From: tytso@mit.edu (Theodore Y. Ts'o)
To: linux-security-module@vger.kernel.org
Subject: Leaking path for set_task_comm
Date: Tue, 25 Sep 2018 23:16:45 -0400 [thread overview]
Message-ID: <20180926031645.GB3321@thunk.org> (raw)
In-Reply-To: <0CD63E6E-7512-4DD6-8858-4408416DC730@vt.edu>
On Tue, Sep 25, 2018 at 08:44:39PM -0400, TongZhang wrote:
> Yes, this is exactly what I am saying.
> A process can change its own name using prctl or /proc/self/comm.
> prctl is protected by security_task_prctl, whereas /proc/self/comm is not protected by this LSM hook.
>
> A system admin may expect to use security_task_prctl to block all attempt to change process name, however, it can still change name using /proc/self/comm.
None of the in-tree LSM's try to affect PR_SET_NAME. Looking at
security/commoncap.c, it's clear what is of interest is to checking
things relating to security sensitive things relating to capabilities, such as:
PR_SET_SECUREBITS
PR_CAPBSET_*
PR_*_SECUREBITS
PR_*_KEEPCAPS
PR_CAP_AMBIENT
Trying to depend on task name for anything security sensitive is at
_really_ bad idea, so it seems unlikely that a LSM would want to
protect the process name. (And if they did, the first thing I would
ask is "Why? What are you trying to do? Do you realize how many
*other* ways the process name can be spoofed or otherwise controlled
by a potentially malicious user?")
- Ted
WARNING: multiple messages have this Message-ID (diff)
From: "Theodore Y. Ts'o" <tytso@mit.edu>
To: TongZhang <ztong@vt.edu>
Cc: Cyrill Gorcunov <gorcunov@gmail.com>,
adobriyan@gmail.com, akpm@linux-foundation.org,
viro@zeniv.linux.org.uk, LKML <linux-kernel@vger.kernel.org>,
linux-fsdevel@vger.kernel.org,
linux-security-module@vger.kernel.org,
Wenbo Shen <shenwenbosmile@gmail.com>
Subject: Re: Leaking path for set_task_comm
Date: Tue, 25 Sep 2018 23:16:45 -0400 [thread overview]
Message-ID: <20180926031645.GB3321@thunk.org> (raw)
In-Reply-To: <0CD63E6E-7512-4DD6-8858-4408416DC730@vt.edu>
On Tue, Sep 25, 2018 at 08:44:39PM -0400, TongZhang wrote:
> Yes, this is exactly what I am saying.
> A process can change its own name using prctl or /proc/self/comm.
> prctl is protected by security_task_prctl, whereas /proc/self/comm is not protected by this LSM hook.
>
> A system admin may expect to use security_task_prctl to block all attempt to change process name, however, it can still change name using /proc/self/comm.
None of the in-tree LSM's try to affect PR_SET_NAME. Looking at
security/commoncap.c, it's clear what is of interest is to checking
things relating to security sensitive things relating to capabilities, such as:
PR_SET_SECUREBITS
PR_CAPBSET_*
PR_*_SECUREBITS
PR_*_KEEPCAPS
PR_CAP_AMBIENT
Trying to depend on task name for anything security sensitive is at
_really_ bad idea, so it seems unlikely that a LSM would want to
protect the process name. (And if they did, the first thing I would
ask is "Why? What are you trying to do? Do you realize how many
*other* ways the process name can be spoofed or otherwise controlled
by a potentially malicious user?")
- Ted
next prev parent reply other threads:[~2018-09-26 3:16 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-25 17:27 Leaking path for set_task_comm Tong Zhang
2018-09-25 17:27 ` Tong Zhang
2018-09-25 18:39 ` Cyrill Gorcunov
2018-09-25 18:39 ` Cyrill Gorcunov
2018-09-26 0:44 ` TongZhang
2018-09-26 0:44 ` TongZhang
2018-09-26 3:16 ` Theodore Y. Ts'o [this message]
2018-09-26 3:16 ` Theodore Y. Ts'o
2018-09-26 22:39 ` Alan Cox
2018-09-26 22:39 ` Alan Cox
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180926031645.GB3321@thunk.org \
--to=tytso@mit.edu \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.