mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-12-28 16:56:26 +00:00
417c5643cd
LSM hooks are currently invoked from a linked list as indirect calls
which are invoked using retpolines as a mitigation for speculative
attacks (Branch History / Target injection) and add extra overhead which
is especially bad in kernel hot paths:
security_file_ioctl:
0xff...0320 <+0>: endbr64
0xff...0324 <+4>: push %rbp
0xff...0325 <+5>: push %r15
0xff...0327 <+7>: push %r14
0xff...0329 <+9>: push %rbx
0xff...032a <+10>: mov %rdx,%rbx
0xff...032d <+13>: mov %esi,%ebp
0xff...032f <+15>: mov %rdi,%r14
0xff...0332 <+18>: mov $0xff...7030,%r15
0xff...0339 <+25>: mov (%r15),%r15
0xff...033c <+28>: test %r15,%r15
0xff...033f <+31>: je 0xff...0358 <security_file_ioctl+56>
0xff...0341 <+33>: mov 0x18(%r15),%r11
0xff...0345 <+37>: mov %r14,%rdi
0xff...0348 <+40>: mov %ebp,%esi
0xff...034a <+42>: mov %rbx,%rdx
0xff...034d <+45>: call 0xff...2e0 <__x86_indirect_thunk_array+352>
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Indirect calls that use retpolines leading to overhead, not just due
to extra instruction but also branch misses.
0xff...0352 <+50>: test %eax,%eax
0xff...0354 <+52>: je 0xff...0339 <security_file_ioctl+25>
0xff...0356 <+54>: jmp 0xff...035a <security_file_ioctl+58>
0xff...0358 <+56>: xor %eax,%eax
0xff...035a <+58>: pop %rbx
0xff...035b <+59>: pop %r14
0xff...035d <+61>: pop %r15
0xff...035f <+63>: pop %rbp
0xff...0360 <+64>: jmp 0xff...47c4 <__x86_return_thunk>
The indirect calls are not really needed as one knows the addresses of
enabled LSM callbacks at boot time and only the order can possibly
change at boot time with the lsm= kernel command line parameter.
An array of static calls is defined per LSM hook and the static calls
are updated at boot time once the order has been determined.
With the hook now exposed as a static call, one can see that the
retpolines are no longer there and the LSM callbacks are invoked
directly:
security_file_ioctl:
0xff...0ca0 <+0>: endbr64
0xff...0ca4 <+4>: nopl 0x0(%rax,%rax,1)
0xff...0ca9 <+9>: push %rbp
0xff...0caa <+10>: push %r14
0xff...0cac <+12>: push %rbx
0xff...0cad <+13>: mov %rdx,%rbx
0xff...0cb0 <+16>: mov %esi,%ebp
0xff...0cb2 <+18>: mov %rdi,%r14
0xff...0cb5 <+21>: jmp 0xff...0cc7 <security_file_ioctl+39>
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Static key enabled for SELinux
0xffffffff818f0cb7 <+23>: jmp 0xff...0cde <security_file_ioctl+62>
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Static key enabled for BPF LSM. This is something that is changed to
default to false to avoid the existing side effect issues of BPF LSM
[1] in a subsequent patch.
0xff...0cb9 <+25>: xor %eax,%eax
0xff...0cbb <+27>: xchg %ax,%ax
0xff...0cbd <+29>: pop %rbx
0xff...0cbe <+30>: pop %r14
0xff...0cc0 <+32>: pop %rbp
0xff...0cc1 <+33>: cs jmp 0xff...0000 <__x86_return_thunk>
0xff...0cc7 <+39>: endbr64
0xff...0ccb <+43>: mov %r14,%rdi
0xff...0cce <+46>: mov %ebp,%esi
0xff...0cd0 <+48>: mov %rbx,%rdx
0xff...0cd3 <+51>: call 0xff...3230 <selinux_file_ioctl>
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Direct call to SELinux.
0xff...0cd8 <+56>: test %eax,%eax
0xff...0cda <+58>: jne 0xff...0cbd <security_file_ioctl+29>
0xff...0cdc <+60>: jmp 0xff...0cb7 <security_file_ioctl+23>
0xff...0cde <+62>: endbr64
0xff...0ce2 <+66>: mov %r14,%rdi
0xff...0ce5 <+69>: mov %ebp,%esi
0xff...0ce7 <+71>: mov %rbx,%rdx
0xff...0cea <+74>: call 0xff...e220 <bpf_lsm_file_ioctl>
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Direct call to BPF LSM.
