From: ebiederm@xmission.com (Eric W. Biederman)
To: Djalal Harouni <tixxdz@opendz.org>
Cc: linux-kernel@vger.kernel.org,
kernel-hardening@lists.openwall.com,
Andrew Morton <akpm@linux-foundation.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Al Viro <viro@zeniv.linux.org.uk>,
Alexey Dobriyan <adobriyan@gmail.com>,
Vasiliy Kulikov <segoon@openwall.com>,
Kees Cook <keescook@chromium.org>,
Solar Designer <solar@openwall.com>,
WANG Cong <xiyou.wangcong@gmail.com>,
James Morris <james.l.morris@oracle.com>,
Oleg Nesterov <oleg@redhat.com>,
linux-security-module@vger.kernel.org,
linux-fsdevel@vger.kernel.org,
Alan Cox <alan@lxorguk.ukuu.org.uk>,
Greg KH <gregkh@linuxfoundation.org>, Ingo Molnar <mingo@elte.hu>,
Stephen Wilson <wilsons@start.ca>,
"Jason A. Donenfeld" <Jason@zx2c4.com>
Subject: [kernel-hardening] Re: [PATCH 0/9] proc: protect /proc/<pid>/* files across execve
Date: Mon, 12 Mar 2012 14:47:43 -0700 [thread overview]
Message-ID: <m11uoxij9c.fsf@fess.ebiederm.org> (raw)
In-Reply-To: <20120312204416.GG10787@dztty> (Djalal Harouni's message of "Mon, 12 Mar 2012 21:44:16 +0100")
Djalal Harouni <tixxdz@opendz.org> writes:
> On Mon, Mar 12, 2012 at 12:13:15PM -0700, Eric W. Biederman wrote:
>> Djalal Harouni <tixxdz@opendz.org> writes:
>>
>> > Procfs files and other important objects may contain sensitive information
>> > which must not be seen, inherited or processed across execve.
>>
>> So I am dense. /proc/<pid>/mem was special in that it uses a different
>> set of checks than other files, and to do those access checks
>> /proc/<pid>/mem needed to look at exec_id.
> If you are referring to the old protection, yes it was against an ID, but
> not uniq IDs, so you can execve a suid do some tricks to have a match on IDs
> and bypass the protection, how: by opening your /proc/self/mem and pass
> the fd to the exec suid who at read/write time will process its own
> /proc/self/mem
Yes that case is silly and I don't care. I care that you seem to be
stomping all over the non-silly cases using the excuse that there
was one silly case.
>> For all of the access checks that are not written in that silly way.
>> What is wrong with ptrace_may_access run at every read/write of a file?
> As it was noted, these files change during runtime, so even if you do the
> ptrace check at each syscall (which is of course a good thing), you must be
> sure that you are doing the check on the right target and the processed
> file belongs really to the appropriate process image of the target.
The right target is by definition the current value of the process in
question.
/proc/<pid>/<attr> files are supposed to work after an exec.
Adding an exec_id to additional files simply breaks existing
applications for no good reason.
What is needed is for safety is to guard against the race of exec
happening during a read or a write, so that we don't get access
to something we shouldn't have permissions to.
In general that means reference counting or locks. All exec_id can
meaningfully be used for in the general case is a trigger to try again.
> This is not news. Alan's historical links:
> http://lkml.org/lkml/2012/1/29/35
Alan's case refers to how to handle /proc/<pid>/maps the right way.
> The previous discussion on kernel-hardening:
> (includes some variants described by Vasiliy and other problems which I'll
> try to discuss here)
> http://www.openwall.com/lists/kernel-hardening/2012/02/10/1
In your post on openwall I just see you arguing that the current
and deliberate semantics of the permission checks on the proc files are
wrong. Because the permission checks happen at access time rather than
at open time.
Well I am sorry. The permission checks have happened at access time for
ages and that is deliberate.
Furthermore one of your confused arguments seems to imply that there is
a such a thing as a /proc/self file distinct from a /proc/<pid> file.
There not. /proc/self is just a symlink into /proc/<pid> and as such
does not open new security holes.
If you expect /proc/ not to let you find out things about yourself
if you are a suid executable that just seems silly.
So in short you seem to be arguing for changing the semantics of access
of every file under /proc/<pid> because there is cognitive dissonance
between your understanding of those files and what is implemented. I
see no acknowledgement that you are arguing for a semantic change or
any arguments in favor of that change. At best I see is an argument
that says you the files don't work the way you expect which is most
definitely not sufficient for a change.
