From: Djalal Harouni <tixxdz@opendz.org>
To: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Kees Cook <keescook@chromium.org>,
Andrew Morton <akpm@linux-foundation.org>,
Ingo Molnar <mingo@kernel.org>,
"Serge E. Hallyn" <serge.hallyn@ubuntu.com>,
Cyrill Gorcunov <gorcunov@openvz.org>,
LKML <linux-kernel@vger.kernel.org>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
tixxdz@gmail.com
Subject: [kernel-hardening] Re: [PATCH 04/12] seq_file: Make seq_file able to access the file's opener cred
Date: Fri, 27 Sep 2013 09:37:53 +0100 [thread overview]
Message-ID: <20130927083753.GA3268@dztty> (raw)
In-Reply-To: <20130926030254.GF13318@ZenIV.linux.org.uk>
On Thu, Sep 26, 2013 at 04:02:54AM +0100, Al Viro wrote:
> On Wed, Sep 25, 2013 at 05:22:51PM -0700, Linus Torvalds wrote:
> > On Wed, Sep 25, 2013 at 1:14 PM, Djalal Harouni <tixxdz@opendz.org> wrote:
> > >
> > > Therefor add the f_cred field to the seq_file struct and a helper
> > > seq_f_cred() to return it.
> >
> > I hate how you've split up this patch from the next one that actually
> > _initializes_ the new field.
> >
> > The two patches should have been one.
> >
> > I think the patch should also remove the 'user_ns' member, since it's
> > now available as f_cred->user_ns.
> >
> > I also suspect that it would be better to just make the the new
> > seq_file member point to the 'struct file' instead. Sure, it's an
> > extra level of indirection, but the lifetime of f_cred is not as clear
> > otherwise. You don't increment the reference count, which is correct
> > *only* because 'seq_file' has the same lifetime as 'struct file', and
> > thus the reference count from struct file for the f_cred is
> > sufficient.
>
> That's better than f_cred (or user_ns, for that matter), but... I'm
> afraid that it'll get abused very soon. And I don't understand the
> argument about the lifetime rules - what makes struct file ones
> different from struct cred ones in that respect? Except that in this
> case it's really obvious that we can't grab a reference, that is...
Ok, I'll not argue on f_cred or user_ns as fields for seq_file struct
Al there are other solutions:
1) Use the 'struct file' as pointed by Linus, but instead make
the seq_file->private member point to it.
These ONE nodes that share the same code call:
proc_single_open()
-> single_open(filp, proc_single_show, inode);
-> seq_open()
-> seq_file->private = inode;
So instead of 'inode' we can pass the 'struct file' to single_open(),
and get the 'inode' and 'file->f_cred' later at any point.
If we go for this, then later other files like /proc/*/{maps,smaps}
that use the 'struct proc_maps_private' should also embed a pointer
to the 'struct file' in that struct. These files use seq files and their
seq_file->private point to this 'struct proc_maps_private'.
So:
Sensitive ONE files can use this solution.
Sensitive INF files need to be converted to REG files and have their own
file operations, like it's done in
[PATCH 11/12] procfs: improve permission checks on /proc/*/syscall
Other REG files will receive the 'struct file' as an arugment, and for
files that use seq files, we should find a way to embed a pointer to
the 'struct file'.
2) Like (1) but instead of using the 'struct file' we pass the adress of
&file->f_inode. We can have 'struct file' using container_of and we also
have the inode. But it will just add more extra level of indirections.
I'm not sure of this one! I don't like it, what about other
/proc/<pid>/* files ? Is this consistent ?
3) Make the sensitive files like /proc/*/{stack,stat} have their own
file_operations. These are ONE nodes that share the same code with the
other ONE files.
I've already done this for /proc/*/syscall that shares code with other
INF files:
[PATCH 11/12] procfs: improve permission checks on /proc/*/syscall
That was the only way I found to have appropriate permission checks and
to not break other files. The /proc/<pid>/auxv will also need its own
file_operations.
We can also argue that sharing code is good or not as good as we think.
Example there is extra unused code for the /proc/*/stack
proc_pid_stack() handler. This function never use its 'pid and ns'
arguments, so why bother to retrieve them!
If we go for this (3) there will be:
* More extra code but optimized for the corresponding file.
* We should not touch seq_file struct.
* These files will still continue to use seq files.
* We'll embed a pointer to the 'struct file' inside
'struct proc_maps_private', so we can protect /proc/<pid>/{maps,smaps}
files later. They use seq files, the check will be implemented in
their m_start() handler.
Personally I'll go for (3) since we'll do the same for some INF files.
Al, what do you think ?