0xff...0cef <+79>: test %eax,%eax
0xff...0cf1 <+81>: jne 0xff...0cbd <security_file_ioctl+29>
0xff...0cf3 <+83>: jmp 0xff...0cb9 <security_file_ioctl+25>
0xff...0cf5 <+85>: endbr64
0xff...0cf9 <+89>: mov %r14,%rdi
0xff...0cfc <+92>: mov %ebp,%esi
0xff...0cfe <+94>: mov %rbx,%rdx
0xff...0d01 <+97>: pop %rbx
0xff...0d02 <+98>: pop %r14
0xff...0d04 <+100>: pop %rbp
0xff...0d05 <+101>: ret
0xff...0d06 <+102>: int3
0xff...0d07 <+103>: int3
0xff...0d08 <+104>: int3
0xff...0d09 <+105>: int3
While this patch uses static_branch_unlikely indicating that an LSM hook
is likely to be not present. In most cases this is still a better choice
as even when an LSM with one hook is added, empty slots are created for
all LSM hooks (especially when many LSMs that do not initialize most
hooks are present on the system).
There are some hooks that don't use the call_int_hook or
call_void_hook. These hooks are updated to use a new macro called
lsm_for_each_hook where the lsm_callback is directly invoked as an
indirect call.
Below are results of the relevant Unixbench system benchmarks with BPF LSM
and SELinux enabled with default policies enabled with and without these
patches.
Benchmark Delta(%): (+ is better)
==========================================================================
Execl Throughput +1.9356
File Write 1024 bufsize 2000 maxblocks +6.5953
Pipe Throughput +9.5499
Pipe-based Context Switching +3.0209
Process Creation +2.3246
Shell Scripts (1 concurrent) +1.4975
System Call Overhead +2.7815
System Benchmarks Index Score (Partial Only): +3.4859
In the best case, some syscalls like eventfd_create benefitted to about
~10%.
Tested-by: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Acked-by: Song Liu <song@kernel.org>
Acked-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: KP Singh <kpsingh@kernel.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
195 lines
6.0 KiB
C
195 lines
6.0 KiB
C
/*
|
|
* Linux Security Module interfaces
|
|
*
|
|
* Copyright (C) 2001 WireX Communications, Inc <chris@wirex.com>
|
|
* Copyright (C) 2001 Greg Kroah-Hartman <greg@kroah.com>
|
|
* Copyright (C) 2001 Networks Associates Technology, Inc <ssmalley@nai.com>
|
|
* Copyright (C) 2001 James Morris <jmorris@intercode.com.au>
|
|
* Copyright (C) 2001 Silicon Graphics, Inc. (Trust Technology Group)
|
|
* Copyright (C) 2015 Intel Corporation.
|
|
* Copyright (C) 2015 Casey Schaufler <casey@schaufler-ca.com>
|
|
* Copyright (C) 2016 Mellanox Techonologies
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 2 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* Due to this file being licensed under the GPL there is controversy over
|
|
* whether this permits you to write a module that #includes this file
|
|
* without placing your module under the GPL. Please consult a lawyer for
|
|
* advice before doing this.
|
|
*
|
|
*/
|
|
|
|
#ifndef __LINUX_LSM_HOOKS_H
|
|
#define __LINUX_LSM_HOOKS_H
|
|
|
|
#include <uapi/linux/lsm.h>
|
|
#include <linux/security.h>
|
|
#include <linux/init.h>
|
|
#include <linux/rculist.h>
|
|
#include <linux/xattr.h>
|
|
#include <linux/static_call.h>
|
|
#include <linux/unroll.h>
|
|
#include <linux/jump_label.h>
|
|
#include <linux/lsm_count.h>
|
|
|
|
union security_list_options {
|
|
#define LSM_HOOK(RET, DEFAULT, NAME, ...) RET (*NAME)(__VA_ARGS__);
|
|
#include "lsm_hook_defs.h"
|
|
#undef LSM_HOOK
|
|
void *lsm_func_addr;
|
|
};
|
|
|
|
/*
|
|
* @key: static call key as defined by STATIC_CALL_KEY
|
|
* @trampoline: static call trampoline as defined by STATIC_CALL_TRAMP
|
|
* @hl: The security_hook_list as initialized by the owning LSM.
|
|
* @active: Enabled when the static call has an LSM hook associated.
|
|
*/
|
|
struct lsm_static_call {
|
|
struct static_call_key *key;
|
|
void *trampoline;
|
|
struct security_hook_list *hl;
|
|
/* this needs to be true or false based on what the key defaults to */
|
|
struct static_key_false *active;
|
|
} __randomize_layout;
|
|
|
|
/*
|
|
* Table of the static calls for each LSM hook.
|
|
* Once the LSMs are initialized, their callbacks will be copied to these
|
|
* tables such that the calls are filled backwards (from last to first).
|
|
* This way, we can jump directly to the first used static call, and execute
|
|
* all of them after. This essentially makes the entry point
|
|
* dynamic to adapt the number of static calls to the number of callbacks.
|
|
*/
|
|
struct lsm_static_calls_table {
|
|
#define LSM_HOOK(RET, DEFAULT, NAME, ...) \
|
|
struct lsm_static_call NAME[MAX_LSM_COUNT];
|
|
#include <linux/lsm_hook_defs.h>
|
|
#undef LSM_HOOK
|
|
} __packed __randomize_layout;
|
|
|
|
/**
|
|
* struct lsm_id - Identify a Linux Security Module.
