From: Eric Biggers <ebiggers@kernel.org>
To: Paul Moore <paul@paul-moore.com>
Cc: Alfred Piccioni <alpic@google.com>,
Stephen Smalley <stephen.smalley.work@gmail.com>,
Eric Paris <eparis@parisplace.org>,
linux-security-module@vger.kernel.org,
linux-fsdevel@vger.kernel.org, stable@vger.kernel.org,
selinux@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] security: new security_file_ioctl_compat() hook
Date: Tue, 26 Dec 2023 22:43:22 -0600 [thread overview]
Message-ID: <20231227044322.GB4240@quark.localdomain> (raw)
In-Reply-To: <CAHC9VhRDPv4-gNNiFMNtP_vL8UM66RQX0vxB0WkNw3Rn_Lcfmg@mail.gmail.com>
On Sun, Dec 24, 2023 at 03:53:16PM -0500, Paul Moore wrote:
> On Tue, Dec 19, 2023 at 4:09 AM Alfred Piccioni <alpic@google.com> wrote:
> >
> > Some ioctl commands do not require ioctl permission, but are routed to
> > other permissions such as FILE_GETATTR or FILE_SETATTR. This routing is
> > done by comparing the ioctl cmd to a set of 64-bit flags (FS_IOC_*).
> >
> > However, if a 32-bit process is running on a 64-bit kernel, it emits
> > 32-bit flags (FS_IOC32_*) for certain ioctl operations. These flags are
> > being checked erroneously, which leads to these ioctl operations being
> > routed to the ioctl permission, rather than the correct file
> > permissions.
> >
> > This was also noted in a RED-PEN finding from a while back -
> > "/* RED-PEN how should LSM module know it's handling 32bit? */".
> >
> > This patch introduces a new hook, security_file_ioctl_compat, that is
> > called from the compat ioctl syscall. All current LSMs have been changed
> > to support this hook.
> >
> > Reviewing the three places where we are currently using
> > security_file_ioctl, it appears that only SELinux needs a dedicated
> > compat change; TOMOYO and SMACK appear to be functional without any
> > change.
> >
> > Fixes: 0b24dcb7f2f7 ("Revert "selinux: simplify ioctl checking"")
> > Signed-off-by: Alfred Piccioni <alpic@google.com>
> > Cc: stable@vger.kernel.org
> > ---
> > fs/ioctl.c | 3 +--
> > include/linux/lsm_hook_defs.h | 2 ++
> > include/linux/security.h | 7 +++++++
> > security/security.c | 17 +++++++++++++++++
> > security/selinux/hooks.c | 28 ++++++++++++++++++++++++++++
> > security/smack/smack_lsm.c | 1 +
> > security/tomoyo/tomoyo.c | 1 +
> > 7 files changed, 57 insertions(+), 2 deletions(-)
>
> I made some minor style tweaks around line length and alignment, but
> otherwise this looked good to me. Thanks all!
>
Reviewed-by: Eric Biggers <ebiggers@google.com>
(I reviewed the version in branch "next" of
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm.git)
- Eric
prev parent reply other threads:[~2023-12-27 4:43 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-09-06 10:25 [PATCH] SELinux: Check correct permissions for FS_IOC32_* Alfred Piccioni
2023-09-06 11:59 ` [PATCH V2] " Alfred Piccioni
2023-09-06 17:49 ` Stephen Smalley
2023-09-08 22:54 ` kernel test robot
2023-09-11 13:19 ` Stephen Smalley
2023-09-11 13:49 ` Stephen Smalley
2023-09-12 9:00 ` Alfred Piccioni
2023-09-12 12:00 ` Stephen Smalley
2023-09-12 15:46 ` Mickaël Salaün
2023-09-13 3:52 ` Paul Moore
2023-12-18 12:41 ` [PATCH] SELinux: Introduce security_file_ioctl_compat hook Alfred Piccioni
2023-12-18 13:46 ` Stephen Smalley
2023-12-18 13:50 ` Stephen Smalley
2023-12-19 9:09 ` [PATCH] security: new security_file_ioctl_compat() hook Alfred Piccioni
2023-12-19 9:10 ` Alfred Piccioni
2023-12-20 14:38 ` Alfred Piccioni
2023-12-20 15:34 ` Stephen Smalley
2023-12-23 14:41 ` Tetsuo Handa
2023-12-20 17:31 ` Stephen Smalley
2023-12-20 18:48 ` Eric Biggers
2023-12-23 1:23 ` Paul Moore
2023-12-23 10:48 ` Tetsuo Handa
2023-12-24 19:58 ` Paul Moore
2023-12-23 15:34 ` Eric Biggers
2023-12-24 20:00 ` Paul Moore
2023-12-24 20:09 ` Paul Moore
2023-12-23 17:54 ` Casey Schaufler
2023-12-24 20:53 ` Paul Moore
2023-12-27 4:43 ` Eric Biggers [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231227044322.GB4240@quark.localdomain \
--to=ebiggers@kernel.org \
--cc=alpic@google.com \
--cc=eparis@parisplace.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=selinux@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).