From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Kees Cook <keescook@chromium.org>,
Linus Torvalds <torvalds@linux-foundation.org>
Cc: James Morris <jmorris@namei.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
LSM List <linux-security-module@vger.kernel.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
linux-integrity <linux-integrity@vger.kernel.org>,
Paul Moore <paul@paul-moore.com>,
Stephen Smalley <sds@tycho.nsa.gov>
Subject: Re: [PATCH v2] exec: Set file unwritable before LSM check
Date: Fri, 09 Mar 2018 16:54:27 -0500
Message-ID: <1520632467.3911.49.camel@linux.vnet.ibm.com>
In-Reply-To: <CAGXu5j++Ju0Jg0O3gXPGD7Nzy8uE3NZo_dCF-L0hontG_P+5yw@mail.gmail.com>
On Fri, 2018-03-09 at 11:54 -0800, Kees Cook wrote:
> On Fri, Mar 9, 2018 at 11:47 AM, Linus Torvalds
> <torvalds@linux-foundation.org> wrote:
> > On Fri, Mar 9, 2018 at 11:30 AM, Kees Cook <keescook@chromium.org> wrote:
> >> The LSM check should happen after the file has been confirmed to be
> >> unchanging. Without this, we could have a race between the Time of Check
> >> (the call to security_kernel_read_file() which could read the file and
> >> make access policy decisions) and the Time of Use (starting with
> >> kernel_read_file()'s reading of the file contents). In theory, file
> >> contents could change between the two.
For files opened by userspace, IMA refers to the problem as "Time of
Measure, Time of Use" (ToMToU) and emits an audit message.
security_kernel_read_file() is being called by the kernel to read the
kexec kernel image and initramfs, kernel modules (new syscall),
ima_policy, EVM x509 certificate, and firmware.
If these files are signed, like they should be, then IMA prevents them
from being opened for write. Modifying the file via the filesystem
should not be possible. Other sorts of attacks would probably be
possible.
If these files aren't signed, then, in terms of IMA measurement, the
file measured might not be the file used. The ToMToU audit message
is not being generated for these files.
> > I'm going to assume I get this for 4.17 from the security tree.
> >
> > Because I'm guessing there are actually no existing users that care?
> > selinux seems to just look at file state, not actually at contents or
> > anything that write access denial would care about.
> >
> > And the only other security module that even registers this is
> > loadpin, and again it just seems to check things like "on the right
> > filesystem" that aren't actually impacted by write access (in fact,
> > the documented reason is to check that it's a read-only filesystem so
> > that write access is simply _irrelevant_).
> >
> > So this issue seems to be mainly a cleanliness thing, not an actual bug.
>
> That is my assumption too (I left off the Cc: stable as a result). I'm
> much less familiar with IMA, though, but it's a caller of
> kernel_read_file(), not hooking it, etc.
Please add my reviewed-by.
Mimi
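An added user-space illustration of the race described in the patch text above (example code, not from this thread or the kernel): it contrasts the old check-the-file-then-read-it-again ordering with reading the contents into one buffer and verifying that same buffer, so that the bytes a policy check sees are the bytes that get used. The file contents, the tampering writer and the digest check are constructed stand-ins for a module image and its signature check.

```python
import hashlib
import os
import tempfile

GOOD = b"#!/bin/sh\necho trusted\n"    # constructed: contents the policy expects
BAD = b"#!/bin/sh\necho tampered\n"    # constructed: what a racing writer drops in

def digest(data):
    return hashlib.sha256(data).hexdigest()

def make_file(contents):
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(contents)
    return path

def swap_in_bad(path):          # a writer that still has the file open for write
    with open(path, "wb") as f:
        f.write(BAD)

def racy_check_then_read(path, writer):
    """Old ordering: hash the file from disk for the policy check, only then
    make it unwritable, and have the loader read the file again; writer()
    lands in the window. Returns (digest checked, digest actually used)."""
    with open(path, "rb") as f:
        checked = digest(f.read())
    writer(path)
    with open(path, "rb") as f:
        used = digest(f.read())
    return checked, used

def read_once_then_verify(path, expected, writer):
    """Fixed shape: read into one buffer, verify that buffer, use that buffer.
    A write after the read cannot touch buf; one before it fails verification."""
    with open(path, "rb") as f:
        buf = f.read()
    writer(path)
    return buf if digest(buf) == expected else None

def demo():
    """Returns (racy split check/use, fixed kept good bytes, fixed rejected bad)."""
    p1, p2, p3 = make_file(GOOD), make_file(GOOD), make_file(BAD)
    try:
        checked, used = racy_check_then_read(p1, swap_in_bad)
        kept = read_once_then_verify(p2, digest(GOOD), swap_in_bad)
        rejected = read_once_then_verify(p3, digest(GOOD), lambda p: None)
        return checked != used, kept == GOOD, rejected is None
    finally:
        for p in (p1, p2, p3):
            os.unlink(p)
```

In the racy flow the check passes on the good bytes while the tampered bytes are what ends up being used; in the read-once flow the decision is always made on the exact buffer that is consumed.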