Re: [PATCH 0/6] enable writing to /proc/pid/mem

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Al Viro <viro@ZenIV.linux.org.uk>
To: Stephen Wilson <wilsons@start.ca>
Cc: linux-mm@kvack.org, Andrew Morton <akpm@linux-foundation.org>,
	Rik van Riel <riel@redhat.com>,
	KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>,
	Roland McGrath <roland@redhat.com>,
	Matt Mackall <mpm@selenic.com>,
	David Rientjes <rientjes@google.com>,
	Nick Piggin <npiggin@kernel.dk>,
	Andrea Arcangeli <aarcange@redhat.com>,
	Mel Gorman <mel@csn.ul.ie>, Ingo Molnar <mingo@elte.hu>,
	Michel Lespinasse <walken@google.com>,
	Hugh Dickins <hughd@google.com>,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH 0/6] enable writing to /proc/pid/mem
Date: Wed, 9 Mar 2011 01:30:17 +0000	[thread overview]
Message-ID: <20110309013017.GY22723@ZenIV.linux.org.uk> (raw)
In-Reply-To: <1299631343-4499-1-git-send-email-wilsons@start.ca>

On Tue, Mar 08, 2011 at 07:42:17PM -0500, Stephen Wilson wrote:
> For a long time /proc/pid/mem has provided a read-only interface, at least
> since 2.4.0.  However, a write capability has existed "forever" in tree via the
> function mem_write(), disabled with an #ifdef along with the comment "this is a
> security hazard".  Currently, the main problem with mem_write() is that between
> the time permissions are checked and the actual write the target task could
> exec a setuid-root binary.
> 
> This patch series enables safe writes to /proc/pid/mem.  The principle strategy
> is to get a reference to the target task's mm before the permission check, and
> to hold that reference until after the write completes.

One note: I'd rather prefer approach similar to mm_for_maps().  IOW, instead
of "check, then get mm, then check _again_ to decide if we are allowed to
use it", just turn check_mm_permissions() into a function that returns
you a safe mm or gives you NULL (or, better yet, ERR_PTR(...)).  With all
checks done within that sucker.

Then mem_read() and mem_write() wouldn't need to recheck anything again
and the same helper would be usable for other things as well.  I mean
something like this: (*WARNING* - completely untested)

        err = mutex_lock_killable(&tsk->signal->cred_guard_mutex);
	if (err)
                return ERR_PTR(err);

        mm = get_tsk_mm(tsk);
	if (!mm) {
		mm = ERR_PTR(-EPERM);	/* maybe EINVAL here? */
	} else if (mm != current->mm) {
		int match;
	        /*
		 * If current is actively ptrace'ing, and would also be
		 * permitted to freshly attach with ptrace now, permit it.
		 */
		if (!tsk_is_stopped_or_traced(tsk))
			goto Eperm;
		rcu_read_lock();
		match = (tracehook_tracer_tsk(tsk) == current);
		rcu_read_unlock();
		if (!match)
			goto Eperm;
		if (!ptrace_may_access(tsk, PTRACE_MODE_ATTACH))
			goto Eperm;
        }
        mutex_unlock(&tsk->signal->cred_guard_mutex);
	return mm;
Eperm:
        mutex_unlock(&tsk->signal->cred_guard_mutex);
	mmput(mm);
	return ERR_PTR(-EPERM);

WARNING: multiple messages have this Message-ID (diff)

From: Al Viro <viro@ZenIV.linux.org.uk>
To: Stephen Wilson <wilsons@start.ca>
Cc: linux-mm@kvack.org, Andrew Morton <akpm@linux-foundation.org>,
	Rik van Riel <riel@redhat.com>,
	KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>,
	Roland McGrath <roland@redhat.com>,
	Matt Mackall <mpm@selenic.com>,
	David Rientjes <rientjes@google.com>,
	Nick Piggin <npiggin@kernel.dk>,
	Andrea Arcangeli <aarcange@redhat.com>,
	Mel Gorman <mel@csn.ul.ie>, Ingo Molnar <mingo@elte.hu>,
	Michel Lespinasse <walken@google.com>,
	Hugh Dickins <hughd@google.com>,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH 0/6] enable writing to /proc/pid/mem
Date: Wed, 9 Mar 2011 01:30:17 +0000	[thread overview]
Message-ID: <20110309013017.GY22723@ZenIV.linux.org.uk> (raw)
In-Reply-To: <1299631343-4499-1-git-send-email-wilsons@start.ca>

On Tue, Mar 08, 2011 at 07:42:17PM -0500, Stephen Wilson wrote:
> For a long time /proc/pid/mem has provided a read-only interface, at least
> since 2.4.0.  However, a write capability has existed "forever" in tree via the
> function mem_write(), disabled with an #ifdef along with the comment "this is a
> security hazard".  Currently, the main problem with mem_write() is that between
> the time permissions are checked and the actual write the target task could
> exec a setuid-root binary.
> 
> This patch series enables safe writes to /proc/pid/mem.  The principle strategy
> is to get a reference to the target task's mm before the permission check, and
> to hold that reference until after the write completes.

