From: Giuseppe Scrivano <gscrivan@redhat.com>
To: Aleksa Sarai <cyphar@cyphar.com>
Cc: linux-kernel@vger.kernel.org, keescook@chromium.org,
bristot@redhat.com, ebiederm@xmission.com, brauner@kernel.org,
viro@zeniv.linux.org.uk, alexl@redhat.com, peterz@infradead.org,
bmasney@redhat.com
Subject: Re: [PATCH v3 1/2] exec: add PR_HIDE_SELF_EXE prctl
Date: Tue, 24 Jan 2023 08:29:49 +0100 [thread overview]
Message-ID: <87h6wgcrv6.fsf@redhat.com> (raw)
In-Reply-To: <20230124015348.6rvic5g6ymsfvj4e@senku> (Aleksa Sarai's message of "Tue, 24 Jan 2023 12:53:48 +1100")
Aleksa Sarai <cyphar@cyphar.com> writes:
> On 2023-01-20, Giuseppe Scrivano <gscrivan@redhat.com> wrote:
>> This patch adds a new prctl called PR_HIDE_SELF_EXE which allows
>> processes to hide their own /proc/*/exe file. When this prctl is
>> used, every access to /proc/*/exe for the calling process will
>> fail with ENOENT.
>>
>> This is useful for preventing issues like CVE-2019-5736, where an
>> attacker can gain host root access by overwriting the binary
>> in OCI runtimes through file-descriptor mishandling in containers.
>>
>> The current fix for CVE-2019-5736 is to create a read-only copy or
>> a bind-mount of the current executable, and then re-exec the current
>> process. With the new prctl, the read-only copy or bind-mount copy is
>> not needed anymore.
>>
>> While map_files/ also might contain symlinks to files in host,
>> proc_map_files_get_link() permissions checks are already sufficient.
>
> I suspect this doesn't protect against the execve("/proc/self/exe")
> tactic (because it clears the bit on execve), so I'm not sure this is
> much safer than PR_SET_DUMPABLE (yeah, it stops root in the source
> userns from accessing /proc/$pid/exe but the above attack makes that no
> longer that important).
it protects against that attack too. It clears the bit _after_ the
execve() syscall is done.
If you attempt execve("/proc/self/exe") you still get ENOENT:
```
#include <stdlib.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <unistd.h>
int main(void)
{
int ret;
ret = prctl(65, 1, 0, 0, 0);
if (ret != 0)
exit(1);
execl("/proc/self/exe", "foo", NULL);
exit(2);
}
```
# strace -e prctl,execve ./hide-self-exe
execve("./hide-self-exe", ["./hide-self-exe"], 0x7fff975a3690 /* 39 vars */) = 0
prctl(0x41 /* PR_??? */, 0x1, 0, 0, 0) = 0
execve("/proc/self/exe", ["foo"], 0x7ffcf51868b8 /* 39 vars */) = -1 ENOENT (No such file or directory)
+++ exited with 2 +++
I've also tried execv'ing with a script that uses "#!/proc/self/exe" and
I get the same ENOENT.
>
> I think the only way to fix this properly is by blocking re-opens of
> magic links that have more permissions than they originally did. I just
> got back from vacation, but I'm working on fixing up [1] so it's ready
> to be an RFC so we can close this hole once and for all.
so that relies on the fact opening /proc/self/exe with O_WRONLY fails
with ETXTBSY?
> [1]: https://github.com/cyphar/linux/tree/magiclink/open_how-reopen
>
>>
>> Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
>> ---
>> v2: https://lkml.org/lkml/2023/1/19/849
>>
>> Differences from v2:
>>
>> - fixed the test to check PR_SET_HIDE_SELF_EXE after fork
>>
>> v1: https://lkml.org/lkml/2023/1/4/334
>>
>> Differences from v1:
>>
>> - amended more information in the commit message wrt map_files not
>> requiring the same protection.
>> - changed the test to verify PR_HIDE_SELF_EXE cannot be unset after
>> a fork.
