From: joeyli <jlee@suse.com>
To: Andy Lutomirski <luto@kernel.org>
Cc: Jann Horn <jannh@google.com>,
Mimi Zohar <zohar@linux.vnet.ibm.com>,
keyrings@vger.kernel.org, David Howells <dhowells@redhat.com>,
joeyli.kernel@gmail.com, "Rafael J. Wysocki" <rjw@rjwysocki.net>,
Pavel Machek <pavel@ucw.cz>, LKML <linux-kernel@vger.kernel.org>,
linux-pm@vger.kernel.org,
"Rafael J. Wysocki" <rafael.j.wysocki@intel.com>,
Chen Yu <yu.c.chen@intel.com>,
oneukum@suse.com, yu.chen.surf@gmail.com, ggherdovich@suse.cz
Subject: Re: [PATCH 1/5] PM / hibernate: Create snapshot keys handler
Date: Mon, 08 Oct 2018 13:29:45 +0000 [thread overview]
Message-ID: <20181008132945.GV3831@linux-l9pv.suse> (raw)
In-Reply-To: <CALCETrVriVL1uhm_6wOLzCPZ++c3E+O6Yhp4it53+Cz9xu9o7Q@mail.gmail.com>
Hi Any, Jann,
On Wed, Oct 03, 2018 at 03:08:12PM -0700, Andy Lutomirski wrote:
> On Tue, Oct 2, 2018 at 12:36 PM Jann Horn <jannh@google.com> wrote:
> >
> > +Andy for opinions on things in write handlers
> > +Mimi Zohar as EVM maintainer
> >
> > On Tue, Oct 2, 2018 at 9:55 AM joeyli <jlee@suse.com> wrote:
> > > On Thu, Sep 13, 2018 at 04:31:18PM +0200, Jann Horn wrote:
> > > > On Thu, Sep 13, 2018 at 4:08 PM Lee, Chun-Yi <joeyli.kernel@gmail.com> wrote:
> > > > > This patch adds a snapshot keys handler for using the key retention
> > > > > service api to create keys for snapshot image encryption and
> > > > > authentication.
> > > [...snip]
> > > > > +static ssize_t disk_kmk_store(struct kobject *kobj, struct kobj_attribute *attr,
> > > > > + const char *buf, size_t n)
> > > > > +{
> > > > > + int error = 0;
> > > > > + char *p;
> > > > > + int len;
> > > > > +
> > > > > + if (!capable(CAP_SYS_ADMIN))
> > > > > + return -EPERM;
> > > >
> > > > This is wrong, you can't use capable() in a write handler. You'd have
> > > > to use file_ns_capable(), and I think sysfs currently doesn't give you
> > > > a pointer to the struct file.
> > > > If you want to do this in a write handler, you'll have to either get
> > > > rid of this check or plumb through the cred struct pointer.
> > > > Alternatively, you could use some interface that doesn't go through a
> > > > write handler.
> > > >
> > >
> > > Thank you for point out this problem.
> > >
> > > Actually the evm_write_key() is the example for my code. The
> > > difference is that evm creates interface file on securityfs, but my
> > > implementation is on sysfs:
> > >
> > > security/integrity/evm/evm_secfs.c
> > >
> > > static ssize_t evm_write_key(struct file *file, const char __user *buf,
> > > size_t count, loff_t *ppos)
> > > {
> > > int i, ret;
> > >
> > > if (!capable(CAP_SYS_ADMIN) || (evm_initialized & EVM_SETUP))
> > > return -EPERM;
>
> Yeah, that's a bug.
>
> > > ...
> > >
> > > On the other hand, the writing handler of /sys/power/wake_lock also
> > > uses capable() to check the CAP_BLOCK_SUSPEND capability:
> > >
> > > kernel/power/main.c
> > > static ssize_t wake_lock_store(struct kobject *kobj,
> > > struct kobj_attribute *attr,
> > > const char *buf, size_t n)
> > > {
> > > int error = pm_wake_lock(buf);
> > > return error ? error : n;
> > > }
> > > power_attr(wake_lock);
> > >
> > > kernel/power/wakelock.c
> > > int pm_wake_lock(const char *buf)
> > > {
> > > ...