One note: I'd rather prefer approach similar to mm_for_maps().  IOW, instead
of "check, then get mm, then check _again_ to decide if we are allowed to
use it", just turn check_mm_permissions() into a function that returns
you a safe mm or gives you NULL (or, better yet, ERR_PTR(...)).  With all
checks done within that sucker.

Then mem_read() and mem_write() wouldn't need to recheck anything again
and the same helper would be usable for other things as well.  I mean
something like this: (*WARNING* - completely untested)

        err = mutex_lock_killable(&tsk->signal->cred_guard_mutex);
	if (err)
                return ERR_PTR(err);

        mm = get_tsk_mm(tsk);
	if (!mm) {
		mm = ERR_PTR(-EPERM);	/* maybe EINVAL here? */
	} else if (mm != current->mm) {
		int match;
	        /*
		 * If current is actively ptrace'ing, and would also be
		 * permitted to freshly attach with ptrace now, permit it.
		 */
		if (!tsk_is_stopped_or_traced(tsk))
			goto Eperm;
		rcu_read_lock();
		match = (tracehook_tracer_tsk(tsk) == current);
		rcu_read_unlock();
		if (!match)
			goto Eperm;
		if (!ptrace_may_access(tsk, PTRACE_MODE_ATTACH))
			goto Eperm;
        }
        mutex_unlock(&tsk->signal->cred_guard_mutex);
	return mm;
Eperm:
        mutex_unlock(&tsk->signal->cred_guard_mutex);
	mmput(mm);
	return ERR_PTR(-EPERM);

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Fight unfair telecom internet charges in Canada: sign http://stopthemeter.ca/
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>

next prev parent reply	other threads:[~2011-03-09  1:31 UTC|newest]

Thread overview: 32+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-03-09  0:42 [PATCH 0/6] enable writing to /proc/pid/mem Stephen Wilson
2011-03-09  0:42 ` Stephen Wilson
2011-03-09  0:42 ` [PATCH 1/6] mm: use mm_struct to resolve gate vma's in __get_user_pages Stephen Wilson
2011-03-09  0:42   ` Stephen Wilson
2011-03-09  5:19   ` KOSAKI Motohiro
2011-03-09  5:19     ` KOSAKI Motohiro
2011-03-09  6:06     ` Al Viro
2011-03-09  6:06       ` Al Viro
2011-03-09 12:38       ` Stephen Wilson
2011-03-09 12:38         ` Stephen Wilson
2011-03-09  0:42 ` [PATCH 2/6] mm: factor out main logic of access_process_vm Stephen Wilson
2011-03-09  0:42   ` Stephen Wilson
2011-03-09  0:42 ` [PATCH 3/6] mm: implement access_remote_vm Stephen Wilson
2011-03-09  0:42   ` Stephen Wilson
2011-03-09  0:42 ` [PATCH 4/6] proc: disable mem_write after exec Stephen Wilson
2011-03-09  0:42   ` Stephen Wilson
2011-03-09  5:22   ` KOSAKI Motohiro
2011-03-09  5:22     ` KOSAKI Motohiro
2011-03-09  0:42 ` [PATCH 5/6] proc: make check_mem_permission() return an mm_struct on success Stephen Wilson
2011-03-09  0:42   ` Stephen Wilson
2011-03-09  6:20   ` KOSAKI Motohiro
2011-03-09  6:20     ` KOSAKI Motohiro
2011-03-09  0:42 ` [PATCH 6/6] proc: enable writing to /proc/pid/mem Stephen Wilson
2011-03-09  0:42   ` Stephen Wilson
2011-03-09  1:30 ` Al Viro [this message]
2011-03-09  1:30   ` [PATCH 0/6] " Al Viro
2011-03-09  2:15   ` Stephen Wilson
2011-03-09  2:15     ` Stephen Wilson
2011-03-09  2:33     ` Al Viro
2011-03-09  2:33       ` Al Viro
2011-03-09  2:47       ` Stephen Wilson
2011-03-09  2:47         ` Stephen Wilson

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20110309013017.GY22723@ZenIV.linux.org.uk \
    --to=viro@zeniv.linux.org.uk \
    --cc=aarcange@redhat.com \
    --cc=akpm@linux-foundation.org \
    --cc=hughd@google.com \
    --cc=kosaki.motohiro@jp.fujitsu.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=mel@csn.ul.ie \
    --cc=mingo@elte.hu \
    --cc=mpm@selenic.com \
    --cc=npiggin@kernel.dk \
    --cc=riel@redhat.com \
    --cc=rientjes@google.com \
    --cc=roland@redhat.com \
    --cc=walken@google.com \
    --cc=wilsons@start.ca \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.