[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH 28/32] selinux: Use mem_to_flex_dup() with xfrm and sidtab
- To: Kees Cook <keescook@xxxxxxxxxxxx>
- From: Paul Moore <paul@xxxxxxxxxxxxxx>
- Date: Thu, 5 May 2022 19:16:18 -0400
- Cc: "Gustavo A. R. Silva" <gustavoars@xxxxxxxxxx>, Steffen Klassert <steffen.klassert@xxxxxxxxxxx>, Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>, "David S. Miller" <davem@xxxxxxxxxxxxx>, Stephen Smalley <stephen.smalley.work@xxxxxxxxx>, Eric Paris <eparis@xxxxxxxxxxxxxx>, Nick Desaulniers <ndesaulniers@xxxxxxxxxx>, Xiu Jianfeng <xiujianfeng@xxxxxxxxxx>, Christian Göttsche <cgzones@xxxxxxxxxxxxxx>, netdev@xxxxxxxxxxxxxxx, selinux@xxxxxxxxxxxxxxx, Alexei Starovoitov <ast@xxxxxxxxxx>, alsa-devel@xxxxxxxxxxxxxxxx, Al Viro <viro@xxxxxxxxxxxxxxxxxx>, Andrew Gabbasov <andrew_gabbasov@xxxxxxxxxx>, Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>, Andy Gross <agross@xxxxxxxxxx>, Andy Lavr <andy.lavr@xxxxxxxxx>, Arend van Spriel <aspriel@xxxxxxxxx>, Baowen Zheng <baowen.zheng@xxxxxxxxxxxx>, Bjorn Andersson <bjorn.andersson@xxxxxxxxxx>, Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>, Bradley Grove <linuxdrivers@xxxxxxxxxxxx>, brcm80211-dev-list.pdl@xxxxxxxxxxxx, Christian Brauner <brauner@xxxxxxxxxx>, Christian Lamparter <chunkeey@xxxxxxxxxxxxxx>, Chris Zankel <chris@xxxxxxxxxx>, Cong Wang <cong.wang@xxxxxxxxxxxxx>, Daniel Axtens <dja@xxxxxxxxxx>, Daniel Vetter <daniel.vetter@xxxxxxxx>, Dan Williams <dan.j.williams@xxxxxxxxx>, David Gow <davidgow@xxxxxxxxxx>, David Howells <dhowells@xxxxxxxxxx>, Dennis Dalessandro <dennis.dalessandro@xxxxxxxxxxxxxxxxxxxx>, devicetree@xxxxxxxxxxxxxxx, Dexuan Cui <decui@xxxxxxxxxxxxx>, Dmitry Kasatkin <dmitry.kasatkin@xxxxxxxxx>, Eli Cohen <elic@xxxxxxxxxx>, Eric Dumazet <edumazet@xxxxxxxxxx>, Eugeniu Rosca <erosca@xxxxxxxxxxxxxx>, Felipe Balbi <balbi@xxxxxxxxxx>, Francis Laniel <laniel_francis@xxxxxxxxxxxxxxxxxxx>, Frank Rowand <frowand.list@xxxxxxxxx>, Franky Lin <franky.lin@xxxxxxxxxxxx>, Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>, Gregory Greenman <gregory.greenman@xxxxxxxxx>, Guenter Roeck <linux@xxxxxxxxxxxx>, Haiyang Zhang <haiyangz@xxxxxxxxxxxxx>, Hante Meuleman <hante.meuleman@xxxxxxxxxxxx>, Hulk Robot <hulkci@xxxxxxxxxx>, Jakub Kicinski <kuba@xxxxxxxxxx>, "James E.J. Bottomley" <jejb@xxxxxxxxxxxxx>, James Morris <jmorris@xxxxxxxxx>, Jarkko Sakkinen <jarkko@xxxxxxxxxx>, Jaroslav Kysela <perex@xxxxxxxx>, Jason Gunthorpe <jgg@xxxxxxxx>, Jens Axboe <axboe@xxxxxxxxx>, Johan Hedberg <johan.hedberg@xxxxxxxxx>, Johannes Berg <johannes.berg@xxxxxxxxx>, Johannes Berg <johannes@xxxxxxxxxxxxxxxx>, John