.com, Arjan van de Ven Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Aug 16, 2018 at 11:51 AM Casey Schaufler wrote: > > From: Casey Schaufler > > The sidechannel LSM checks for cases where a side-channel > attack may be dangerous based on security attributes of tasks. > This includes: > Effective UID of the tasks is different > Capablity sets are different > Tasks are in different namespaces > An option is also provided to assert that task are never > to be considered safe. This is high paranoia, and expensive > as well. > > Signed-off-by: Casey Schaufler [...] > +static int safe_by_uid(struct task_struct *p) > +{ > + const struct cred *ccred = current->cred; > + const struct cred *pcred = p->cred; See below. [...] > +static int safe_by_capability(struct task_struct *p) > +{ > + const struct cred *ccred = current->cred; > + const struct cred *pcred = p->cred; See below. [...] > + if (current->cred->user_ns != p->cred->user_ns) > + return -EACCES; Shouldn't this access be using one of the rcu_dereference_* helpers? Something like rcu_dereference_protected(..., 1). Also, you're looking at ->cred, and you don't want to do that. ->cred are the *subjective* credentials of the task, meaning the credentials that should only be used when this task actively performs an access. Depending on what userspace is doing, an unprivileged process' ->cred will randomly flake to something with GLOBAL_ROOT_UID because of override_creds() calls - for example, if you access a file through overlayfs in certain ways, your ->cred will temporarily be overwritten by ovl_override_creds(), which mostly switches to the credentials of the filesystem's creator (iow, normally root). coredumps can also override the EUID with GLOBAL_ROOT_UID: if (__get_dumpable(cprm.mm_flags) == SUID_DUMP_ROOT) { /* Setuid core dump mode */ cred->fsuid = GLOBAL_ROOT_UID; /* Dump root private */ need_suid_safe = true; } retval = coredump_wait(siginfo->si_signo, &core_state); if (retval < 0) goto fail_creds; old_cred = override_creds(cred); Please use the objective credentials (->real_cred) instead, which are not subject to random override_creds() effects, and are designed to be used when looking at the privileges associated with an overall task (as opposed to the privileges associated with the task's current syscall context). At least for the current-> access, you probably want current_real_cred(), which has been defined for this kind of use.