--
Djalal Harouni
http://opendz.org
WARNING: multiple messages have this Message-ID (diff)
From: Djalal Harouni <tixxdz@opendz.org>
To: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Kees Cook <keescook@chromium.org>,
Andrew Morton <akpm@linux-foundation.org>,
Ingo Molnar <mingo@kernel.org>,
"Serge E. Hallyn" <serge.hallyn@ubuntu.com>,
Cyrill Gorcunov <gorcunov@openvz.org>,
LKML <linux-kernel@vger.kernel.org>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
tixxdz@gmail.com
Subject: Re: [PATCH 04/12] seq_file: Make seq_file able to access the file's opener cred
Date: Fri, 27 Sep 2013 09:37:53 +0100 [thread overview]
Message-ID: <20130927083753.GA3268@dztty> (raw)
In-Reply-To: <20130926030254.GF13318@ZenIV.linux.org.uk>
On Thu, Sep 26, 2013 at 04:02:54AM +0100, Al Viro wrote:
> On Wed, Sep 25, 2013 at 05:22:51PM -0700, Linus Torvalds wrote:
> > On Wed, Sep 25, 2013 at 1:14 PM, Djalal Harouni <tixxdz@opendz.org> wrote:
> > >
> > > Therefor add the f_cred field to the seq_file struct and a helper
> > > seq_f_cred() to return it.
> >
> > I hate how you've split up this patch from the next one that actually
> > _initializes_ the new field.
> >
> > The two patches should have been one.
> >
> > I think the patch should also remove the 'user_ns' member, since it's
> > now available as f_cred->user_ns.
> >
> > I also suspect that it would be better to just make the the new
> > seq_file member point to the 'struct file' instead. Sure, it's an
> > extra level of indirection, but the lifetime of f_cred is not as clear
> > otherwise. You don't increment the reference count, which is correct
> > *only* because 'seq_file' has the same lifetime as 'struct file', and
> > thus the reference count from struct file for the f_cred is
> > sufficient.
>
> That's better than f_cred (or user_ns, for that matter), but... I'm
> afraid that it'll get abused very soon. And I don't understand the
> argument about the lifetime rules - what makes struct file ones
> different from struct cred ones in that respect? Except that in this
> case it's really obvious that we can't grab a reference, that is...
Ok, I'll not argue on f_cred or user_ns as fields for seq_file struct
Al there are other solutions:
1) Use the 'struct file' as pointed by Linus, but instead make
the seq_file->private member point to it.
These ONE nodes that share the same code call:
proc_single_open()
-> single_open(filp, proc_single_show, inode);
-> seq_open()
-> seq_file->private = inode;
So instead of 'inode' we can pass the 'struct file' to single_open(),
and get the 'inode' and 'file->f_cred' later at any point.
If we go for this, then later other files like /proc/*/{maps,smaps}
that use the 'struct proc_maps_private' should also embed a pointer
to the 'struct file' in that struct. These files use seq files and their
seq_file->private point to this 'struct proc_maps_private'.
So:
Sensitive ONE files can use this solution.
Sensitive INF files need to be converted to REG files and have their own
file operations, like it's done in
[PATCH 11/12] procfs: improve permission checks on /proc/*/syscall
Other REG files will receive the 'struct file' as an arugment, and for
files that use seq files, we should find a way to embed a pointer to
the 'struct file'.
2) Like (1) but instead of using the 'struct file' we pass the adress of
&file->f_inode. We can have 'struct file' using container_of and we also
have the inode. But it will just add more extra level of indirections.
I'm not sure of this one! I don't like it, what about other
/proc/<pid>/* files ? Is this consistent ?
3) Make the sensitive files like /proc/*/{stack,stat} have their own
file_operations. These are ONE nodes that share the same code with the
other ONE files.
I've already done this for /proc/*/syscall that shares code with other
INF files:
[PATCH 11/12] procfs: improve permission checks on /proc/*/syscall
That was the only way I found to have appropriate permission checks and
to not break other files. The /proc/<pid>/auxv will also need its own
file_operations.
We can also argue that sharing code is good or not as good as we think.
Example there is extra unused code for the /proc/*/stack
proc_pid_stack() handler. This function never use its 'pid and ns'
arguments, so why bother to retrieve them!
If we go for this (3) there will be:
* More extra code but optimized for the corresponding file.
* We should not touch seq_file struct.
* These files will still continue to use seq files.
* We'll embed a pointer to the 'struct file' inside
'struct proc_maps_private', so we can protect /proc/<pid>/{maps,smaps}
files later. They use seq files, the check will be implemented in
their m_start() handler.
Personally I'll go for (3) since we'll do the same for some INF files.
Al, what do you think ?