>>
>> fs/exec.c | 1 +
>> fs/proc/base.c | 8 +++++---
>> include/linux/sched.h | 5 +++++
>> include/uapi/linux/prctl.h | 3 +++
>> kernel/sys.c | 9 +++++++++
>> tools/include/uapi/linux/prctl.h | 3 +++
>> 6 files changed, 26 insertions(+), 3 deletions(-)
>>
>> diff --git a/fs/exec.c b/fs/exec.c
>> index ab913243a367..5a5dd964c3a3 100644
>> --- a/fs/exec.c
>> +++ b/fs/exec.c
>> @@ -1855,6 +1855,7 @@ static int bprm_execve(struct linux_binprm *bprm,
>> /* execve succeeded */
>> current->fs->in_exec = 0;
>> current->in_execve = 0;
>> + task_clear_hide_self_exe(current);
>> rseq_execve(current);
>> acct_update_integrals(current);
>> task_numa_free(current, false);
>> diff --git a/fs/proc/base.c b/fs/proc/base.c
>> index 9e479d7d202b..959968e2da0d 100644
>> --- a/fs/proc/base.c
>> +++ b/fs/proc/base.c
>> @@ -1723,19 +1723,21 @@ static int proc_exe_link(struct dentry *dentry, struct path *exe_path)
>> {
>> struct task_struct *task;
>> struct file *exe_file;
>> + long hide_self_exe;
>>
>> task = get_proc_task(d_inode(dentry));
>> if (!task)
>> return -ENOENT;
>> exe_file = get_task_exe_file(task);
>> + hide_self_exe = task_hide_self_exe(task);
>> put_task_struct(task);
>> - if (exe_file) {
>> + if (exe_file && !hide_self_exe) {
>> *exe_path = exe_file->f_path;
>> path_get(&exe_file->f_path);
>> fput(exe_file);
>> return 0;
>> - } else
>> - return -ENOENT;
>> + }
>> + return -ENOENT;
>> }
>>
>> static const char *proc_pid_get_link(struct dentry *dentry,
>> diff --git a/include/linux/sched.h b/include/linux/sched.h
>> index 853d08f7562b..8db32d5fc285 100644
>> --- a/include/linux/sched.h
>> +++ b/include/linux/sched.h
>> @@ -1790,6 +1790,7 @@ static __always_inline bool is_percpu_thread(void)
>> #define PFA_SPEC_IB_DISABLE 5 /* Indirect branch speculation restricted */
>> #define PFA_SPEC_IB_FORCE_DISABLE 6 /* Indirect branch speculation permanently restricted */
>> #define PFA_SPEC_SSB_NOEXEC 7 /* Speculative Store Bypass clear on execve() */
>> +#define PFA_HIDE_SELF_EXE 8 /* Hide /proc/self/exe for the process */
>>
>> #define TASK_PFA_TEST(name, func) \
>> static inline bool task_##func(struct task_struct *p) \
>> @@ -1832,6 +1833,10 @@ TASK_PFA_CLEAR(SPEC_IB_DISABLE, spec_ib_disable)
>> TASK_PFA_TEST(SPEC_IB_FORCE_DISABLE, spec_ib_force_disable)
>> TASK_PFA_SET(SPEC_IB_FORCE_DISABLE, spec_ib_force_disable)
>>
>> +TASK_PFA_TEST(HIDE_SELF_EXE, hide_self_exe)
>> +TASK_PFA_SET(HIDE_SELF_EXE, hide_self_exe)
>> +TASK_PFA_CLEAR(HIDE_SELF_EXE, hide_self_exe)
>> +
>> static inline void
>> current_restore_flags(unsigned long orig_flags, unsigned long flags)
>> {
>> diff --git a/include/uapi/linux/prctl.h b/include/uapi/linux/prctl.h
>> index a5e06dcbba13..f12f3df12468 100644
>> --- a/include/uapi/linux/prctl.h
>> +++ b/include/uapi/linux/prctl.h
