Re: [kernel-hardening] [RFC v2] procfs mount options

public inbox for kernel-hardening@lists.openwall.com
 help / color / mirror / Atom feed

From: Vasiliy Kulikov <segoon@openwall.com>
To: kernel-hardening@lists.openwall.com
Subject: Re: [kernel-hardening] [RFC v2] procfs mount options
Date: Tue, 26 Jul 2011 18:50:17 +0400	[thread overview]
Message-ID: <20110726145016.GA8583@albatros> (raw)
In-Reply-To: <20110724185036.GC3510@albatros>

Hi,

This is a demonstration of procfs feature I'm writing now.  It is not
yet fully ready (need more clean code and need to divide the patch into
series), however, it's ready for some demonstration:

# mount -o remount,tgid_allowed=none,tid_allowed=none,attr_allowed=none /proc
root@albatros:~# ls -ld /proc/1
dr-x------ 8 root root 0 2011-07-26 17:57 /proc/1
# mount -o remount,tgid_allowed=stat /proc
# ls -ld /proc/1
dr-xr-xr-x 8 root root 0 2011-07-26 18:03 /proc/1
# ls -ld /proc/1/{stat,status,sched}
-rw------- 1 root root 0 2011-07-26 18:03 /proc/1/sched
-r--r--r-- 1 root root 0 2011-07-26 18:03 /proc/1/stat
-r-------- 1 root root 0 2011-07-26 18:03 /proc/1/status
# mount -o remount,tgid_allowed=all /proc
# ls -ld /proc/1/{stat,status,sched}
-rw-r--r-- 1 root root 0 2011-07-26 18:03 /proc/1/sched
-r--r--r-- 1 root root 0 2011-07-26 18:03 /proc/1/stat
-r--r--r-- 1 root root 0 2011-07-26 18:03 /proc/1/status
# ls -ld /proc/1/task/1/ 
dr-xr-xr-x 6 root root 0 2011-07-26 18:03 /proc/1/task/1/
# ls -ld /proc/1/task/1/{stat,status,sched}
-rw------- 1 root root 0 2011-07-26 18:04 /proc/1/task/1/sched
-r-------- 1 root root 0 2011-07-26 18:04 /proc/1/task/1/stat
-r-------- 1 root root 0 2011-07-26 18:04 /proc/1/task/1/status
# mount -o remount,tid_allowed=sched /proc
# ls -ld /proc/1/task/1/{stat,status,sched}
-rw-r--r-- 1 root root 0 2011-07-26 18:04 /proc/1/task/1/sched
-r-------- 1 root root 0 2011-07-26 18:04 /proc/1/task/1/stat
-r-------- 1 root root 0 2011-07-26 18:04 /proc/1/task/1/status
# mount -o remount,tid_allowed=all /proc
# ls -ld /proc/1/task/1/{stat,status,sched}
-rw-r--r-- 1 root root 0 2011-07-26 18:04 /proc/1/task/1/sched
-r--r--r-- 1 root root 0 2011-07-26 18:04 /proc/1/task/1/stat
-r--r--r-- 1 root root 0 2011-07-26 18:04 /proc/1/task/1/status
# ls -l /proc/1/attr/
итого 0
-rw------- 1 root root 0 2011-07-26 18:04 current
-rw------- 1 root root 0 2011-07-26 18:04 exec
-rw------- 1 root root 0 2011-07-26 18:04 fscreate
-rw------- 1 root root 0 2011-07-26 18:04 keycreate
-r-------- 1 root root 0 2011-07-26 18:04 prev
-rw------- 1 root root 0 2011-07-26 18:04 sockcreate
# mount -o remount,attr_allowed=exec\;sockcreate /proc
# ls -l /proc/1/attr/
итого 0
-rw------- 1 root root 0 2011-07-26 18:05 current
-rw-rw-rw- 1 root root 0 2011-07-26 18:05 exec
-rw------- 1 root root 0 2011-07-26 18:05 fscreate
-rw------- 1 root root 0 2011-07-26 18:05 keycreate
-r-------- 1 root root 0 2011-07-26 18:05 prev
-rw-rw-rw- 1 root root 0 2011-07-26 18:05 sockcreate
# mount -o remount,attr_allowed=all /proc
# ls -l /proc/1/attr/
итого 0
-rw-rw-rw- 1 root root 0 2011-07-26 18:05 current
-rw-rw-rw- 1 root root 0 2011-07-26 18:05 exec
-rw-rw-rw- 1 root root 0 2011-07-26 18:05 fscreate
-rw-rw-rw- 1 root root 0 2011-07-26 18:05 keycreate
-r--r--r-- 1 root root 0 2011-07-26 18:05 prev
-rw-rw-rw- 1 root root 0 2011-07-26 18:05 sockcreate
# mount -o remount,attr_allowed=none /proc
# ls -l /proc/1/attr/
итого 0
-rw------- 1 root root 0 2011-07-26 18:08 current
-rw------- 1 root root 0 2011-07-26 18:08 exec
-rw------- 1 root root 0 2011-07-26 18:08 fscreate
-rw------- 1 root root 0 2011-07-26 18:08 keycreate
-r-------- 1 root root 0 2011-07-26 18:08 prev
-rw------- 1 root root 0 2011-07-26 18:08 sockcreate


