From: Djalal Harouni <tixxdz@opendz.org>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: linux-kernel@vger.kernel.org,
kernel-hardening@lists.openwall.com,
Andrew Morton <akpm@linux-foundation.org>,
Al Viro <viro@zeniv.linux.org.uk>,
Alexey Dobriyan <adobriyan@gmail.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Vasiliy Kulikov <segoon@openwall.com>,
Kees Cook <keescook@chromium.org>,
Solar Designer <solar@openwall.com>,
WANG Cong <xiyou.wangcong@gmail.com>,
James Morris <james.l.morris@oracle.com>,
Oleg Nesterov <oleg@redhat.com>,
linux-security-module@vger.kernel.org,
linux-fsdevel@vger.kernel.org,
Alan Cox <alan@lxorguk.ukuu.org.uk>,
Greg KH <gregkh@linuxfoundation.org>, Ingo Molnar <mingo@elte.hu>,
Stephen Wilson <wilsons@start.ca>,
"Jason A. Donenfeld" <Jason@zx2c4.com>
Subject: [kernel-hardening] Re: [PATCH 0/9] proc: protect /proc/<pid>/* files across execve
Date: Sun, 11 Mar 2012 01:27:25 +0100 [thread overview]
Message-ID: <20120311002725.GA4310@dztty> (raw)
In-Reply-To: <CA+55aFwdOgt=C52APPyvnAitcWNbzu-uXRi43m4bLS85oDgtqA@mail.gmail.com>
On Sat, Mar 10, 2012 at 04:01:09PM -0800, Linus Torvalds wrote:
> On Sat, Mar 10, 2012 at 3:25 PM, Djalal Harouni <tixxdz@opendz.org> wrote:
> >
> > 1) Use the target exec_id to bind files to their exec_id task:
> >
> > For the REG files /proc/<pid>/{environ,pagemap,mem} we set the exec_id
> > of the proc_file_private to the target task, and we continue with
> > permission checks at open time, later on each read/write call the
> > permission checks are done + check the target exec_id if it equals the
> > exec_id of the proc_file_private that was set at open time, in other words
> > we bind the file to its task's exec_id, this way new exec programs can not
> > operate on the passed fd.
>
> So the exec_id approach was totally broken when it was used for
> /proc/<pid>/mem, is there any reason to believe it's a good idea now?
Yes the previously one was broken since it was not a global uniq exec_id,
it was designed for threads tracking.
The current one is a global exec_id with uniq IDs, incremented on each
do_execve_common() call.
> It's entirely predictable, and you can make the exec_id match by
> simply forking elsewhere and then passing the fd around using unix
> domain sockets, since the exec_id is just updated by incrementing a
> counter.
For the fork one yes exec_id will match but we have the permission
checks (ptrace) at each syscall, so even if two processes share the same
exec_id the ptrace check should fail.
Yes it's predictable, but I don't see how you could pass the fd to another
extern privileged process without failing at the exec_id check.
--
tixxdz
http://opendz.org
WARNING: multiple messages have this Message-ID (diff)
From: Djalal Harouni <tixxdz@opendz.org>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: linux-kernel@vger.kernel.org,
kernel-hardening@lists.openwall.com,
Andrew Morton <akpm@linux-foundation.org>,
Al Viro <viro@zeniv.linux.org.uk>,
Alexey Dobriyan <adobriyan@gmail.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Vasiliy Kulikov <segoon@openwall.com>,
Kees Cook <keescook@chromium.org>,
Solar Designer <solar@openwall.com>,
WANG Cong <xiyou.wangcong@gmail.com>,
James Morris <james.l.morris@oracle.com>,
Oleg Nesterov <oleg@redhat.com>,
linux-security-module@vger.kernel.org,
linux-fsdevel@vger.kernel.org,
Alan Cox <alan@lxorguk.ukuu.org.uk>,
Greg KH <gregkh@linuxfoundation.org>, Ingo Molnar <mingo@elte.hu>,
Stephen Wilson <wilsons@start.ca>,
"Jason A. Donenfeld" <Jason@zx2c4.com>
Subject: Re: [PATCH 0/9] proc: protect /proc/<pid>/* files across execve
Date: Sun, 11 Mar 2012 01:27:25 +0100 [thread overview]
Message-ID: <20120311002725.GA4310@dztty> (raw)
In-Reply-To: <CA+55aFwdOgt=C52APPyvnAitcWNbzu-uXRi43m4bLS85oDgtqA@mail.gmail.com>
On Sat, Mar 10, 2012 at 04:01:09PM -0800, Linus Torvalds wrote:
> On Sat, Mar 10, 2012 at 3:25 PM, Djalal Harouni <tixxdz@opendz.org> wrote:
> >
> > 1) Use the target exec_id to bind files to their exec_id task:
> >
> > For the REG files /proc/<pid>/{environ,pagemap,mem} we set the exec_id
> > of the proc_file_private to the target task, and we continue with
> > permission checks at open time, later on each read/write call the
> > permission checks are done + check the target exec_id if it equals the
> > exec_id of the proc_file_private that was set at open time, in other words
> > we bind the file to its task's exec_id, this way new exec programs can not
> > operate on the passed fd.
>
> So the exec_id approach was totally broken when it was used for
> /proc/<pid>/mem, is there any reason to believe it's a good idea now?
Yes the previously one was broken since it was not a global uniq exec_id,
it was designed for threads tracking.
The current one is a global exec_id with uniq IDs, incremented on each
do_execve_common() call.
> It's entirely predictable, and you can make the exec_id match by
> simply forking elsewhere and then passing the fd around using unix
> domain sockets, since the exec_id is just updated by incrementing a
> counter.
For the fork one yes exec_id will match but we have the permission
checks (ptrace) at each syscall, so even if two processes share the same
exec_id the ptrace check should fail.
Yes it's predictable, but I don't see how you could pass the fd to another
extern privileged process without failing at the exec_id check.
--
tixxdz
http://opendz.org
next prev parent reply other threads:[~2012-03-11 0:27 UTC|newest]
Thread overview: 102+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-03-10 23:25 [kernel-hardening] [PATCH 0/9] proc: protect /proc/<pid>/* files across execve Djalal Harouni
2012-03-10 23:25 ` Djalal Harouni
2012-03-10 23:25 ` [kernel-hardening] [PATCH 1/9] exec: add a global execve counter Djalal Harouni
2012-03-10 23:25 ` Djalal Harouni
2012-03-11 0:12 ` [kernel-hardening] " Linus Torvalds
2012-03-11 0:12 ` Linus Torvalds
2012-03-11 0:36 ` [kernel-hardening] " Linus Torvalds
2012-03-11 0:36 ` Linus Torvalds
2012-03-11 0:58 ` [kernel-hardening] " Linus Torvalds
2012-03-11 0:58 ` Linus Torvalds
2012-03-11 8:24 ` [kernel-hardening] " Solar Designer
2012-03-11 8:24 ` Solar Designer
2012-03-11 9:56 ` [kernel-hardening] " Ingo Molnar
2012-03-11 9:56 ` Ingo Molnar
2012-03-11 14:03 ` [kernel-hardening] " Alan Cox
2012-03-11 14:03 ` Alan Cox
2012-03-11 17:15 ` [kernel-hardening] " Djalal Harouni
2012-03-11 17:15 ` Djalal Harouni
2012-03-11 8:39 ` [kernel-hardening] " Djalal Harouni
2012-03-11 8:39 ` Djalal Harouni
2012-03-11 9:40 ` [kernel-hardening] " Solar Designer
2012-03-11 9:40 ` Solar Designer
2012-03-11 17:25 ` [kernel-hardening] " Oleg Nesterov
2012-03-11 17:25 ` Oleg Nesterov
2012-03-11 17:49 ` [kernel-hardening] self_exec_id/parent_exec_id && CLONE_PARENT Oleg Nesterov
2012-03-11 17:49 ` Oleg Nesterov
2012-03-11 18:02 ` [kernel-hardening] " Linus Torvalds
2012-03-11 18:02 ` Linus Torvalds
2012-03-11 18:37 ` [kernel-hardening] " richard -rw- weinberger
2012-03-11 18:37 ` richard -rw- weinberger
2012-03-11 18:39 ` [kernel-hardening] " Oleg Nesterov
2012-03-11 18:39 ` Oleg Nesterov
2012-03-14 18:55 ` [kernel-hardening] [PATCH 0/1] (Was: self_exec_id/parent_exec_id && CLONE_PARENT) Oleg Nesterov
2012-03-14 18:55 ` Oleg Nesterov
2012-03-14 18:55 ` [kernel-hardening] [PATCH 1/1] CLONE_PARENT shouldn't allow to set ->exit_signal Oleg Nesterov
2012-03-14 18:55 ` Oleg Nesterov
2012-03-18 18:25 ` [kernel-hardening] " Linus Torvalds
2012-03-18 18:25 ` Linus Torvalds
2012-03-18 20:53 ` [kernel-hardening] " Oleg Nesterov
2012-03-18 20:53 ` Oleg Nesterov
[not found] ` <20120314190939.GC14172@redhat.com>
2012-03-19 16:02 ` [PATCH 0/3] exec_id/exit_signal fixes Oleg Nesterov
2012-03-19 16:03 ` [PATCH 1/3] exit_signal: simplify the "we have changed execution domain" logic Oleg Nesterov
2012-03-19 16:03 ` [PATCH 2/3] exit_signal: fix the "parent has changed security " Oleg Nesterov
2012-03-19 16:04 ` [PATCH 3/3] exec: move de_thread()->setmax_mm_hiwater_rss() into exec_mmap() Oleg Nesterov
2012-03-11 22:48 ` [kernel-hardening] Re: [PATCH 1/9] exec: add a global execve counter Linus Torvalds
2012-03-11 22:48 ` Linus Torvalds
2012-03-11 23:32 ` [kernel-hardening] " Djalal Harouni
