Re: Leaking Path in XFS's ioctl interface(missing LSM check)

From: Tetsuo Handa
Date: Thu Sep 27 2018 - 19:13:13 EST

Next message: Nicolin Chen: "Re: [PATCH 2/2] hwmon: ina3221: Add enable sysfs nodes"
Previous message: Vladis Dronov: "Re: KMSAN: uninit-value in __dev_mc_add"
In reply to: Dave Chinner: "Re: Leaking Path in XFS's ioctl interface(missing LSM check)"
Next in thread: Alan Cox: "Re: Leaking Path in XFS's ioctl interface(missing LSM check)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 2018/09/28 7:19, Dave Chinner wrote:> IOWs, the security_file_ioctl() hook is almost completely useless in
> cases like this - you can't isolate the ioctl based on the file
> argument, because it can point to any file or directory in the
> filesystem. And without actually parsing, decoding and instantiating
> the the ioctl arguments, you can't tell the ioctl it can't act on
> specific targets. And because filehandle to dentry resolution
> results in disconnected dentries, the paths are not complete and
> hence path based security checks (e.g. tomoyo) are likely to be
> broken and unfixable...

Though TOMOYO uses pathname as a mandatory parameter, CaitSith
(currently waiting for review) does not.

CaitSith can filter filesystem specific ioctl() using fsmagic
and cmd parameter like:

10 acl ioctl path.fsmagic=0x9FA0
audit 0
10 deny cmd=@FORBIDDEN_IOCTLS_ON_PROCFS
20 allow

CaitSith does ioctl() checks. Missing LSM check is a bug.

Next message: Nicolin Chen: "Re: [PATCH 2/2] hwmon: ina3221: Add enable sysfs nodes"
Previous message: Vladis Dronov: "Re: KMSAN: uninit-value in __dev_mc_add"
In reply to: Dave Chinner: "Re: Leaking Path in XFS's ioctl interface(missing LSM check)"
Next in thread: Alan Cox: "Re: Leaking Path in XFS's ioctl interface(missing LSM check)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]