From: Kees Cook <keescook@chromium.org>
To: Christian Brauner <brauner@kernel.org>
Cc: Adrian Ratiu <adrian.ratiu@collabora.com>,
linux-fsdevel@vger.kernel.org, kernel@collabora.com,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org,
Guenter Roeck <groeck@chromium.org>,
Doug Anderson <dianders@chromium.org>,
Jann Horn <jannh@google.com>,
Andrew Morton <akpm@linux-foundation.org>,
Randy Dunlap <rdunlap@infradead.org>,
Mike Frysinger <vapier@chromium.org>
Subject: Re: [PATCH v2] proc: allow restricting /proc/pid/mem writes
Date: Tue, 5 Mar 2024 01:41:29 -0800 [thread overview]
Message-ID: <202403050134.784D787337@keescook> (raw)
In-Reply-To: <20240305-attentat-robust-b0da8137b7df@brauner>
On Tue, Mar 05, 2024 at 09:59:47AM +0100, Christian Brauner wrote:
> > > Uhm, this will break the seccomp notifier, no? So you can't turn on
> > > SECURITY_PROC_MEM_RESTRICT_WRITE when you want to use the seccomp
> > > notifier to do system call interception and rewrite memory locations of
> > > the calling task, no? Which is very much relied upon in various
> > > container managers and possibly other security tools.
> > >
> > > Which means that you can't turn this on in any of the regular distros.
> >
> > FWIW, it's a run-time toggle, but yes, let's make sure this works
> > correctly.
> >
> > > So you need to either account for the calling task being a seccomp
> > > supervisor for the task whose memory it is trying to access or you need
> > > to provide a migration path by adding an api that let's caller's perform
> > > these writes through the seccomp notifier.
> >
> > How do seccomp supervisors that use USER_NOTIF do those kinds of
> > memory writes currently? I thought they were actually using ptrace?
> > Everything I'm familiar with is just using SECCOMP_IOCTL_NOTIF_ADDFD,
> > and not doing fancy memory pokes.
>
> For example, incus has a seccomp supervisor such that each container
> gets it's own goroutine that is responsible for handling system call
> interception.
>
> If a container is started the container runtime connects to an AF_UNIX
> socket to register with the seccomp supervisor. It stays connected until
> it stops. Everytime a system call is performed that is registered in the
> seccomp notifier filter the container runtime will send a AF_UNIX
> message to the seccomp supervisor. This will include the following fds:
>
> - the pidfd of the task that performed the system call (we should
> actually replace this with SO_PEERPIDFD now that we have that)
> - the fd of the task's memory to /proc/<pid>/mem
>
> The seccomp supervisor will then perform the system call interception
> including the required memory reads and writes.
Okay, so the patch would very much break that. Some questions, though:
- why not use process_vm_writev()?
- does the supervisor depend on FOLL_FORCE?
Perhaps is is sufficient to block the use of FOLL_FORCE?
I took a look at the Chrome OS exploit, and I _think_ it is depending
on the FOLL_FORCE behavior (it searches for a symbol to overwrite that
if I'm following correctly is in a read-only region), but some of the
binaries don't include source code, so I couldn't easily see what was
being injected. Mike or Adrian can you confirm this?
--
Kees Cook
next prev parent reply other threads:[~2024-03-05 9:41 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-01 21:34 [PATCH v2] proc: allow restricting /proc/pid/mem writes Adrian Ratiu
2024-03-01 23:55 ` Kees Cook
2024-03-02 10:31 ` Adrian Ratiu
2024-03-04 14:06 ` Adrian Ratiu
2024-03-04 17:42 ` Kees Cook
2024-03-04 13:20 ` Christian Brauner
2024-03-04 13:48 ` Adrian Ratiu
2024-03-04 14:05 ` Christian Brauner
2024-03-04 14:35 ` Adrian Ratiu
2024-03-04 17:56 ` Kees Cook
2024-03-04 17:49 ` Kees Cook
2024-03-05 8:59 ` Christian Brauner
2024-03-05 9:41 ` Kees Cook [this message]
2024-03-05 9:58 ` Christian Brauner
2024-03-05 10:12 ` Kees Cook
2024-03-05 10:32 ` Christian Brauner
2024-03-05 18:37 ` Kees Cook
2024-03-05 19:34 ` Adrian Ratiu
2024-03-05 19:38 ` Kees Cook
2024-03-06 10:31 ` Christian Brauner
2024-03-05 11:03 ` Christian Brauner
2024-03-05 18:33 ` Kees Cook
2024-03-06 10:49 ` Matt Denton
2024-03-05 15:38 ` Adrian Ratiu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202403050134.784D787337@keescook \
--to=keescook@chromium.org \
--cc=adrian.ratiu@collabora.com \
--cc=akpm@linux-foundation.org \
--cc=brauner@kernel.org \
--cc=dianders@chromium.org \
--cc=groeck@chromium.org \
--cc=jannh@google.com \
--cc=kernel@collabora.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=rdunlap@infradead.org \
--cc=vapier@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.