Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp3592159imm; Mon, 8 Oct 2018 06:35:11 -0700 (PDT) X-Google-Smtp-Source: ACcGV633v122t2YeixqJQd/R4+iKAfvvj1yTYxvZ1Dn257J6q3XCKZ/jnYjVZW1t0dSa7UFX/NZO X-Received: by 2002:a17:902:e28a:: with SMTP id cf10-v6mr24001413plb.4.1539005711458; Mon, 08 Oct 2018 06:35:11 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539005711; cv=none; d=google.com; s=arc-20160816; b=yyeIsN49H3MPEWkgk3hrtRLIvhLu3sPpUpWPxBi/jqg/vzfcD1QfWiSt6BQSZoB7m+ kqRhEA5py0U2eNjVXamLBnpEj3djPlr+7O3yWROPRYiP3gZFawNQi8w81ePFGzxcUSH/ FhX5XvTGBw9mXG2p+zVna3/6OfcDqirQhC/z8bGTHKC7nUQmUA93EAu90/brvs0J2pJT cKiRTn7RNIa4Qv82MWJPZavesqNanq78dqAbNB8bZA63LXX3Uu4v74am9bMZ9PoW1LZx JkIpv+b22Qw5WYAnUemDWt9OrJ4NGl/ah/Bw0PE2kNTClFk0fvlvtFJgAFAF/DOWhzyL fWrg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=pjSlHVBF+E4a8AHML4D60dwTg6ZKVCU72qmEj7p54lY=; b=OvD/5QHjVH6qey5LEeJ1dC+T0BUhtbK4JJrvV3GZ7tMnT/P55kX175imSVUvsik8P5 oqEEQg2sginFCojFYpd34XMqnzYLbHDY/DJesO333oybtU1tndu0Mp+2Sm4YVbkb+qWC LmaMYg+qkfj+mVTbztmMF7/miwO2ysIdmTJHQwcS24dAx9q+tkEHVYWb/bK5cXVz1MKm sXDFKppI9GzpslgRZzAWbqTwPxpLwbZ8ssYrUii/vOdqGjo+39FlgHGWzpwW5bMBpI9t 3TvDCoLJONhVZW3UDX7nn0GGf53hzjzF4GQ9Kw+9NpySOd+3cyq9jZ5EW2m0fEltX7Rl u+CA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j5-v6si16767767pgk.85.2018.10.08.06.34.27; Mon, 08 Oct 2018 06:35:11 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726693AbeJHUlz (ORCPT + 99 others); Mon, 8 Oct 2018 16:41:55 -0400 Received: from smtp.nue.novell.com ([195.135.221.5]:45118 "EHLO smtp.nue.novell.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726427AbeJHUly (ORCPT ); Mon, 8 Oct 2018 16:41:54 -0400 Received: from linux-l9pv.suse (124-11-22-254.static.tfn.net.tw [124.11.22.254]) by smtp.nue.novell.com with ESMTP (TLS encrypted); Mon, 08 Oct 2018 15:29:56 +0200 Date: Mon, 8 Oct 2018 21:29:45 +0800 From: joeyli To: Andy Lutomirski , Jann Horn Cc: Jann Horn , Mimi Zohar , keyrings@vger.kernel.org, David Howells , joeyli.kernel@gmail.com, "Rafael J. Wysocki" , Pavel Machek , LKML , linux-pm@vger.kernel.org, "Rafael J. Wysocki" , Chen Yu , oneukum@suse.com, yu.chen.surf@gmail.com, ggherdovich@suse.cz Subject: Re: [PATCH 1/5] PM / hibernate: Create snapshot keys handler Message-ID: <20181008132945.GV3831@linux-l9pv.suse> References: <20180912142337.21955-1-jlee@suse.com> <20180912142337.21955-2-jlee@suse.com> <20181002075243.GB6040@linux-l9pv.suse> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.24 (2015-08-30) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Any, Jann, On Wed, Oct 03, 2018 at 03:08:12PM -0700, Andy Lutomirski wrote: > On Tue, Oct 2, 2018 at 12:36 PM Jann Horn wrote: > > > > +Andy for opinions on things in write handlers > > +Mimi Zohar as EVM maintainer > > > > On Tue, Oct 2, 2018 at 9:55 AM joeyli wrote: > > > On Thu, Sep 13, 2018 at 04:31:18PM +0200, Jann Horn wrote: > > > > On Thu, Sep 13, 2018 at 4:08 PM Lee, Chun-Yi wrote: > > > > > This patch adds a snapshot keys handler for using the key retention > > > > > service api to create keys for snapshot image encryption and > > > > > authentication. > > > [...snip] > > > > > +static ssize_t disk_kmk_store(struct kobject *kobj, struct kobj_attribute *attr, > > > > > + const char *buf, size_t n) > > > > > +{ > > > > > + int