[kernel-hardening] Re: [PATCH 06/12] procfs: make /proc/*/stack 0400

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Djalal Harouni <tixxdz@opendz.org>
To: Kees Cook <keescook@chromium.org>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
	Al Viro <viro@zeniv.linux.org.uk>,
	Andrew Morton <akpm@linux-foundation.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Ingo Molnar <mingo@kernel.org>,
	"Serge E. Hallyn" <serge.hallyn@ubuntu.com>,
	Cyrill Gorcunov <gorcunov@openvz.org>,
	LKML <linux-kernel@vger.kernel.org>,
	"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
	"kernel-hardening@lists.openwall.com"
	<kernel-hardening@lists.openwall.com>,
	tixxdz@gmail.com
Subject: [kernel-hardening] Re: [PATCH 06/12] procfs: make /proc/*/stack 0400
Date: Sat, 28 Sep 2013 15:35:23 +0100	[thread overview]
Message-ID: <20130928143523.GA2199@dztty> (raw)
In-Reply-To: <CAGXu5jJKH6WPSMnqALOEjqGb6ZoeyYzj5vemk=2z4KPZyg=ptw@mail.gmail.com>

On Thu, Sep 26, 2013 at 03:43:24PM -0500, Kees Cook wrote:
> On Wed, Sep 25, 2013 at 3:14 PM, Djalal Harouni <tixxdz@opendz.org> wrote:
> > The /proc/*/stack contains sensitive information and currently its mode
> > is 0444. Change this to 0400 so the VFS will be able to block
> > unprivileged processes to get file descriptors on arbitrary privileged
> > /proc/*/stack files.
> >
> > The /proc/*/stack is a /procfs ONE file that shares the same ->open()
> > file operation with other ONE files. Doing a ptrace_may_access() check
> > during open() might break userspace from accessing other ONE files
> > like /proc/*/stat and /proc/*/statm.
> >
> > Therfore make it 0400 for now, and improve its check during ->read()
> > in the next following patch.
> >
> > Cc: Kees Cook <keescook@chromium.org>
> > Cc: Eric W. Biederman <ebiederm@xmission.com>
> > Signed-off-by: Djalal Harouni <tixxdz@opendz.org>
> 
> While the rest of the series is being discussed, I think it would be
> nice to at least get this into the tree. Fixing this reduces which
> processes are exposed to ASLR leaks. The rest of the series closes the
> remaining holes.
> 
> I would if it would be valuable adding a test for the identified leak
> conditions to some test suite? LTP perhaps?
I'm not familiar with LTP, but I guess a small program that perform I/O
redirection and execve a suid-exec will do it?

I'll try to add code comment in fs/proc/base.c


> -Kees
> 
> -- 
> Kees Cook
> Chrome OS Security

-- 
Djalal Harouni
http://opendz.org

WARNING: multiple messages have this Message-ID (diff)

From: Djalal Harouni <tixxdz@opendz.org>
To: Kees Cook <keescook@chromium.org>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
	Al Viro <viro@zeniv.linux.org.uk>,
	Andrew Morton <akpm@linux-foundation.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Ingo Molnar <mingo@kernel.org>,
	"Serge E. Hallyn" <serge.hallyn@ubuntu.com>,
	Cyrill Gorcunov <gorcunov@openvz.org>,
	LKML <linux-kernel@vger.kernel.org>,
	"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
	"kernel-hardening@lists.openwall.com"
	<kernel-hardening@lists.openwall.com>,
	tixxdz@gmail.com
Subject: Re: [PATCH 06/12] procfs: make /proc/*/stack 0400
Date: Sat, 28 Sep 2013 15:35:23 +0100	[thread overview]
Message-ID: <20130928143523.GA2199@dztty> (raw)
In-Reply-To: <CAGXu5jJKH6WPSMnqALOEjqGb6ZoeyYzj5vemk=2z4KPZyg=ptw@mail.gmail.com>

On Thu, Sep 26, 2013 at 03:43:24PM -0500, Kees Cook wrote:
> On Wed, Sep 25, 2013 at 3:14 PM, Djalal Harouni <tixxdz@opendz.org> wrote:
> > The /proc/*/stack contains sensitive information and currently its mode
> > is 0444. Change this to 0400 so the VFS will be able to block
> > unprivileged processes to get file descriptors on arbitrary privileged
> > /proc/*/stack files.
> >
> > The /proc/*/stack is a /procfs ONE file that shares the same ->open()
> > file operation with other ONE files. Doing a ptrace_may_access() check
> > during open() might break userspace from accessing other ONE files
> > like /proc/*/stat and /proc/*/statm.
> >
> > Therfore make it 0400 for now, and improve its check during ->read()
> > in the next following patch.
> >
> > Cc: Kees Cook <keescook@chromium.org>
> > Cc: Eric W. Biederman <ebiederm@xmission.com>
> > Signed-off-by: Djalal Harouni <tixxdz@opendz.org>
> 
> While the rest of the series is being discussed, I think it would be
> nice to at least get this into the tree. Fixing this reduces which
> processes are exposed to ASLR leaks. The rest of the series closes the
> remaining holes.
> 
> I would if it would be valuable adding a test for the identified leak
> conditions to some test suite? LTP perhaps?
I'm not familiar with LTP, but I guess a small program that perform I/O
redirection and execve a suid-exec will do it?