> > > if (!capable(CAP_BLOCK_SUSPEND))
> > > return -EPERM;
> > > ...
>
> Also a bug.
>
> > >
> > >
> > > So I confused for when can capable() be used in sysfs interface? Is
> > > capable() only allowed in reading handler? Why the writing handler
> > > of securityfs can use capable()?
> >
> > They can't, they're all wrong. :P All of these capable() checks in
> > write handlers have to be assumed to be ineffective. But it's not a
> > big deal because you still need UID 0 to access these files.
>
> Why are there capability checks at all?
>
> >
> > > > > +static int user_key_init(void)
> > > > > +{
> > > > > + struct user_key_payload *ukp;
> > > > > + struct key *key;
> > > > > + int err = 0;
> > > > > +
> > > > > + pr_debug("%s\n", __func__);
> > > > > +
> > > > > + /* find out swsusp-key */
> > > > > + key = request_key(&key_type_user, skey.key_name, NULL);
> > > >
> > > > request_key() looks at current's keyring. That shouldn't happen in a
> > > > write handler.
> > > >
> > >
> > > The evm_write_key() also uses request_key() but it's on securityfs. Should
> > > I move my sysfs interface to securityfs?
> >
> > I don't think you should be doing this in the context of any
> > filesystem. If EVM does that, EVM is doing it wrong.
>
> EVM sounds buggy.
>
> In general if you look at current *at all* in an implementation of
> write() *in any filesystem*, you are doing it wrong.
I have read CVE-2013-1959... Thanks for Jann and Andy's review.
I will create the sysfs interface through other way, then using
file_ns_capable() for capability checking in next version.
Thanks a lot!
Joey Lee
WARNING: multiple messages have this Message-ID (diff)
From: joeyli <jlee@suse.com>
To: Andy Lutomirski <luto@kernel.org>
Cc: Jann Horn <jannh@google.com>,
Mimi Zohar <zohar@linux.vnet.ibm.com>,
keyrings@vger.kernel.org, David Howells <dhowells@redhat.com>,
joeyli.kernel@gmail.com, "Rafael J. Wysocki" <rjw@rjwysocki.net>,
Pavel Machek <pavel@ucw.cz>, LKML <linux-kernel@vger.kernel.org>,
linux-pm@vger.kernel.org,
"Rafael J. Wysocki" <rafael.j.wysocki@intel.com>,
Chen Yu <yu.c.chen@intel.com>,
oneukum@suse.com, yu.chen.surf@gmail.com, ggherdovich@suse.cz
Subject: Re: [PATCH 1/5] PM / hibernate: Create snapshot keys handler
Date: Mon, 8 Oct 2018 21:29:45 +0800 [thread overview]
Message-ID: <20181008132945.GV3831@linux-l9pv.suse> (raw)
In-Reply-To: <CALCETrVriVL1uhm_6wOLzCPZ++c3E+O6Yhp4it53+Cz9xu9o7Q@mail.gmail.com>
Hi Any, Jann,
On Wed, Oct 03, 2018 at 03:08:12PM -0700, Andy Lutomirski wrote:
> On Tue, Oct 2, 2018 at 12:36 PM Jann Horn <jannh@google.com> wrote:
> >
> > +Andy for opinions on things in write handlers
> > +Mimi Zohar as EVM maintainer
> >
> > On Tue, Oct 2, 2018 at 9:55 AM joeyli <jlee@suse.com> wrote:
> > > On Thu, Sep 13, 2018 at 04:31:18PM +0200, Jann Horn wrote:
> > > > On Thu, Sep 13, 2018 at 4:08 PM Lee, Chun-Yi <joeyli.kernel@gmail.com> wrote:
> > > > > This patch adds a snapshot keys handler for using the key retention
> > > > > service api to create keys for snapshot image encryption and
> > > > > authentication.
