* Leaking path for set_task_comm @ 2018-09-25 17:27 ` Tong Zhang 0 siblings, 0 replies; 10+ messages in thread From: Tong Zhang @ 2018-09-25 17:27 UTC (permalink / raw) To: linux-security-module Kernel Version: 4.18.5 Problem Description: When using prctl(PR_SET_NAME) to set the thread name, it is checked by security_task_prctl. We discovered a leaking path that can also use method implemented in fs/proc/base.c:1526 comm_write(), to do similar thing without asking LSM?s decision. - Tong ^ permalink raw reply [flat|nested] 10+ messages in thread
* Leaking path for set_task_comm @ 2018-09-25 17:27 ` Tong Zhang 0 siblings, 0 replies; 10+ messages in thread From: Tong Zhang @ 2018-09-25 17:27 UTC (permalink / raw) To: adobriyan, akpm, viro, gorcunov Cc: linux-kernel, linux-fsdevel, linux-security-module, wenbo.s Kernel Version: 4.18.5 Problem Description: When using prctl(PR_SET_NAME) to set the thread name, it is checked by security_task_prctl. We discovered a leaking path that can also use method implemented in fs/proc/base.c:1526 comm_write(), to do similar thing without asking LSM’s decision. - Tong ^ permalink raw reply [flat|nested] 10+ messages in thread
* Leaking path for set_task_comm 2018-09-25 17:27 ` Tong Zhang @ 2018-09-25 18:39 ` Cyrill Gorcunov -1 siblings, 0 replies; 10+ messages in thread From: Cyrill Gorcunov @ 2018-09-25 18:39 UTC (permalink / raw) To: linux-security-module On Tue, Sep 25, 2018 at 01:27:08PM -0400, Tong Zhang wrote: > Kernel Version: 4.18.5 > > Problem Description: > > When using prctl(PR_SET_NAME) to set the thread name, it is checked by security_task_prctl. > > We discovered a leaking path that can also use method implemented in > fs/proc/base.c:1526 comm_write(), to do similar thing without asking LSM?s decision. I don't understand how it is a problem. Could you please explain? procfs/comm is created with S_IRUGO|S_IWUSR permissions. So prctl and procfs are simply different interfaces. ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Leaking path for set_task_comm @ 2018-09-25 18:39 ` Cyrill Gorcunov 0 siblings, 0 replies; 10+ messages in thread From: Cyrill Gorcunov @ 2018-09-25 18:39 UTC (permalink / raw) To: Tong Zhang Cc: adobriyan, akpm, viro, linux-kernel, linux-fsdevel, linux-security-module, wenbo.s On Tue, Sep 25, 2018 at 01:27:08PM -0400, Tong Zhang wrote: > Kernel Version: 4.18.5 > > Problem Description: > > When using prctl(PR_SET_NAME) to set the thread name, it is checked by security_task_prctl. > > We discovered a leaking path that can also use method implemented in > fs/proc/base.c:1526 comm_write(), to do similar thing without asking LSM’s decision. I don't understand how it is a problem. Could you please explain? procfs/comm is created with S_IRUGO|S_IWUSR permissions. So prctl and procfs are simply different interfaces. ^ permalink raw reply [flat|nested] 10+ messages in thread
* Leaking path for set_task_comm 2018-09-25 18:39 ` Cyrill Gorcunov @ 2018-09-26 0:44 ` TongZhang -1 siblings, 0 replies; 10+ messages in thread From: TongZhang @ 2018-09-26 0:44 UTC (permalink / raw) To: linux-security-module Yes, this is exactly what I am saying. A process can change its own name using prctl or /proc/self/comm. prctl is protected by security_task_prctl, whereas /proc/self/comm is not protected by this LSM hook. A system admin may expect to use security_task_prctl to block all attempt to change process name, however, it can still change name using /proc/self/comm. > On Sep 25, 2018, at 2:39 PM, Cyrill Gorcunov <gorcunov@gmail.com> wrote: > > On Tue, Sep 25, 2018 at 01:27:08PM -0400, Tong Zhang wrote: >> Kernel Version: 4.18.5 >> >> Problem Description: >> >> When using prctl(PR_SET_NAME) to set the thread name, it is checked by security_task_prctl. >> >> We discovered a leaking path that can also use method implemented in >> fs/proc/base.c:1526 comm_write(), to do similar thing without asking LSM?s decision. > > I don't understand how it is a problem. Could you please explain? > procfs/comm is created with S_IRUGO|S_IWUSR permissions. So > prctl and procfs are simply different interfaces. ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Leaking path for set_task_comm @ 2018-09-26 0:44 ` TongZhang 0 siblings, 0 replies; 10+ messages in thread From: TongZhang @ 2018-09-26 0:44 UTC (permalink / raw) To: Cyrill Gorcunov Cc: adobriyan, akpm, viro, LKML, linux-fsdevel, linux-security-module, Wenbo Shen Yes, this is exactly what I am saying. A process can change its own name using prctl or /proc/self/comm. prctl is protected by security_task_prctl, whereas /proc/self/comm is not protected by this LSM hook. A system admin may expect to use security_task_prctl to block all attempt to change process name, however, it can still change name using /proc/self/comm. > On Sep 25, 2018, at 2:39 PM, Cyrill Gorcunov <gorcunov@gmail.com> wrote: > > On Tue, Sep 25, 2018 at 01:27:08PM -0400, Tong Zhang wrote: >> Kernel Version: 4.18.5 >> >> Problem Description: >> >> When using prctl(PR_SET_NAME) to set the thread name, it is checked by security_task_prctl. >> >> We discovered a leaking path that can also use method implemented in >> fs/proc/base.c:1526 comm_write(), to do similar thing without asking LSM’s decision. > > I don't understand how it is a problem. Could you please explain? > procfs/comm is created with S_IRUGO|S_IWUSR permissions. So > prctl and procfs are simply different interfaces. ^ permalink raw reply [flat|nested] 10+ messages in thread
