1. 20 Oct 2017, 1 commit
    • security: bpf: Add LSM hooks for bpf object related syscall · afdb09c7
      Committed by Chenbo Feng
      Introduce several LSM hooks for the syscalls that will allow the
      userspace to access to eBPF object such as eBPF programs and eBPF maps.
      The security check is aimed to enforce a per object security protection
      for eBPF object so only processes with the right privileges can
      read/write to a specific map or use a specific eBPF program. Besides
      that, a general security hook is added before the multiplexer of bpf
      syscall to check the cmd and the attribute used for the command. The
      actual security module can decide which command need to be checked and
      how the cmd should be checked.
      Signed-off-by: Chenbo Feng <fengc@google.com>
      Acked-by: James Morris <james.l.morris@oracle.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 04 Oct 2017, 1 commit
    • lsm: fix smack_inode_removexattr and xattr_getsecurity memleak · 57e7ba04
      Committed by Casey Schaufler
      security_inode_getsecurity() provides the text string value
      of a security attribute. It does not provide a "secctx".
      The code in xattr_getsecurity() that calls security_inode_getsecurity()
      and then calls security_release_secctx() happened to work because
      SElinux and Smack treat the attribute and the secctx the same way.
      It fails for cap_inode_getsecurity(), because that module has no
      secctx that ever needs releasing. It turns out that Smack is the
      one that's doing things wrong by not allocating memory when instructed
      to do so by the "alloc" parameter.
      
      The fix is simple enough. Change the security_release_secctx() to
      kfree() because it isn't a secctx being returned by
      security_inode_getsecurity(). Change Smack to allocate the string when
      told to do so.
      
      Note: this also fixes memory leaks for LSMs which implement
      inode_getsecurity but not release_secctx, such as capabilities.
      Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
      Reported-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
      Cc: stable@vger.kernel.org
      Signed-off-by: James Morris <james.l.morris@oracle.com>
  3. 26 Sep 2017, 2 commits
    • security/keys: rewrite all of big_key crypto · 428490e3
      Committed by Jason A. Donenfeld
      This started out as just replacing the use of crypto/rng with
      get_random_bytes_wait, so that we wouldn't use bad randomness at boot
      time. But, upon looking further, it appears that there were even deeper
      underlying cryptographic problems, and that this seems to have been
      committed with very little crypto review. So, I rewrote the whole thing,
      trying to keep to the conventions introduced by the previous author, to
      fix these cryptographic flaws.
      
      It makes no sense to seed crypto/rng at boot time and then keep
      using it like this, when in fact there's already get_random_bytes_wait,
      which can ensure there's enough entropy and be a much more standard way
      of generating keys. Since this sensitive material is being stored
      untrusted, using ECB and no authentication is simply not okay at all. I
      find it surprising and a bit horrifying that this code even made it past
      basic crypto review, which perhaps points to some larger issues. This
      patch moves from using AES-ECB to using AES-GCM. Since keys are uniquely
      generated each time, we can set the nonce to zero. There was also a race
      condition in which the same key would be reused at the same time in
      different threads. A mutex fixes this issue now.
      
      So, to summarize, this commit fixes the following vulnerabilities:
      
        * Low entropy key generation, allowing an attacker to potentially
          guess or predict keys.
        * Unauthenticated encryption, allowing an attacker to modify the
          cipher text in particular ways in order to manipulate the plaintext,
          which is even more frightening considering the next point.
        * Use of ECB mode, allowing an attacker to trivially swap blocks or
          compare identical plaintext blocks.
        * Key re-use.
        * Faulty memory zeroing.
      Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
      Reviewed-by: Eric Biggers <ebiggers3@gmail.com>
      Signed-off-by: David Howells <dhowells@redhat.com>
      Cc: Herbert Xu <herbert@gondor.apana.org.au>
      Cc: Kirill Marinushkin <k.marinushkin@gmail.com>
      Cc: security@kernel.org
      Cc: stable@vger.kernel.org
    • security/keys: properly zero out sensitive key material in big_key · 91080180
      Committed by Jason A. Donenfeld
      Error paths forgot to zero out sensitive material, so this patch changes
      some kfrees into kzfrees.
      Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
      Signed-off-by: David Howells <dhowells@redhat.com>
      Reviewed-by: Eric Biggers <ebiggers3@gmail.com>
      Cc: Herbert Xu <herbert@gondor.apana.org.au>
      Cc: Kirill Marinushkin <k.marinushkin@gmail.com>
      Cc: security@kernel.org
      Cc: stable@vger.kernel.org
  4. 25 Sep 2017, 10 commits
    • KEYS: use kmemdup() in request_key_auth_new() · e007ce9c
      Committed by Eric Biggers
      kmemdup() is preferred to kmalloc() followed by memcpy().
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: David Howells <dhowells@redhat.com>
    • KEYS: restrict /proc/keys by credentials at open time · 4aa68e07
      Committed by Eric Biggers
      When checking for permission to view keys whilst reading from
      /proc/keys, we should use the credentials with which the /proc/keys file
      was opened.  This is because, in a classic type of exploit, it can be
      possible to bypass checks for the *current* credentials by passing the
      file descriptor to a suid program.
      
      Following commit 34dbbcdb ("Make file credentials available to the
      seqfile interfaces") we can finally fix it.  So let's do it.
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: David Howells <dhowells@redhat.com>
    • KEYS: reset parent each time before searching key_user_tree · 8f674565
      Committed by Eric Biggers
      In key_user_lookup(), if there is no key_user for the given uid, we drop
      key_user_lock, allocate a new key_user, and search the tree again.  But
      we failed to set 'parent' to NULL at the beginning of the second search.
      If the tree were to be empty for the second search, the insertion would
      be done with an invalid 'parent', scribbling over freed memory.
      
      Fortunately this can't actually happen currently because the tree always
      contains at least the root_key_user.  But it still should be fixed to
      make the code more robust.
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: David Howells <dhowells@redhat.com>
    • KEYS: prevent KEYCTL_READ on negative key · 37863c43
      Committed by Eric Biggers
      Because keyctl_read_key() looks up the key with no permissions
      requested, it may find a negatively instantiated key.  If the key is
      also possessed, we went ahead and called ->read() on the key.  But the
      key payload will actually contain the ->reject_error rather than the
      normal payload.  Thus, the kernel oopses trying to read the
      user_key_payload from memory address (int)-ENOKEY = 0x00000000ffffff82.
      
      Fortunately the payload data is stored inline, so it shouldn't be
      possible to abuse this as an arbitrary memory read primitive...
      
      Reproducer:
          keyctl new_session
          keyctl request2 user desc '' @s
          keyctl read $(keyctl show | awk '/user: desc/ {print $1}')
      
      It causes a crash like the following:
           BUG: unable to handle kernel paging request at 00000000ffffff92
           IP: user_read+0x33/0xa0
           PGD 36a54067 P4D 36a54067 PUD 0
           Oops: 0000 [#1] SMP
           CPU: 0 PID: 211 Comm: keyctl Not tainted 4.14.0-rc1 #337
           Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-20170228_101828-anatol 04/01/2014
           task: ffff90aa3b74c3c0 task.stack: ffff9878c0478000
           RIP: 0010:user_read+0x33/0xa0
           RSP: 0018:ffff9878c047bee8 EFLAGS: 00010246
           RAX: 0000000000000001 RBX: ffff90aa3d7da340 RCX: 0000000000000017
           RDX: 0000000000000000 RSI: 00000000ffffff82 RDI: ffff90aa3d7da340
           RBP: ffff9878c047bf00 R08: 00000024f95da94f R09: 0000000000000000
           R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
           R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
           FS:  00007f58ece69740(0000) GS:ffff90aa3e200000(0000) knlGS:0000000000000000
           CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
           CR2: 00000000ffffff92 CR3: 0000000036adc001 CR4: 00000000003606f0
           Call Trace:
            keyctl_read_key+0xac/0xe0
            SyS_keyctl+0x99/0x120
            entry_SYSCALL_64_fastpath+0x1f/0xbe
           RIP: 0033:0x7f58ec787bb9
           RSP: 002b:00007ffc8d401678 EFLAGS: 00000206 ORIG_RAX: 00000000000000fa
           RAX: ffffffffffffffda RBX: 00007ffc8d402800 RCX: 00007f58ec787bb9
           RDX: 0000000000000000 RSI: 00000000174a63ac RDI: 000000000000000b
           RBP: 0000000000000004 R08: 00007ffc8d402809 R09: 0000000000000020
           R10: 0000000000000000 R11: 0000000000000206 R12: 00007ffc8d402800
           R13: 00007ffc8d4016e0 R14: 0000000000000000 R15: 0000000000000000
           Code: e5 41 55 49 89 f5 41 54 49 89 d4 53 48 89 fb e8 a4 b4 ad ff 85 c0 74 09 80 3d b9 4c 96 00 00 74 43 48 8b b3 20 01 00 00 4d 85 ed <0f> b7 5e 10 74 29 4d 85 e4 74 24 4c 39 e3 4c 89 e2 4c 89 ef 48
           RIP: user_read+0x33/0xa0 RSP: ffff9878c047bee8
           CR2: 00000000ffffff92
      
      Fixes: 61ea0c0b ("KEYS: Skip key state checks when checking for possession")
      Cc: <stable@vger.kernel.org> [v3.13+]
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: David Howells <dhowells@redhat.com>
    • KEYS: prevent creating a different user's keyrings · 237bbd29
      Committed by Eric Biggers
      It was possible for an unprivileged user to create the user and user
      session keyrings for another user.  For example:
      
          sudo -u '#3000' sh -c 'keyctl add keyring _uid.4000 "" @u
                                 keyctl add keyring _uid_ses.4000 "" @u
                                 sleep 15' &
          sleep 1
          sudo -u '#4000' keyctl describe @u
          sudo -u '#4000' keyctl describe @us
      
      This is problematic because these "fake" keyrings won't have the right
      permissions.  In particular, the user who created them first will own
      them and will have full access to them via the possessor permissions,
      which can be used to compromise the security of a user's keys:
      
          -4: alswrv-----v------------  3000     0 keyring: _uid.4000
          -5: alswrv-----v------------  3000     0 keyring: _uid_ses.4000
      
      Fix it by marking user and user session keyrings with a flag
      KEY_FLAG_UID_KEYRING.  Then, when searching for a user or user session
      keyring by name, skip all keyrings that don't have the flag set.
      
      Fixes: 69664cf1 ("keys: don't generate user and user session keyrings unless they're accessed")
      Cc: <stable@vger.kernel.org> [v2.6.26+]
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: David Howells <dhowells@redhat.com>
    • KEYS: fix writing past end of user-supplied buffer in keyring_read() · e645016a
      Committed by Eric Biggers
      Userspace can call keyctl_read() on a keyring to get the list of IDs of
      keys in the keyring.  But if the user-supplied buffer is too small, the
      kernel would write the full list anyway --- which will corrupt whatever
      userspace memory happened to be past the end of the buffer.  Fix it by
      only filling the space that is available.
      
      Fixes: b2a4df20 ("KEYS: Expand the capacity of a keyring")
      Cc: <stable@vger.kernel.org>	[v3.13+]
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: David Howells <dhowells@redhat.com>
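      The bounded-copy rule this message describes, shown as an added user-space model. This is not the kernel's keyring_read() and not code from the commit: toy_keyring, toy_keyring_read, toy_keyring_read_keeps_bounds and the sample serials are constructed for the example. The reader copies only as many serials as the caller's buffer holds, still reports the size the full list needs, and a guard-word check shows that memory beyond a short buffer is left untouched.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical user-space model of a keyring read (not kernel code). */
typedef int32_t key_serial_t;

struct toy_keyring {
    const key_serial_t *serials;  /* serial numbers of the linked keys */
    size_t nr_keys;
};

/* Constructed sample: a keyring that links five keys. */
static const key_serial_t sample_serials[] = { 101, 202, 303, 404, 505 };
const struct toy_keyring sample_keyring = { sample_serials, 5 };

/*
 * Bounded read with the semantics the commit message describes: copy at
 * most buflen bytes of serials into buf, but always return the number of
 * bytes the complete list needs, so a caller whose buffer was too small
 * can allocate that much and call again. buf == NULL or buflen == 0 is a
 * pure size query. A buflen that is not a multiple of the serial size is
 * rejected with -EINVAL.
 */
long toy_keyring_read(const struct toy_keyring *kr, key_serial_t *buf,
                      size_t buflen)
{
    size_t needed = kr->nr_keys * sizeof(key_serial_t);

    if (buflen & (sizeof(key_serial_t) - 1))
        return -EINVAL;

    if (buf && buflen) {
        size_t room = buflen / sizeof(key_serial_t);
        size_t n = kr->nr_keys < room ? kr->nr_keys : room;

        /* Only the space the caller actually owns is written. */
        memcpy(buf, kr->serials, n * sizeof(key_serial_t));
    }
    return (long)needed;
}

/*
 * Guard-word check: hand the reader a deliberately short buffer that is
 * followed by guard words and report 1 if every guard word is intact,
 * 0 otherwise. buflen must leave room for guards (at most 8 serials).
 */
int toy_keyring_read_keeps_bounds(const struct toy_keyring *kr, size_t buflen)
{
    enum { WORDS = 16 };
    key_serial_t storage[WORDS];
    const key_serial_t guard = (key_serial_t)0x5A5A5A5A;
    size_t i;

    if (buflen > (WORDS / 2) * sizeof(key_serial_t))
        return 0;
    for (i = 0; i < WORDS; i++)
        storage[i] = guard;

    if (toy_keyring_read(kr, storage, buflen) < 0)
        return 0;

    for (i = buflen / sizeof(key_serial_t); i < WORDS; i++)
        if (storage[i] != guard)
            return 0;
    return 1;
}

int main(void)
{
    key_serial_t small[2];
    long needed = toy_keyring_read(&sample_keyring, small, sizeof small);

    printf("short read: %ld bytes needed, first ids %d %d, bounds kept: %d\n",
           needed, (int)small[0], (int)small[1],
           toy_keyring_read_keeps_bounds(&sample_keyring, sizeof small));
    return 0;
}
```

      Returning the required size while copying only what fits is the usual two-call pattern: query the size, allocate, read again. The guard-word helper is the kind of check a regression test for this fix would make, since the defect only shows up as corruption of whatever happens to follow the buffer.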
    • KEYS: fix key refcount leak in keyctl_read_key() · 7fc0786d
      Committed by Eric Biggers
      In keyctl_read_key(), if key_permission() were to return an error code
      other than EACCES, we would leak the reference to the key.  This can't
      actually happen currently because key_permission() can only return an
      error code other than EACCES if security_key_permission() does, only
      SELinux and Smack implement that hook, and neither can return an error
      code other than EACCES.  But it should still be fixed, as it is a bug
      waiting to happen.
      
      Fixes: 29db9190 ("[PATCH] Keys: Add LSM hooks for key management [try #3]")
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: David Howells <dhowells@redhat.com>
    • KEYS: fix key refcount leak in keyctl_assume_authority() · 884bee02
      Committed by Eric Biggers
      In keyctl_assume_authority(), if keyctl_change_reqkey_auth() were to
      fail, we would leak the reference to the 'authkey'.  Currently this can
      only happen if prepare_creds() fails to allocate memory.  But it still
      should be fixed, as it is a more severe bug waiting to happen.
      
      This patch also moves the read of 'authkey->serial' to before the
      reference to the authkey is dropped.  Doing the read after dropping the
      reference is very fragile because it assumes we still hold another
      reference to the key.  (Which we do, in current->cred->request_key_auth,
      but there's no reason not to write it in the "obviously correct" way.)
      
      Fixes: d84f4f99 ("CRED: Inaugurate COW credentials")
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: David Howells <dhowells@redhat.com>
    • KEYS: don't revoke uninstantiated key in request_key_auth_new() · f7b48cf0
      Committed by Eric Biggers
      If key_instantiate_and_link() were to fail (which fortunately isn't
      possible currently), the call to key_revoke(authkey) would crash with a
      NULL pointer dereference in request_key_auth_revoke() because the key
      has not yet been instantiated.
      
      Fix this by removing the call to key_revoke().  key_put() is sufficient,
      as it's not possible for an uninstantiated authkey to have been used for
      anything yet.
      
      Fixes: b5f545c8 ("[PATCH] keys: Permit running process to instantiate keys")
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: David Howells <dhowells@redhat.com>
    • KEYS: fix cred refcount leak in request_key_auth_new() · 44d81433
      Committed by Eric Biggers
      In request_key_auth_new(), if key_alloc() or key_instantiate_and_link()
      were to fail, we would leak a reference to the 'struct cred'.  Currently
      this can only happen if key_alloc() fails to allocate memory.  But it
      still should be fixed, as it is a more severe bug waiting to happen.
      
      Fix it by cleaning things up to use a helper function which frees a
      'struct request_key_auth' correctly.
      
      Fixes: d84f4f99 ("CRED: Inaugurate COW credentials")
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: David Howells <dhowells@redhat.com>
  5. 24 Sep 2017, 1 commit
  6. 23 Sep 2017, 17 commits
  7. 05 Sep 2017, 3 commits
  8. 02 Sep 2017, 1 commit
    • Introduce v3 namespaced file capabilities · 8db6c34f
      Committed by Serge E. Hallyn
      Root in a non-initial user ns cannot be trusted to write a traditional
      security.capability xattr.  If it were allowed to do so, then any
      unprivileged user on the host could map his own uid to root in a private
      namespace, write the xattr, and execute the file with privilege on the
      host.
      
      However supporting file capabilities in a user namespace is very
      desirable.  Not doing so means that any programs designed to run with
      limited privilege must continue to support other methods of gaining and
      dropping privilege.  For instance a program installer must detect
      whether file capabilities can be assigned, and assign them if so but set
      setuid-root otherwise.  The program in turn must know how to drop
      partial capabilities, and do so only if setuid-root.
      
      This patch introduces v3 of the security.capability xattr.  It builds a
      vfs_ns_cap_data struct by appending a uid_t rootid to struct
      vfs_cap_data.  This is the absolute uid_t (that is, the uid_t in user
      namespace which mounted the filesystem, usually init_user_ns) of the
      root id in whose namespaces the file capabilities may take effect.
      
      When a task asks to write a v2 security.capability xattr, if it is
      privileged with respect to the userns which mounted the filesystem, then
      nothing should change.  Otherwise, the kernel will transparently rewrite
      the xattr as a v3 with the appropriate rootid.  This is done during the
      execution of setxattr() to catch user-space-initiated capability writes.
      Subsequently, any task executing the file which has the noted kuid as
      its root uid, or which is in a descendant user_ns of such a user_ns,
      will run the file with capabilities.
      
      Similarly when asking to read file capabilities, a v3 capability will
      be presented as v2 if it applies to the caller's namespace.
      
      If a task writes a v3 security.capability, then it can provide a uid for
      the xattr so long as the uid is valid in its own user namespace, and it
      is privileged with CAP_SETFCAP over its namespace.  The kernel will
      translate that rootid to an absolute uid, and write that to disk.  After
      this, a task in the writer's namespace will not be able to use those
      capabilities (unless rootid was 0), but a task in a namespace where the
      given uid is root will.
      
      Only a single security.capability xattr may exist at a time for a given
      file.  A task may overwrite an existing xattr so long as it is
      privileged over the inode.  Note this is a departure from previous
      semantics, which required privilege to remove a security.capability
      xattr.  This check can be re-added if deemed useful.
      
      This allows a simple setxattr to work, allows tar/untar to work, and
      allows us to tar in one namespace and untar in another while preserving
      the capability, without risking leaking privilege into a parent
      namespace.
      
      Example using tar:
      
       $ cp /bin/sleep sleepx
       $ mkdir b1 b2
       $ lxc-usernsexec -m b:0:100000:1 -m b:1:$(id -u):1 -- chown 0:0 b1
       $ lxc-usernsexec -m b:0:100001:1 -m b:1:$(id -u):1 -- chown 0:0 b2
       $ lxc-usernsexec -m b:0:100000:1000 -- tar --xattrs-include=security.capability --xattrs -cf b1/sleepx.tar sleepx
       $ lxc-usernsexec -m b:0:100001:1000 -- tar --xattrs-include=security.capability --xattrs -C b2 -xf b1/sleepx.tar
       $ lxc-usernsexec -m b:0:100001:1000 -- getcap b2/sleepx
         b2/sleepx = cap_sys_admin+ep
       # /opt/ltp/testcases/bin/getv3xattr b2/sleepx
         v3 xattr, rootid is 100001
      
      A patch to linux-test-project adding a new set of tests for this
      functionality is in the nsfscaps branch at github.com/hallyn/ltp
      
      Changelog:
         Nov 02 2016: fix invalid check at refuse_fcap_overwrite()
         Nov 07 2016: convert rootid from and to fs user_ns
         (From ebiederm: mar 28 2017)
           commoncap.c: fix typos - s/v4/v3
           get_vfs_caps_from_disk: clarify the fs_ns root access check
           nsfscaps: change the code split for cap_inode_setxattr()
         Apr 09 2017:
             don't return v3 cap for caps owned by current root.
            return a v2 cap for a true v2 cap in non-init ns
         Apr 18 2017:
            . Change the flow of fscap writing to support s_user_ns writing.
            . Remove refuse_fcap_overwrite().  The value of the previous
              xattr doesn't matter.
         Apr 24 2017:
            . incorporate Eric's incremental diff
            . move cap_convert_nscap to setxattr and simplify its usage
         May 8, 2017:
            . fix leaking dentry refcount in cap_inode_getsecurity
      Signed-off-by: Serge Hallyn <serge@hallyn.com>
      Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
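      A decoder for the on-disk layout this message describes, added here as an example; it is not part of the patch or of the kernel. The VFS_CAP_* and XATTR_CAPS_SZ_* constants are the uapi values from include/uapi/linux/capability.h; parse_fcap_xattr, fcap_applies, parsed_fcap and the sample byte strings are constructed for this example, and fcap_applies is a simplified model of the "rootid matches the task's namespace or an ancestor" rule (it takes the chain of root kuids explicitly instead of walking real user namespaces). The v3 sample encodes the getcap/getv3xattr result shown above: cap_sys_admin+ep with rootid 100001.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* uapi constants: the revision is the top byte of magic_etc, the "effective"
 * flag is bit 0; a v2 xattr is 20 bytes, a v3 xattr appends a 4-byte rootid. */
#define VFS_CAP_REVISION_MASK   0xFF000000U
#define VFS_CAP_FLAGS_EFFECTIVE 0x000001U
#define VFS_CAP_REVISION_2      0x02000000U
#define VFS_CAP_REVISION_3      0x03000000U
#define XATTR_CAPS_SZ_2         20
#define XATTR_CAPS_SZ_3         24
#define CAP_SYS_ADMIN           21

struct parsed_fcap {
    int revision;         /* 2 or 3 */
    int effective;        /* VFS_CAP_FLAGS_EFFECTIVE set */
    uint64_t permitted;   /* data[0].permitted | data[1].permitted << 32 */
    uint64_t inheritable;
    uint32_t rootid;      /* v3 only; reported as 0 for v2 (init ns root) */
};

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode a raw security.capability value; 0 on success, -1 if malformed. */
int parse_fcap_xattr(const uint8_t *buf, size_t len, struct parsed_fcap *out)
{
    uint32_t magic;

    if (len < 4)
        return -1;
    magic = rd_le32(buf);
    switch (magic & VFS_CAP_REVISION_MASK) {
    case VFS_CAP_REVISION_2:
        if (len != XATTR_CAPS_SZ_2) return -1;
        out->revision = 2;
        break;
    case VFS_CAP_REVISION_3:
        if (len != XATTR_CAPS_SZ_3) return -1;
        out->revision = 3;
        break;
    default:
        return -1;  /* unknown revision (v1 is not handled here) */
    }
    out->effective   = (magic & VFS_CAP_FLAGS_EFFECTIVE) != 0;
    out->permitted   = rd_le32(buf + 4) | (uint64_t)rd_le32(buf + 12) << 32;
    out->inheritable = rd_le32(buf + 8) | (uint64_t)rd_le32(buf + 16) << 32;
    out->rootid      = out->revision == 3 ? rd_le32(buf + 20) : 0;
    return 0;
}

/* Simplified model: the caps take effect for a task whose user namespace, or
 * an ancestor of it, has the xattr's rootid as its root kuid. chain[] lists
 * those root kuids from the task's own namespace up to init_user_ns (kuid 0),
 * so a v2 xattr (rootid 0) matches every task. */
int fcap_applies(const struct parsed_fcap *c, const uint32_t *chain, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (chain[i] == c->rootid)
            return 1;
    return 0;
}

/* Constructed sample: "cap_sys_admin+ep, rootid 100001" as stored on disk. */
const uint8_t sample_v3_xattr[XATTR_CAPS_SZ_3] = {
    0x01, 0x00, 0x00, 0x03,   /* magic_etc: revision 3 | effective */
    0x00, 0x00, 0x20, 0x00,   /* data[0].permitted: bit 21 = CAP_SYS_ADMIN */
    0x00, 0x00, 0x00, 0x00,   /* data[0].inheritable */
    0x00, 0x00, 0x00, 0x00,   /* data[1].permitted */
    0x00, 0x00, 0x00, 0x00,   /* data[1].inheritable */
    0xA1, 0x86, 0x01, 0x00,   /* rootid: 100001 */
};

/* Constructed sample: the same capability set as a plain v2 xattr. */
const uint8_t sample_v2_xattr[XATTR_CAPS_SZ_2] = {
    0x01, 0x00, 0x00, 0x02,  0x00, 0x00, 0x20, 0x00,  0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,
};

int main(void)
{
    struct parsed_fcap c;
    uint32_t ns_b2[] = { 100001, 0 };  /* task in the example's b2 namespace */

    if (parse_fcap_xattr(sample_v3_xattr, sizeof sample_v3_xattr, &c) == 0)
        printf("v%d xattr, rootid is %u, applies in b2: %d\n",
               c.revision, c.rootid, fcap_applies(&c, ns_b2, 2));
    return 0;
}
```

      Reading the raw xattr rather than trusting getcap output is how an auditor sees the rootid that the v2 presentation hides: the same bytes that getcap in the b2 namespace reports as cap_sys_admin+ep decode to rootid 100001, and a task whose namespace chain does not contain that kuid (the b1 namespace in the example, rootid 100000) gets nothing from them.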
  9. 29 Aug 2017, 1 commit
  10. 23 Aug 2017, 1 commit
  11. 18 Aug 2017, 2 commits