security: shmem: implement kernel private shmem inodes

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

We have a problem where the big_key key storage implementation uses a
shmem backed inode to hold the key contents. Because of this detail of
implementation LSM checks are being done between processes trying to
read the keys and the tmpfs backed inode. The LSM checks are already
being handled on the key interface level and should not be enforced at
the inode level (since the inode is an implementation detail, not a
part of the security model)

This patch implements a new function shmem_kernel_file_setup() which
returns the equivalent to shmem_file_setup() only the underlying inode
has S_PRIVATE set. This means that all LSM checks for the inode in
question are skipped. It should only be used for kernel internal
operations where the inode is not exposed to userspace without proper
LSM checking. It is possible that some other users of
shmem_file_setup() should use the new interface, but this has not been
explored.

Reproducing this bug is a little bit difficult. The steps I used on
Fedora are:

(1) Turn off selinux enforcing:

setenforce 0

(2) Create a huge key

k=`dd if=/dev/zero bs=8192 count=1 | keyctl padd big_key test-key @s`

(3) Access the key in another context:

runcon system_u:system_r:httpd_t:s0-s0:c0.c1023 keyctl print $k >/dev/null

(4) Examine the audit logs:

ausearch -m AVC -i --subject httpd_t | audit2allow

If the last command's output includes a line that looks like:

allow httpd_t user_tmpfs_t:file { open read };

There was an inode check between httpd and the tmpfs filesystem. With
this patch no such denial will be seen. (NOTE! you should clear your
audit log if you have tested for this previously)

(Please return you box to enforcing)

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Hugh Dickins <hughd@google.com>
cc: linux-mm@kvack.org

authored by

Eric Paris and committed by

David Howells 12 years ago c7277090 9c5e45df

+32 -8

3 changed files

expand all

include

linux

shmem_fs.h

shmem.c

security

keys

big_key.c

include/linux/shmem_fs.h

··· 47 47 extern int shmem_fill_super(struct super_block *sb, void *data, int silent); 48 48 extern struct file *shmem_file_setup(const char *name, 49 49 loff_t size, unsigned long flags); 50 + extern struct file *shmem_kernel_file_setup(const char *name, loff_t size, 51 + unsigned long flags); 50 52 extern int shmem_zero_setup(struct vm_area_struct *); 51 53 extern int shmem_lock(struct file *file, int lock, struct user_struct *user); 52 54 extern void shmem_unlock_mapping(struct address_space *mapping);

+29 -7

mm/shmem.c

··· 2918 2918 .d_dname = simple_dname 2919 2919 }; 2920 2920 2921 - /** 2922 - * shmem_file_setup - get an unlinked file living in tmpfs 2923 - * @name: name for dentry (to be seen in /proc/<pid>/maps 2924 - * @size: size to be set for the file 2925 - * @flags: VM_NORESERVE suppresses pre-accounting of the entire object size 2926 - */ 2927 - struct file *shmem_file_setup(const char *name, loff_t size, unsigned long flags) 2921 + static struct file *__shmem_file_setup(const char *name, loff_t size, 2922 + unsigned long flags, unsigned int i_flags) 2928 2923 { 2929 2924 struct file *res; 2930 2925 struct inode *inode; ··· 2952 2957 if (!inode) 2953 2958 goto put_dentry; 2954 2959 2960 + inode->i_flags |= i_flags; 2955 2961 d_instantiate(path.dentry, inode); 2956 2962 inode->i_size = size; 2957 2963 clear_nlink(inode); /* It is unlinked */ ··· 2972 2976 put_memory: 2973 2977 shmem_unacct_size(flags, size); 2974 2978 return res; 2979 + } 2980 + 2981 + /** 2982 + * shmem_kernel_file_setup - get an unlinked file living in tmpfs which must be 2983 + * kernel internal. There will be NO LSM permission checks against the 2984 + * underlying inode. So users of this interface must do LSM checks at a 2985 + * higher layer. The one user is the big_key implementation. LSM checks 2986 + * are provided at the key level rather than the inode level. 2987 + * @name: name for dentry (to be seen in /proc/<pid>/maps 2988 + * @size: size to be set for the file 2989 + * @flags: VM_NORESERVE suppresses pre-accounting of the entire object size 2990 + */ 2991 + struct file *shmem_kernel_file_setup(const char *name, loff_t size, unsigned long flags) 2992 + { 2993 + return __shmem_file_setup(name, size, flags, S_PRIVATE); 2994 + } 2995 + 2996 + /** 2997 + * shmem_file_setup - get an unlinked file living in tmpfs 2998 + * @name: name for dentry (to be seen in /proc/<pid>/maps 2999 + * @size: size to be set for the file 3000 + * @flags: VM_NORESERVE suppresses pre-accounting of the entire object size 3001 + */ 3002 + struct file *shmem_file_setup(const char *name, loff_t size, unsigned long flags) 3003 + { 3004 + return __shmem_file_setup(name, size, flags, 0); 2975 3005 } 2976 3006 EXPORT_SYMBOL_GPL(shmem_file_setup); 2977 3007

+1 -1

security/keys/big_key.c

··· 70 70 * 71 71 * TODO: Encrypt the stored data with a temporary key. 72 72 */ 73 - file = shmem_file_setup("", datalen, 0); 73 + file = shmem_kernel_file_setup("", datalen, 0); 74 74 if (IS_ERR(file)) { 75 75 ret = PTR_ERR(file); 76 76 goto err_quota;