security: Fix side effects of default BPF LSM hooks #3142

Closed
wants to merge 2 commits into from

Commits on Jun 9, 2022

  1. adding ci files

    Kernel Patches Daemon committed Jun 9, 2022
    d59b854
  2. security: Fix side effects of default BPF LSM hooks

    BPF LSM currently has a default implementation for each LSM hook which
    returns a default value defined in include/linux/lsm_hook_defs.h. These
    hooks should have no functional effect when there is no BPF program
    loaded to implement the hook logic.
    
    Some LSM hooks treat any return value of the hook as a policy decision
    which results in destructive side effects.
    
    This issue and the effects were reported to me by Jann Horn:
    
    For a system configured with CONFIG_BPF_LSM and the bpf lsm is enabled
    (via lsm= or CONFIG_LSM) an unprivileged user can vandalize the system
    by removing the security.capability xattrs from binaries, preventing
    them from working normally:
    
    $ getfattr -d -m- /bin/ping
    getfattr: Removing leading '/' from absolute path names
    security.capability=0sAQAAAgAgAAAAAAAAAAAAAAAAAAA=
    
    $ setfattr -x security.capability /bin/ping
    $ getfattr -d -m- /bin/ping
    $ ping 1.2.3.4
    $ ping google.com
    $ echo $?
    2
    
    The above reproduces with:
    
    cat /sys/kernel/security/lsm
    capability,apparmor,bpf
    
    But not with SELinux as SELinux does the required check in its LSM hook:
    
    cat /sys/kernel/security/lsm
    capability,selinux,bpf
    
    In this case security_inode_removexattr() calls
    call_int_hook(inode_removexattr, 1, mnt_userns, dentry, name), which
    expects a return value of 1 to mean "no LSM hooks hit" and 0 is
    supposed to mean "the LSM decided to permit the access and checked
    cap_inode_removexattr"
    
    There are other security hooks that are similarly affected.
    
    In order to reliably fix this issue and also allow LSM Hooks and BPF
    programs which implement hook logic to choose to not make a decision
    in certain conditions (e.g. when BPF programs are used for auditing),
    introduce a special return value LSM_HOOK_NO_EFFECT which can be used
    by the hook to indicate to the framework that it does not intend to
    make a decision.
    
    Fixes: 520b7aa ("bpf: lsm: Initialize the BPF LSM hooks")
    Reported-by: Jann Horn <jannh@google.com>
    Signed-off-by: KP Singh <kpsingh@kernel.org>
    KP Singh authored and Kernel Patches Daemon committed Jun 9, 2022
    e584aee View commit details
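
The return-value handling described in the commit message above can be modelled in userspace. This is an added example, not code from the patch or the kernel: the hook functions, the `model_removexattr` helper, the numeric value of `NO_EFFECT_MODEL`, and the way the loop skips a hook that returns it are all assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define NO_EFFECT_MODEL (-4096) /* constructed stand-in for LSM_HOOK_NO_EFFECT */

typedef int (*hook_fn)(int has_cap);

/* Stand-in for cap_inode_removexattr(): only a privileged caller may proceed. */
static int cap_check(int has_cap) { return has_cap ? 0 : -EPERM; }
/* BPF LSM default hook with no program attached, before the fix. */
static int bpf_default_old(int has_cap) { (void)has_cap; return 0; }
/* Same hook after the fix: it declines to make a decision. */
static int bpf_default_new(int has_cap) { (void)has_cap; return NO_EFFECT_MODEL; }
/* An LSM that performs the capability check inside its own hook. */
static int selinux_like(int has_cap) { return cap_check(has_cap); }

/* Hook lists; in this model AppArmor registers nothing for this hook. */
static const hook_fn apparmor_bpf_old[] = { bpf_default_old };
static const hook_fn apparmor_bpf_new[] = { bpf_default_new };
static const hook_fn selinux_bpf_old[]  = { selinux_like, bpf_default_old };

/* Model of security_inode_removexattr(): 1 means "no LSM hooks hit". */
int model_removexattr(const hook_fn *hooks, size_t n, int has_cap)
{
    int rc = 1;                        /* default passed to call_int_hook */
    for (size_t i = 0; i < n; i++) {
        int r = hooks[i](has_cap);
        if (r == NO_EFFECT_MODEL)      /* assumed handling: skip this hook */
            continue;
        rc = r;
        if (rc != 0)                   /* first non-zero result ends the walk */
            break;
    }
    if (rc == 1)                       /* nobody decided: fall back to capabilities */
        rc = cap_check(has_cap);
    return rc;
}

int main(void)
{
    printf("apparmor,bpf (old), unprivileged: %d\n", model_removexattr(apparmor_bpf_old, 1, 0));
    printf("apparmor,bpf (new), unprivileged: %d\n", model_removexattr(apparmor_bpf_new, 1, 0));
    printf("selinux,bpf  (old), unprivileged: %d\n", model_removexattr(selinux_bpf_old, 2, 0));
    return 0;
}
```

In the model, the old default hook turns "no LSM hooks hit" into "permitted" and the capability check never runs, which matches the `apparmor,bpf` reproduction; the `selinux,bpf` list denies because the first hook already performed the check.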