From: Alexander Potapenko
Date: Wed, 11 Nov 2020 12:48:01 +0100
Subject: Re: [PATCH v4 1/2] security: add fault injection capability
To: Aleksandr Nogikh
Cc: James Morris, "Serge E. Hallyn", Akinobu Mita, Andrey Konovalov, Dmitriy Vyukov, Marco Elver, Kees Cook, Casey Schaufler, Tetsuo Handa, LKML, linux-security-module, mortonm@chromium.org, Aleksandr Nogikh
In-Reply-To: <20201111104409.1530957-2-a.nogikh@gmail.com>

On Wed, Nov 11, 2020 at 11:45 AM Aleksandr Nogikh wrote:
>
> From: Aleksandr Nogikh
>
> Add a fault injection capability to call_int_hook macro. This will
> facilitate testing of fault tolerance of the code that invokes
> security hooks as well as the fault tolerance of the LSM
> implementations themselves.
>
> Add a KConfig option (CONFIG_FAIL_LSM_HOOKS) that controls whether the
> capability is enabled. In order to enable configuration from the user
> space, add the standard debugfs entries for fault injection (if
> CONFIG_FAULT_INJECTION_DEBUG_FS is enabled).
>
> Signed-off-by: Aleksandr Nogikh
> Reviewed-by: Marco Elver
> Reviewed-by: Tetsuo Handa
> Reviewed-by: Andrey Konovalov

Reviewed-by: Alexander Potapenko

> ---
> v4:
> - Changed retval debugfs file type - now it keeps a signed integer.
> - Made CONFIG_FAIL_LSM_HOOKS depend on CONFIG_SECURITY.
> v2:
> - Renamed should_fail_lsm_hook() to lsm_hooks_inject_fail().
> ---
> lib/Kconfig.debug | 6 ++++
> security/security.c | 69 +++++++++++++++++++++++++++++++++++++++++++--
> 2 files changed, 72 insertions(+), 3 deletions(-)
>
> diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug > index 6140413174be..5f4399816019 100644 > --- a/lib/Kconfig.debug > +++ b/lib/Kconfig.debug > @@ -1813,6 +1813,12 @@ config FAIL_MAKE_REQUEST > help > Provide fault-injection capability for disk IO. > > +config FAIL_LSM_HOOKS > + bool "Fault-injection capability for LSM hooks" > + depends on FAULT_INJECTION && SECURITY > + help > + Provide fault-injection capability for LSM hooks. > + > config FAIL_IO_TIMEOUT > bool "Fault-injection capability for faking disk interrupts" > depends on FAULT_INJECTION && BLOCK > diff --git a/security/security.c b/security/security.c > index 69ff6e2e2cd4..be3a3c7c6d6a 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -28,6 +28,7 @@ > #include > #include > #include > +#include > #include > > #define MAX_LSM_EVM_XATTR 2
> @@ -669,6 +670,67 @@ static void __init lsm_early_task(struct task_struct= *task) > panic("%s: Early task alloc failed.\n", __func__); > } > > + > +#ifdef CONFIG_FAIL_LSM_HOOKS > + > +static struct { > + struct fault_attr attr; > + int retval; > +} fail_lsm_hooks =3D { > + .attr =3D FAULT_ATTR_INITIALIZER, > + .retval =3D -EACCES > +}; > + > +static int __init setup_fail_lsm_hooks(char *str) > +{ > + return setup_fault_attr(&fail_lsm_hooks.attr, str); > +} > +__setup("fail_lsm_hooks=3D", setup_fail_lsm_hooks); > + > +static int lsm_hooks_inject_fail(void) > +{ > + return should_fail(&fail_lsm_hooks.attr, 1) ? fail_lsm_hooks.retv= al : 0; > +} > + > +#ifdef CONFIG_FAULT_INJECTION_DEBUG_FS > + > +static int fail_lsm_retval_set(void *data, u64 val) > +{ > + fail_lsm_hooks.retval =3D (int)val; > + return 0; > +} > + > +static int fail_lsm_retval_get(void *data, u64 *val) > +{ > + *val =3D (u64)fail_lsm_hooks.retval; > + return 0; > +} > + > +DEFINE_DEBUGFS_ATTRIBUTE(fail_lsm_retval_ops, fail_lsm_retval_get, > + fail_lsm_retval_set, "%l= ld\n"); > + > +static int __init fail_lsm_hooks_debugfs(void) > +{ > + umode_t mode =3D S_IFREG | 0600; > + struct dentry *dir; > + > + dir =3D fault_create_debugfs_attr("fail_lsm_hooks", NULL, > + &fail_lsm_hooks.attr); > + debugfs_create_file("retval", mode, dir, NULL, > + &fail_lsm_retval_ops); > + return 0; > +} > + > +late_initcall(fail_lsm_hooks_debugfs); > + > +#endif /* CONFIG_FAULT_INJECTION_DEBUG_FS */ > + > +#else > + > +static inline int lsm_hooks_inject_fail(void) { return 0; } > + > +#endif /* CONFIG_FAIL_LSM_HOOKS */ > + > /* > * The default value of the LSM hook is defined in linux/lsm_hook_defs.h= and > * can be accessed with: 
> @@ -707,16 +769,17 @@ static void __init lsm_early_task(struct task_struc= t *task) > } while (0) > > #define call_int_hook(FUNC, IRC, ...) ({ \ > - int RC =3D IRC; \ > - do { \ > + int RC =3D lsm_hooks_inject_fail(); \ > + if (RC =3D=3D 0) { = \ > struct security_hook_list *P; \ > + RC =3D IRC; = \ > \ > hlist_for_each_entry(P, &security_hook_heads.FUNC, list) = { \ > RC =3D P->hook.FUNC(__VA_ARGS__); \ > if (RC !=3D 0) \ > break; \ > } \ > - } while (0); \ > + } \ > RC; \ > }) > > -- > 2.29.2.222.g5d2a92d10f8-goog >

--
Alexander Potapenko
Software Engineer

Google Germany GmbH
Erika-Mann-Straße, 33
80636 München

Managing directors: Paul Manicle, Halimah DeLaine Prado
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
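
Review bot: fail_lsm_retval_set() in the security/security.c hunk at @@ -669,6 +670,67 @@ stores `(int)val` with no range check, so a write of 0 or of a positive number to the debugfs `retval` file is accepted, and a value wider than an int is silently truncated. With 0 stored, lsm_hooks_inject_fail() returns 0 even when should_fail() fires, so the injection quietly does nothing; with a positive value stored, call_int_hook skips every hook and hands the caller a non-zero value that is not an errno. Consider rejecting anything outside the negative errno range in the setter and returning -EINVAL, so the knob can only produce error codes.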
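
Review bot: the rewritten call_int_hook in the hunk at @@ -707,16 +769,17 @@ carries no comment explaining that a non-zero result from lsm_hooks_inject_fail() bypasses both `RC = IRC` and the hlist_for_each_entry() walk, which means an injected failure returns without any LSM callback having run, for every FUNC that goes through this macro. A short comment above the macro stating that, and noting that the stub used without CONFIG_FAIL_LSM_HOOKS always returns 0 so the normal path is unchanged, would make the short-circuit clear to someone reading security.c without this commit message at hand.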