From: Stephen Smalley <sds@tycho.nsa.gov>
To: David Quigley <selinux@davequigley.com>
Cc: selinux@lists.fedoraproject.org, selinux@tycho.nsa.gov
Subject: Re: Recent /proc/pid/mem exploit
Date: Wed, 25 Jan 2012 08:07:20 -0500 [thread overview]
Message-ID: <1327496840.9607.8.camel@moss-pluto> (raw)
In-Reply-To: <a2c83875882386021eb7ccd57df283ee@countercultured.net>
On Tue, 2012-01-24 at 11:22 -0500, David Quigley wrote:
> So I read through the recent privilege escalation vulnerability using
> su and gpasswd which exploits weak permission checks in /proc/pid/mem
> and tried to figure out why we didn't stop it. What it comes down to is
> that /proc/pid and everything under it is given the same type as the
> process itself. In the case of the gpasswd that type is groupadd_t.
> Looking at the kernel code for /proc/pid/mem and its read/write
> functions it seems that the only permission checking we do on that node
> is done by the vfs. So from the SELinux perspective you would need allow
> groupadd_t groupadd_t file:{open read write} to have access to
> /proc/pid/mem. For some odd reason tons and tons of applications have
> file:{open read and write} on itself.
>
> One question that should be asked is why is is that we have so many
> rules that contain sometype_t sometype_t file: {open read write}. Is it
> necessary or something that is just being pulled in from a macro. If
> this is necessary for other reasons the followup to this would be should
> /proc/pid/mem have the same type as the process or should we have some
> additional requirements permission wise for a process to read and write
> to its own memory through /proc/pid/mem. What are the valid reasons for
> a process to be poking around through its memory using /proc/pid/mem?
The /proc/pid files are labeled with the same security context as the
associated task via security_task_to_inode() -> selinux_task_to_inode().
There is presently no support for distinguishing /proc/pid files in
policy, unlike other files in /proc. As processes are expected to be
able to write to various files under /proc/self, this is allowed by
policy.
Implementing support for labeling different /proc/pid inodes differently
might be an interesting project.
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2012-01-25 13:07 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-01-24 16:22 Recent /proc/pid/mem exploit David Quigley
2012-01-25 13:07 ` Stephen Smalley [this message]
2012-01-25 13:55 ` Christopher J. PeBenito
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1327496840.9607.8.camel@moss-pluto \
--to=sds@tycho.nsa.gov \
--cc=selinux@davequigley.com \
--cc=selinux@lists.fedoraproject.org \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.