From: Cyrill Gorcunov <gorcunov@openvz.org>
To: Matt Helsley <matthltc@us.ibm.com>
Cc: Oleg Nesterov <oleg@redhat.com>,
KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>,
Pavel Emelyanov <xemul@parallels.com>,
Kees Cook <keescook@chromium.org>, Tejun Heo <tj@kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [RFC] c/r: prctl: Add ability to set new mm_struct::exe_file v3
Date: Tue, 13 Mar 2012 10:26:25 +0400 [thread overview]
Message-ID: <20120313062625.GA1912@moon> (raw)
In-Reply-To: <20120313024511.GF19584@count0.beaverton.ibm.com>
On Mon, Mar 12, 2012 at 07:45:11PM -0700, Matt Helsley wrote:
> >
> > Indeed. But I think any change will mean compatibility broken, programs
> > may rely on one-shot or multi-shot behaviour. So I personally vote
> > for more flexible approach here.
>
> Very true. In fact thinking about this prctl a bit more makes me more certain
> that one-shot is better and it ought to stay that way forever. The
> flexibility to change the /proc/pid/exe symlink could be yet another
> way for malicious code to obscure a compromised program and
> masquerade as a benign process. That's a problem inherent in this prctl
> whether its one-shot or multi-shot. However, if you use the one-shot
> approach then a security-concious program can use this prctl once
> during its early initialization to ensure the prctl cannot later be abused
> for this purpose.
>
Hi Matt,
well, sure our tool can live with one-shot approach (and I'll update it)
but not that only program with CAP_RESOURCE granted can do that, ie it's
not any arbitrary program in a system.
> > names -- how would he know if a program did change own /proc/pid/exe
> > at all? Note it's not that important how many times the symlink was
> > changed there is simply no way to find out if it was changed at all,
> > and actually from my POV it's a win for transparent c/r, that was
> > all the idea.
>
> I am quite aware of the c/r use for this prctl :). However I also
> wonder if there aren't serious malicious uses of it. I'm not saying the
> symlink has to be perfectly accurate at all times, but it's easy and
> reasonable to make it much harder to abuse this particular prctl for
> malicious purposes by making it one-shot.
>
ok, convinced, I'll update the patch ;)
> With this patch -- especially the multi-shot form -- the symlink will
> be entirely under the control of (potentially untrusted) userspace code
> and the admin is totally at the mercy of the userspace code. In
> single-shot form programs could use the prctl() to ensure the symlink
> could not be changed later -- the restart tool would be the only program
> that would need to ensure that prctl() had not been used since the last
> exec*().
>
> If we're going to let userspace do arbitrary things to the symlink I can't
> help but wonder why we can't skip the prctl() altogether and just enable
> MAP_EXECUTABLE in mmap().
Well, hard to tell from my side. At moment I don't see problem in allowing
MAP_EXECUTABLE in mmap, but -mm guys help needed. I'm sure there were a reason
why it's not allowed.
Cyrill
next prev parent reply other threads:[~2012-03-13 6:26 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-03-08 16:51 [RFC] c/r: prctl: Add ability to set new mm_struct::exe_file v3 Cyrill Gorcunov
2012-03-08 18:26 ` Oleg Nesterov
2012-03-08 19:03 ` Cyrill Gorcunov
2012-03-08 19:05 ` Oleg Nesterov
2012-03-08 19:25 ` Cyrill Gorcunov
2012-03-08 19:25 ` Oleg Nesterov
2012-03-08 19:36 ` Cyrill Gorcunov
2012-03-08 21:48 ` Cyrill Gorcunov
2012-03-09 12:48 ` Oleg Nesterov
2012-03-09 12:57 ` Cyrill Gorcunov
2012-03-09 13:35 ` Cyrill Gorcunov
2012-03-09 13:47 ` Oleg Nesterov
2012-03-09 14:13 ` Cyrill Gorcunov
2012-03-09 14:26 ` Oleg Nesterov
2012-03-09 14:42 ` Cyrill Gorcunov
2012-03-09 15:21 ` Oleg Nesterov
2012-03-09 15:42 ` Cyrill Gorcunov
2012-03-09 22:02 ` Matt Helsley
2012-03-09 22:39 ` Cyrill Gorcunov
2012-03-09 23:59 ` Matt Helsley
2012-03-10 7:48 ` Cyrill Gorcunov
2012-03-13 2:45 ` Matt Helsley
2012-03-13 6:26 ` Cyrill Gorcunov [this message]
2012-03-13 7:18 ` Cyrill Gorcunov
2012-03-13 15:43 ` Oleg Nesterov
2012-03-13 16:00 ` Cyrill Gorcunov
2012-03-13 16:04 ` Cyrill Gorcunov
2012-03-13 16:44 ` Oleg Nesterov
2012-03-14 1:41 ` Matt Helsley
2012-03-14 5:47 ` Cyrill Gorcunov
2012-03-14 22:21 ` Matt Helsley
2012-03-14 22:48 ` Cyrill Gorcunov
2012-03-14 0:36 ` Matt Helsley
2012-03-09 21:46 ` Matt Helsley
2012-03-09 21:52 ` Cyrill Gorcunov
2012-03-08 19:31 ` Kees Cook
2012-03-08 19:40 ` Cyrill Gorcunov
2012-03-08 20:02 ` Andy Lutomirski
2012-03-08 20:06 ` Kees Cook
2012-03-08 20:07 ` Cyrill Gorcunov
2012-03-08 20:15 ` Andy Lutomirski
2012-03-08 20:21 ` Cyrill Gorcunov
2012-03-08 20:24 ` Andy Lutomirski
2012-03-08 20:28 ` Cyrill Gorcunov
2012-03-08 21:57 ` Cyrill Gorcunov
2012-03-08 22:03 ` Kees Cook
2012-03-08 22:12 ` Cyrill Gorcunov
2012-03-08 22:14 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120313062625.GA1912@moon \
--to=gorcunov@openvz.org \
--cc=akpm@linux-foundation.org \
--cc=keescook@chromium.org \
--cc=kosaki.motohiro@jp.fujitsu.com \
--cc=linux-kernel@vger.kernel.org \
--cc=matthltc@us.ibm.com \
--cc=oleg@redhat.com \
--cc=tj@kernel.org \
--cc=xemul@parallels.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.