I'll try to add code comment in fs/proc/base.c


> -Kees
> 
> -- 
> Kees Cook
> Chrome OS Security

-- 
Djalal Harouni
http://opendz.org

next prev parent reply	other threads:[~2013-09-28 14:35 UTC|newest]

Thread overview: 48+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-09-25 20:14 [kernel-hardening] [PATCH 0/12] procfs: protect /proc/<pid>/* files with file->f_cred Djalal Harouni
2013-09-25 20:14 ` Djalal Harouni
2013-09-25 20:14 ` [kernel-hardening] [PATCH 01/12] procfs: add proc_same_open_cred() to check if the cred have changed Djalal Harouni
2013-09-25 20:14   ` Djalal Harouni
2013-09-25 20:14 ` [kernel-hardening] [PATCH 02/12] procfs: add proc_allow_access() to check if file's opener may access task Djalal Harouni
2013-09-25 20:14   ` Djalal Harouni
2013-09-25 20:14 ` [kernel-hardening] [PATCH 03/12] procfs: Document the proposed solution to protect procfs entries Djalal Harouni
2013-09-25 20:14   ` Djalal Harouni
2013-09-25 20:14 ` [kernel-hardening] [PATCH 04/12] seq_file: Make seq_file able to access the file's opener cred Djalal Harouni
2013-09-25 20:14   ` Djalal Harouni
2013-09-26  0:22   ` [kernel-hardening] " Linus Torvalds
2013-09-26  0:22     ` Linus Torvalds
2013-09-26  3:02     ` [kernel-hardening] " Al Viro
2013-09-26  3:02       ` Al Viro
2013-09-27  8:37       ` [kernel-hardening] " Djalal Harouni
2013-09-27  8:37         ` Djalal Harouni
2013-09-28 14:57       ` [kernel-hardening] " Djalal Harouni
2013-09-28 14:57         ` Djalal Harouni
2013-09-27  8:34     ` [kernel-hardening] " Djalal Harouni
2013-09-27  8:34       ` Djalal Harouni
2013-09-26  2:42   ` [kernel-hardening] " Al Viro
2013-09-26  2:42     ` Al Viro
2013-09-25 20:14 ` [kernel-hardening] [PATCH 05/12] seq_file: set the seq_file->f_cred during seq_open() Djalal Harouni
2013-09-25 20:14   ` Djalal Harouni
2013-09-25 20:14 ` [kernel-hardening] [PATCH 06/12] procfs: make /proc/*/stack 0400 Djalal Harouni
2013-09-25 20:14   ` Djalal Harouni
2013-09-26 20:43   ` [kernel-hardening] " Kees Cook
2013-09-26 20:43     ` Kees Cook
2013-09-28 14:35     ` Djalal Harouni [this message]
2013-09-28 14:35       ` Djalal Harouni
2013-10-02 19:52       ` [kernel-hardening] " Kees Cook
2013-10-02 19:52         ` Kees Cook
2013-09-29 10:37     ` [kernel-hardening] " Djalal Harouni
2013-09-29 10:37       ` Djalal Harouni
2013-10-02 19:49       ` [kernel-hardening] " Kees Cook
2013-10-02 19:49         ` Kees Cook
2013-09-25 20:14 ` [kernel-hardening] [PATCH 07/12] procfs: add permission checks on the file's opener of /proc/*/stack Djalal Harouni
2013-09-25 20:14   ` Djalal Harouni
2013-09-25 20:14 ` [kernel-hardening] [PATCH 08/12] procfs: add permission checks on the file's opener of /proc/*/personality Djalal Harouni
2013-09-25 20:14   ` Djalal Harouni
2013-09-25 20:14 ` [kernel-hardening] [PATCH 09/12] procfs: add permission checks on the file's opener of /proc/*/stat Djalal Harouni
2013-09-25 20:14   ` Djalal Harouni
2013-09-25 20:14 ` [kernel-hardening] [PATCH 10/12] procfs: move PROC_BLOCK_SIZE declaration up to make it visible Djalal Harouni
2013-09-25 20:14   ` Djalal Harouni
2013-09-25 20:14 ` [kernel-hardening] [PATCH 11/12] procfs: improve permission checks on /proc/*/syscall Djalal Harouni
2013-09-25 20:14   ` Djalal Harouni
2013-09-25 20:14 ` [kernel-hardening] [PATCH 12/12] user_ns: seq_file: use the user_ns that is embedded in the f_cred struct Djalal Harouni
2013-09-25 20:14   ` Djalal Harouni

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20130928143523.GA2199@dztty \
    --to=tixxdz@opendz.org \
    --cc=akpm@linux-foundation.org \
    --cc=ebiederm@xmission.com \
    --cc=gorcunov@openvz.org \
    --cc=keescook@chromium.org \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mingo@kernel.org \
    --cc=serge.hallyn@ubuntu.com \
    --cc=tixxdz@gmail.com \
    --cc=torvalds@linux-foundation.org \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.