error = 0; > > > > > + char *p; > > > > > + int len; > > > > > + > > > > > + if (!capable(CAP_SYS_ADMIN)) > > > > > + return -EPERM; > > > > > > > > This is wrong, you can't use capable() in a write handler. You'd have > > > > to use file_ns_capable(), and I think sysfs currently doesn't give you > > > > a pointer to the struct file. > > > > If you want to do this in a write handler, you'll have to either get > > > > rid of this check or plumb through the cred struct pointer. > > > > Alternatively, you could use some interface that doesn't go through a > > > > write handler. > > > > > > > > > > Thank you for point out this problem. > > > > > > Actually the evm_write_key() is the example for my code. The > > > difference is that evm creates interface file on securityfs, but my > > > implementation is on sysfs: > > > > > > security/integrity/evm/evm_secfs.c > > > > > > static ssize_t evm_write_key(struct file *file, const char __user *buf, > > > size_t count, loff_t *ppos) > > > { > > > int i, ret; > > > > > > if (!capable(CAP_SYS_ADMIN) || (evm_initialized & EVM_SETUP)) > > > return -EPERM; > > Yeah, that's a bug. > > > > ... > > > > > > On the other hand, the writing handler of /sys/power/wake_lock also > > > uses capable() to check the CAP_BLOCK_SUSPEND capability: > > > > > > kernel/power/main.c > > > static ssize_t wake_lock_store(struct kobject *kobj, > > > struct kobj_attribute *attr, > > > const char *buf, size_t n) > > > { > > > int error = pm_wake_lock(buf); > > > return error ? error : n; > > > } > > > power_attr(wake_lock); > > > > > > kernel/power/wakelock.c > > > int pm_wake_lock(const char *buf) > > > { > > > ... > > > if (!capable(CAP_BLOCK_SUSPEND)) > > > return -EPERM; > > > ... > > Also a bug. > > > > > > > > > > So I confused for when can capable() be used in sysfs interface? Is > > > capable() only allowed in reading handler? Why the writing handler > > > of securityfs can use capable()? > > > > They can't, they're all wrong. :P All of these capable() checks in > > write handlers have to be assumed to be ineffective. But it's not a > > big deal because you still need UID 0 to access these files. > > Why are there capability checks at all? > > > > > > > > +static int user_key_init(void) > > > > > +{ > > > > > + struct user_key_payload *ukp; > > > > > + struct key *key; > > > > > + int err = 0; > > > > > + > > > > > + pr_debug("%s\n", __func__); > > > > > + > > > > > + /* find out swsusp-key */ > > > > > + key = request_key(&key_type_user, skey.key_name, NULL); > > > > > > > > request_key() looks at current's keyring. That shouldn't happen in a > > > > write handler. > > > > > > > > > > The evm_write_key() also uses request_key() but it's on securityfs. Should > > > I move my sysfs interface to securityfs? > > > > I don't think you should be doing this in the context of any > > filesystem. If EVM does that, EVM is doing it wrong. > > EVM sounds buggy. > > In general if you look at current *at all* in an implementation of > write() *in any filesystem*, you are doing it wrong. I have read CVE-2013-1959... Thanks for Jann and Andy's review. I will create the sysfs interface through other way, then using file_ns_capable() for capability checking in next version. Thanks a lot! Joey Lee