security: Fix side effects of default BPF LSM hooks #3142
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
BPF LSM currently has a default implementation for each LSM hooks which return a default value defined in include/linux/lsm_hook_defs.h. These hooks should have no functional effect when there is no BPF program loaded to implement the hook logic. Some LSM hooks treat any return value of the hook as policy decision which results in destructive side effects. This issue and the effects were reported to me by Jann Horn: For a system configured with CONFIG_BPF_LSM and the bpf lsm is enabled (via lsm= or CONFIG_LSM) an unprivileged user can vandalize the system by removing the security.capability xattrs from binaries, preventing them from working normally: $ getfattr -d -m- /bin/ping getfattr: Removing leading '/' from absolute path names security.capability=0sAQAAAgAgAAAAAAAAAAAAAAAAAAA= $ setfattr -x security.capability /bin/ping $ getfattr -d -m- /bin/ping $ ping 1.2.3.4 $ ping google.com $ echo $? 2 The above reproduces with: cat /sys/kernel/security/lsm capability,apparmor,bpf But not with SELinux as SELinux does the required check in its LSM hook: cat /sys/kernel/security/lsm capability,selinux,bpf In this case security_inode_removexattr() calls call_int_hook(inode_removexattr, 1, mnt_userns, dentry, name), which expects a return value of 1 to mean "no LSM hooks hit" and 0 is supposed to mean "the LSM decided to permit the access and checked cap_inode_removexattr" There are other security hooks that are similarly effected. In order to reliably fix this issue and also allow LSM Hooks and BPF programs which implement hook logic to choose to not make a decision in certain conditions (e.g. when BPF programs are used for auditing), introduce a special return value LSM_HOOK_NO_EFFECT which can be used by the hook to indicate to the framework that it does not intend to make a decision. Fixes: 520b7aa ("bpf: lsm: Initialize the BPF LSM hooks") Reported-by: Jann Horn <jannh@google.com> Signed-off-by: KP Singh <kpsingh@kernel.org>
|
Master branch: fe92833 |
|
At least one diff in series https://patchwork.kernel.org/project/netdevbpf/list/?series=649020 expired. Closing PR. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Pull request for series with
subject: security: Fix side effects of default BPF LSM hooks
version: 1
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=649020