linux-security-module.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Aleksandr Nogikh <nogikh@google.com>
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: Aleksandr Nogikh <a.nogikh@gmail.com>,
	jmorris@namei.org, serge@hallyn.com, akinobu.mita@gmail.com,
	Andrey Konovalov <andreyknvl@google.com>,
	Dmitry Vyukov <dvyukov@google.com>,
	Marco Elver <elver@google.com>,
	glider@google.com, keescook@google.com,
	LKML <linux-kernel@vger.kernel.org>,
	linux-security-module@vger.kernel.org
Subject: Re: [RFC PATCH v2 1/2] security: add fault injection capability
Date: Tue, 27 Oct 2020 20:29:35 +0300	[thread overview]
Message-ID: <CANp29Y5w1ZxDShGQHvJ-F0bM_P4WSrvPoDQtPNnBCG38Ee-x-A@mail.gmail.com> (raw)
In-Reply-To: <c768f42a-1370-5b38-4f89-357744fd9d5a@schaufler-ca.com>

(resending the previous message in a plain/text mode)

On Mon, Oct 26, 2020 at 7:20 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
>
[...]
> > -     int RC = IRC;                                           \
> > -     do {                                                    \
> > +     int RC = lsm_hooks_inject_fail();                       \
> > +     if (RC == 0) {                                                          \
>
> Injecting the failure here will prevent the loaded LSM hooks from
> being called.
In this RFC, fault injection was intentionally placed before the code that
invokes LSM hooks. The reasoning was that it would simultaneously check
how the kernel code reacts to LSM denials and the effect of fault injections
on LSM modules.

>
> >               struct security_hook_list *P;                   \
> > +             RC = IRC;                                                               \
> >                                                               \
> >               hlist_for_each_entry(P, &security_hook_heads.FUNC, list) { \
> >                       RC = P->hook.FUNC(__VA_ARGS__);         \
> >                       if (RC != 0)                            \
> >                               break;                          \
> >               }                                               \
> > -     } while (0);                                            \
> > +     }                                                       \
>
> Injecting the failure here would allow the loaded LSM hooks to
> be called. It shouldn't make a difference, but hooks with side-effects
> are always possible. I don't have an issue either way.
>
> >       RC;                                                     \
> >  })
> >
>
Should we expect LSM modules to properly handle the cases when their
hooks with side effects were not invoked (unlike the selinux crash that
is described in the cover letter)? From the source code it seems that a
failure/denial from one module prevents the execution of the subsequent
hooks, so this looks like a realistic scenario.

If that is not true in general and depends on the specific active modules,
then it probably makes sense to introduce an option to control whether to
inject faults at the beginning of call_int_hook() or after the hooks have
been invoked.

  reply	other threads:[~2020-10-27 17:31 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-10-26 12:52 [RFC PATCH v2 0/2] security: add fault injection to LSM hooks Aleksandr Nogikh
2020-10-26 12:52 ` [RFC PATCH v2 1/2] security: add fault injection capability Aleksandr Nogikh
2020-10-26 16:20   ` Casey Schaufler
2020-10-27 17:29     ` Aleksandr Nogikh [this message]
2020-10-27 17:56       ` Casey Schaufler
2020-10-26 12:52 ` [RFC PATCH v2 2/2] docs: add fail_lsm_hooks info to fault-injection.rst Aleksandr Nogikh
2020-10-27 15:31   ` Akinobu Mita
2020-10-27 17:33     ` Aleksandr Nogikh
2020-10-28  9:41       ` Dmitry Vyukov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CANp29Y5w1ZxDShGQHvJ-F0bM_P4WSrvPoDQtPNnBCG38Ee-x-A@mail.gmail.com \
    --to=nogikh@google.com \
    --cc=a.nogikh@gmail.com \
    --cc=akinobu.mita@gmail.com \
    --cc=andreyknvl@google.com \
    --cc=casey@schaufler-ca.com \
    --cc=dvyukov@google.com \
    --cc=elver@google.com \
    --cc=glider@google.com \
    --cc=jmorris@namei.org \
    --cc=keescook@google.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=serge@hallyn.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).