|
|
* @lsm: name of the LSM, must be approved by the LSM maintainers
|
|
* @id: LSM ID number from uapi/linux/lsm.h
|
|
*
|
|
* Contains the information that identifies the LSM.
|
|
*/
|
|
struct lsm_id {
|
|
const char *name;
|
|
u64 id;
|
|
};
|
|
|
|
/*
|
|
* Security module hook list structure.
|
|
* For use with generic list macros for common operations.
|
|
*
|
|
* struct security_hook_list - Contents of a cacheable, mappable object.
|
|
* @scalls: The beginning of the array of static calls assigned to this hook.
|
|
* @hook: The callback for the hook.
|
|
* @lsm: The name of the lsm that owns this hook.
|
|
*/
|
|
struct security_hook_list {
|
|
struct lsm_static_call *scalls;
|
|
union security_list_options hook;
|
|
const struct lsm_id *lsmid;
|
|
} __randomize_layout;
|
|
|
|
/*
|
|
* Security blob size or offset data.
|
|
*/
|
|
struct lsm_blob_sizes {
|
|
int lbs_cred;
|
|
int lbs_file;
|
|
int lbs_ib;
|
|
int lbs_inode;
|
|
int lbs_sock;
|
|
int lbs_superblock;
|
|
int lbs_ipc;
|
|
int lbs_key;
|
|
int lbs_msg_msg;
|
|
int lbs_perf_event;
|
|
int lbs_task;
|
|
int lbs_xattr_count; /* number of xattr slots in new_xattrs array */
|
|
int lbs_tun_dev;
|
|
int lbs_bdev;
|
|
};
|
|
|
|
/*
|
|
* LSM_RET_VOID is used as the default value in LSM_HOOK definitions for void
|
|
* LSM hooks (in include/linux/lsm_hook_defs.h).
|
|
*/
|
|
#define LSM_RET_VOID ((void) 0)
|
|
|
|
/*
|
|
* Initializing a security_hook_list structure takes
|
|
* up a lot of space in a source file. This macro takes
|
|
* care of the common case and reduces the amount of
|
|
* text involved.
|
|
*/
|
|
#define LSM_HOOK_INIT(NAME, HOOK) \
|
|
{ \
|
|
.scalls = static_calls_table.NAME, \
|
|
.hook = { .NAME = HOOK } \
|
|
}
|
|
|
|
extern void security_add_hooks(struct security_hook_list *hooks, int count,
|
|
const struct lsm_id *lsmid);
|
|
|
|
#define LSM_FLAG_LEGACY_MAJOR BIT(0)
|
|
#define LSM_FLAG_EXCLUSIVE BIT(1)
|
|
|
|
enum lsm_order {
|
|
LSM_ORDER_FIRST = -1, /* This is only for capabilities. */
|
|
LSM_ORDER_MUTABLE = 0,
|
|
LSM_ORDER_LAST = 1, /* This is only for integrity. */
|
|
};
|
|
|
|
struct lsm_info {
|
|
const char *name; /* Required. */
|
|
enum lsm_order order; /* Optional: default is LSM_ORDER_MUTABLE */
|
|
unsigned long flags; /* Optional: flags describing LSM */
|
|
int *enabled; /* Optional: controlled by CONFIG_LSM */
|
|
int (*init)(void); /* Required. */
|
|
struct lsm_blob_sizes *blobs; /* Optional: for blob sharing. */
|
|
};
|
|
|
|
#define DEFINE_LSM(lsm) \
|
|
static struct lsm_info __lsm_##lsm \
|
|
__used __section(".lsm_info.init") \
|
|
__aligned(sizeof(unsigned long))
|
|
|
|
#define DEFINE_EARLY_LSM(lsm) \
|
|
static struct lsm_info __early_lsm_##lsm \
|
|
__used __section(".early_lsm_info.init") \
|
|
__aligned(sizeof(unsigned long))
|
|
|
|
/* DO NOT tamper with these variables outside of the LSM framework */
|
|
extern char *lsm_names;
|
|
extern struct lsm_static_calls_table static_calls_table __ro_after_init;
|
|
extern struct lsm_info __start_lsm_info[], __end_lsm_info[];
|
|
extern struct lsm_info __start_early_lsm_info[], __end_early_lsm_info[];
|
|
|
|
/**
|
|
* lsm_get_xattr_slot - Return the next available slot and increment the index
|
|
* @xattrs: array storing LSM-provided xattrs
|
|
* @xattr_count: number of already stored xattrs (updated)
|
|
*
|
|
* Retrieve the first available slot in the @xattrs array to fill with an xattr,
|
|
* and increment @xattr_count.
|
|
*
|
|
* Return: The slot to fill in @xattrs if non-NULL, NULL otherwise.
|
|
*/
|
|
static inline struct xattr *lsm_get_xattr_slot(struct xattr *xattrs,
|
|
int *xattr_count)
|
|
{
|
|
if (unlikely(!xattrs))
|
|
return NULL;
|
|
return &xattrs[(*xattr_count)++];
|
|
}
|
|
|
|
#endif /* ! __LINUX_LSM_HOOKS_H */
|