From: Junxiao Bi <junxiao.bi@oracle.com>
To: Paul Moore <paul@paul-moore.com>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, jmorris@namei.org,
serge@hallyn.com, nathanl@linux.ibm.com, joe.jin@oracle.com,
Eric <eric.snowberg@oracle.com>,
Boris Ostrovsky <boris.ostrovsky@oracle.com>,
axboe@kernel.dk
Subject: Re: Semantics of blktrace with lockdown (integrity) enabled kernel.
Date: Mon, 10 Apr 2023 14:28:02 -0700 [thread overview]
Message-ID: <fa0a4afb-14ce-a387-ec0e-2098c5bec8c3@oracle.com> (raw)
In-Reply-To: <CAHC9VhRKzv4+fbSK8+fV7v+N5Eaevtag7YvSW1YwJrxs5gAyHQ@mail.gmail.com>
On 4/10/23 1:22 PM, Paul Moore wrote:
> On Mon, Apr 10, 2023 at 3:20 PM Junxiao Bi <junxiao.bi@oracle.com> wrote:
>> On 4/6/23 2:43 PM, Paul Moore wrote:
>>> On Thu, Apr 6, 2023 at 3:33 PM Konrad Rzeszutek Wilk
>>> <konrad.wilk@oracle.com> wrote:
>>>> On Thu, Apr 06, 2023 at 02:39:57PM -0400, Paul Moore wrote:
>>> ...
>>>
>>>>> Before we go any further, can you please verify that your issue is
>>>>> reproducible on a supported, upstream tree (preferably Linus')?
>>>> Yes. Very much so.
>>> Okay, in that case I suspect the issue is due to the somewhat limited
>>> granularity in the lockdown LSM. While there are a number of
>>> different lockdown "levels", the reality is that the admin has to
>>> choose from either NONE, INTEGRITY, or CONFIDENTIALITY. Without
>>> digging to deep into the code path that you would be hitting, we can
>>> see that TRACEFS is blocked by the CONFIDENTIALITY (and therefore
>>> INTEGRITY too) setting and DEBUGFS is blocked by the INTEGRITY
>>> setting. With DEBUGFS blocked by INTEGRITY, the only lockdown option
>>> that would allow DEBUGFS is NONE.
>>>
>>> Without knowing too much about blktrace beyond the manpage, it looks
>>> like it has the ability to trace/snoop on the block device operations
>>> so I don't think this is something we would want to allow in a
>>> "locked" system.
>> blktrace depends on tracepoint in block layer to trace io events of
>> block devices,
>>
>> through the test with mainline, those tracepoints were not blocked by
>> lockdown.
>>
>> If snoop block devices operations is a security concern in lock down, these
>>
>> tracepoints should be disabled?
> Possibly, however, as I said earlier I'm not very familiar with
> blktrace and the associated tracepoints. If it is possible to snoop
> on kernel/user data using blktrace then it probably should be
> protected by a lockdown control point.
>
> Is this something you could verify and potentially submit a patch to resolve?
blktrace can not snoop kernel/user data. The information it got from
kernel is kind of "io metadata", basically include which process from
which cpu, at what time, triggered what kind of IO events(issue, queue,
complete etc.), to which disk, from which sector offset and how long.
blktrace has no way to know what's inside that io. I am kind of think
this is safe for lockdown mode.
The following is sample of blktrace output.
252,0 1 1 0.000000000 2570 Q W 45779288 + 48 [nstat]
252,0 1 1 0.000000000 2570 Q W 45779288 + 48 [nstat]
252,0 1 1 0.000000000 2570 Q W 45779288 + 48 [nstat]
252,0 1 1 0.000000000 2570 Q W 45779288 + 48 [nstat]
252,0 3 1 0.001038626 2572 C W 45779288 + 48 [0]
252,0 3 1 0.001038626 2572 C W 45779288 + 48 [0]
252,0 3 1 0.001038626 2572 C W 45779288 + 48 [0]
252,0 3 1 0.001038626 2572 C W 45779288 + 48 [0]
252,0 1 2 1.764157693 1384 Q WS 24577112 + 8 [auditd]
252,0 1 2 1.764157693 1384 Q WS 24577112 + 8 [auditd]
252,0 1 2 1.764157693 1384 Q WS 24577112 + 8 [auditd]
252,0 1 2 1.764157693 1384 Q WS 24577112 + 8 [auditd]
252,0 1 3 1.764216845 1384 Q WS 24577120 + 16 [auditd]
252,0 1 3 1.764216845 1384 Q WS 24577120 + 16 [auditd]
252,0 1 3 1.764216845 1384 Q WS 24577120 + 16 [auditd]
252,0 1 3 1.764216845 1384 Q WS 24577120 + 16 [auditd]
Thanks,
Junxiao.
>
next prev parent reply other threads:[~2023-04-10 21:28 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-06 17:37 Semantics of blktrace with lockdown (integrity) enabled kernel Konrad Rzeszutek Wilk
2023-04-06 18:39 ` Paul Moore
2023-04-06 19:30 ` Junxiao Bi
2023-04-06 21:30 ` Paul Moore
2023-04-06 19:32 ` Konrad Rzeszutek Wilk
2023-04-06 21:43 ` Paul Moore
2023-04-10 19:19 ` Junxiao Bi
2023-04-10 20:22 ` Paul Moore
2023-04-10 21:28 ` Junxiao Bi [this message]
2023-04-10 21:44 ` Paul Moore
2023-04-10 21:51 ` Junxiao Bi
2023-04-10 22:00 ` Paul Moore
2023-04-10 22:31 ` Junxiao Bi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=fa0a4afb-14ce-a387-ec0e-2098c5bec8c3@oracle.com \
--to=junxiao.bi@oracle.com \
--cc=axboe@kernel.dk \
--cc=boris.ostrovsky@oracle.com \
--cc=eric.snowberg@oracle.com \
--cc=jmorris@namei.org \
--cc=joe.jin@oracle.com \
--cc=konrad.wilk@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=nathanl@linux.ibm.com \
--cc=paul@paul-moore.com \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).