Eric
WARNING: multiple messages have this Message-ID (diff)
From: ebiederm@xmission.com (Eric W. Biederman)
To: Djalal Harouni <tixxdz@opendz.org>
Cc: linux-kernel@vger.kernel.org,
kernel-hardening@lists.openwall.com,
Andrew Morton <akpm@linux-foundation.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Al Viro <viro@zeniv.linux.org.uk>,
Alexey Dobriyan <adobriyan@gmail.com>,
Vasiliy Kulikov <segoon@openwall.com>,
Kees Cook <keescook@chromium.org>,
Solar Designer <solar@openwall.com>,
WANG Cong <xiyou.wangcong@gmail.com>,
James Morris <james.l.morris@oracle.com>,
Oleg Nesterov <oleg@redhat.com>,
linux-security-module@vger.kernel.org,
linux-fsdevel@vger.kernel.org,
Alan Cox <alan@lxorguk.ukuu.org.uk>,
Greg KH <gregkh@linuxfoundation.org>, Ingo Molnar <mingo@elte.hu>,
Stephen Wilson <wilsons@start.ca>,
"Jason A. Donenfeld" <Jason@zx2c4.com>
Subject: Re: [PATCH 0/9] proc: protect /proc/<pid>/* files across execve
Date: Mon, 12 Mar 2012 14:47:43 -0700 [thread overview]
Message-ID: <m11uoxij9c.fsf@fess.ebiederm.org> (raw)
In-Reply-To: <20120312204416.GG10787@dztty> (Djalal Harouni's message of "Mon, 12 Mar 2012 21:44:16 +0100")
Djalal Harouni <tixxdz@opendz.org> writes:
> On Mon, Mar 12, 2012 at 12:13:15PM -0700, Eric W. Biederman wrote:
>> Djalal Harouni <tixxdz@opendz.org> writes:
>>
>> > Procfs files and other important objects may contain sensitive information
>> > which must not be seen, inherited or processed across execve.
>>
>> So I am dense. /proc/<pid>/mem was special in that it uses a different
>> set of checks than other files, and to do those access checks
>> /proc/<pid>/mem needed to look at exec_id.
> If you are referring to the old protection, yes it was against an ID, but
> not uniq IDs, so you can execve a suid do some tricks to have a match on IDs
> and bypass the protection, how: by opening your /proc/self/mem and pass
> the fd to the exec suid who at read/write time will process its own
> /proc/self/mem
Yes that case is silly and I don't care. I care that you seem to be
stomping all over the non-silly cases using the excuse that there
was one silly case.
>> For all of the access checks that are not written in that silly way.
>> What is wrong with ptrace_may_access run at every read/write of a file?
> As it was noted, these files change during runtime, so even if you do the
> ptrace check at each syscall (which is of course a good thing), you must be
> sure that you are doing the check on the right target and the processed
> file belongs really to the appropriate process image of the target.
The right target is by definition the current value of the process in
question.
/proc/<pid>/<attr> files are supposed to work after an exec.
Adding an exec_id to additional files simply breaks existing
applications for no good reason.
What is needed is for safety is to guard against the race of exec
happening during a read or a write, so that we don't get access
to something we shouldn't have permissions to.
In general that means reference counting or locks. All exec_id can
meaningfully be used for in the general case is a trigger to try again.
> This is not news. Alan's historical links:
> http://lkml.org/lkml/2012/1/29/35
Alan's case refers to how to handle /proc/<pid>/maps the right way.
> The previous discussion on kernel-hardening:
> (includes some variants described by Vasiliy and other problems which I'll
> try to discuss here)
> http://www.openwall.com/lists/kernel-hardening/2012/02/10/1
In your post on openwall I just see you arguing that the current
and deliberate semantics of the permission checks on the proc files are
wrong. Because the permission checks happen at access time rather than
at open time.
Well I am sorry. The permission checks have happened at access time for
ages and that is deliberate.
Furthermore one of your confused arguments seems to imply that there is
a such a thing as a /proc/self file distinct from a /proc/<pid> file.
There not. /proc/self is just a symlink into /proc/<pid> and as such
does not open new security holes.
If you expect /proc/ not to let you find out things about yourself
if you are a suid executable that just seems silly.
So in short you seem to be arguing for changing the semantics of access
of every file under /proc/<pid> because there is cognitive dissonance
between your understanding of those files and what is implemented. I
see no acknowledgement that you are arguing for a semantic change or
any arguments in favor of that change. At best I see is an argument
that says you the files don't work the way you expect which is most
definitely not sufficient for a change.
