[PATCH 00/23] LSM: Full security module stacking

Stephen Smalley sds at tycho.nsa.gov
Tue May 15 12:33:12 UTC 2018 

On 05/14/2018 05:31 PM, Casey Schaufler wrote:
> On 5/14/2018 1:07 PM, Stephen Smalley wrote:
>> On 05/14/2018 03:52 PM, Stephen Smalley wrote:
>>> On 05/10/2018 08:30 PM, Casey Schaufler wrote:
>>>> Subject: [PATCH 00/23] LSM: Full security module stacking
>>>>
>>>> Here it is, the whole nine yards, broken into mostly
>>>> review friendly pieces. I believe that it would make
>>>> a good deal of sense to take this in two bites, with
>>>> the infrastructure managed blobs going first and the
>>>> secid conversion coming later. I hope there will be some
>>>> debate around that.
>>>>
>>>> The blob management part is pretty clean by now. I
>>>> welcome serious review on that. The secid part is more
>>>> wobbly, but I am convinced that it's the right direction
>>>> if not perhaps always the best possible implementation.
>>>> AppArmor in in the process of a major overhaul, and that
>>>> slowed me down a bit as I had to do new work to convert
>>>> it to use the new mechanisms.
>>>>
>>>> I had experimented with secid "tokens" in the hope of
>>>> minimizing API changes. That doesn't work. Changing
>>>> the APIs to use a struct secids pointer in place of a
>>>> u32 is brutal to the diffstat, but reduces the amount
>>>> of active code that has to change, and really makes
>>>> data management easier.
>>>>
>>>> If there are two possible ways to do a thing you will
>>>> find them both in the networking code. AF_UNIX, netfilter,
>>>> SO_PEERSEC and netlabel each has its own clever ways
>>>> to manipulate security information. I think I nailed
>>>> them all, but I'm not betting more than a beer on it.
>>>>
>>>> There could be issues in the audit code, although nothing
>>>> jumped out immediately. The same goes for the integrity
>>>> subsystem. I haven't tried Infiniband or very many
>>>> filesystem types that don't com standard with Fedora or
>>>> Ubuntu.
>>>>
>>>> I have fixed everything I've found. If you find something
>>>> (please look!) let me know.
>>>>
>>>> Tested primarily on virtual machines.
>>>> 	Fedora 25-27 - SELinux, Smack and the two together
>>>> 	Ubuntu 17.04 - AppArmor and AppArmor + Smack
>>>>
>>>> The SELinux test suite completes successfully unless
>>>> you add in Smack, in which case it fails where you would
>>>> expect it to due to the different use models for netlabel.
>>>> Smack tests work as well. AppArmor was tested by booting
>>>> Ubuntu, but not beyond.
>>> Getting this during boot with CONFIG_KASAN=y and SELinux+Smack stacked:
>>>
>>> [   83.809008] ==================================================================
>>> [   83.809046] BUG: KASAN: use-after-free in string+0xab/0x180
>>> [   83.809051] Read of size 1 at addr ffff8803bb3ad508 by task systemd/1
>>>
>>> [   83.809062] CPU: 3 PID: 1 Comm: systemd Not tainted 4.17.0-rc3+ #41
>>> [   83.809066] Call Trace:
>>> [   83.809072]  dump_stack+0x9a/0xec
>>> [   83.809079]  print_address_description+0x65/0x22e
>>> [   83.809084]  ? string+0xab/0x180
>>> [   83.809087]  kasan_report.cold.6+0xac/0x2f4
>>> [   83.809095]  ? string+0xab/0x180
>>> [   83.809101]  ? widen_string+0x160/0x160
>>> [   83.809107]  ? __kasan_slab_free+0x125/0x170
>>> [   83.809110]  ? kfree+0xe5/0x2f0
>>> [   83.809114]  ? security_inode_getsecctx+0x20b/0x240
>>> [   83.809123]  ? vsnprintf+0x211/0x780
>>> [   83.809130]  ? pointer+0x560/0x560
>>> [   83.809137]  ? kasprintf+0x96/0xc0
>>> [   83.809141]  ? rcu_read_lock_sched_held+0x8f/0xa0
>>> [   83.809145]  ? __kmalloc_track_caller+0x2d7/0x330
>>> [   83.809152]  ? kvasprintf+0x8d/0x120
>>> [   83.809157]  ? bust_spinlocks+0x50/0x50
>>> [   83.809164]  ? mark_held_locks+0x8b/0xb0
>>> [   83.809173]  ? kasprintf+0x96/0xc0
>>> [   83.809177]  ? kvasprintf_const+0xb0/0xb0