> > > [...snip]
> > > > > +static ssize_t disk_kmk_store(struct kobject *kobj, struct kobj_attribute *attr,
> > > > > + const char *buf, size_t n)
> > > > > +{
> > > > > + int error = 0;
> > > > > + char *p;
> > > > > + int len;
> > > > > +
> > > > > + if (!capable(CAP_SYS_ADMIN))
> > > > > + return -EPERM;
> > > >
> > > > This is wrong, you can't use capable() in a write handler. You'd have
> > > > to use file_ns_capable(), and I think sysfs currently doesn't give you
> > > > a pointer to the struct file.
> > > > If you want to do this in a write handler, you'll have to either get
> > > > rid of this check or plumb through the cred struct pointer.
> > > > Alternatively, you could use some interface that doesn't go through a
> > > > write handler.
> > > >
> > >
> > > Thank you for point out this problem.
> > >
> > > Actually the evm_write_key() is the example for my code. The
> > > difference is that evm creates interface file on securityfs, but my
> > > implementation is on sysfs:
> > >
> > > security/integrity/evm/evm_secfs.c
> > >
> > > static ssize_t evm_write_key(struct file *file, const char __user *buf,
> > > size_t count, loff_t *ppos)
> > > {
> > > int i, ret;
> > >
> > > if (!capable(CAP_SYS_ADMIN) || (evm_initialized & EVM_SETUP))
> > > return -EPERM;
>
> Yeah, that's a bug.
>
> > > ...
> > >
> > > On the other hand, the writing handler of /sys/power/wake_lock also
> > > uses capable() to check the CAP_BLOCK_SUSPEND capability:
> > >
> > > kernel/power/main.c
> > > static ssize_t wake_lock_store(struct kobject *kobj,
> > > struct kobj_attribute *attr,
> > > const char *buf, size_t n)
> > > {
> > > int error = pm_wake_lock(buf);
> > > return error ? error : n;
> > > }
> > > power_attr(wake_lock);
> > >
> > > kernel/power/wakelock.c
> > > int pm_wake_lock(const char *buf)
> > > {
> > > ...
> > > if (!capable(CAP_BLOCK_SUSPEND))
> > > return -EPERM;
> > > ...
>
> Also a bug.
>
> > >
> > >
> > > So I confused for when can capable() be used in sysfs interface? Is
> > > capable() only allowed in reading handler? Why the writing handler
> > > of securityfs can use capable()?
> >
> > They can't, they're all wrong. :P All of these capable() checks in
> > write handlers have to be assumed to be ineffective. But it's not a
> > big deal because you still need UID 0 to access these files.
>
> Why are there capability checks at all?
>
> >
> > > > > +static int user_key_init(void)
> > > > > +{
> > > > > + struct user_key_payload *ukp;
> > > > > + struct key *key;
> > > > > + int err = 0;
> > > > > +
> > > > > + pr_debug("%s\n", __func__);
> > > > > +
> > > > > + /* find out swsusp-key */
> > > > > + key = request_key(&key_type_user, skey.key_name, NULL);
> > > >
> > > > request_key() looks at current's keyring. That shouldn't happen in a
> > > > write handler.
> > > >
> > >
> > > The evm_write_key() also uses request_key() but it's on securityfs. Should
> > > I move my sysfs interface to securityfs?
> >
> > I don't think you should be doing this in the context of any
> > filesystem. If EVM does that, EVM is doing it wrong.
>
> EVM sounds buggy.
>
> In general if you look at current *at all* in an implementation of
> write() *in any filesystem*, you are doing it wrong.
I have read CVE-2013-1959... Thanks for Jann and Andy's review.
I will create the sysfs interface through other way, then using
file_ns_capable() for capability checking in next version.
Thanks a lot!