Eric
next prev parent reply other threads:[~2012-03-12 21:47 UTC|newest]
Thread overview: 102+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-03-10 23:25 [kernel-hardening] [PATCH 0/9] proc: protect /proc/<pid>/* files across execve Djalal Harouni
2012-03-10 23:25 ` Djalal Harouni
2012-03-10 23:25 ` [kernel-hardening] [PATCH 1/9] exec: add a global execve counter Djalal Harouni
2012-03-10 23:25 ` Djalal Harouni
2012-03-11 0:12 ` [kernel-hardening] " Linus Torvalds
2012-03-11 0:12 ` Linus Torvalds
2012-03-11 0:36 ` [kernel-hardening] " Linus Torvalds
2012-03-11 0:36 ` Linus Torvalds
2012-03-11 0:58 ` [kernel-hardening] " Linus Torvalds
2012-03-11 0:58 ` Linus Torvalds
2012-03-11 8:24 ` [kernel-hardening] " Solar Designer
2012-03-11 8:24 ` Solar Designer
2012-03-11 9:56 ` [kernel-hardening] " Ingo Molnar
2012-03-11 9:56 ` Ingo Molnar
2012-03-11 14:03 ` [kernel-hardening] " Alan Cox
2012-03-11 14:03 ` Alan Cox
2012-03-11 17:15 ` [kernel-hardening] " Djalal Harouni
2012-03-11 17:15 ` Djalal Harouni
2012-03-11 8:39 ` [kernel-hardening] " Djalal Harouni
2012-03-11 8:39 ` Djalal Harouni
2012-03-11 9:40 ` [kernel-hardening] " Solar Designer
2012-03-11 9:40 ` Solar Designer
2012-03-11 17:25 ` [kernel-hardening] " Oleg Nesterov
2012-03-11 17:25 ` Oleg Nesterov
2012-03-11 17:49 ` [kernel-hardening] self_exec_id/parent_exec_id && CLONE_PARENT Oleg Nesterov
2012-03-11 17:49 ` Oleg Nesterov
2012-03-11 18:02 ` [kernel-hardening] " Linus Torvalds
2012-03-11 18:02 ` Linus Torvalds
2012-03-11 18:37 ` [kernel-hardening] " richard -rw- weinberger
2012-03-11 18:37 ` richard -rw- weinberger
2012-03-11 18:39 ` [kernel-hardening] " Oleg Nesterov
2012-03-11 18:39 ` Oleg Nesterov
2012-03-14 18:55 ` [kernel-hardening] [PATCH 0/1] (Was: self_exec_id/parent_exec_id && CLONE_PARENT) Oleg Nesterov
2012-03-14 18:55 ` Oleg Nesterov
2012-03-14 18:55 ` [kernel-hardening] [PATCH 1/1] CLONE_PARENT shouldn't allow to set ->exit_signal Oleg Nesterov
2012-03-14 18:55 ` Oleg Nesterov
2012-03-18 18:25 ` [kernel-hardening] " Linus Torvalds
2012-03-18 18:25 ` Linus Torvalds
2012-03-18 20:53 ` [kernel-hardening] " Oleg Nesterov
2012-03-18 20:53 ` Oleg Nesterov
[not found] ` <20120314190939.GC14172@redhat.com>
2012-03-19 16:02 ` [PATCH 0/3] exec_id/exit_signal fixes Oleg Nesterov
2012-03-19 16:03 ` [PATCH 1/3] exit_signal: simplify the "we have changed execution domain" logic Oleg Nesterov
2012-03-19 16:03 ` [PATCH 2/3] exit_signal: fix the "parent has changed security " Oleg Nesterov
2012-03-19 16:04 ` [PATCH 3/3] exec: move de_thread()->setmax_mm_hiwater_rss() into exec_mmap() Oleg Nesterov
2012-03-11 22:48 ` [kernel-hardening] Re: [PATCH 1/9] exec: add a global execve counter Linus Torvalds
2012-03-11 22:48 ` Linus Torvalds
2012-03-11 23:32 ` [kernel-hardening] " Djalal Harouni
2012-03-11 23:32 ` Djalal Harouni
2012-03-11 23:42 ` [kernel-hardening] " Linus Torvalds
2012-03-11 23:42 ` Linus Torvalds
2012-03-12 0:25 ` [kernel-hardening] " Djalal Harouni
2012-03-12 0:25 ` Djalal Harouni
2012-03-12 10:11 ` [kernel-hardening] " Linus Torvalds
2012-03-12 10:11 ` Linus Torvalds
2012-03-12 10:11 ` Linus Torvalds
2012-03-12 14:01 ` [kernel-hardening] " Djalal Harouni
2012-03-12 14:01 ` Djalal Harouni
2012-03-12 14:01 ` Djalal Harouni
