"value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, lockdown, audit: Fix buggy SELinux lockdown permission checks\n\nCommit 59438b46471a (\"security,lockdown,selinux: implement SELinux lockdown\")\nadded an implementation of the locked_down LSM hook to SELinux, with the aim\nto restrict which domains are allowed to perform operations that would breach\nlockdown. This is indirectly also getting audit subsystem involved to report\nevents. The latter is problematic, as reported by Ondrej and Serhei, since it\ncan bring down the whole system via audit:\n\n 1) The audit events that are triggered due to calls to security_locked_down()\n can OOM kill a machine, see below details [0].\n\n 2) It also seems to be causing a deadlock via avc_has_perm()/slow_avc_audit()\n when trying to wake up kauditd, for example, when using trace_sched_switch()\n tracepoint, see details in [1]. Triggering this was not via some hypothetical\n corner case, but with existing tools like runqlat & runqslower from bcc, for\n example, which make use of this tracepoint. Rough call sequence goes like:\n\n rq_lock(rq) -> -------------------------+\n trace_sched_switch() -> |\n bpf_prog_xyz() -> +-> deadlock\n selinux_lockdown() -> |\n audit_log_end() -> |\n wake_up_interruptible() -> |\n try_to_wake_up() -> |\n rq_lock(rq) --------------+\n\nWhat's worse is that the intention of 59438b46471a to further restrict lockdown\nsettings for specific applications in respect to the global lockdown policy is\ncompletely broken for BPF. The SELinux policy rule for the current lockdown check\nlooks something like this:\n\n allow <who> <who> : lockdown { <reason> };\n\nHowever, this doesn't match with the 'current' task where the security_locked_down()\nis executed, example: httpd does a syscall. There is a tracing program attached\nto the syscall which triggers a BPF program to run, which ends up doing a\nbpf_probe_read_kernel{,_str}() helper call. The selinux_lockdown() hook does\nthe permission check against 'current', that is, httpd in this example. httpd\nhas literally zero relation to this tracing program, and it would be nonsensical\nhaving to write an SELinux policy rule against httpd to let the tracing helper\npass. The policy in this case needs to be against the entity that is installing\nthe BPF program. For example, if bpftrace would generate a histogram of syscall\ncounts by user space application:\n\n bpftrace -e 'tracepoint:raw_syscalls:sys_enter { @[comm] = count(); }'\n\nbpftrace would then go and generate a BPF program from this internally. One way\nof doing it [for the sake of the example] could be to call bpf_get_current_task()\nhelper and then access current->comm via one of bpf_probe_read_kernel{,_str}()\nhelpers. So the program itself has nothing to do with httpd or any other random\napp doing a syscall here. The BPF program _explicitly initiated_ the lockdown\ncheck. The allow/deny policy belongs in the context of bpftrace: meaning, you\nwant to grant bpftrace access to use these helpers, but other tracers on the\nsystem like my_random_tracer _not_.\n\nTherefore fix all three issues at the same time by taking a completely different\napproach for the security_locked_down() hook, that is, move the check into the\nprogram verification phase where we actually retrieve the BPF func proto. This\nalso reliably gets the task (current) that is trying to install the BPF tracing\nprogram, e.g. bpftrace/bcc/perf/systemtap/etc, and it also fixes the OOM since\nwe're moving this out of the BPF helper's fast-path which can be called several\nmillions of times per second.\n\nThe check is then also in line with other security_locked_down() hooks in the\nsystem where the enforcement is performed at open/load time, for example,\nopen_kcore() for /proc/kcore access or module_sig_check() for module signatures\njust to pick f\n---truncated---"
