From: ebiederm@xmission.com (Eric W. Biederman)
To: Djalal Harouni <tixxdz@opendz.org>
Cc: linux-kernel@vger.kernel.org,
kernel-hardening@lists.openwall.com,
Andrew Morton <akpm@linux-foundation.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Al Viro <viro@zeniv.linux.org.uk>,
Alexey Dobriyan <adobriyan@gmail.com>,
Vasiliy Kulikov <segoon@openwall.com>,
Kees Cook <keescook@chromium.org>,
Solar Designer <solar@openwall.com>,
WANG Cong <xiyou.wangcong@gmail.com>,
James Morris <james.l.morris@oracle.com>,
Oleg Nesterov <oleg@redhat.com>,
linux-security-module@vger.kernel.org,
linux-fsdevel@vger.kernel.org,
Alan Cox <alan@lxorguk.ukuu.org.uk>,
Greg KH <gregkh@linuxfoundation.org>, Ingo Molnar <mingo@elte.hu>,
Stephen Wilson <wilsons@start.ca>,
"Jason A. Donenfeld" <Jason@zx2c4.com>
Subject: [kernel-hardening] Re: [PATCH 0/9] proc: protect /proc/<pid>/* files across execve
Date: Mon, 12 Mar 2012 12:13:15 -0700 [thread overview]
Message-ID: <m1pqchocok.fsf@fess.ebiederm.org> (raw)
In-Reply-To: <1331421919-15499-1-git-send-email-tixxdz@opendz.org> (Djalal Harouni's message of "Sun, 11 Mar 2012 00:25:10 +0100")
Djalal Harouni <tixxdz@opendz.org> writes:
> Procfs files and other important objects may contain sensitive information
> which must not be seen, inherited or processed across execve.
So I am dense. /proc/<pid>/mem was special in that it uses a different
set of checks than other files, and to do those access checks
/proc/<pid>/mem needed to look at exec_id.
For all of the access checks that are not written in that silly way.
What is wrong with ptrace_may_access run at every read/write of a file?
We redo all of the permission checks every time so that should avoid
races.
I really think you are trying to solve something that is not broken.
Certainly I could not see your argument for why anything but
/proc/<pid>/mem needs attention.
Eric
WARNING: multiple messages have this Message-ID (diff)
From: ebiederm@xmission.com (Eric W. Biederman)
To: Djalal Harouni <tixxdz@opendz.org>
Cc: linux-kernel@vger.kernel.org,
kernel-hardening@lists.openwall.com,
Andrew Morton <akpm@linux-foundation.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Al Viro <viro@zeniv.linux.org.uk>,
Alexey Dobriyan <adobriyan@gmail.com>,
Vasiliy Kulikov <segoon@openwall.com>,
Kees Cook <keescook@chromium.org>,
Solar Designer <solar@openwall.com>,
WANG Cong <xiyou.wangcong@gmail.com>,
James Morris <james.l.morris@oracle.com>,
Oleg Nesterov <oleg@redhat.com>,
linux-security-module@vger.kernel.org,
linux-fsdevel@vger.kernel.org,
Alan Cox <alan@lxorguk.ukuu.org.uk>,
Greg KH <gregkh@linuxfoundation.org>, Ingo Molnar <mingo@elte.hu>,
Stephen Wilson <wilsons@start.ca>,
"Jason A. Donenfeld" <Jason@zx2c4.com>
Subject: Re: [PATCH 0/9] proc: protect /proc/<pid>/* files across execve
Date: Mon, 12 Mar 2012 12:13:15 -0700 [thread overview]
Message-ID: <m1pqchocok.fsf@fess.ebiederm.org> (raw)
In-Reply-To: <1331421919-15499-1-git-send-email-tixxdz@opendz.org> (Djalal Harouni's message of "Sun, 11 Mar 2012 00:25:10 +0100")
Djalal Harouni <tixxdz@opendz.org> writes:
> Procfs files and other important objects may contain sensitive information
> which must not be seen, inherited or processed across execve.
So I am dense. /proc/<pid>/mem was special in that it uses a different
set of checks than other files, and to do those access checks
/proc/<pid>/mem needed to look at exec_id.
For all of the access checks that are not written in that silly way.
What is wrong with ptrace_may_access run at every read/write of a file?
We redo all of the permission checks every time so that should avoid
races.
I really think you are trying to solve something that is not broken.
Certainly I could not see your argument for why anything but
/proc/<pid>/mem needs attention.
