[PATCH] vsock: use ns_capable_noaudit() on socket create

2020-10-23 Thread Jeff Vander Stoep
During __vsock_create() CAP_NET_ADMIN is used to determine if the
vsock_sock->trusted should be set to true. This value is used later
for determining if a remote connection should be allowed to connect
to a restricted VM. Unfortunately, if the caller doesn't have
CAP_NET_ADMIN, an audit message such as an SELinux denial is
generated even if the caller does not want a trusted socket.

Logging errors on success is confusing. To avoid this, switch the
capable(CAP_NET_ADMIN) check to the noaudit version.

Reported-by: Roman Kiryanov 
https://android-review.googlesource.com/c/device/generic/goldfish/+/1468545/
Signed-off-by: Jeff Vander Stoep 
---
 net/vmw_vsock/af_vsock.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
index 9e93bc201cc0..b4d7b8aba003 100644
--- a/net/vmw_vsock/af_vsock.c
+++ b/net/vmw_vsock/af_vsock.c
@@ -739,7 +739,7 @@ static struct sock *__vsock_create(struct net *net,
vsk->buffer_min_size = psk->buffer_min_size;
vsk->buffer_max_size = psk->buffer_max_size;
} else {
-   vsk->trusted = capable(CAP_NET_ADMIN);
+   vsk->trusted = ns_capable_noaudit(_user_ns, CAP_NET_ADMIN);
vsk->owner = get_current_cred();
vsk->connect_timeout = VSOCK_DEFAULT_CONNECT_TIMEOUT;
vsk->buffer_size = VSOCK_DEFAULT_BUFFER_SIZE;
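
Review bot: the first argument on the `+` line reads `_user_ns`, which is not declared anywhere in the visible context of __vsock_create(). capable() checks the capability against the initial user namespace, so the replacement should pass `&init_user_ns` to keep the scope of the check unchanged. The commit body should also say that the namespace is intentionally the same as before, since the subject names ns_capable_noaudit() while the body only mentions switching to the noaudit version.
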
-- 
2.29.0.rc2.309.g374f81d7ae-goog



[PATCH 2/2] security, perf: Add config option to restrict perf_event_open

2016-07-27 Thread Jeff Vander Stoep
When CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y kernel.perf_event_paranoid
sysctl will be set to 3 by default, and no unprivileged use of the
perf_event_open syscall will be permitted unless it is changed.

This new level of restriction is intended to reduce the attack
surface of the kernel. It allows for a safe default to be set on
production systems at build time while leaving a simple means for
developers to grant access.

Signed-off-by: Jeff Vander Stoep <je...@google.com>
---
 Documentation/sysctl/kernel.txt | 3 ++-
 kernel/events/core.c            | 4 ++++
 security/Kconfig                | 9 +++++++++
 3 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt
index fac9798..52daff6 100644
--- a/Documentation/sysctl/kernel.txt
+++ b/Documentation/sysctl/kernel.txt
@@ -659,7 +659,8 @@ allowed to execute.
 perf_event_paranoid:
 
 Controls use of the performance events system by unprivileged
-users (without CAP_SYS_ADMIN).  The default value is 2.
+users (without CAP_SYS_ADMIN).  The default value is 3 if
+CONFIG_SECURITY_PERF_EVENTS_RESTRICT is set, or 2 otherwise.
 
  -1: Allow use of (almost) all events by all users
 >=0: Disallow raw tracepoint access by users without CAP_IOC_LOCK
diff --git a/kernel/events/core.c b/kernel/events/core.c
index 52bd100..df9df87 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -355,7 +355,11 @@ static struct srcu_struct pmus_srcu;
  *   2 - disallow kernel profiling for unpriv
  *   3 - disallow all unpriv perf event use
  */
+#ifdef CONFIG_SECURITY_PERF_EVENTS_RESTRICT
+int sysctl_perf_event_paranoid __read_mostly = 3;
+#else
 int sysctl_perf_event_paranoid __read_mostly = 2;
+#endif
 
 /* Minimum for 512 kiB + 1 user control page */
 int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 
'free' kiB per user */
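
Review bot: the `#ifdef`/`#else` around the initializer duplicates the definition of sysctl_perf_event_paranoid, and the two copies can drift apart. A single definition such as `int sysctl_perf_event_paranoid __read_mostly = IS_ENABLED(CONFIG_SECURITY_PERF_EVENTS_RESTRICT) ? 3 : 2;` avoids that. The comment block above lists the levels but not which one is the default under each configuration; one line there would keep the code and Documentation/sysctl/kernel.txt in step.
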
diff --git a/security/Kconfig b/security/Kconfig
index df28f2b..2a93551 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -18,6 +18,15 @@ config SECURITY_DMESG_RESTRICT
 
  If you are unsure how to answer this question, answer N.
 
+config SECURITY_PERF_EVENTS_RESTRICT
+   bool "Restrict unprivileged use of performance events"
+   depends on PERF_EVENTS
+   help
+ If you say Y here, the kernel.perf_event_paranoid sysctl
+ will be set to 3 by default, and no unprivileged use of the
+ perf_event_open syscall will be permitted unless it is
+ changed.
+
 config SECURITY
bool "Enable different security models"
depends on SYSFS
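
Review bot: the help text for SECURITY_PERF_EVENTS_RESTRICT gives no guidance on which answer to pick, unlike the entry just above it, which ends with "If you are unsure how to answer this question, answer N." Add the equivalent sentence, and spell out that the option only selects the boot-time default and that kernel.perf_event_paranoid can still be changed at runtime, which is what "unless it is changed" is pointing at.
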
-- 
2.8.0.rc3.226.g39d4020



[PATCH 1/2] security, perf: allow further restriction of perf_event_open

2016-07-27 Thread Jeff Vander Stoep
When kernel.perf_event_paranoid is set to 3 (or greater), disallow
all access to performance events by users without CAP_SYS_ADMIN.

This new level of restriction is intended to reduce the attack
surface of the kernel. Perf is a valuable tool for developers but
is generally unnecessary and unused on production systems. Perf may
open up an attack vector to vulnerable device-specific drivers as
recently demonstrated in CVE-2016-0805, CVE-2016-0819,
CVE-2016-0843, CVE-2016-3768, and CVE-2016-3843. This new level of
restriction allows for a safe default to be set on production systems
while leaving a simple means for developers to grant access [1].

This feature is derived from CONFIG_GRKERNSEC_PERF_HARDEN by Brad
Spengler. It is based on a patch by Ben Hutchings [2]. Ben's patches
have been modified and split up to address on-list feedback.

kernel.perf_event_paranoid=3 is the default on both Debian [2] and
Android [3].

[1] Making perf available to developers on Android:
https://android-review.googlesource.com/#/c/234400/
[2] Original patch by Ben Hutchings:
https://lkml.org/lkml/2016/1/11/587
[3] https://android-review.googlesource.com/#/c/234743/

Signed-off-by: Jeff Vander Stoep <je...@google.com>
---
 Documentation/sysctl/kernel.txt | 1 +
 include/linux/perf_event.h      | 5 +++++
 kernel/events/core.c            | 4 ++++
 3 files changed, 10 insertions(+)

diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt
index ffab8b5..fac9798 100644
--- a/Documentation/sysctl/kernel.txt
+++ b/Documentation/sysctl/kernel.txt
@@ -665,6 +665,7 @@ users (without CAP_SYS_ADMIN).  The default value is 2.
 >=0: Disallow raw tracepoint access by users without CAP_IOC_LOCK
 >=1: Disallow CPU event access by users without CAP_SYS_ADMIN
 >=2: Disallow kernel profiling by users without CAP_SYS_ADMIN
+>=3: Disallow all event access by users without CAP_SYS_ADMIN
 
 ==
 
diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
index 8ed43261..1e2080f 100644
--- a/include/linux/perf_event.h
+++ b/include/linux/perf_event.h
@@ -1156,6 +1156,11 @@ static inline bool perf_paranoid_kernel(void)
return sysctl_perf_event_paranoid > 1;
 }
 
+static inline bool perf_paranoid_any(void)
+{
+   return sysctl_perf_event_paranoid > 2;
+}
+
 extern void perf_event_init(void);
 extern void perf_tp_event(u16 event_type, u64 count, void *record,
  int entry_size, struct pt_regs *regs,
diff --git a/kernel/events/core.c b/kernel/events/core.c
index 356a6c7..52bd100 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -353,6 +353,7 @@ static struct srcu_struct pmus_srcu;
  *   0 - disallow raw tracepoint access for unpriv
  *   1 - disallow cpu events for unpriv
  *   2 - disallow kernel profiling for unpriv
+ *   3 - disallow all unpriv perf event use
  */
 int sysctl_perf_event_paranoid __read_mostly = 2;
 
@@ -9296,6 +9297,9 @@ SYSCALL_DEFINE5(perf_event_open,
if (flags & ~PERF_FLAG_ALL)
return -EINVAL;
 
+   if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN))
+   return -EACCES;
+
err = perf_copy_attr(attr_uptr, );
if (err)
return err;
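
Review bot: the new `perf_paranoid_any() && !capable(CAP_SYS_ADMIN)` check in perf_event_open has no comment explaining its position, which is after the flags validation but before perf_copy_attr(). That ordering means an unprivileged caller at level 3 is rejected before any of the user-supplied attr is parsed, which is what delivers the attack-surface reduction the commit message describes. A one-line comment saying so would stop a later cleanup from moving the check below the copy.
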
-- 
2.8.0.rc3.226.g39d4020



[PATCH v2] arm64 Kconfig: Move LIST_POISON to a safe value

2015-08-18 Thread Jeff Vander Stoep
Move the poison pointer offset to 0xdead, a
recognized value that is not mappable by user-space exploits.

Signed-off-by: Thierry Strudel 
Signed-off-by: Jeff Vander Stoep 
---
v2 removes an extra newline.

 arch/arm64/Kconfig | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 318175f..8f1789c 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -104,6 +104,10 @@ config NO_IOPORT_MAP
 config STACKTRACE_SUPPORT
def_bool y
 
+config ILLEGAL_POINTER_VALUE
+   hex
+   default 0xdead
+
 config LOCKDEP_SUPPORT
def_bool y
 
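Review bot: the new ILLEGAL_POINTER_VALUE entry carries no comment, so the reason for the chosen default is recorded only in the commit message. A comment line above `config ILLEGAL_POINTER_VALUE` stating that the value is picked because user space cannot map it would keep that rationale next to the setting.
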
-- 
2.5.0.276.gf5e568e

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/


[PATCH] arm64 Kconfig: Move LIST_POISON to a safe value

2015-08-18 Thread Jeff Vander Stoep
Move the poison pointer offset to 0xdead, a
recognized value that is not mappable by user-space exploits.

Signed-off-by: Jeff Vander Stoep 
---
 arch/arm64/Kconfig | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 9532f8d..c003911 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -91,6 +91,11 @@ config NO_IOPORT_MAP
 config STACKTRACE_SUPPORT
def_bool y
 
+config ILLEGAL_POINTER_VALUE
+   hex
+   default 0xdead
+
+
 config LOCKDEP_SUPPORT
def_bool y
 
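Review bot: the hunk adds two consecutive blank lines after `default 0xdead`, while the neighbouring entries (STACKTRACE_SUPPORT, LOCKDEP_SUPPORT) are separated by a single one. Drop the second blank line so the file keeps its one-line spacing between config entries.
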
-- 
2.5.0.rc2.392.g76e840b

[PATCH] mm: reorder can_do_mlock to fix audit denial

2015-03-02 Thread Jeff Vander Stoep
A userspace call to mmap(MAP_LOCKED) may result in the successful
locking of memory while also producing a confusing audit log denial.
can_do_mlock checks capable and rlimit. If either of these returns
positive, can_do_mlock returns true. The capable check leads to an LSM
hook used by AppArmor and SELinux, which produce the audit denial.
Reordering so rlimit is checked first eliminates the denial on success,
only recording a denial when the lock is unsuccessful as a result of
the denial.

Signed-off-by: Jeff Vander Stoep 
---
 mm/mlock.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/mm/mlock.c b/mm/mlock.c
index 73cf098..8a54cd2 100644
--- a/mm/mlock.c
+++ b/mm/mlock.c
@@ -26,10 +26,10 @@
 
 int can_do_mlock(void)
 {
-   if (capable(CAP_IPC_LOCK))
-   return 1;
if (rlimit(RLIMIT_MEMLOCK) != 0)
return 1;
+   if (capable(CAP_IPC_LOCK))
+   return 1;
return 0;
 }
 EXPORT_SYMBOL(can_do_mlock);
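
Review bot: nothing in can_do_mlock() records why the rlimit test now comes before `capable(CAP_IPC_LOCK)`, so the order looks arbitrary and could be swapped back by a later cleanup. Add a short comment above the rlimit check saying that capable() is called last because it reaches an LSM hook that logs a denial, and that it should only run when the rlimit alone does not permit the lock.
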
-- 
2.2.0.rc0.207.ga3a616c

[PATCH] avc: remove unnecessary pointer reassignment

2015-02-26 Thread Jeff Vander Stoep
Commit f01e1af445fa ("selinux: don't pass in NULL avd to avc_has_perm_noaudit")
made this pointer reassignment unnecessary. Avd should continue to reference
the stack-based copy.

Signed-off-by: Jeff Vander Stoep 
---
 security/selinux/avc.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index afcc0ae..3c17dda 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -724,12 +724,10 @@ inline int avc_has_perm_noaudit(u32 ssid, u32 tsid,
rcu_read_lock();
 
node = avc_lookup(ssid, tsid, tclass);
-   if (unlikely(!node)) {
+   if (unlikely(!node))
node = avc_compute_av(ssid, tsid, tclass, avd);
-   } else {
+   else
memcpy(avd, >ae.avd, sizeof(*avd));
-   avd = >ae.avd;
-   }
 
denied = requested & ~(avd->allowed);
if (unlikely(denied))
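
Review bot: the commit message does not say what goes wrong, if anything, when `avd` is repointed into the cache node in the else branch, so a reader cannot tell whether this is pure cleanup or a fix. With the assignment gone, `avd->allowed` after the hunk is always read from the caller's buffer rather than from data reached through `node`, which is looked up under the rcu_read_lock() shown at the top of the hunk. State in the message whether any use of `avd` happens after the RCU read section ends, since that decides whether the change needs backporting.
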
-- 
2.2.0.rc0.207.ga3a616c
