Re: [PATCH] p9caps: add Plan9 capability devices

From: Enrico Weigelt
Date: Wed Apr 25 2018 - 06:38:29 EST

Next message: Greg Kroah-Hartman: "[PATCH 4.14 027/183] KVM: s390: use created_vcpus in more places"
Previous message: Greg Kroah-Hartman: "[PATCH 4.14 009/183] drm/i915: Do no use kfree() to free a kmem_cache_alloc() return value"
Next in thread: Richard Weinberger: "Re: [PATCH] p9caps: add Plan9 capability devices"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 17.02.2018 23:11, Richard Weinberger wrote:

Hi,

+static LIST_HEAD(caphash_writers); >> +>> +static DEFINE_MUTEX(lock);>> +>> +struct crypto_ahash *hmac_tfm

= NULL;>> +>> +static int caphash_open(struct inode *inode, struct file *filp)>> +{>> + struct caphash_writer *tmp = NULL;>> + struct user_namespace *user_ns = current_user_ns();>> + int retval = 0;>> + struct list_head *pos, *q;>> +>> + /* make sure only one instance per namespace can be opened */>> + mutex_lock(&lock);>> +>> + list_for_each_safe(pos, q, &(caphash_writers)) {>> + tmp = list_entry(pos, struct caphash_writer, list);>> + if (tmp->user_ns == user_ns) {>> + pr_err("already locked in this namespace\n");>

So, evil guy opens the device but does not close it, therefore the
whole service is blocked in a namespace?

Yes, exactly as specified. There may be only one host factotum running,
which can create caps. It's an important security feature.

In general, I think we should open that device in
kernel_init_freeable() and hand over the fd to init/systemd.

That would require an customized init and factotum, and wouldn't be
Plan9 compatible.

+static int caphash_release(struct inode *inode, struct file *filp)
+{
+ int retval = 0;
+ struct user_namespace *user_ns = current_user_ns();

Why not obtaining the user namespace from the open file?
That way one can close a caphash file hande she never opened.
Think of open, followed by nsenter, ...

hmm, good point.

+ list_for_each_safe(pos, q, &(caphash_writers)) {
+ tmp = list_entry(pos, struct caphash_entry, list);

list_for_each_entry.

what's the exact difference ?

+static ssize_t capuse_write(struct file *filp, const char __user *buf,
+ size_t count, loff_t *f_pos)
+{
+ ssize_t retval = count;
+ char *rand_str, *src_uname, *dst_uname;
+ u8 hashval[SHA1_DIGEST_SIZE] = { 0 };
+ char *cmdbuf;
+
+ if (!(cmdbuf = kzalloc(count, GFP_KERNEL)))

count is unbound, please apply a limit check.

ok.

+ {
+ char *walk = cmdbuf;

cmdbuf is toxic, make sure it is at least nul-terminated.

ok.

+ if (hmac_tfm)

IS_ERR()? Otherwise you free a error value, if crypto_alloc_ahash() fails.

ok

--mtx

--
Enrico Weigelt, metux IT consult
Free software and Linux embedded engineering
info@xxxxxxxxx -- +49-151-27565287

Next message: Greg Kroah-Hartman: "[PATCH 4.14 027/183] KVM: s390: use created_vcpus in more places"
Previous message: Greg Kroah-Hartman: "[PATCH 4.14 009/183] drm/i915: Do no use kfree() to free a kmem_cache_alloc() return value"
Next in thread: Richard Weinberger: "Re: [PATCH] p9caps: add Plan9 capability devices"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]