Eric
next prev parent reply other threads:[~2012-03-12 19:13 UTC|newest]
Thread overview: 102+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-03-10 23:25 [kernel-hardening] [PATCH 0/9] proc: protect /proc/<pid>/* files across execve Djalal Harouni
2012-03-10 23:25 ` Djalal Harouni
2012-03-10 23:25 ` [kernel-hardening] [PATCH 1/9] exec: add a global execve counter Djalal Harouni
2012-03-10 23:25 ` Djalal Harouni
2012-03-11 0:12 ` [kernel-hardening] " Linus Torvalds
2012-03-11 0:12 ` Linus Torvalds
2012-03-11 0:36 ` [kernel-hardening] " Linus Torvalds
2012-03-11 0:36 ` Linus Torvalds
2012-03-11 0:58 ` [kernel-hardening] " Linus Torvalds
2012-03-11 0:58 ` Linus Torvalds
2012-03-11 8:24 ` [kernel-hardening] " Solar Designer
2012-03-11 8:24 ` Solar Designer
2012-03-11 9:56 ` [kernel-hardening] " Ingo Molnar
2012-03-11 9:56 ` Ingo Molnar
2012-03-11 14:03 ` [kernel-hardening] " Alan Cox
2012-03-11 14:03 ` Alan Cox
2012-03-11 17:15 ` [kernel-hardening] " Djalal Harouni
2012-03-11 17:15 ` Djalal Harouni
2012-03-11 8:39 ` [kernel-hardening] " Djalal Harouni
2012-03-11 8:39 ` Djalal Harouni
2012-03-11 9:40 ` [kernel-hardening] " Solar Designer
2012-03-11 9:40 ` Solar Designer
2012-03-11 17:25 ` [kernel-hardening] " Oleg Nesterov
2012-03-11 17:25 ` Oleg Nesterov
2012-03-11 17:49 ` [kernel-hardening] self_exec_id/parent_exec_id && CLONE_PARENT Oleg Nesterov
2012-03-11 17:49 ` Oleg Nesterov
2012-03-11 18:02 ` [kernel-hardening] " Linus Torvalds
2012-03-11 18:02 ` Linus Torvalds
2012-03-11 18:37 ` [kernel-hardening] " richard -rw- weinberger
2012-03-11 18:37 ` richard -rw- weinberger
2012-03-11 18:39 ` [kernel-hardening] " Oleg Nesterov
2012-03-11 18:39 ` Oleg Nesterov
2012-03-14 18:55 ` [kernel-hardening] [PATCH 0/1] (Was: self_exec_id/parent_exec_id && CLONE_PARENT) Oleg Nesterov
2012-03-14 18:55 ` Oleg Nesterov
2012-03-14 18:55 ` [kernel-hardening] [PATCH 1/1] CLONE_PARENT shouldn't allow to set ->exit_signal Oleg Nesterov
2012-03-14 18:55 ` Oleg Nesterov
2012-03-18 18:25 ` [kernel-hardening] " Linus Torvalds
2012-03-18 18:25 ` Linus Torvalds
2012-03-18 20:53 ` [kernel-hardening] " Oleg Nesterov
2012-03-18 20:53 ` Oleg Nesterov
[not found] ` <20120314190939.GC14172@redhat.com>
2012-03-19 16:02 ` [PATCH 0/3] exec_id/exit_signal fixes Oleg Nesterov
2012-03-19 16:03 ` [PATCH 1/3] exit_signal: simplify the "we have changed execution domain" logic Oleg Nesterov
2012-03-19 16:03 ` [PATCH 2/3] exit_signal: fix the "parent has changed security " Oleg Nesterov
2012-03-19 16:04 ` [PATCH 3/3] exec: move de_thread()->setmax_mm_hiwater_rss() into exec_mmap() Oleg Nesterov
2012-03-11 22:48 ` [kernel-hardening] Re: [PATCH 1/9] exec: add a global execve counter Linus Torvalds
2012-03-11 22:48 ` Linus Torvalds
2012-03-11 23:32 ` [kernel-hardening] " Djalal Harouni
2012-03-11 23:32 ` Djalal Harouni
2012-03-11 23:42 ` [kernel-hardening] " Linus Torvalds
2012-03-11 23:42 ` Linus Torvalds
2012-03-12 0:25 ` [kernel-hardening] " Djalal Harouni
2012-03-12 0:25 ` Djalal Harouni
2012-03-12 10:11 ` [kernel-hardening] " Linus Torvalds
2012-03-12 10:11 ` Linus Torvalds
2012-03-12 10:11 ` Linus Torvalds
2012-03-12 14:01 ` [kernel-hardening] " Djalal Harouni
2012-03-12 14:01 ` Djalal Harouni
2012-03-12 14:01 ` Djalal Harouni