>>> [   83.809184]  ? strlen+0x1f/0x40
>>> [   83.809194]  ? security_inode_getsecctx+0x101/0x240
>>> [   83.809200]  ? security_socket_getpeersec_dgram+0x90/0x90
>>> [   83.809204]  ? selinux_secctx_to_secid+0x20/0x20
>>> [   83.809209]  ? trace_hardirqs_on_caller+0x17f/0x260
>>> [   83.809215]  ? __lockdep_init_map+0x86/0x230
>>> [   83.809228]  ? kernfs_security_xattr_set+0x12f/0x1c0
>>> [   83.809233]  ? kernfs_iop_listxattr+0x90/0x90
>>> [   83.809244]  ? selinux_inode_setxattr+0x2e7/0x460
>>> [   83.809249]  ? xattr_resolve_name+0x107/0x180
>>> [   83.809256]  ? __vfs_setxattr+0xca/0x110
>>> [   83.809262]  ? xattr_resolve_name+0x180/0x180
>>> [   83.809270]  ? lock_acquire+0xca/0x1f0
>>> [   83.809277]  ? __vfs_setxattr_noperm+0x89/0x220
>>> [   83.809282]  ? security_inode_setxattr+0x79/0xc0
>>> [   83.809289]  ? vfs_setxattr+0x8d/0xb0
>>> [   83.809296]  ? setxattr+0x182/0x240
>>> [   83.809301]  ? vfs_setxattr+0xb0/0xb0
>>> [   83.809305]  ? kmem_cache_free+0x105/0x320
>>> [   83.809312]  ? filename_lookup.part.57+0x176/0x250
>>> [   83.809319]  ? filename_parentat.isra.55.part.56+0x250/0x250
>>> [   83.809323]  ? fs_reclaim_release.part.80+0x5/0x20
>>> [   83.809327]  ? match_held_lock+0x2e/0x240
>>> [   83.809334]  ? __lock_is_held+0x51/0xc0
>>> [   83.809346]  ? rcu_read_lock_sched_held+0x8f/0xa0
>>> [   83.809349]  ? rcu_sync_lockdep_assert+0x43/0x70
>>> [   83.809353]  ? __sb_start_write+0x171/0x1e0
>>> [   83.809356]  ? mnt_want_write+0x2d/0x70
>>> [   83.809360]  ? __mnt_want_write+0x98/0xd0
>>> [   83.809369]  ? path_setxattr+0x11b/0x130
>>> [   83.809376]  ? setxattr+0x240/0x240
>>> [   83.809381]  ? mark_held_locks+0x23/0xb0
>>> [   83.809386]  ? retint_user+0x18/0x18
>>> [   83.809389]  ? page_fault+0x8/0x30
>>> [   83.809397]  ? __x64_sys_lsetxattr+0x65/0x70
>>> [   83.809404]  ? do_syscall_64+0x78/0x270
>>> [   83.809409]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>>
>>> [   83.809429] Allocated by task 1:
>>> [   83.809434]  kasan_kmalloc+0xbf/0xe0
>>> [   83.809437]  __kmalloc+0x155/0x350
>>> [   83.809441]  context_struct_to_string+0x240/0x360
>>> [   83.809444]  security_sid_to_context_core.isra.14+0x110/0x160
>>>
>>> [   83.809450] Freed by task 1:
>>> [   83.809455]  __kasan_slab_free+0x125/0x170
>>> [   83.809458]  kfree+0xe5/0x2f0
>>> [   83.809461]  security_inode_getsecctx+0x20b/0x240
>>>
>>> [   83.809467] The buggy address belongs to the object at ffff8803bb3ad508
>>>                 which belongs to the cache kmalloc-32 of size 32
>>> [   83.809473] The buggy address is located 0 bytes inside of
>>>                 32-byte region [ffff8803bb3ad508, ffff8803bb3ad528)
>>> [   83.809478] The buggy address belongs to the page:
>>> [   83.809483] page:ffffea000eeceb00 count:1 mapcount:0 mapping:0000000000000000 index:0xffff8803bb3acc08 compound_mapcount: 0
>>> [   83.809492] flags: 0x17ffe000008100(slab|head)
>>> [   83.809498] raw: 0017ffe000008100 0000000000000000 ffff8803bb3acc08 000000010015000e
>>> [   83.809504] raw: ffffea000e76f920 ffff8803be803b00 ffff8803be80c6c0 0000000000000000
>>> [   83.809508] page dumped because: kasan: bad access detected
>>>
>>> [   83.809515] Memory state around the buggy address:
>>> [   83.809585]  ffff8803bb3ad400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>>> [   83.809589]  ffff8803bb3ad480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>>> [   83.809594] >ffff8803bb3ad500: fc fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
>>> [   83.809598]                       ^
>>> [   83.809603]  ffff8803bb3ad580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>>> [   83.809607]  ffff8803bb3ad600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>>> [   83.809611] ==================================================================
> 
> I haven't seen that one. What distro/version/architecture are you using?

