Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp467145pxu; Tue, 5 Jan 2021 16:50:29 -0800 (PST) X-Google-Smtp-Source: ABdhPJxMYrHIL2S4iW4UhN5Sv8z3QIGUuOQU1pk+dylffmwQ6HmY0czUfgyYLaPRozu+9dvhrKSm X-Received: by 2002:a17:906:259a:: with SMTP id m26mr1279694ejb.399.1609894229416; Tue, 05 Jan 2021 16:50:29 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1609894229; cv=none; d=google.com; s=arc-20160816; b=aIJ0G0968PKRz9GAP0fk5UiD470Otk5xh5QtkU6lTIguf6qoXRr+qnnOCMkCR2Gs5E N5QxJ65OxLV2zYV/8lBm1AJtueg0kv3Uu2uAmaRLbHuhMN+o+tgy4XGgbXypRje6wdi7 WpvP+zokcciN67k8JweEJ2wh060aBhdCL6/VbkEoBMK6Qt6P85dTj8YgNRoJrzg5zrv6 JIZgGv9b8l3F23z6RRryOnlo/squtX1uVO6xZcjrpYITXPykHSRMabWWEUiV4yf3BMPw FNTuq8Tu5JYohyCmPRaHGLEgQDGTgThOCxafcutKRuExAITw3yjXexloDUu/Zo84p9Fe TtFg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=zfAl9KpSkJTd6+U94OCEriXL161o3FlE2sDMdIxmbKg=; b=b1E5mk4/AZJp9QPjCVqkMaqugITQHzct/FIRPlaTNaC7ol3bckW1k5NtdGmGdXxVih 8TRWe+CVPdaQqKh9S6umwnl+J713Xg8kqDPOBze/jKnbFZrquXqOjoXuk5M1QIGkoBHT 3vRWG89bBBEIVYceeOKkdLtPiOvmBe1UTAecQeQhs+5Gw/YJIwI4tWTIX8fsmLL9tn1M d66x3a+rzscQswZ5csgycj/2SWOAjJSMggUlCKzTjaU9gMx+Za4aD5eOYhmfqVxxQi/B TX7dNoEjx7W0LzN5Lzb33lOL9dOWvQ+2gb3XTe+k7FtDyRias0p4Y1xUGfBsPZrGpVO1 jojQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b="Nm/doGyR"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id j12si299294ejb.431.2021.01.05.16.50.06; Tue, 05 Jan 2021 16:50:29 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b="Nm/doGyR"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727083AbhAFABx (ORCPT + 99 others); Tue, 5 Jan 2021 19:01:53 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33876 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727012AbhAFABw (ORCPT ); Tue, 5 Jan 2021 19:01:52 -0500 Received: from mail-ej1-x62a.google.com (mail-ej1-x62a.google.com [IPv6:2a00:1450:4864:20::62a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1E913C061793 for ; Tue, 5 Jan 2021 16:01:12 -0800 (PST) Received: by mail-ej1-x62a.google.com with SMTP id 6so2846268ejz.5 for ; Tue, 05 Jan 2021 16:01:12 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=zfAl9KpSkJTd6+U94OCEriXL161o3FlE2sDMdIxmbKg=; b=Nm/doGyRQLbdfDauhHJdBMWjqc8dfsV0Ro8t+lUY4IOId9KByo/HmTzrWnYe+azun7 4znDTF6xd9f2RL72SvmRnRraFzK+o0ExupZGqeZ9FpLuwM9ojh68bhAvIl2Is6ZT6Ls7 EwZgjtShg6ffB9qGAHMidgzE8KqBcdWmVaItT8V1RRd4nvVSoRwsWVMI4SxwXmAvkmw7 6u3VoeUyEdQUB+iGPEYBoXQj/3t7J+5Hyk5gRbKG41FjIx5VK9MW3HTaT8myas7Vb8Ez Kvy6Jm/WVyeAELN8jKn8Iv9PqyJ/aBgB61WW/PQdS6HroeC4AQLzPGJ0jnndtWQ2D3ws Lxwg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=zfAl9KpSkJTd6+U94OCEriXL161o3FlE2sDMdIxmbKg=; b=rx5mkFigpbbLrUePSYcoM34U3KmViFjDgqxyisT6mTIPDo2PYf+D70T/xw9wbTNMuf DXg8LBklwkvIZDrybBclkcA+gV54C7Qw89meglHNLvHWijABi7K1L+41QXlkK0o2juUY 3CNW2IVk5qiyy2LVA8DdxrzXkdp+ok6LyCzPJ2hivPJ1cCabRrMU5v4CNIpklIuGfghc cS2aT+75GPCuQc2Ztd0sz2Nj3/a910eD6IT5x5Fo88+rapWuRQVl1jefEYRjs4xmC0Wo wmbMe6d6yZHrIx1yMuqmnGU/w7/3WeiprID8QoyL9Qqz0eAdh85evZPJ3Lz1rpnRaCer tUjQ== X-Gm-Message-State: AOAM530PQlAke9DWe2FsfwiQzjdAU/39r8qBiQQ90YNsG2sYrR0hSFpD ER38jV0ky18oDTGOuTZW9jr1SwZmBhw7u0N/q+gA X-Received: by 2002:a17:907:4126:: with SMTP id mx6mr1206433ejb.91.1609891270677; Tue, 05 Jan 2021 16:01:10 -0800 (PST) MIME-Version: 1.0 References: <20210104232123.31378-1-stephen.s.brennan@oracle.com> <20210105055935.GT3579531@ZenIV.linux.org.uk> <20210105165005.GV3579531@ZenIV.linux.org.uk> <20210105195937.GX3579531@ZenIV.linux.org.uk> <87a6tnge5k.fsf@stepbren-lnx.us.oracle.com> In-Reply-To: <87a6tnge5k.fsf@stepbren-lnx.us.oracle.com> From: Paul Moore Date: Tue, 5 Jan 2021 19:00:59 -0500 Message-ID: Subject: Re: [PATCH v4] proc: Allow pid_revalidate() during LOOKUP_RCU To: Stephen Brennan Cc: Al Viro , Linus Torvalds , Alexey Dobriyan , James Morris , "Serge E. Hallyn" , linux-security-module@vger.kernel.org, Stephen Smalley , Eric Paris , selinux@vger.kernel.org, Casey Schaufler , Eric Biederman , linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Matthew Wilcox Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jan 5, 2021 at 6:27 PM Stephen Brennan wrote: > Al Viro writes: > > > On Tue, Jan 05, 2021 at 04:50:05PM +0000, Al Viro wrote: > > > >> LSM_AUDIT_DATA_DENTRY is easy to handle - wrap > >> audit_log_untrustedstring(ab, a->u.dentry->d_name.name); > >> into grabbing/dropping a->u.dentry->d_lock and we are done. > > > > Incidentally, LSM_AUDIT_DATA_DENTRY in mainline is *not* safe wrt > > rename() - for long-named dentries it is possible to get preempted > > in the middle of > > audit_log_untrustedstring(ab, a->u.dentry->d_name.name); > > and have the bugger renamed, with old name ending up freed. The > > same goes for LSM_AUDIT_DATA_INODE... > > In the case of proc_pid_permission(), this preemption doesn't seem > possible. We have task_lock() (a spinlock) held by ptrace_may_access() > during this call, so preemption should be disabled: > > proc_pid_permission() > has_pid_permissions() > ptrace_may_access() > task_lock() > __ptrace_may_access() > | security_ptrace_access_check() > | ptrace_access_check -> selinux_ptrace_access_check() > | avc_has_perm() > | avc_audit() // note that has_pid_permissions() didn't get a > | // flags field to propagate, so flags will not > | // contain MAY_NOT_BLOCK > | slow_avc_audit() > | common_lsm_audit() > | dump_common_audit_data() > task_unlock() > > I understand the issue of d_name.name being freed across a preemption is > more general than proc_pid_permission() (as other callers may have > preemption enabled). However, it seems like there's another issue here. > avc_audit() seems to imply that slow_avc_audit() would sleep: > > static inline int avc_audit(struct selinux_state *state, > u32 ssid, u32 tsid, > u16 tclass, u32 requested, > struct av_decision *avd, > int result, > struct common_audit_data *a, > int flags) > { > u32 audited, denied; > audited = avc_audit_required(requested, avd, result, 0, &denied); > if (likely(!audited)) > return 0; > /* fall back to ref-walk if we have to generate audit */ > if (flags & MAY_NOT_BLOCK) > return -ECHILD; > return slow_avc_audit(state, ssid, tsid, tclass, > requested, audited, denied, result, > a); > } > > If there are other cases in here where we might sleep, it would be a > problem to sleep with the task lock held, correct? I would expect the problem here to be the currently allocated audit buffer isn't large enough to hold the full audit record, in which case it will attempt to expand the buffer by a call to pskb_expand_head() - don't ask why audit buffers are skbs, it's awful - using a gfp flag that was established when the buffer was first created. In this particular case it is GFP_ATOMIC|__GFP_NOWARN, which I believe should be safe in that it will not sleep on an allocation miss. I need to go deal with dinner, so I can't trace the entire path at the moment, but I believe the potential audit buffer allocation is the main issue. -- paul moore www.paul-moore.com