RE: [PATCH v5 3/5] SELinux: Prepare for PTRACE_MODE_SCHED
From: Schaufler, Casey
Date: Thu Sep 27 2018 - 12:26:55 EST
> -----Original Message-----
> From: Stephen Smalley [mailto:sds@xxxxxxxxxxxxx]
> Sent: Thursday, September 27, 2018 8:50 AM
> To: Schaufler, Casey <casey.schaufler@xxxxxxxxx>; kernel-
> hardening@xxxxxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx; linux-security-
> module@xxxxxxxxxxxxxxx; selinux@xxxxxxxxxxxxx; Hansen, Dave
> <dave.hansen@xxxxxxxxx>; Dock, Deneen T <deneen.t.dock@xxxxxxxxx>;
> kristen@xxxxxxxxxxxxxxx; arjan@xxxxxxxxxxxxxxx; Paul Moore <paul@paul-
> moore.com>
> Subject: Re: [PATCH v5 3/5] SELinux: Prepare for PTRACE_MODE_SCHED
>
> On 09/26/2018 04:34 PM, Casey Schaufler wrote:
> > From: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
> >
> > A ptrace access check with mode PTRACE_MODE_SCHED gets called
> > from process switching code. This precludes the use of audit or avc,
> > as the locking is incompatible. The only available check that
> > can be made without using avc is a comparison of the secids.
> > This is not very satisfactory as it will indicate possible
> > vulnerabilies much too aggressively.
> Can you document (in the patch description and/or in the inline
> documentation in lsm_hooks.h) what locks can be safely used when this
> hook is called with PTRACE_MODE_SCHED? rcu_read_lock() seemingly must
> be safe since it is being called by task_sid() below. Are any other
> locking primitives safe?
Peter Zijlstra <peterz@xxxxxxxxxxxxx> had this comment on
locking in the SELinux ptrace path.
avc_has_perm_noaudit()
security_compute_av()
read_lock(&state->ss->policy_rwlock);
avc_insert()
spin_lock_irqsave();
avc_denied()
avc_update_node()
spin_lock_irqsave();
under the scheduler's raw_spinlock_t, which are invalid lock nestings.
I don't know that it would be impossible to address these issues,
but as many people have noted over the years I am not now
nor have ever been an expert on locking.
>
> Does the PTRACE_MODE_SCHED check have to occur while holding the
> scheduler lock, or could it be performed before taking the lock?
My understanding is that the lock is required.
> Can you cite the commit or patch posting (e.g. from lore or patchwork)
> that defines PTRACE_MODE_SCHED and its usage as part of the patch
> description for context? Is this based on the v7 patchset, e.g.
> https://lore.kernel.org/lkml/nycvar.YFH.7.76.1809251437340.15880@xxxxxxxxx
> r.pm/
Yes, that's the one. Sorry, I should have identified that.
>
> >
> > Signed-off-by: Casey Schaufler <casey.schaufler@xxxxxxxxx>
> > ---
> > security/selinux/hooks.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> > index ad9a9b8e9979..160239791007 100644
> > --- a/security/selinux/hooks.c
> > +++ b/security/selinux/hooks.c
> > @@ -2267,6 +2267,8 @@ static int selinux_ptrace_access_check(struct
> task_struct *child,
> > u32 sid = current_sid();
> > u32 csid = task_sid(child);
> >
> > + if (mode & PTRACE_MODE_SCHED)
> > + return sid == csid ? 0 : -EACCES;
> IIUC, this logic is essentially the same as the uid-based check,
> including the fact that even a "privileged" process is not given any
> special handling since they always return false from ptrace_has_cap()
> for PTRACE_MODE_SCHED. If they are ok with applying IBPB whenever uids
> differ, then doing so whenever sids/contexts differ does not seem like
> an onerous thing.
>
>
> > if (mode & PTRACE_MODE_READ)
> > return avc_has_perm(&selinux_state,
> > sid, csid, SECCLASS_FILE, FILE__READ,
> NULL);
> >