Re: [PATCH v2 0/4] Checkpoint/Restore: Show in proc IDs of objects that can be shared between tasks

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Cyrill Gorcunov <gorcunov@gmail.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Pavel Emelyanov <xemul@parallels.com>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	Glauber Costa <glommer@parallels.com>,
	Andi Kleen <andi@firstfloor.org>, Tejun Heo <tj@kernel.org>,
	Matt Helsley <matthltc@us.ibm.com>,
	Pekka Enberg <penberg@kernel.org>,
	Eric Dumazet <eric.dumazet@gmail.com>,
	Vasiliy Kulikov <segoon@openwall.com>
Subject: Re: [PATCH v2 0/4] Checkpoint/Restore: Show in proc IDs of objects that can be shared between tasks
Date: Sat, 19 Nov 2011 01:03:22 +0400	[thread overview]
Message-ID: <20111118210322.GD21041@moon> (raw)
In-Reply-To: <20111118123728.554b45e7.akpm@linux-foundation.org>

On Fri, Nov 18, 2011 at 12:37:28PM -0800, Andrew Morton wrote:
...
> > 
> > Actually the address is not exposed in open-form but rather xor'ed with
> > a random number, still from security pov it's not clear if it's really useful
> > for attacker to obtain inverted low bits of the former random number (which
> > might happen on aligned addresses).
> > 
> 
> Of course.  But
> 
> a) I'm not sure that this scheme actually protects the kernel
>    addresses - there may be way in which cunning userspace can work out
>    the random mask.
> 

Well, in case of hw-rng it should not be that easy, still of course
there is no 100% guarantee that there is absolutely no way to predict
this mask (espec since it's generated once at lives here forever). But
whatever makes attacker life harder -- is a good thing. After all we might
simply take some hash on kernel address here (such as sha256) since it's
not a time-critical operation and as far as I know collision is not found
for it yet (??).

> b) If we can export these addresses only to CAP_SYS_ADMIN tasks then
>    we don't need to obfuscate them anyway.
> 
>    Which takes me back to again asking: why not make c/r root-only?
>    And provide non-root access via a carefully-written setuid
>    front-end?
> 

I think non-root approach is a win in a long term (even if it requires
some new CAP_ for that). The less root priviledge needed -- then better.
Having it root-only is easier of course and solves the problem of masking
kernel addresses from untrusted user-space agents, but still. Pavel, what
do you think about root-only?

	Cyrill

next prev parent reply	other threads:[~2011-11-18 21:03 UTC|newest]

Thread overview: 25+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-11-17  9:55 [PATCH v2 0/4] Checkpoint/Restore: Show in proc IDs of objects that can be shared between tasks Pavel Emelyanov
2011-11-17  9:56 ` [PATCH 1/4] Routine for generating a safe ID for kernel pointer Pavel Emelyanov
2011-11-17  9:56 ` [PATCH 2/4] proc: Show namespaces IDs in /proc/pid/ns/* files Pavel Emelyanov
2011-11-17  9:56 ` [PATCH 3/4] proc: Show open file ID in /proc/pid/fdinfo/* Pavel Emelyanov
2011-11-17 20:48 ` [PATCH v2 0/4] Checkpoint/Restore: Show in proc IDs of objects that can be shared between tasks Andrew Morton
2011-11-18  9:24   ` Pavel Emelyanov
2011-11-18 19:07     ` Andrew Morton
2011-11-18 20:03       ` Cyrill Gorcunov
2011-11-18 20:37         ` Andrew Morton
2011-11-18 21:03           ` Cyrill Gorcunov [this message]
2011-11-18 21:09             ` Pekka Enberg
2011-11-18 22:10               ` Kyle Moffett
2011-11-18 23:46                 ` Tejun Heo
2011-11-19  1:09                   ` Kyle Moffett
2011-11-19  5:30                     ` Cyrill Gorcunov
2011-11-18 23:38             ` Matt Helsley
2011-11-19  5:35               ` Cyrill Gorcunov
2011-11-19  7:57       ` [kernel-hardening] " Vasiliy Kulikov
2011-11-19  7:57         ` Vasiliy Kulikov
2011-11-19  8:10         ` [kernel-hardening] " Vasiliy Kulikov
2011-11-19  8:10           ` Vasiliy Kulikov
2011-11-19  8:18           ` [kernel-hardening] " Vasiliy Kulikov
2011-11-19  8:18             ` Vasiliy Kulikov
2011-11-19 15:34           ` [kernel-hardening] " Cyrill Gorcunov
2011-11-19 15:34             ` Cyrill Gorcunov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20111118210322.GD21041@moon \
    --to=gorcunov@gmail.com \
    --cc=akpm@linux-foundation.org \
    --cc=andi@firstfloor.org \
    --cc=eric.dumazet@gmail.com \
    --cc=glommer@parallels.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=matthltc@us.ibm.com \
    --cc=penberg@kernel.org \
    --cc=segoon@openwall.com \
    --cc=tj@kernel.org \
    --cc=xemul@parallels.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.