Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp28475imm; Thu, 27 Sep 2018 15:20:25 -0700 (PDT) X-Google-Smtp-Source: ACcGV60WTC5gMe0IL4yr3ReFmVOJj9EKQKshqkv/9DleJY+DXgVM++CcEcijFyRtaIPIvCTsesHk X-Received: by 2002:a62:e511:: with SMTP id n17-v6mr13454087pff.210.1538086825586; Thu, 27 Sep 2018 15:20:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1538086825; cv=none; d=google.com; s=arc-20160816; b=AUg0uQLitTJQrQTY967HEhXfqtaVtIgniQnliCQmpxSCnOOE+UC/hgSly89HzjANHH xzJ1WUhcRu3AL/yyHtrDu88mPH0oDzie/FdrFs1aIMX2i8FOQFGG1AGnK2L2/RFKQtpG MkWrAgemlLrBpWPCjpxzWnFhlsWAU2OAiakaLsA4+dP+0yXfJn11V6cz97bvjkGQhqB2 gG+8vmEn4PhbiUGOwyOhXOrC4q9eqgg5EhnCsNw62+v0jIbn6jeNMyHiKEk1YD+muQGr AfigMqVwJS/rrLEArdUrYfgPw5H1/z6kOei0LBp47bye/ElVrbf4TLEfphq3Gps/IBZb bgnw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=ZcOx2pHFIkqTPsiO115p300BhLL3zVFfDWCo+zmMGHc=; b=IFdmzmtnkys9BXUBw7OALBzLrIv/666w2qeMiLpHMHKJkjhZZDuBo5Nq39Hw2+tYwG 4MnDfyjeYAwR21sBUotWZnas14ArwznUx5Rkaplc2/D7douMnrDHzD8dxgqf8oMJcaTn 0IHeJ5gsEAzNuBCYCJGmOASMWnVfckuVEidHEmnsHUZsEe3ktEMCDpUiVmjiaYDp2oY6 wPoQgdqCSnN/oOEKrFioreYKP2AMpXhHqvISd/imKL2x3B5WcnF/H5XuSzXeJX195JZY 54qZs+j9im88NwT2n6/FotHwQ4VjHluJNRyd4++6+5uGpgVRozb/fEBeFXmZ7c2Vy4tc rpCw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x37-v6si2951477pgl.544.2018.09.27.15.20.07; Thu, 27 Sep 2018 15:20:25 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727810AbeI1EkV (ORCPT + 99 others); Fri, 28 Sep 2018 00:40:21 -0400 Received: from ipmail06.adl6.internode.on.net ([150.101.137.145]:29921 "EHLO ipmail06.adl6.internode.on.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725917AbeI1EkV (ORCPT ); Fri, 28 Sep 2018 00:40:21 -0400 Received: from ppp59-167-129-252.static.internode.on.net (HELO dastard) ([59.167.129.252]) by ipmail06.adl6.internode.on.net with ESMTP; 28 Sep 2018 07:49:49 +0930 Received: from dave by dastard with local (Exim 4.80) (envelope-from ) id 1g5edQ-0000qX-DS; Fri, 28 Sep 2018 08:19:48 +1000 Date: Fri, 28 Sep 2018 08:19:48 +1000 From: Dave Chinner To: James Morris Cc: Alan Cox , TongZhang , darrick.wong@oracle.com, linux-xfs@vger.kernel.org, LKML , linux-security-module@vger.kernel.org, Wenbo Shen Subject: Re: Leaking Path in XFS's ioctl interface(missing LSM check) Message-ID: <20180927221948.GH31060@dastard> References: <5EF0D46A-C098-4B51-AD13-225FFCA35D4C@vt.edu> <20180926013329.GD31060@dastard> <20180926192426.472360ea@alans-desktop> <20180927013812.GF31060@dastard> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Sep 28, 2018 at 07:23:42AM +1000, James Morris wrote: > On Thu, 27 Sep 2018, Dave Chinner wrote: > > > Sure, but there are so many CAP_SYS_ADMIN-only ioctls in the kernel > > that have no LSM coverage that this is not an isolated problem that > > people setting up such systems have to deal with. > > I could be missing something here, but all ioctls are mediated by LSM at a > high level (security_file_ioctl). Some problematic ones are singled out at > that point by LSMs for special handling. selinux_file_ioctl() checks whether a specific /file/ has permissions to execute ioctls, but it doesn't know anything about what that ioctl actually does. It has special cases for a handful of ioctls, but misses a large number of ioctls that perform similar functionality (e.g. file getattr/setattr type ioctls). smack just checks for read/write permissions depending on the IOW/IOR/IORW definition of the ioctl. Tomoyo does a path check based on the path associated with the file passed to it to see if an ioctl can be run. IOWs, none of there really know anything about what the ioctl does, and they sure as hell don't check any of the arguments for other file descriptors that the ioctl might be accessing. It's basically a "does we allow ioctls to this inode/path from this user?" check and nothing more. That just doesn't work for ioctls structured like the XFS filehandle operations. The ioctl is performed on a "fshandle" file descriptor, which generally points at the root directory of the filesystem the file handle belongs to. This gives the ioctl the superblock context that it is to operate on, and nothing more. It then opens a new file based on the filehandle that was in the ioctl argument, and performs the required operation on that file it opened itself. IOWs, the security_file_ioctl() hook is almost completely useless in cases like this - you can't isolate the ioctl based on the file argument, because it can point to any file or directory in the filesystem. And without actually parsing, decoding and instantiating the the ioctl arguments, you can't tell the ioctl it can't act on specific targets. And because filehandle to dentry resolution results in disconnected dentries, the paths are not complete and hence path based security checks (e.g. tomoyo) are likely to be broken and unfixable... Cheers, Dave. -- Dave Chinner david@fromorbit.com