--
Djalal Harouni
http://opendz.org
next prev parent reply other threads:[~2013-09-27 8:37 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-09-25 20:14 [kernel-hardening] [PATCH 0/12] procfs: protect /proc/<pid>/* files with file->f_cred Djalal Harouni
2013-09-25 20:14 ` Djalal Harouni
2013-09-25 20:14 ` [kernel-hardening] [PATCH 01/12] procfs: add proc_same_open_cred() to check if the cred have changed Djalal Harouni
2013-09-25 20:14 ` Djalal Harouni
2013-09-25 20:14 ` [kernel-hardening] [PATCH 02/12] procfs: add proc_allow_access() to check if file's opener may access task Djalal Harouni
2013-09-25 20:14 ` Djalal Harouni
2013-09-25 20:14 ` [kernel-hardening] [PATCH 03/12] procfs: Document the proposed solution to protect procfs entries Djalal Harouni
2013-09-25 20:14 ` Djalal Harouni
2013-09-25 20:14 ` [kernel-hardening] [PATCH 04/12] seq_file: Make seq_file able to access the file's opener cred Djalal Harouni
2013-09-25 20:14 ` Djalal Harouni
2013-09-26 0:22 ` [kernel-hardening] " Linus Torvalds
2013-09-26 0:22 ` Linus Torvalds
2013-09-26 3:02 ` [kernel-hardening] " Al Viro
2013-09-26 3:02 ` Al Viro
2013-09-27 8:37 ` Djalal Harouni [this message]
2013-09-27 8:37 ` Djalal Harouni
2013-09-28 14:57 ` [kernel-hardening] " Djalal Harouni
2013-09-28 14:57 ` Djalal Harouni
2013-09-27 8:34 ` [kernel-hardening] " Djalal Harouni
2013-09-27 8:34 ` Djalal Harouni
2013-09-26 2:42 ` [kernel-hardening] " Al Viro
2013-09-26 2:42 ` Al Viro
2013-09-25 20:14 ` [kernel-hardening] [PATCH 05/12] seq_file: set the seq_file->f_cred during seq_open() Djalal Harouni
2013-09-25 20:14 ` Djalal Harouni
2013-09-25 20:14 ` [kernel-hardening] [PATCH 06/12] procfs: make /proc/*/stack 0400 Djalal Harouni
2013-09-25 20:14 ` Djalal Harouni
2013-09-26 20:43 ` [kernel-hardening] " Kees Cook
2013-09-26 20:43 ` Kees Cook
2013-09-28 14:35 ` [kernel-hardening] " Djalal Harouni
2013-09-28 14:35 ` Djalal Harouni
2013-10-02 19:52 ` [kernel-hardening] " Kees Cook
2013-10-02 19:52 ` Kees Cook
2013-09-29 10:37 ` [kernel-hardening] " Djalal Harouni
2013-09-29 10:37 ` Djalal Harouni
2013-10-02 19:49 ` [kernel-hardening] " Kees Cook
2013-10-02 19:49 ` Kees Cook
2013-09-25 20:14 ` [kernel-hardening] [PATCH 07/12] procfs: add permission checks on the file's opener of /proc/*/stack Djalal Harouni
2013-09-25 20:14 ` Djalal Harouni
2013-09-25 20:14 ` [kernel-hardening] [PATCH 08/12] procfs: add permission checks on the file's opener of /proc/*/personality Djalal Harouni
2013-09-25 20:14 ` Djalal Harouni
2013-09-25 20:14 ` [kernel-hardening] [PATCH 09/12] procfs: add permission checks on the file's opener of /proc/*/stat Djalal Harouni
2013-09-25 20:14 ` Djalal Harouni
2013-09-25 20:14 ` [kernel-hardening] [PATCH 10/12] procfs: move PROC_BLOCK_SIZE declaration up to make it visible Djalal Harouni
2013-09-25 20:14 ` Djalal Harouni
2013-09-25 20:14 ` [kernel-hardening] [PATCH 11/12] procfs: improve permission checks on /proc/*/syscall Djalal Harouni
2013-09-25 20:14 ` Djalal Harouni
2013-09-25 20:14 ` [kernel-hardening] [PATCH 12/12] user_ns: seq_file: use the user_ns that is embedded in the f_cred struct Djalal Harouni
2013-09-25 20:14 ` Djalal Harouni
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130927083753.GA3268@dztty \
--to=tixxdz@opendz.org \
--cc=akpm@linux-foundation.org \
--cc=ebiederm@xmission.com \
--cc=gorcunov@openvz.org \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=serge.hallyn@ubuntu.com \
--cc=tixxdz@gmail.com \
--cc=torvalds@linux-foundation.org \
--cc=viro@ZenIV.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.