2012-03-11 23:36 ` [kernel-hardening] " Djalal Harouni
2012-03-11 23:36 ` Djalal Harouni
2012-03-12 14:34 ` [kernel-hardening] " Oleg Nesterov
2012-03-12 14:34 ` Oleg Nesterov
2012-03-10 23:25 ` [kernel-hardening] [PATCH 2/9] proc: add proc_file_private struct to store private information Djalal Harouni
2012-03-10 23:25 ` Djalal Harouni
2012-03-10 23:25 ` [kernel-hardening] [PATCH 3/9] proc: new proc_exec_id_ok() helper function Djalal Harouni
2012-03-10 23:25 ` Djalal Harouni
2012-03-10 23:25 ` [kernel-hardening] [PATCH 4/9] proc: protect /proc/<pid>/* INF files from reader across execve Djalal Harouni
2012-03-10 23:25 ` Djalal Harouni
2012-03-10 23:25 ` [kernel-hardening] [PATCH 5/9] proc: add protection support for /proc/<pid>/* ONE files Djalal Harouni
2012-03-10 23:25 ` Djalal Harouni
2012-03-10 23:25 ` [kernel-hardening] [PATCH 6/9] proc: protect /proc/<pid>/* ONE files from reader across execve Djalal Harouni
2012-03-10 23:25 ` Djalal Harouni
2012-03-10 23:25 ` [kernel-hardening] [PATCH 7/9] proc: protect /proc/<pid>/{maps,smaps,numa_maps} Djalal Harouni
2012-03-10 23:25 ` Djalal Harouni
2012-03-10 23:25 ` [kernel-hardening] [PATCH 8/9] proc: protect /proc/<pid>/{environ,pagemap} across execve Djalal Harouni
2012-03-10 23:25 ` Djalal Harouni
2012-03-11 8:05 ` [kernel-hardening] " Alexey Dobriyan
2012-03-11 8:05 ` Alexey Dobriyan
2012-03-11 17:01 ` [kernel-hardening] " Djalal Harouni
2012-03-11 17:01 ` Djalal Harouni
2012-03-10 23:25 ` [kernel-hardening] [PATCH 9/9] proc: improve and clean up /proc/<pid>/mem protection Djalal Harouni
2012-03-10 23:25 ` Djalal Harouni
2012-03-11 0:01 ` [kernel-hardening] Re: [PATCH 0/9] proc: protect /proc/<pid>/* files across execve Linus Torvalds
2012-03-11 0:01 ` Linus Torvalds
2012-03-11 0:27 ` [kernel-hardening] " Djalal Harouni
2012-03-11 0:27 ` Djalal Harouni
2012-03-11 8:46 ` [kernel-hardening] " Djalal Harouni
2012-03-11 8:46 ` Djalal Harouni
2012-03-11 10:35 ` [kernel-hardening] exec_id protection from bad child exit signals (was: Re: [PATCH 0/9] proc: protect /proc/<pid>/* files across execve) Solar Designer
2012-03-11 10:35 ` Solar Designer
2012-03-11 18:20 ` [kernel-hardening] " Oleg Nesterov
2012-03-11 18:20 ` Oleg Nesterov
2012-03-12 19:13 ` [kernel-hardening] Re: [PATCH 0/9] proc: protect /proc/<pid>/* files across execve Eric W. Biederman
2012-03-12 19:13 ` Eric W. Biederman
2012-03-12 20:44 ` [kernel-hardening] " Djalal Harouni
2012-03-12 20:44 ` Djalal Harouni
2012-03-12 21:47 ` Eric W. Biederman [this message]
2012-03-12 21:47 ` Eric W. Biederman
2012-03-12 22:41 ` [kernel-hardening] " Djalal Harouni
2012-03-12 22:41 ` Djalal Harouni
2012-03-12 23:10 ` [kernel-hardening] " Eric W. Biederman
2012-03-12 23:10 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m11uoxij9c.fsf@fess.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=Jason@zx2c4.com \
--cc=adobriyan@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=gregkh@linuxfoundation.org \
--cc=james.l.morris@oracle.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=oleg@redhat.com \
--cc=segoon@openwall.com \
--cc=solar@openwall.com \
--cc=tixxdz@opendz.org \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
--cc=wilsons@start.ca \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.