Joey Lee
WARNING: multiple messages have this Message-ID (diff)
From: joeyli <jlee@suse.com>
To: Andy Lutomirski <luto@kernel.org>, Jann Horn <jannh@google.com>
Cc: Jann Horn <jannh@google.com>,
Mimi Zohar <zohar@linux.vnet.ibm.com>,
keyrings@vger.kernel.org, David Howells <dhowells@redhat.com>,
joeyli.kernel@gmail.com, "Rafael J. Wysocki" <rjw@rjwysocki.net>,
Pavel Machek <pavel@ucw.cz>, LKML <linux-kernel@vger.kernel.org>,
linux-pm@vger.kernel.org,
"Rafael J. Wysocki" <rafael.j.wysocki@intel.com>,
Chen Yu <yu.c.chen@intel.com>,
oneukum@suse.com, yu.chen.surf@gmail.com, ggherdovich@suse.cz
Subject: Re: [PATCH 1/5] PM / hibernate: Create snapshot keys handler
Date: Mon, 8 Oct 2018 21:29:45 +0800 [thread overview]
Message-ID: <20181008132945.GV3831@linux-l9pv.suse> (raw)
In-Reply-To: <CALCETrVriVL1uhm_6wOLzCPZ++c3E+O6Yhp4it53+Cz9xu9o7Q@mail.gmail.com>
Hi Any, Jann,
On Wed, Oct 03, 2018 at 03:08:12PM -0700, Andy Lutomirski wrote:
> On Tue, Oct 2, 2018 at 12:36 PM Jann Horn <jannh@google.com> wrote:
> >
> > +Andy for opinions on things in write handlers
> > +Mimi Zohar as EVM maintainer
> >
> > On Tue, Oct 2, 2018 at 9:55 AM joeyli <jlee@suse.com> wrote:
> > > On Thu, Sep 13, 2018 at 04:31:18PM +0200, Jann Horn wrote:
> > > > On Thu, Sep 13, 2018 at 4:08 PM Lee, Chun-Yi <joeyli.kernel@gmail.com> wrote:
> > > > > This patch adds a snapshot keys handler for using the key retention
> > > > > service api to create keys for snapshot image encryption and
> > > > > authentication.
> > > [...snip]
> > > > > +static ssize_t disk_kmk_store(struct kobject *kobj, struct kobj_attribute *attr,
> > > > > + const char *buf, size_t n)
> > > > > +{
> > > > > + int error = 0;
> > > > > + char *p;
> > > > > + int len;
> > > > > +
> > > > > + if (!capable(CAP_SYS_ADMIN))
> > > > > + return -EPERM;
> > > >
> > > > This is wrong, you can't use capable() in a write handler. You'd have
> > > > to use file_ns_capable(), and I think sysfs currently doesn't give you
> > > > a pointer to the struct file.
> > > > If you want to do this in a write handler, you'll have to either get
> > > > rid of this check or plumb through the cred struct pointer.
> > > > Alternatively, you could use some interface that doesn't go through a
> > > > write handler.
> > > >
> > >
> > > Thank you for point out this problem.
> > >
> > > Actually the evm_write_key() is the example for my code. The
> > > difference is that evm creates interface file on securityfs, but my
> > > implementation is on sysfs:
> > >
> > > security/integrity/evm/evm_secfs.c
> > >
> > > static ssize_t evm_write_key(struct file *file, const char __user *buf,
> > > size_t count, loff_t *ppos)
> > > {
> > > int i, ret;
> > >
> > > if (!capable(CAP_SYS_ADMIN) || (evm_initialized & EVM_SETUP))
> > > return -EPERM;
>
> Yeah, that's a bug.
>
> > > ...
> > >
> > > On the other hand, the writing handler of /sys/power/wake_lock also
> > > uses capable() to check the CAP_BLOCK_SUSPEND capability:
> > >
> > > kernel/power/main.c
> > > static ssize_t wake_lock_store(struct kobject *kobj,
> > > struct kobj_attribute *attr,
> > > const char *buf, size_t n)
> > > {
> > > int error = pm_wake_lock(buf);
> > > return error ? error : n;
> > > }
> > > power_attr(wake_lock);
> > >
> > > kernel/power/wakelock.c
> > > int pm_wake_lock(const char *buf)
> > > {
> > > ...
> > > if (!capable(CAP_BLOCK_SUSPEND))
> > > return -EPERM;
> > > ...
>
> Also a bug.
