Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp100550pxj; Fri, 7 May 2021 04:47:33 -0700 (PDT) X-Google-Smtp-Source: ABdhPJweXrd3Pwmrim/aLKWNKuO4G4VqK8mLNzy3EsxQ/9El+0eZHXHvItttFI/7/8i9uav8BXSi X-Received: by 2002:a17:906:e88:: with SMTP id p8mr9673415ejf.31.1620388053478; Fri, 07 May 2021 04:47:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1620388053; cv=none; d=google.com; s=arc-20160816; b=wPASk3oSDbRYWrp+c2VdjgAljOqo3td7SZIrIrmHRWebYVlLi/INbITCPJFWFjc7+a cPOmx4SiFwcPVfJRdJ1abVwE/K/Rn+YBg/hhFa4zs2UBk8yARjboC6Xq1/TcXyUvE/bC ongMI8n3fz+0eX61v85O6nZKzuyfG56CaJHrPB9FwcFvAIr90O6LSFBlv7JIvnj9JmoV Hgkg4xtSLmq99TMdEvebmSDeKRfa+DiCrFl4xmKb40YQxC5Qng7b9fQ69oSaNusQvKTw CHumM54K3C+xneyQNRZaNDr4KhLVQhXMhRJuxu/Zft3EiUcHiv3e9QCb1y5Ev9Caz7DK IGgw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=G4FGrNimJhV01IK3zZ0JL4RVVApImUVGYjkgoM4AFN0=; b=DBInyBCvOYxzP+cxoFYEoH05RQ0JMWeWsR6GlGu86QbaAjSUr5Fi+AbIyQhZqCYalE WB9w2Ge2YmmxHIkqucNdpckPVM8FZlbcFnWM3z02skIljzDCUvWt9BDELwFeRDcpwWV0 XGbF9UBG1QQpEj1hsK2/UTzdUob05ONLfQaU+NDf4ELd3uGhmLfG+IBa6XQ9HehpK0uN 2DAXeYQQLeIOsMDnoa6iSXEf1WPa1n+3aLsz9kp4RyEtwCf2ZOxMzfQ1MkCM5hlWxMCI 2U4Y1H1c1Lr5guUXSXW5LgQeG8WKBDEJu9Cj+OV6r+regt1izQprpbz9wf6aNqU+HRui d21Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=Y2HNdQlb; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id dy5si4822992edb.532.2021.05.07.04.47.09; Fri, 07 May 2021 04:47:33 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=Y2HNdQlb; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236363AbhEGIiV (ORCPT + 99 others); Fri, 7 May 2021 04:38:21 -0400 Received: from us-smtp-delivery-124.mimecast.com ([216.205.24.124]:31515 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233340AbhEGIiU (ORCPT ); Fri, 7 May 2021 04:38:20 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1620376640; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=G4FGrNimJhV01IK3zZ0JL4RVVApImUVGYjkgoM4AFN0=; b=Y2HNdQlbgbxH2vQVugjm+WOuSYybEMSzpeo/904eTqrgVMcPHi6MKJ6MwzsUoXJxJXNBwR bo9eBc+7cq1ytvn0HB9Me+X3v1D5XHBjgctcsFrkHunNgQxj5/ETYrXPNoY/tJwvmrwoSk GdT1C5JplCQUBN16zN+JEM4+1weVP2Q= Received: from mail-yb1-f200.google.com (mail-yb1-f200.google.com [209.85.219.200]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-285-lOwuKfpEMsWu-_g1xditSA-1; Fri, 07 May 2021 04:37:19 -0400 X-MC-Unique: lOwuKfpEMsWu-_g1xditSA-1 Received: by mail-yb1-f200.google.com with SMTP id o12-20020a5b050c0000b02904f4a117bd74so9228177ybp.17 for ; Fri, 07 May 2021 01:37:19 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=G4FGrNimJhV01IK3zZ0JL4RVVApImUVGYjkgoM4AFN0=; b=htzIYNoVXKD3vvURGMZKieiPoYKmGMe/7IGnqfLa3RoSWCFVLcoAgoh7+fcRs3XLv/ g5Eygzes+KK27ABum5xnLHYqKFZo0BA6YuwU8LR1W52jUnHxD+KykXaBgE/NPszH7ZtC hIk0Y8I0sCzWpUhHq4gp+JW9SovuPUE4x1RBeZscCxt60Zh9K3/EZsU/mPPUaGMl/57t W2BbI5eCGrgNX4LgkbTg1KsUmal14spA0Q+8NBVcoao97ThV0z2trrwZv3kIJ+b5iLqR yp3GzgrEnyaY1SVNouhuFs5wSW+P5VceyuLZdkw48aZifb5GdEusFygn0Eqor6cC7uTu eMYg== X-Gm-Message-State: AOAM533v6MigWmh2agfLPLC5hoCjw6TMhooFJeTBhePGAHlsyOoToyuv R6QH7K7O5OQvcTguOgNHI1vKQ6j8pEtn+QuKdzLt0kppYuJX4so4Vnlvio2/grps6LaBe65Wrcb mNkn+6PKJ830k1IWGKdF9ffGzkinUI9oYWG9z1d6J X-Received: by 2002:a25:cccd:: with SMTP id l196mr12372291ybf.26.1620376638471; Fri, 07 May 2021 01:37:18 -0700 (PDT) X-Received: by 2002:a25:cccd:: with SMTP id l196mr12372264ybf.26.1620376638189; Fri, 07 May 2021 01:37:18 -0700 (PDT) MIME-Version: 1.0 References: <20210506091859.6961-1-maxime.coquelin@redhat.com> <20210506155004.7e214d8f@redhat.com> In-Reply-To: <20210506155004.7e214d8f@redhat.com> From: Ondrej Mosnacek Date: Fri, 7 May 2021 10:37:04 +0200 Message-ID: Subject: Re: [PATCH] vfio: Lock down no-IOMMU mode when kernel is locked down To: Alex Williamson Cc: Maxime Coquelin , James Morris , David Howells , Linux kernel mailing list , Linux Security Module list , kvm@vger.kernel.org, mjg59@srcf.ucam.org, Kees Cook , Cornelia Huck Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, May 6, 2021 at 11:50 PM Alex Williamson wrote: > On Thu, 6 May 2021 11:18:59 +0200 > Maxime Coquelin wrote: > > > When no-IOMMU mode is enabled, VFIO is as unsafe as accessing > > the PCI