Fedora 28 / x86_64

>>>
>>> Also, networking seems to be dead:
>>> [   94.522829] Failed to initialize the IGMP autojoin socket (err -13)
>>> [  125.507242] Failed to initialize the IGMP autojoin socket (err -13)
>>> [  150.543984] Failed to initialize the IGMP autojoin socket (err -13)
>>> [  156.194458] Failed to initialize the IGMP autojoin socket (err -13)
>>> [  157.371219] Failed to initialize the IGMP autojoin socket (err -13)
>>> [  175.536981] Failed to initialize the IGMP autojoin socket (err -13)
>>> [  183.049992] Failed to initialize the IGMP autojoin socket (err -13)
>>> [  183.185015] Failed to initialize the IGMP autojoin socket (err -13)
>>> [  200.545209] Failed to initialize the IGMP autojoin socket (err -13)
>>> [  225.555808] Failed to initialize the IGMP autojoin socket (err -13)
>>> [  232.142729] Failed to initialize the IGMP autojoin socket (err -13)
>>> [  233.085649] Failed to initialize the IGMP autojoin socket (err -13)
>>> [  250.571034] Failed to initialize the IGMP autojoin socket (err -13)
>>> [  275.592124] Failed to initialize the IGMP autojoin socket (err -13)
>>> [  300.606852] Failed to initialize the IGMP autojoin socket (err -13)
>>> [  325.616553] Failed to initialize the IGMP autojoin socket (err -13)
>>> [  328.875799] Failed to initialize the IGMP autojoin socket (err -13)
>>> [  350.645427] Failed to initialize the IGMP autojoin socket (err -13)
>>> [  375.654276] Failed to initialize the IGMP autojoin socket (err -13)
>>> [  400.668521] Failed to initialize the IGMP autojoin socket (err -13)
>>> [  425.685705] Failed to initialize the IGMP autojoin socket (err -13)
>>> [  450.709773] Failed to initialize the IGMP autojoin socket (err -13)
>>> [  475.725636] Failed to initialize the IGMP autojoin socket (err -13)
>>> [  500.736369] Failed to initialize the IGMP autojoin socket (err -13)
>>>
>>> And I can't bring up the interface.
> 
> What you're seeing is SELinux and Smack being unable to agree on the
> labeling for IP sockets. The socket() call is failing because
> SELinux and Smack want different CIPSO on the packets from the sockets.
> Paul and I discussed this at length, and in the end agreed that this is
> safe, if "inconvenient", behavior. I believe that a netlabel configuration
> that is useful is possible, but I don't have one to suggest just yet.
> 
> On Fedora25 and 27 the services using IP sockets eventually time out,
> after which I can successfully log on. Without being able to create sockets,
> it's tough to start the interfaces.

Hmm...SELinux shouldn't be doing anything with CIPSO by default (i.e. without additional config),
so why is there a conflict just when booting without any SELinux NetLabel configuration at all?

> 
>> NB Disabling Smack was sufficient to resolve both errors.  But CONFIG_SECURITY_STACKING was enabled in both cases,
>> as was CONFIG_SECURITY_SELINUX_STACKED.
> 
> I'll look into the stack trace. Thanks for reporting it.


--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

More information about the Linux-security-module-archive mailing list