>
> > >
> > >
> > > So I confused for when can capable() be used in sysfs interface? Is
> > > capable() only allowed in reading handler? Why the writing handler
> > > of securityfs can use capable()?
> >
> > They can't, they're all wrong. :P All of these capable() checks in
> > write handlers have to be assumed to be ineffective. But it's not a
> > big deal because you still need UID 0 to access these files.
>
> Why are there capability checks at all?
>
> >
> > > > > +static int user_key_init(void)
> > > > > +{
> > > > > + struct user_key_payload *ukp;
> > > > > + struct key *key;
> > > > > + int err = 0;
> > > > > +
> > > > > + pr_debug("%s\n", __func__);
> > > > > +
> > > > > + /* find out swsusp-key */
> > > > > + key = request_key(&key_type_user, skey.key_name, NULL);
> > > >
> > > > request_key() looks at current's keyring. That shouldn't happen in a
> > > > write handler.
> > > >
> > >
> > > The evm_write_key() also uses request_key() but it's on securityfs. Should
> > > I move my sysfs interface to securityfs?
> >
> > I don't think you should be doing this in the context of any
> > filesystem. If EVM does that, EVM is doing it wrong.
>
> EVM sounds buggy.
>
> In general if you look at current *at all* in an implementation of
> write() *in any filesystem*, you are doing it wrong.
I have read CVE-2013-1959... Thanks for Jann and Andy's review.
I will create the sysfs interface through other way, then using
file_ns_capable() for capability checking in next version.
Thanks a lot!
Joey Lee
next prev parent reply other threads:[~2018-10-08 13:29 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-12 14:23 [PATCH 0/5][RFC] Encryption and authentication for hibernate snapshot image Lee, Chun-Yi
2018-09-12 14:23 ` [PATCH 1/5] PM / hibernate: Create snapshot keys handler Lee, Chun-Yi
2018-09-12 16:27 ` Randy Dunlap
2018-09-13 8:39 ` joeyli
2018-09-13 13:58 ` Yu Chen
2018-10-01 10:47 ` joeyli
2018-09-13 14:31 ` Jann Horn
2018-09-13 14:31 ` Jann Horn
2018-10-02 7:54 ` joeyli
2018-10-02 7:54 ` joeyli
2018-10-02 19:36 ` Jann Horn
2018-10-02 19:36 ` Jann Horn
2018-10-03 22:08 ` Andy Lutomirski
2018-10-03 22:08 ` Andy Lutomirski
2018-10-08 13:29 ` joeyli [this message]
2018-10-08 13:29 ` joeyli
2018-10-08 13:29 ` joeyli
2018-10-04 4:02 ` Mimi Zohar
2018-10-04 4:02 ` Mimi Zohar
2018-09-14 5:52 ` kbuild test robot
2018-09-12 14:23 ` [PATCH 2/5] PM / hibernate: Generate and verify signature for snapshot image Lee, Chun-Yi
2018-09-12 14:23 ` [PATCH 3/5] PM / hibernate: Encrypt " Lee, Chun-Yi
2018-09-12 14:23 ` [PATCH 4/5] PM / hibernate: Erase the snapshot master key in snapshot pages Lee, Chun-Yi
2018-09-12 14:23 ` [PATCH 5/5] PM / hibernate: An option to request that snapshot image must be authenticated Lee, Chun-Yi
2018-09-12 16:24 ` Randy Dunlap
2018-09-13 8:37 ` joeyli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181008132945.GV3831@linux-l9pv.suse \
--to=jlee@suse.com \
--cc=dhowells@redhat.com \
--cc=ggherdovich@suse.cz \
--cc=jannh@google.com \
--cc=joeyli.kernel@gmail.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pm@vger.kernel.org \
--cc=luto@kernel.org \
--cc=oneukum@suse.com \
--cc=pavel@ucw.cz \
--cc=rafael.j.wysocki@intel.com \
--cc=rjw@rjwysocki.net \
--cc=yu.c.chen@intel.com \
--cc=yu.chen.surf@gmail.com \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.