From: Vasiliy Kulikov <segoon@openwall.com>
To: kernel-hardening@lists.openwall.com
Cc: Will Drewry <wad@chromium.org>
Subject: [kernel-hardening] 32/64 bitness restriction for pid namespace
Date: Sun, 7 Aug 2011 15:00:25 +0400
Message-ID: <20110807110025.GA3778@albatros>

Solar, Will, all -

A new sysctl, abi.bitness_locked, is introduced.  If set to 1, it locks
all tasks inside the current pid namespace to the bitness of the init task
(pid_ns->child_reaper).  After that (1) all syscalls of the other bitness
return -ENOSYS and (2) loading ELF binaries of the other bitness is
prohibited (as if the corresponding CONFIG_BINFMT_*=N).  If there is any
task which differs in bitness, the locking fails.

TODO:

 * Fix a race of sysctl against fork().
 * A denied syscall should behave as if it didn't exist.

The patch was tested very roughly.

diff --git a/arch/x86/kernel/syscall_restrict.c b/arch/x86/kernel/syscall_restrict.c
index 1a2bf1c..b2bfd8f 100644
--- a/arch/x86/kernel/syscall_restrict.c
+++ b/arch/x86/kernel/syscall_restrict.c
@@ -31,8 +31,8 @@ static int task_get_bitness(struct task_struct *task)
 static bool pidns_locked(struct pid_namespace *pid_ns)
 {
 	struct task_struct *init = pid_ns->child_reaper;
-	return (test_ti_thread_flag(task_thread_info(task), TIF_SYSCALL32_DENIED) ||
-		test_ti_thread_flag(task_thread_info(task), TIF_SYSCALL64_DENIED));
+	return (test_ti_thread_flag(task_thread_info(init), TIF_SYSCALL32_DENIED) ||
+		test_ti_thread_flag(task_thread_info(init), TIF_SYSCALL64_DENIED));
 }
 
 static int bits_to_flags(int bits)
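Review bot: the removed lines reference `task`, which is not declared in pidns_locked() (the function has only the `pid_ns` parameter and the local `init`), so this hunk is a build fix rather than a cosmetic rename and the description should say so. Separately, the namespace's locked state is derived purely from the child_reaper's TIF_SYSCALL32_DENIED/TIF_SYSCALL64_DENIED thread flags; if those flags can ever be cleared on init independently of the rest of the namespace, the namespace silently reads as unlocked. Consider recording the lock in struct pid_namespace itself and treating the per-task thread flags as the enforcement copy.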
@@ -69,7 +69,7 @@ static int __pidns_may_lock_bitness(struct pid_namespace *pid_ns, int bits)
 }
 
 /* Called with hold tasklist_lock and rcu */
-static int __change_syscall_restrict(struct pid_namespace *pid_ns, int bits)
+static int __bitness_lock(struct pid_namespace *pid_ns, int bits)
 {
 	u32 clear_bit_nr;
 	struct task_struct *p, *thread;
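Review bot: the comment directly above the renamed function, "Called with hold tasklist_lock and rcu", is ungrammatical and does not say which mode of tasklist_lock is required; since the hunk already touches the next line, reword it to "Called with tasklist_lock write-locked and rcu_read_lock() held", which matches the write_unlock_irq(&tasklist_lock) in the caller bitness_lock().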
@@ -90,7 +90,7 @@ static int __change_syscall_restrict(struct pid_namespace *pid_ns, int bits)
 	return 0;
 }
 
-static int syscall_bitness_lock(struct pid_namespace *pid_ns)
+static int bitness_lock(struct pid_namespace *pid_ns)
 {
 	int rc, new_bits;
 
@@ -100,14 +100,14 @@ static int syscall_bitness_lock(struct pid_namespace *pid_ns)
 	new_bits = task_get_bitness(pid_ns->child_reaper);
 	rc = __pidns_may_lock_bitness(pid_ns, new_bits);
 	if (!rc)
-		rc = __change_syscall_restrict(pid_ns, new_bits);
+		rc = __bitness_lock(pid_ns, new_bits);
 
 	write_unlock_irq(&tasklist_lock);
 	rcu_read_unlock();
 	return rc;
 }
 
-static int syscall_bitness_locked_handler(struct ctl_table *table, int write,
+static int bitness_locked_handler(struct ctl_table *table, int write,
 				void __user *buffer, size_t *lenp,
 				loff_t *ppos)
 {
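Review bot: the pre-check in __pidns_may_lock_bitness() and the flag update in __bitness_lock() run in the same write_lock_irq(&tasklist_lock) / rcu_read_lock() critical section, which is the right shape for a walk over the namespace's tasks. The fork() race in the TODO list is therefore most likely a child that has already copied its parent's thread flags in copy_process() but is not yet on the task list when this walk runs; that is presumably a fork-side fix (re-check the namespace lock once the child is linked) rather than a change here, but until it lands the cover letter should state that the lock is not yet reliable.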
@@ -128,14 +128,14 @@ static int syscall_bitness_locked_handler(struct ctl_table *table, int write,
 		return -EACCES;
 	if (new_bits && old_bits)
 		return 0;
-	return syscall_bitness_lock(current->nsproxy->pid_ns);
+	return bitness_lock(current->nsproxy->pid_ns);
 }
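Review bot: two behaviours of the handler are worth documenting because they are not obvious from the sysctl name: `if (new_bits && old_bits) return 0;` makes a second write of 1 a silent no-op, and bitness_lock(current->nsproxy->pid_ns) locks the writer's own pid namespace, not the namespace of the /proc mount through which the file was opened. The visible part of the handler shows only the -EACCES path; if it does not already do so, reject values other than 0 and 1 with -EINVAL rather than treating any non-zero value as "lock".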
 
 static struct ctl_table abi_syscall_restrict[] = {
 	{
-		.procname = "syscall_bitness_locked",
+		.procname = "bitness_locked",
 		.mode = 0644,
-		.proc_handler = syscall_bitness_locked_handler
+		.proc_handler = bitness_locked_handler
 	},
 	{}
 };
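Review bot: the ctl_table entry sets .mode = 0644 but no .data or .maxlen, so both the read and the write path go entirely through bitness_locked_handler(); that is fine for a custom handler, but the semantics (one-way lock, -ENOSYS for syscalls of the other bitness, refusal while a task of the other bitness exists) are currently written down only in the cover letter. Please add an entry under Documentation/sysctl/ for abi.bitness_locked in the same series.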
---
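As an added example (not part of the posted patch, and not the kernel's own task_get_bitness()), the following C program performs from user space the same pre-check the sysctl write performs in the kernel: it compares the ELF class of every /proc/<pid>/exe with that of PID 1, so an administrator can see beforehand whether a write of 1 to abi.bitness_locked would be refused because a task of the other bitness exists. It assumes a Linux /proc and approximates a task's bitness by its executable's ELF class rather than by the kernel's per-task flags.

```c
/* Added example, not part of the posted patch: user-space version of the
 * "any task of the other bitness makes the lock fail" check. */
#include <stdio.h>
#include <string.h>
#include <dirent.h>
#include <fcntl.h>
#include <unistd.h>

enum { ELF_NIDENT = 16, ELF_CLASS_OFF = 4, ELF_CLASS32 = 1, ELF_CLASS64 = 2 }; /* ELF spec */

/* 32 or 64 for a valid ELF identification block, 0 otherwise. */
int elf_bitness_from_header(const unsigned char *hdr, size_t len)
{
    if (len < ELF_NIDENT || memcmp(hdr, "\177ELF", 4) != 0)
        return 0;
    return hdr[ELF_CLASS_OFF] == ELF_CLASS32 ? 32 : hdr[ELF_CLASS_OFF] == ELF_CLASS64 ? 64 : 0;
}

/* ELF class of /proc/<pid>/exe; 0 if unreadable (kernel thread, no ptrace access, no such pid). */
int task_bitness(const char *pid)
{
    unsigned char hdr[ELF_NIDENT] = {0};
    char path[64];
    int fd;
    snprintf(path, sizeof path, "/proc/%s/exe", pid);
    if ((fd = open(path, O_RDONLY)) < 0)
        return 0;
    if (read(fd, hdr, sizeof hdr) != (ssize_t)sizeof hdr)
        hdr[0] = 0;                     /* short read: cannot be an ELF header */
    close(fd);
    return elf_bitness_from_header(hdr, sizeof hdr);
}

/* Number of tasks whose bitness differs from init's (PID 1, the child_reaper), or -1 if
 * /proc or PID 1 is unreadable.  0 means the "task of another bitness" rule would not
 * refuse a write of 1 to abi.bitness_locked; tasks of unknown bitness are not counted. */
int count_foreign_bitness(void)
{
    int init_bits = task_bitness("1"), bits, foreign = 0;
    struct dirent *e;
    DIR *d = init_bits ? opendir("/proc") : NULL;
    if (!d)
        return -1;
    while ((e = readdir(d)) != NULL) {
        if (e->d_name[0] < '0' || e->d_name[0] > '9')
            continue;                   /* not a pid directory */
        bits = task_bitness(e->d_name);
        if (bits && bits != init_bits)
            foreign++;
    }
    closedir(d);
    return foreign;
}
```

A non-zero count from count_foreign_bitness() names the condition under which the kernel-side __pidns_may_lock_bitness() check would fail; the example does not attempt to change any sysctl itself.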
