From: Roberto Sassu
To: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, martin.lau@linux.dev, song@kernel.org, yhs@fb.com, john.fastabend@gmail.com, kpsingh@kernel.org, sdf@google.com, haoluo@google.com, jolsa@kernel.org, revest@chromium.org, jackmanb@chromium.org, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com
Cc: bpf@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Roberto Sassu
Subject: [RFC][PATCH 4/4] security: Enforce limitations on return values from LSMs
Date: Tue, 15 Nov 2022 18:56:52 +0100
Message-Id: <20221115175652.3836811-5-roberto.sassu@huaweicloud.com>
In-Reply-To: <20221115175652.3836811-1-roberto.sassu@huaweicloud.com>
References: <20221115175652.3836811-1-roberto.sassu@huaweicloud.com>
From: Roberto Sassu

LSMs should not be able to return arbitrary return values, as the callers of
the LSM infrastructure might not be ready to handle unexpected values (e.g.
positive values that are first converted to a pointer with ERR_PTR, and then
evaluated with IS_ERR()).

Modify call_int_hook() to call is_ret_value_allowed(), so that the return
value from each LSM for a given hook is checked. If, for the interval the
return value falls into, the corresponding flag is not set, change the return
value to the default value, just for the current LSM.

A misbehaving LSM would not have an impact on the decision of other LSMs, as
the loop terminates whenever the return value is not zero.

Signed-off-by: Roberto Sassu
---
 security/security.c | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/security/security.c b/security/security.c
index 4041d24e3283..cd417a8a0e65 100644
--- a/security/security.c
+++ b/security/security.c
@@ -716,6 +716,35 @@ static int lsm_superblock_alloc(struct super_block *sb) #include #undef LSM_HOOK +/* + * The return value flags of the LSM hook are defined in linux/lsm_hook_defs.h + * and can be accessed with: + * + * LSM_RET_FLAGS() + * + * The macros below define static constants for the return value flags of each + * LSM hook. + */ +#define LSM_RET_FLAGS(NAME) (NAME##_ret_flags) +#define DECLARE_LSM_RET_FLAGS(RET_FLAGS, NAME) \ + static const u32 __maybe_unused LSM_RET_FLAGS(NAME) = (RET_FLAGS); +#define LSM_HOOK(RET, DEFAULT, RET_FLAGS, NAME, ...) \ + DECLARE_LSM_RET_FLAGS(RET_FLAGS, NAME) + +#include +#undef LSM_HOOK + +static bool is_ret_value_allowed(int ret, u32 ret_flags) +{ + if ((ret < 0 && !(ret_flags & LSM_RET_NEG)) || + (ret == 0 && !(ret_flags & LSM_RET_ZERO)) || + (ret == 1 && !(ret_flags & LSM_RET_ONE)) || + (ret > 1 && !(ret_flags & LSM_RET_GT_ONE))) + return false; + + return true; +} + /* * Hook list operation macros. * @@ -741,6 +770,11 @@ static int lsm_superblock_alloc(struct super_block *sb) \ hlist_for_each_entry(P, &security_hook_heads.FUNC, list) { \ RC = P->hook.FUNC(__VA_ARGS__); \ + if (!is_ret_value_allowed(RC, LSM_RET_FLAGS(FUNC))) { \ + WARN_ONCE(1, "Illegal ret %d for " #FUNC " from %s, forcing %d\n", \ + RC, P->lsm, LSM_RET_DEFAULT(FUNC)); \ + RC = LSM_RET_DEFAULT(FUNC); \ + } \ if (RC != 0) \ break; \ } \ -- 2.25.1
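Review bot: in the first hunk (@@ -716), is_ret_value_allowed() is a plain `static bool` yet it is called inside the hlist_for_each_entry() loop of every call_int_hook() expansion, so unless the compiler inlines it on its own each hook invocation pays a call plus four compares per registered LSM on hot paths; declaring it `static inline` (or `__always_inline`) lets the `ret_flags & LSM_RET_*` tests fold away, since LSM_RET_FLAGS(FUNC) is a `static const u32` known at the call site. The comment block should also state that the generated `#define LSM_HOOK(RET, DEFAULT, RET_FLAGS, NAME, ...)` only works once every entry in lsm_hook_defs.h carries a RET_FLAGS argument, which this hunk does not add, so the dependency on the earlier patches of the series is explicit.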
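Review bot: in the second hunk (@@ -741), forcing RC to LSM_RET_DEFAULT(FUNC) can turn a deny into an allow: for a hook whose default is 0 and whose flags are LSM_RET_NEG | LSM_RET_ZERO, an LSM that returns a bogus positive value while trying to refuse is rewritten to 0, the loop continues, and if no other LSM objects the operation is permitted, so the buggy LSM fails open. Consider forcing -EPERM whenever LSM_RET_NEG is among the hook's flags and only falling back to the default for hooks that cannot return an error, and say in the commit message which choice was made and why. Note also that the check lives only in call_int_hook(), so any security_*() wrapper in security.c that open-codes its own hlist_for_each_entry() loop keeps passing raw return values to its caller.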
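The commit message describes the check in terms of intervals and flags and mentions the ERR_PTR()/IS_ERR() hazard that motivates it. The following user-space model, added here and not part of the patch or of the kernel, replays the call_int_hook() loop over three constructed LSM callbacks (one returning a bogus positive code, one denying, one allowing) with and without the check, and shows why a stray positive value slips past IS_ERR(). The flag bit values, hook description, LSM names and callbacks are all assumptions made for the illustration; the kernel's real LSM_RET_* bits and the generated per-hook constants are not used.

```c
/*
 * Added example (not from the patch or the kernel): a user-space model of
 * call_int_hook() with the return-value check. Flag bits, the hook
 * description and the LSM callbacks below are constructed for illustration.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed flag bits; the patch's LSM_RET_* macros define their own. */
#define LSM_RET_NEG	(1U << 0)
#define LSM_RET_ZERO	(1U << 1)
#define LSM_RET_ONE	(1U << 2)
#define LSM_RET_GT_ONE	(1U << 3)

/* Same four-interval test as is_ret_value_allowed() in the patch. */
static inline bool is_ret_value_allowed(int ret, uint32_t ret_flags)
{
	if ((ret < 0 && !(ret_flags & LSM_RET_NEG)) ||
	    (ret == 0 && !(ret_flags & LSM_RET_ZERO)) ||
	    (ret == 1 && !(ret_flags & LSM_RET_ONE)) ||
	    (ret > 1 && !(ret_flags & LSM_RET_GT_ONE)))
		return false;
	return true;
}

/* Model of the kernel's ERR_PTR()/IS_ERR() convention cited in the commit message. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long error) { return (void *)error; }
static inline bool IS_ERR(const void *ptr)
{
	return (unsigned long)ptr >= (unsigned long)-MAX_ERRNO;
}

typedef int (*hook_fn)(void);

struct lsm_hook {		/* one registered LSM's callback for a hook */
	const char *lsm;
	hook_fn fn;
};

struct hook_desc {		/* what LSM_RET_DEFAULT()/LSM_RET_FLAGS() give per hook */
	const char *name;
	int def;
	uint32_t flags;
};

/* Mirrors the patched loop: check, warn, force the default, stop on non-zero. */
static int call_int_hook_model(const struct hook_desc *h,
			       const struct lsm_hook *hooks, int n, bool enforce)
{
	int rc = h->def;

	for (int i = 0; i < n; i++) {
		rc = hooks[i].fn();
		if (enforce && !is_ret_value_allowed(rc, h->flags)) {
			fprintf(stderr, "Illegal ret %d for %s from %s, forcing %d\n",
				rc, h->name, hooks[i].lsm, h->def);
			rc = h->def;
		}
		if (rc != 0)
			break;
	}
	return rc;
}

/* Constructed LSM callbacks (assumptions): bogus positive, deny, allow. */
static int buggy_lsm_hook(void)  { return 5; }		/* neither errno, 0 nor 1 */
static int strict_lsm_hook(void) { return -EACCES; }
static int allow_lsm_hook(void)  { return 0; }

static const struct lsm_hook registered[] = {
	{ "buggy",  buggy_lsm_hook },
	{ "strict", strict_lsm_hook },
	{ "allow",  allow_lsm_hook },
};
#define N_LSMS ((int)(sizeof(registered) / sizeof(registered[0])))

/* Constructed hook that may only return an errno or 0, default 0 (allow). */
static const struct hook_desc access_hook = {
	.name = "inode_permission", .def = 0, .flags = LSM_RET_NEG | LSM_RET_ZERO,
};

/* Without the check, the bogus 5 ends the loop and reaches the caller. */
int result_without_check(void)
{
	return call_int_hook_model(&access_hook, registered, N_LSMS, false);
}

/* With the check, 5 is forced to 0 and the strict LSM's -EACCES wins. */
int result_with_check(void)
{
	return call_int_hook_model(&access_hook, registered, N_LSMS, true);
}

/* A positive return wrapped by ERR_PTR() is not flagged by IS_ERR(). */
bool positive_ret_looks_like_valid_pointer(int ret)
{
	return !IS_ERR(ERR_PTR(ret));
}

int main(void)
{
	printf("without check: %d\n", result_without_check());
	printf("with check:    %d\n", result_with_check());
	printf("ERR_PTR(5) passes IS_ERR(): %d\n", positive_ret_looks_like_valid_pointer(5));
	return 0;
}
```

The model also makes the coercion's direction visible: the buggy LSM's 5 becomes the hook's default 0, so only the presence of the strict LSM turns the final answer into a deny.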