From: Dave Chinner <david@fromorbit.com>
To: James Morris <jmorris@namei.org>
Cc: Alan Cox <gnomes@lxorguk.ukuu.org.uk>, TongZhang <ztong@vt.edu>,
darrick.wong@oracle.com, linux-xfs@vger.kernel.org,
LKML <linux-kernel@vger.kernel.org>,
linux-security-module@vger.kernel.org,
Wenbo Shen <shenwenbosmile@gmail.com>
Subject: Re: Leaking Path in XFS's ioctl interface(missing LSM check)
Date: Fri, 28 Sep 2018 08:19:48 +1000 [thread overview]
Message-ID: <20180927221948.GH31060@dastard> (raw)
In-Reply-To: <alpine.LRH.2.21.1809280720330.8410@namei.org>
On Fri, Sep 28, 2018 at 07:23:42AM +1000, James Morris wrote:
> On Thu, 27 Sep 2018, Dave Chinner wrote:
>
> > Sure, but there are so many CAP_SYS_ADMIN-only ioctls in the kernel
> > that have no LSM coverage that this is not an isolated problem that
> > people setting up such systems have to deal with.
>
> I could be missing something here, but all ioctls are mediated by LSM at a
> high level (security_file_ioctl). Some problematic ones are singled out at
> that point by LSMs for special handling.
selinux_file_ioctl() checks whether a specific /file/ has
permissions to execute ioctls, but it doesn't know anything about
what that ioctl actually does. It has special cases for a handful of
ioctls, but misses a large number of ioctls that perform similar
functionality (e.g. file getattr/setattr type ioctls).
smack just checks for read/write permissions depending on the
IOW/IOR/IORW definition of the ioctl. Tomoyo does a path check
based on the path associated with the file passed to it to see if an
ioctl can be run.
IOWs, none of there really know anything about what the ioctl does,
and they sure as hell don't check any of the arguments for other
file descriptors that the ioctl might be accessing. It's basically a
"does we allow ioctls to this inode/path from this user?" check and
nothing more.
That just doesn't work for ioctls structured like the XFS filehandle
operations. The ioctl is performed on a "fshandle" file descriptor,
which generally points at the root directory of the filesystem the
file handle belongs to. This gives the ioctl the superblock context
that it is to operate on, and nothing more. It then opens a new file
based on the filehandle that was in the ioctl argument, and performs
the required operation on that file it opened itself.
IOWs, the security_file_ioctl() hook is almost completely useless in
cases like this - you can't isolate the ioctl based on the file
argument, because it can point to any file or directory in the
filesystem. And without actually parsing, decoding and instantiating
the the ioctl arguments, you can't tell the ioctl it can't act on
specific targets. And because filehandle to dentry resolution
results in disconnected dentries, the paths are not complete and
hence path based security checks (e.g. tomoyo) are likely to be
broken and unfixable...
Cheers,
Dave.
--
Dave Chinner
david@fromorbit.com
next prev parent reply other threads:[~2018-09-28 4:40 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-26 0:51 Leaking Path in XFS's ioctl interface(missing LSM check) TongZhang
2018-09-26 1:33 ` Dave Chinner
2018-09-26 13:23 ` Stephen Smalley
2018-09-27 2:08 ` Dave Chinner
2018-09-26 18:24 ` Alan Cox
2018-09-27 1:38 ` Dave Chinner
2018-09-27 21:23 ` James Morris
2018-09-27 22:19 ` Dave Chinner [this message]
2018-09-27 23:12 ` Tetsuo Handa
2018-09-30 14:16 ` Alan Cox
2018-10-01 0:25 ` Dave Chinner
2018-10-01 15:04 ` Alan Cox
2018-10-01 15:25 ` Theodore Y. Ts'o
2018-10-01 22:53 ` Dave Chinner
2018-10-01 15:44 ` Darrick J. Wong
2018-10-01 20:08 ` James Morris
2018-10-01 22:45 ` Dave Chinner
2018-10-02 19:20 ` James Morris
2018-10-02 22:42 ` Dave Chinner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180927221948.GH31060@dastard \
--to=david@fromorbit.com \
--cc=darrick.wong@oracle.com \
--cc=gnomes@lxorguk.ukuu.org.uk \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux-xfs@vger.kernel.org \
--cc=shenwenbosmile@gmail.com \
--cc=ztong@vt.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).