As you see, there are different sets for /proc/PID, /proc/PID/task/TID/,
/proc/PID/attr.  I've slightly changed the semantics and removed ".", it
is implicitly enabled iff something inside is enabled.  To deny "."
XXX=none should be passed.

Questions/comments:

1) it seems to me "\;" is hard to pass, maybe ":" is a better separator?

2) almost all tid files are copies of tgid files. coredump_filter,
mountstats, net are missing in task/.  So, maybe fully remove
tid_allowed= and copy the tgid files' permissions to the appropriate tid
files?

3) currently the implementation is somewhat slow as every file is
wrapped into additional file operations handlers.  It cannot be removed
for "fast" cases as all permissions of all files should be dynamically
recalculated for every access.  Probably I could make it faster a bit.
It is the most significant drawback of the patch :-(

Thanks,

-- 
Vasiliy Kulikov

next prev parent reply	other threads:[~2011-07-26 14:50 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20110603191153.GB514@openwall.com>
2011-06-04  5:47 ` [kernel-hardening] Re: procfs mount options Vasiliy Kulikov
2011-06-04 13:20   ` [kernel-hardening] " Solar Designer
2011-06-04 20:09     ` Vasiliy Kulikov
2011-06-04 20:59       ` Solar Designer
2011-06-05 18:24         ` [kernel-hardening] [RFC v1] " Vasiliy Kulikov
2011-06-05 19:26           ` Solar Designer
2011-06-05 19:47             ` Vasiliy Kulikov
2011-06-05 20:10               ` Solar Designer
2011-06-06 18:08                 ` Vasiliy Kulikov
2011-06-06 18:33                   ` Solar Designer
2011-06-08 17:23                     ` [kernel-hardening] [RFC v2] " Vasiliy Kulikov
2011-06-08 17:43                       ` Vasiliy Kulikov
2011-06-12  2:39                       ` Solar Designer
2011-07-24 18:55                         ` Vasiliy Kulikov
     [not found]                         ` <20110724185036.GC3510@albatros>
2011-07-26 14:50                           ` Vasiliy Kulikov [this message]
2011-07-29 17:47                             ` [kernel-hardening] procfs {tid,tgid,attr}_allowed " Vasiliy Kulikov
2011-08-04 11:23                               ` [kernel-hardening] " Vasiliy Kulikov
2011-08-10 10:02                                 ` Vasiliy Kulikov
2011-08-10 11:22                                   ` [kernel-hardening] " Solar Designer
2011-08-10 11:25                                 ` Solar Designer
2011-08-10 12:04                                   ` Vasiliy Kulikov
2011-08-10 13:34                                     ` Solar Designer
2011-08-12 18:14                                       ` Simon Marechal
2011-06-06 19:20                 ` [kernel-hardening] [RFC v1] procfs " Vasiliy Kulikov
2011-06-05 19:17         ` [kernel-hardening] " Vasiliy Kulikov
2011-06-05 19:40           ` Solar Designer
2011-06-05 19:53             ` Vasiliy Kulikov
2011-06-05 18:36 ` [kernel-hardening] Re: [owl-dev] " Vasiliy Kulikov
2011-06-05 18:47   ` [kernel-hardening] " Solar Designer

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20110726145016.GA8583@albatros \
    --to=segoon@openwall.com \
    --cc=kernel-hardening@lists.openwall.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox