From: Djalal Harouni <tixxdz@opendz.org>
To: Alexey Dobriyan <adobriyan@gmail.com>
Cc: linux-kernel@vger.kernel.org,
	kernel-hardening@lists.openwall.com,
	Andrew Morton <akpm@linux-foundation.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Al Viro <viro@zeniv.linux.org.uk>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	Vasiliy Kulikov <segoon@openwall.com>,
	Kees Cook <keescook@chromium.org>,
	Solar Designer <solar@openwall.com>,
	WANG Cong <xiyou.wangcong@gmail.com>,
	James Morris <james.l.morris@oracle.com>,
	Oleg Nesterov <oleg@redhat.com>,
	linux-security-module@vger.kernel.org,
	linux-fsdevel@vger.kernel.org,
	Alan Cox <alan@lxorguk.ukuu.org.uk>,
	Greg KH <gregkh@linuxfoundation.org>, Ingo Molnar <mingo@elte.hu>,
	Stephen Wilson <wilsons@start.ca>,
	"Jason A. Donenfeld" <Jason@zx2c4.com>
Subject: [kernel-hardening] Re: [PATCH 8/9] proc: protect /proc/<pid>/{environ,pagemap} across execve
Date: Sun, 11 Mar 2012 18:01:25 +0100	[thread overview]
Message-ID: <20120311170125.GA10787@dztty> (raw)
In-Reply-To: <20120311080523.GB3794@p183.telecom.by>

On Sun, Mar 11, 2012 at 11:05:23AM +0300, Alexey Dobriyan wrote:
> On Sun, Mar 11, 2012 at 12:25:18AM +0100, Djalal Harouni wrote:
> > The /proc/<pid>/{environ,pagemap} are sensitive files which must be
> > protected across execve to avoid information leaks.
> > 
> > These files are protected by attaching them to their task at open time by
> > saving the exec_id of the target task, this way in read we just compare
> > the target task's exec_id and the previously saved exec_id of the
> > proc_file_private struct, in other words we just bind these files to their
> > appropriate process image at open time. We do this since we are able to do
> > proper permission checks (ptrace) at each syscall, so we do not care about
> > the reader.
> > 
> > Another important rule is to set the exec_id of the target task before the
> > permission checks at open, this way we do not race against target task
> > execve, and it will be more effective if the exec_id check at read/write
> > times is delayed as much as possible to be sure that the target task does
> > not change during execve.
> > 
> > This patch adds the open file_operation to the
> > /proc/<pid>/{environ,pagemap} so we are able to set the exec_id of the
> > target task and to do the appropriate permission checks. The exec_id check
> > is done in the related read file_operation.
> 
> ->open is duplicated.
Right, I'll unify the code in a generic open function that does:
* alloc and setup proc_file_private (which includes the exec_id)
* ptrace check using mm_for_maps()
  unify only those that check PTRACE_MODE_READ
* save priv_file_proc.

This applies also to the release functions, I'll re-submit it.

Thanks Alexey.

-- 
tixxdz
http://opendz.org
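The open-time binding described in the quoted patch text and the generic open sketched in the reply, as an added userspace model (example code, not the kernel's or the patch series' own): struct task, reader_may_access() and the proc_generic_* names are assumptions standing in for task_struct, the mm_for_maps() ptrace check and the real /proc file_operations.

```c
#include <errno.h>
#include <stdlib.h>
/* Stand-ins (assumptions, not kernel structs): a task and the per-file
 * private data from the patch series, reduced to what the model needs. */
struct task { int pid; unsigned int exec_id; };   /* exec_id bumps per execve */
struct proc_file_private {
    struct task *task;
    unsigned int exec_id;   /* process image the file was bound to at open */
};

/* Simulated execve: a new process image means a new exec_id. */
static void task_execve(struct task *t) { t->exec_id++; }

/* Hypothetical stand-in for the ptrace(PTRACE_MODE_READ) check done via
 * mm_for_maps(): here only the task itself or pid 1 may read it. */
static int reader_may_access(const struct task *t, int reader_pid)
{
    return reader_pid == t->pid || reader_pid == 1;
}

/* Generic open as sketched in the reply: allocate the private struct, record
 * the target's exec_id *before* the permission check, then check; an execve
 * racing the check is caught at read time. NULL = no memory or access denied. */
static struct proc_file_private *proc_generic_open(struct task *t, int reader_pid)
{
    struct proc_file_private *priv = calloc(1, sizeof(*priv));
    if (!priv)
        return NULL;
    priv->task = t;
    priv->exec_id = t->exec_id;
    if (!reader_may_access(t, reader_pid)) {
        free(priv);
        return NULL;
    }
    return priv;
}

/* True only while the target still runs the image the file was opened on. */
static int proc_exec_id_ok(const struct proc_file_private *priv)
{
    return priv->exec_id == priv->task->exec_id;
}

/* Read: compare exec_ids as late as possible, right before data would be
 * copied out. 0 = read may proceed, -ESRCH = target exec'd since open. */
static int proc_generic_read(const struct proc_file_private *priv)
{
    return proc_exec_id_ok(priv) ? 0 : -ESRCH;
}
```

A descriptor opened before the target's execve keeps failing with -ESRCH afterwards, so a reader cannot carry an old file into the new, possibly more privileged, image.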