"value":"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: bpf, bloqueo, auditor\u00eda: se corrigieron las comprobaciones de permisos de bloqueo de SELinux con errores. El commit 59438b46471a (\"seguridad, bloqueo, selinux: implementar bloqueo de SELinux\")agreg\u00f3unaimplementaci\u00f3ndelganchoLSMlock_downaSELinux.conelobjetivoderestringirqu\u00e9dominiospuedenrealizaroperacionesqueviolar\u00edanelbloqueo.Indirectamente,estotambi\u00e9nimplicainvolucraralsubsistemadeauditor\u00edaparainformareventos.Esto\u00faltimoesproblem\u00e1tico,comoinformaronOndrejySerhei,yaquepuedehacercaertodoelsistemaatrav\u00e9sdeunaauditor\u00eda:1)Loseventosdeauditor\u00edaqueseactivandebidoallamadasasecurity_locked_down()puedenOOMmatarunam\u00e1quina,vealosdetallesacontinuaci\u00f3n[0].2)Tambi\u00e9npareceestarcausandounpuntomuertoatrav\u00e9sdeavc_has_perm()/slow_avc_audit()cuandoseintentaactivarkauditd,porejemplo,cuandoseusaelpuntodeseguimientotrace_sched_switch(),consultelosdetallesen[1].Estonoseactiv\u00f3atrav\u00e9sdealg\u00fancasohipot\u00e9ticodeesquina,sinoconherramientasexistentescomorunqlatyrunqslowerdebcc,porejemplo,quehacenusodeestepuntodeseguimiento.Lasecuenciadellamadaaproximadaesas\u00ed:rq_lock(rq)->-------------------------+trace_sched_switch()->|bpf_prog_xyz()->+->puntomuertoselinux_lockdown()->|audit_log_end()->|wake_up_interruptible()->|try_to_wake_up()->|rq_lock(rq)--------------+Loqueespeoresquelaintenci\u00f3nde59438b46471aderestringira\u00fanm\u00e1slaconfiguraci\u00f3ndebloqueoparaaplicacionesespec\u00edficasconrespectoalapol\u00edticadebloqueoglobalnoesv\u00e1lidaparaBPF.Laregladepol\u00edticadeSELinuxparalaverificaci\u00f3ndebloqueoactualsepareceaesto:permitir:bloqueo{};Sinembargo,estonocoincideconlatarea'actual'dondeseejecutasecurity_locked_down(),ejemplo:httpdrealizaunallamadaalsistema.Hayunprogramadeseguimientoadjuntoalallamadaalsistemaqueactivalaejecuci\u00f3ndeunprogramaBPF,queterminarealizandounallamadadeayudabpf_probe_read_kernel{,_str}().Elganchoselinux_lockdown()realizalaverificaci\u00f3ndepermisosconrespectoa'actual',esdecir,httpdenesteejemplo.httpdtieneliteralmentecerorelaci\u00f3nconesteprogramaderastreo,ynotendr\u00edasentidotenerqueescribirunaregladepol\u00edticaSELinuxcontrahttpdparapermitirquepaseelasistentederastreo.Lapol\u00edticaenestecasodebesercontralaentidadqueest\u00e1instalandoelprogramaBPF.Porejemplo,sibpftracegeneraraunhistogramaderecuentosdellamadasalsistemaporaplicaci\u00f3ndeespaciodeusuario:bpftrace-e'tracepoint:raw_syscalls:sys_enter{@[comm]=count();}'bpftraceluegogenerar\u00edaunprogramaBPFapartirdeestointernamente.Unaformadehacerlo[porelbiendelejemplo]podr\u00edaserllamaralasistentebpf_get_current_task()yluegoaccederacurrent->commatrav\u00e9sdeunodelosasistentesbpf_probe_read_kernel{,_str}().Entonces,elprogramaens\u00ednotienenadaqueverconhttpdocualquierotraaplicaci\u00f3naleatoriaquerealiceunallamadaalsistemaaqu\u00ed.ElprogramaBPF_inici\u00f3expl\u00edcitamente_laverificaci\u00f3ndelbloqueo.Lapol\u00edticadepermitir/denegarpertenecealcontextodebpftrace:esdecir,deseaotorgaraccesoabpftraceparausarestosasistentes,perootrosrastreadoresenelsistemacomomy_random_tracer_no_.Porlotanto,solucionelostresproblemasalmismotiempoadoptandounenfoquecompletamentediferenteparaelenlacesecurity_locked_down(),esdecir,muevalaverificaci\u00f3nalafasedeverificaci\u00f3ndelprogramadonderealmenterecuperamoselprotocolodefunci\u00f3nBPF.Estotambi\u00e9nobtienedemaneraconfiablelatarea(actual)queest\u00e1intentandoinstalarelprogram