BARs via the device's sysfs, which is locked down when > > the kernel is locked down. > > > > Indeed, it is possible for an attacker to craft DMA requests > > to modify kernel's code or leak secrets stored in the kernel, > > since the device is not isolated by an IOMMU. > > > > This patch introduces a new integrity lockdown reason for the > > unsafe VFIO no-iommu mode. > > I'm hoping security folks will chime in here as I'm not familiar with > the standard practices for new lockdown reasons. The vfio no-iommu > backend is clearly an integrity risk, which is why it's already hidden > behind a separate Kconfig option, requires RAWIO capabilities, and > taints the kernel if it's used, but I agree that preventing it during > lockdown seems like a good additional step. > > Is it generally advised to create specific reasons, like done here, or > should we aim to create a more generic reason related to unrestricted > userspace DMA? > > I understand we don't want to re-use PCI_ACCESS because the vfio > no-iommu backend is device agnostic, it can be used for both PCI and > non-PCI devices. > > > Signed-off-by: Maxime Coquelin > > --- > > drivers/vfio/vfio.c | 13 +++++++++---- > > include/linux/security.h | 1 + > > security/security.c | 1 + > > 3 files changed, 11 insertions(+), 4 deletions(-) > > > > diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c > > index 5e631c359ef2..fe466d6ea5d8 100644 > > --- a/drivers/vfio/vfio.c > > +++ b/drivers/vfio/vfio.c > > @@ -25,6 +25,7 @@ > > #include > > #include > > #include > > +#include > > #include > > #include > > #include > > @@ -165,7 +166,8 @@ static void *vfio_noiommu_open(unsigned long arg) > > { > > if (arg != VFIO_NOIOMMU_IOMMU) > > return ERR_PTR(-EINVAL); > > - if (!capable(CAP_SYS_RAWIO)) > > + if (!capable(CAP_SYS_RAWIO) || > > + security_locked_down(LOCKDOWN_VFIO_NOIOMMU)) > > return ERR_PTR(-EPERM); > > > > return NULL; > > @@ -1280,7 +1282,8 @@ static int vfio_group_set_container(struct vfio_group *group, int container_fd) > > if (atomic_read(&group->container_users)) > > return -EINVAL; > > > > - if (group->noiommu && !capable(CAP_SYS_RAWIO)) > > + if (group->noiommu && (!capable(CAP_SYS_RAWIO) || > > + security_locked_down(LOCKDOWN_VFIO_NOIOMMU))) > > return -EPERM; > > > > f = fdget(container_fd); > > @@ -1362,7 +1365,8 @@ static int vfio_group_get_device_fd(struct vfio_group *group, char *buf) > > !group->container->iommu_driver || !vfio_group_viable(group)) > > return -EINVAL; > > > > - if (group->noiommu && !capable(CAP_SYS_RAWIO)) > > + if (group->noiommu && (!capable(CAP_SYS_RAWIO) || > > + security_locked_down(LOCKDOWN_VFIO_NOIOMMU))) > > return -EPERM; > > > > device = vfio_device_get_from_name(group, buf); > > @@ -1490,7 +1494,8 @@ static int vfio_group_fops_open(struct inode *inode, struct file *filep) > > if (!group) > > return -ENODEV; > > > > - if (group->noiommu && !capable(CAP_SYS_RAWIO)) { > > + if (group->noiommu && (!capable(CAP_SYS_RAWIO) || > > + security_locked_down(LOCKDOWN_VFIO_NOIOMMU))) { > > vfio_group_put(group); > > return -EPERM; > > } > > In these cases where we're testing RAWIO, the idea is to raise the > barrier of passing file descriptors to unprivileged users. Is lockdown > sufficiently static that we might really only need the test on open? > The latter three cases here only make sense if the user were able to > open a no-iommu context when lockdown is not enabled, then lockdown is > later enabled preventing them from doing anything with that context... > but not preventing ongoing unsafe usage that might already exist. I > suspect for that reason that lockdown is static and we really only need > the test on open. Thanks, Note that SELinux now also implements the locked_down hook and that implementation is not static like the Lockdown LSM's. It checks whether the current task's SELinux domain has either integrity or confidentiality permission granted by the policy, so for SELinux it makes sense to have the lockdown hook called in these other places as well. -- Ondrej Mosnacek Software Engineer, Linux Security - SELinux kernel Red Hat, Inc.