2012-03-11 23:32 ` Djalal Harouni
2012-03-11 23:42 ` [kernel-hardening] " Linus Torvalds
2012-03-11 23:42 ` Linus Torvalds
2012-03-12 0:25 ` [kernel-hardening] " Djalal Harouni
2012-03-12 0:25 ` Djalal Harouni
2012-03-12 10:11 ` [kernel-hardening] " Linus Torvalds
2012-03-12 10:11 ` Linus Torvalds
2012-03-12 10:11 ` Linus Torvalds
2012-03-12 14:01 ` [kernel-hardening] " Djalal Harouni
2012-03-12 14:01 ` Djalal Harouni
2012-03-12 14:01 ` Djalal Harouni
2012-03-11 23:36 ` [kernel-hardening] " Djalal Harouni
2012-03-11 23:36 ` Djalal Harouni
2012-03-12 14:34 ` [kernel-hardening] " Oleg Nesterov
2012-03-12 14:34 ` Oleg Nesterov
2012-03-10 23:25 ` [kernel-hardening] [PATCH 2/9] proc: add proc_file_private struct to store private information Djalal Harouni
2012-03-10 23:25 ` Djalal Harouni
2012-03-10 23:25 ` [kernel-hardening] [PATCH 3/9] proc: new proc_exec_id_ok() helper function Djalal Harouni
2012-03-10 23:25 ` Djalal Harouni
2012-03-10 23:25 ` [kernel-hardening] [PATCH 4/9] proc: protect /proc/<pid>/* INF files from reader across execve Djalal Harouni
2012-03-10 23:25 ` Djalal Harouni
2012-03-10 23:25 ` [kernel-hardening] [PATCH 5/9] proc: add protection support for /proc/<pid>/* ONE files Djalal Harouni
2012-03-10 23:25 ` Djalal Harouni
2012-03-10 23:25 ` [kernel-hardening] [PATCH 6/9] proc: protect /proc/<pid>/* ONE files from reader across execve Djalal Harouni
2012-03-10 23:25 ` Djalal Harouni
2012-03-10 23:25 ` [kernel-hardening] [PATCH 7/9] proc: protect /proc/<pid>/{maps,smaps,numa_maps} Djalal Harouni
2012-03-10 23:25 ` Djalal Harouni
2012-03-10 23:25 ` [kernel-hardening] [PATCH 8/9] proc: protect /proc/<pid>/{environ,pagemap} across execve Djalal Harouni
2012-03-10 23:25 ` Djalal Harouni
2012-03-11 8:05 ` [kernel-hardening] " Alexey Dobriyan
2012-03-11 8:05 ` Alexey Dobriyan
2012-03-11 17:01 ` [kernel-hardening] " Djalal Harouni
2012-03-11 17:01 ` Djalal Harouni
2012-03-10 23:25 ` [kernel-hardening] [PATCH 9/9] proc: improve and clean up /proc/<pid>/mem protection Djalal Harouni
2012-03-10 23:25 ` Djalal Harouni
2012-03-11 0:01 ` [kernel-hardening] Re: [PATCH 0/9] proc: protect /proc/<pid>/* files across execve Linus Torvalds
2012-03-11 0:01 ` Linus Torvalds
2012-03-11 0:27 ` Djalal Harouni [this message]
2012-03-11 0:27 ` Djalal Harouni
2012-03-11 8:46 ` [kernel-hardening] " Djalal Harouni
2012-03-11 8:46 ` Djalal Harouni
2012-03-11 10:35 ` [kernel-hardening] exec_id protection from bad child exit signals (was: Re: [PATCH 0/9] proc: protect /proc/<pid>/* files across execve) Solar Designer
2012-03-11 10:35 ` Solar Designer
2012-03-11 18:20 ` [kernel-hardening] " Oleg Nesterov
2012-03-11 18:20 ` Oleg Nesterov
2012-03-12 19:13 ` [kernel-hardening] Re: [PATCH 0/9] proc: protect /proc/<pid>/* files across execve Eric W. Biederman
2012-03-12 19:13 ` Eric W. Biederman
2012-03-12 20:44 ` [kernel-hardening] " Djalal Harouni
2012-03-12 20:44 ` Djalal Harouni
2012-03-12 21:47 ` [kernel-hardening] " Eric W. Biederman
2012-03-12 21:47 ` Eric W. Biederman
2012-03-12 22:41 ` [kernel-hardening] " Djalal Harouni
2012-03-12 22:41 ` Djalal Harouni
2012-03-12 23:10 ` [kernel-hardening] " Eric W. Biederman
2012-03-12 23:10 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120311002725.GA4310@dztty \
--to=tixxdz@opendz.org \
--cc=Jason@zx2c4.com \
--cc=adobriyan@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=ebiederm@xmission.com \
--cc=gregkh@linuxfoundation.org \
--cc=james.l.morris@oracle.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=oleg@redhat.com \
--cc=segoon@openwall.com \
--cc=solar@openwall.com \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
--cc=wilsons@start.ca \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.