* Leaking path for set_task_comm 2018-09-26 0:44 ` TongZhang @ 2018-09-26 3:16 ` Theodore Y. Ts'o -1 siblings, 0 replies; 10+ messages in thread From: Theodore Y. Ts'o @ 2018-09-26 3:16 UTC (permalink / raw) To: linux-security-module On Tue, Sep 25, 2018 at 08:44:39PM -0400, TongZhang wrote: > Yes, this is exactly what I am saying. > A process can change its own name using prctl or /proc/self/comm. > prctl is protected by security_task_prctl, whereas /proc/self/comm is not protected by this LSM hook. > > A system admin may expect to use security_task_prctl to block all attempt to change process name, however, it can still change name using /proc/self/comm. None of the in-tree LSM's try to affect PR_SET_NAME. Looking at security/commoncap.c, it's clear what is of interest is to checking things relating to security sensitive things relating to capabilities, such as: PR_SET_SECUREBITS PR_CAPBSET_* PR_*_SECUREBITS PR_*_KEEPCAPS PR_CAP_AMBIENT Trying to depend on task name for anything security sensitive is at _really_ bad idea, so it seems unlikely that a LSM would want to protect the process name. (And if they did, the first thing I would ask is "Why? What are you trying to do? Do you realize how many *other* ways the process name can be spoofed or otherwise controlled by a potentially malicious user?") - Ted ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Leaking path for set_task_comm @ 2018-09-26 3:16 ` Theodore Y. Ts'o 0 siblings, 0 replies; 10+ messages in thread From: Theodore Y. Ts'o @ 2018-09-26 3:16 UTC (permalink / raw) To: TongZhang Cc: Cyrill Gorcunov, adobriyan, akpm, viro, LKML, linux-fsdevel, linux-security-module, Wenbo Shen On Tue, Sep 25, 2018 at 08:44:39PM -0400, TongZhang wrote: > Yes, this is exactly what I am saying. > A process can change its own name using prctl or /proc/self/comm. > prctl is protected by security_task_prctl, whereas /proc/self/comm is not protected by this LSM hook. > > A system admin may expect to use security_task_prctl to block all attempt to change process name, however, it can still change name using /proc/self/comm. None of the in-tree LSM's try to affect PR_SET_NAME. Looking at security/commoncap.c, it's clear what is of interest is to checking things relating to security sensitive things relating to capabilities, such as: PR_SET_SECUREBITS PR_CAPBSET_* PR_*_SECUREBITS PR_*_KEEPCAPS PR_CAP_AMBIENT Trying to depend on task name for anything security sensitive is at _really_ bad idea, so it seems unlikely that a LSM would want to protect the process name. (And if they did, the first thing I would ask is "Why? What are you trying to do? Do you realize how many *other* ways the process name can be spoofed or otherwise controlled by a potentially malicious user?") - Ted ^ permalink raw reply [flat|nested] 10+ messages in thread
* Leaking path for set_task_comm 2018-09-26 3:16 ` Theodore Y. Ts'o @ 2018-09-26 22:39 ` Alan Cox -1 siblings, 0 replies; 10+ messages in thread From: Alan Cox @ 2018-09-26 22:39 UTC (permalink / raw) To: linux-security-module > Trying to depend on task name for anything security sensitive is at > _really_ bad idea, so it seems unlikely that a LSM would want to > protect the process name. (And if they did, the first thing I would > ask is "Why? What are you trying to do? Do you realize how many > *other* ways the process name can be spoofed or otherwise controlled > by a potentially malicious user?") Two processes that should not be able to otherwise communicate can keep changing their name to a chunk of data, waiting for an ack flag name change back. Alan ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Leaking path for set_task_comm @ 2018-09-26 22:39 ` Alan Cox 0 siblings, 0 replies; 10+ messages in thread From: Alan Cox @ 2018-09-26 22:39 UTC (permalink / raw) To: Theodore Y. Ts'o; +Cc: TongZhang, Cyrill Gorcunov, adobriyan, akpm, viro > Trying to depend on task name for anything security sensitive is at > _really_ bad idea, so it seems unlikely that a LSM would want to > protect the process name. (And if they did, the first thing I would > ask is "Why? What are you trying to do? Do you realize how many > *other* ways the process name can be spoofed or otherwise controlled > by a potentially malicious user?") Two processes that should not be able to otherwise communicate can keep changing their name to a chunk of data, waiting for an ack flag name change back. Alan ^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2018-09-28 14:05 UTC | newest] Thread overview: 10+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2018-09-25 17:27 Leaking path for set_task_comm Tong Zhang 2018-09-25 17:27 ` Tong Zhang 2018-09-25 18:39 ` Cyrill Gorcunov 2018-09-25 18:39 ` Cyrill Gorcunov 2018-09-26 0:44 ` TongZhang 2018-09-26 0:44 ` TongZhang 2018-09-26 3:16 ` Theodore Y. Ts'o 2018-09-26 3:16 ` Theodore Y. Ts'o 2018-09-26 22:39 ` Alan Cox 2018-09-26 22:39 ` Alan Cox
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.