>> @@ -284,4 +284,7 @@ struct prctl_mm_map {
>> #define PR_SET_VMA 0x53564d41
>> # define PR_SET_VMA_ANON_NAME 0
>>
>> +#define PR_SET_HIDE_SELF_EXE 65
>> +#define PR_GET_HIDE_SELF_EXE 66
>> +
>> #endif /* _LINUX_PRCTL_H */
>> diff --git a/kernel/sys.c b/kernel/sys.c
>> index 5fd54bf0e886..e992f1b72973 100644
>> --- a/kernel/sys.c
>> +++ b/kernel/sys.c
>> @@ -2626,6 +2626,15 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
>> case PR_SET_VMA:
>> error = prctl_set_vma(arg2, arg3, arg4, arg5);
>> break;
>> + case PR_SET_HIDE_SELF_EXE:
>> + if (arg2 != 1 || arg3 || arg4 || arg5)
>> + return -EINVAL;
>> + task_set_hide_self_exe(current);
>> + break;
>> + case PR_GET_HIDE_SELF_EXE:
>> + if (arg2 || arg3 || arg4 || arg5)
>> + return -EINVAL;
>> + return task_hide_self_exe(current) ? 1 : 0;
>> default:
>> error = -EINVAL;
>> break;
>> diff --git a/tools/include/uapi/linux/prctl.h b/tools/include/uapi/linux/prctl.h
>> index a5e06dcbba13..f12f3df12468 100644
>> --- a/tools/include/uapi/linux/prctl.h
>> +++ b/tools/include/uapi/linux/prctl.h
>> @@ -284,4 +284,7 @@ struct prctl_mm_map {
>> #define PR_SET_VMA 0x53564d41
>> # define PR_SET_VMA_ANON_NAME 0
>>
>> +#define PR_SET_HIDE_SELF_EXE 65
>> +#define PR_GET_HIDE_SELF_EXE 66
>> +
>> #endif /* _LINUX_PRCTL_H */
>> --
>> 2.38.1
>>
next prev parent reply other threads:[~2023-01-24 7:30 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-20 10:25 [PATCH v3 1/2] exec: add PR_HIDE_SELF_EXE prctl Giuseppe Scrivano
2023-01-20 10:25 ` [PATCH v3 2/2] selftests: add tests for prctl(SET_HIDE_SELF_EXE) Giuseppe Scrivano
2023-01-20 16:05 ` Brian Masney
2023-01-23 18:41 ` [PATCH v3 1/2] exec: add PR_HIDE_SELF_EXE prctl Colin Walters
2023-01-23 19:21 ` Giuseppe Scrivano
2023-01-23 22:07 ` Colin Walters
2023-01-23 22:54 ` Giuseppe Scrivano
2023-01-23 23:14 ` Colin Walters
2023-01-24 1:53 ` Aleksa Sarai
2023-01-24 7:29 ` Giuseppe Scrivano [this message]
2023-01-25 15:28 ` Aleksa Sarai
2023-01-25 16:30 ` Giuseppe Scrivano
2023-01-29 13:59 ` Colin Walters
2023-01-29 16:58 ` Christian Brauner
2023-01-29 18:12 ` Colin Walters
2023-01-30 9:53 ` Christian Brauner
2023-01-30 10:06 ` Christian Brauner
2023-01-30 21:52 ` Colin Walters
2023-01-31 14:17 ` Giuseppe Scrivano
2023-02-25 0:27 ` Andrei Vagin
2023-02-28 14:19 ` Giuseppe Scrivano
2023-01-26 8:25 ` Christian Brauner
2023-01-24 19:17 ` Andrei Vagin
2023-01-27 12:31 ` Christian Brauner
2023-01-27 20:34 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87h6wgcrv6.fsf@redhat.com \
--to=gscrivan@redhat.com \
--cc=alexl@redhat.com \
--cc=bmasney@redhat.com \
--cc=brauner@kernel.org \
--cc=bristot@redhat.com \
--cc=cyphar@cyphar.com \
--cc=ebiederm@xmission.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=peterz@infradead.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.