2012-03-11 23:36 ` [kernel-hardening] " Djalal Harouni
2012-03-11 23:36 ` Djalal Harouni
2012-03-12 14:34 ` [kernel-hardening] " Oleg Nesterov
2012-03-12 14:34 ` Oleg Nesterov
2012-03-10 23:25 ` [kernel-hardening] [PATCH 2/9] proc: add proc_file_private struct to store private information Djalal Harouni
2012-03-10 23:25 ` Djalal Harouni
2012-03-10 23:25 ` [kernel-hardening] [PATCH 3/9] proc: new proc_exec_id_ok() helper function Djalal Harouni
2012-03-10 23:25 ` Djalal Harouni
2012-03-10 23:25 ` [kernel-hardening] [PATCH 4/9] proc: protect /proc/<pid>/* INF files from reader across execve Djalal Harouni
2012-03-10 23:25 ` Djalal Harouni
2012-03-10 23:25 ` [kernel-hardening] [PATCH 5/9] proc: add protection support for /proc/<pid>/* ONE files Djalal Harouni
2012-03-10 23:25 ` Djalal Harouni
2012-03-10 23:25 ` [kernel-hardening] [PATCH 6/9] proc: protect /proc/<pid>/* ONE files from reader across execve Djalal Harouni
2012-03-10 23:25 ` Djalal Harouni
2012-03-10 23:25 ` [kernel-hardening] [PATCH 7/9] proc: protect /proc/<pid>/{maps,smaps,numa_maps} Djalal Harouni
2012-03-10 23:25 ` Djalal Harouni
2012-03-10 23:25 ` [kernel-hardening] [PATCH 8/9] proc: protect /proc/<pid>/{environ,pagemap} across execve Djalal Harouni
2012-03-10 23:25 ` Djalal Harouni
2012-03-11 8:05 ` [kernel-hardening] " Alexey Dobriyan
2012-03-11 8:05 ` Alexey Dobriyan
2012-03-11 17:01 ` [kernel-hardening] " Djalal Harouni
2012-03-11 17:01 ` Djalal Harouni
2012-03-10 23:25 ` [kernel-hardening] [PATCH 9/9] proc: improve and clean up /proc/<pid>/mem protection Djalal Harouni
2012-03-10 23:25 ` Djalal Harouni
2012-03-11 0:01 ` [kernel-hardening] Re: [PATCH 0/9] proc: protect /proc/<pid>/* files across execve Linus Torvalds
2012-03-11 0:01 ` Linus Torvalds
2012-03-11 0:27 ` [kernel-hardening] " Djalal Harouni
2012-03-11 0:27 ` Djalal Harouni
2012-03-11 8:46 ` [kernel-hardening] " Djalal Harouni
2012-03-11 8:46 ` Djalal Harouni
2012-03-11 10:35 ` [kernel-hardening] exec_id protection from bad child exit signals (was: Re: [PATCH 0/9] proc: protect /proc/<pid>/* files across execve) Solar Designer
2012-03-11 10:35 ` Solar Designer
2012-03-11 18:20 ` [kernel-hardening] " Oleg Nesterov
2012-03-11 18:20 ` Oleg Nesterov
2012-03-12 19:13 ` Eric W. Biederman [this message]
2012-03-12 19:13 ` [PATCH 0/9] proc: protect /proc/<pid>/* files across execve Eric W. Biederman
2012-03-12 20:44 ` [kernel-hardening] " Djalal Harouni
2012-03-12 20:44 ` Djalal Harouni
2012-03-12 21:47 ` [kernel-hardening] " Eric W. Biederman
2012-03-12 21:47 ` Eric W. Biederman
2012-03-12 22:41 ` [kernel-hardening] " Djalal Harouni
2012-03-12 22:41 ` Djalal Harouni
2012-03-12 23:10 ` [kernel-hardening] " Eric W. Biederman
2012-03-12 23:10 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m1pqchocok.fsf@fess.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=Jason@zx2c4.com \
--cc=adobriyan@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=gregkh@linuxfoundation.org \
--cc=james.l.morris@oracle.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=oleg@redhat.com \
--cc=segoon@openwall.com \
--cc=solar@openwall.com \
--cc=tixxdz@opendz.org \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
--cc=wilsons@start.ca \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.