Keeping <john@xxxxxxxxxxxx>, Juergen Gross <jgross@xxxxxxxx>, Kalle Valo <kvalo@xxxxxxxxxx>, Keith Packard <keithp@xxxxxxxxxx>, keyrings@xxxxxxxxxxxxxxx, kunit-dev@xxxxxxxxxxxxxxxx, Kuniyuki Iwashima <kuniyu@xxxxxxxxxxxx>, "K. Y. Srinivasan" <kys@xxxxxxxxxxxxx>, Lars-Peter Clausen <lars@xxxxxxxxxx>, Lee Jones <lee.jones@xxxxxxxxxx>, Leon Romanovsky <leon@xxxxxxxxxx>, Liam Girdwood <lgirdwood@xxxxxxxxx>, linux1394-devel@xxxxxxxxxxxxxxxxxxxxx, linux-afs@xxxxxxxxxxxxxxxxxxx, linux-arm-kernel@xxxxxxxxxxxxxxxxxxx, linux-arm-msm@xxxxxxxxxxxxxxx, linux-bluetooth@xxxxxxxxxxxxxxx, linux-hardening@xxxxxxxxxxxxxxx, linux-hyperv@xxxxxxxxxxxxxxx, linux-integrity@xxxxxxxxxxxxxxx, linux-rdma@xxxxxxxxxxxxxxx, linux-scsi@xxxxxxxxxxxxxxx, linux-security-module@xxxxxxxxxxxxxxx, linux-usb@xxxxxxxxxxxxxxx, linux-wireless@xxxxxxxxxxxxxxx, linux-xtensa@xxxxxxxxxxxxxxxx, llvm@xxxxxxxxxxxxxxx, Loic Poulain <loic.poulain@xxxxxxxxxx>, Louis Peens <louis.peens@xxxxxxxxxxxx>, Luca Coelho <luciano.coelho@xxxxxxxxx>, Luiz Augusto von Dentz <luiz.dentz@xxxxxxxxx>, Marc Dionne <marc.dionne@xxxxxxxxxxxx>, Marcel Holtmann <marcel@xxxxxxxxxxxx>, Mark Brown <broonie@xxxxxxxxxx>, "Martin K. Petersen" <martin.petersen@xxxxxxxxxx>, Max Filippov <jcmvbkbc@xxxxxxxxx>, Mimi Zohar <zohar@xxxxxxxxxxxxx>, Muchun Song <songmuchun@xxxxxxxxxxxxx>, Nathan Chancellor <nathan@xxxxxxxxxx>, Nuno Sá <nuno.sa@xxxxxxxxxx>, Paolo Abeni <pabeni@xxxxxxxxxx>, Rich Felker <dalias@xxxxxxxxxx>, Rob Herring <robh+dt@xxxxxxxxxx>, Russell King <linux@xxxxxxxxxxxxxxx>, "Serge E. Hallyn" <serge@xxxxxxxxxx>, SHA-cyfmac-dev-list@xxxxxxxxxxxx, Simon Horman <simon.horman@xxxxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Stefan Richter <stefanr@xxxxxxxxxxxxxxxxx>, Stephen Hemminger <sthemmin@xxxxxxxxxxxxx>, Tadeusz Struk <tadeusz.struk@xxxxxxxxxx>, Takashi Iwai <tiwai@xxxxxxxx>, Tom Rix <trix@xxxxxxxxxx>, Udipto Goswami <quic_ugoswami@xxxxxxxxxxx>, Vincenzo Frascino <vincenzo.frascino@xxxxxxx>, wcn36xx@xxxxxxxxxxxxxxxxxxx, Wei Liu <wei.liu@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, Yang Yingliang <yangyingliang@xxxxxxxxxx>
- Delivery-date: Fri, 06 May 2022 05:17:54 +0000
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On Thu, May 5, 2022 at 2:39 PM Kees Cook <keescook@xxxxxxxxxxxx> wrote:
> On Wed, May 04, 2022 at 11:14:42PM -0400, Paul Moore wrote:
> > On Wed, May 4, 2022 at 7:34 PM Gustavo A. R. Silva
> > <gustavoars@xxxxxxxxxx> wrote:
> > >
> > > Hi Paul,
> > >
> > > On Wed, May 04, 2022 at 06:57:28PM -0400, Paul Moore wrote:
> > > > On Tue, May 3, 2022 at 9:57 PM Kees Cook <keescook@xxxxxxxxxxxx> wrote:
> > >
> > > [..]
> > >
> > > > > +++ b/include/uapi/linux/xfrm.h
> > > > > @@ -31,9 +31,9 @@ struct xfrm_id {
> > > > > struct xfrm_sec_ctx {
> > > > > __u8 ctx_doi;
> > > > > __u8 ctx_alg;
> > > > > - __u16 ctx_len;
> > > > > + __DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(__u16, ctx_len);
> > > > > __u32 ctx_sid;
> > > > > - char ctx_str[0];
> > > > > + __DECLARE_FLEX_ARRAY_ELEMENTS(char, ctx_str);
> > > > > };
> > > >
> > > > While I like the idea of this in principle, I'd like to hear about the
> > > > testing you've done on these patches. A previous flex array
> > > > conversion in the audit uapi headers ended up causing a problem with
> > >
> > > I'm curious about which commit caused those problems...?
> >
> > Commit ed98ea2128b6 ("audit: replace zero-length array with
> > flexible-array member"), however, as I said earlier, the problem was
> > actually with SWIG, it just happened to be triggered by the kernel
> > commit. There was a brief fedora-devel mail thread about the problem,
> > see the link below:
> >
> > * https://www.spinics.net/lists/fedora-devel/msg297991.html
>
> Wow, that's pretty weird -- it looks like SWIG was scraping the headers
> to build its conversions? I assume SWIG has been fixed now?
I honestly don't know, the audit userspace was hacking around it with
some header file duplication/munging last I heard, but I try to avoid
having to touch Steve's audit userspace code.
> > To reiterate, I'm supportive of changes like this, but I would like to
> > hear how it was tested to ensure there are no unexpected problems with
> > userspace. If there are userspace problems it doesn't mean we can't
> > make changes like this, it just means we need to ensure that the
> > userspace issues are resolved first.
>
> Well, as this is the first and only report of any problems with [0] -> []
> conversions (in UAPI or anywhere) that I remember seeing, and they've
> been underway since at least v5.9, I hadn't been doing any new testing.
... and for whatever it is worth, I wasn't expecting it to be a
problem either. Surprise :)
> So, for this case, I guess I should ask what tests you think would be
> meaningful here? Anything using #include should be fine:
> https://codesearch.debian.net/search?q=linux%2Fxfrm.h&literal=1&perpkg=1
> Which leaves just this, which may be doing something weird:
>
> libabigail_2.0-1/tests/data/test-diff-filter/test-PR27569-v0.abi
> </data-member>
> <data-member access="public" layout-offset-in-bits="128">
> <var-decl name="seq_hi" type-id="3f1a6b60" visibility="default"
> filepath="include/uapi/linux/xfrm.h" line="97" column="1"/>
> </data-member>
> <data-member access="public" layout-offset-in-bits="160">
>
> But I see that SWIG doesn't show up in a search for linux/audit.h:
> https://codesearch.debian.net/search?q=linux%2Faudit.h&literal=1&perpkg=1
>
> So this may not be a sufficient analysis...
I think from a practical perspective ensuring that the major IPsec/IKE
tools, e.g. the various *SWANs, that know about labeled IPSec still
build and can set/get the SA/SPD labels correctly would be sufficient.
I seriously doubt there would be any problems, but who knows.
--
paul-moore.com
|
