Re: [PATCH v5 2/2] proc: restrict /proc/pid/mem

Linux Documentation
 help / color / mirror / Atom feed

From: "Adrian Ratiu" <adrian.ratiu@collabora.com>
To: "Kees Cook" <kees@kernel.org>
Cc: linux-fsdevel@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org,
	linux-doc@vger.kernel.org, kernel@collabora.com, gbiv@google.com,
	ryanbeltran@google.com, inglorion@google.com,
	ajordanr@google.com, jorgelo@chromium.org,
	"Guenter Roeck" <groeck@chromium.org>,
	"Doug Anderson" <dianders@chromium.org>,
	"Jann Horn" <jannh@google.com>,
	"Andrew Morton" <akpm@linux-foundation.org>,
	"Randy Dunlap" <rdunlap@infradead.org>,
	"Christian Brauner" <brauner@kernel.org>,
	"Jeff Xu" <jeffxu@google.com>,
	"Mike Frysinger" <vapier@chromium.org>
Subject: Re: [PATCH v5 2/2] proc: restrict /proc/pid/mem
Date: Fri, 07 Jun 2024 11:38:12 +0100	[thread overview]
Message-ID: <2724ac-6662e300-3-2336898@243510220> (raw)
In-Reply-To: <202406060917.8DEE8E3@keescook>

On Thursday, June 06, 2024 20:45 EEST, Kees Cook <kees@kernel.org> wrote:

> On Wed, Jun 05, 2024 at 07:49:31PM +0300, Adrian Ratiu wrote:
> > +	proc_mem.restrict_foll_force= [KNL]
> > +			Format: {all | ptracer}
> > +			Restricts the use of the FOLL_FORCE flag for /proc/*/mem access.
> > +			If restricted, the FOLL_FORCE flag will not be added to vm accesses.
> > +			Can be one of:
> > +			- 'all' restricts all access unconditionally.
> > +			- 'ptracer' allows access only for ptracer processes.
> > +			If not specified, FOLL_FORCE is always used.
> 
> It dawns on me that we likely need an "off" setting for these in case it
> was CONFIG-enabled...

Indeed, having CONFIG-enabled and disabling entirely via kernel
params is a valid usecase (eg for debug images with no restriction).

Will do in v6.

> 
> > +static int __init early_proc_mem_restrict_##name(char *buf)			\
> > +{										\
> > +	if (!buf)								\
> > +		return -EINVAL;							\
> > +										\
> > +	if (strcmp(buf, "all") == 0)						\
> > +		static_key_slow_inc(&proc_mem_restrict_##name##_all.key);	\
> > +	else if (strcmp(buf, "ptracer") == 0)					\
> > +		static_key_slow_inc(&proc_mem_restrict_##name##_ptracer.key);	\
> > +	return 0;								\
> > +}										\
> > +early_param("proc_mem.restrict_" #name, early_proc_mem_restrict_##name)
> 
> Why slow_inc here instead of the normal static_key_enable/disable?

No real reason, my mind was just more attuned to the inc/dec
semantics, however in this case we can just use enable/disable,
especially if they're faster.

I'll do this in v6.

> 
> And we should report misparsing too, so perhaps:

Ack

> > +static int __mem_open_access_permitted(struct file *file, struct task_struct *task)
> > +{
> > +	bool is_ptracer;
> > +
> > +	rcu_read_lock();
> > +	is_ptracer = current == ptrace_parent(task);
> > +	rcu_read_unlock();
> > +
> > +	if (file->f_mode & FMODE_WRITE) {
> > +		/* Deny if writes are unconditionally disabled via param */
> > +		if (static_branch_maybe(CONFIG_PROC_MEM_RESTRICT_OPEN_WRITE_DEFAULT,
> > +					&proc_mem_restrict_open_write_all))
> > +			return -EACCES;
> > +
> > +		/* Deny if writes are allowed only for ptracers via param */
> > +		if (static_branch_maybe(CONFIG_PROC_MEM_RESTRICT_OPEN_WRITE_PTRACE_DEFAULT,
> > +					&proc_mem_restrict_open_write_ptracer) &&
> > +		    !is_ptracer)
> > +			return -EACCES;
> > +	}
> > +
> > +	if (file->f_mode & FMODE_READ) {
> > +		/* Deny if reads are unconditionally disabled via param */
> > +		if (static_branch_maybe(CONFIG_PROC_MEM_RESTRICT_OPEN_READ_DEFAULT,
> > +					&proc_mem_restrict_open_read_all))
> > +			return -EACCES;
> > +
> > +		/* Deny if reads are allowed only for ptracers via param */
> > +		if (static_branch_maybe(CONFIG_PROC_MEM_RESTRICT_OPEN_READ_PTRACE_DEFAULT,
> > +					&proc_mem_restrict_open_read_ptracer) &&
> > +		    !is_ptracer)
> > +			return -EACCES;
> > +	}
> > +
> > +	return 0; /* R/W are not restricted */
> > +}
> 
> Given how deeply some of these behaviors may be in userspace, it might
> be more friendly to report the new restrictions with a pr_notice() so
> problems can be more easily tracked down. For example:
> 
> static void report_mem_rw_rejection(const char *action, struct task_struct *task)
> {
> 	pr_warn_ratelimited("Denied %s of /proc/%d/mem (%s) by pid %d (%s)\n",
> 			    action, task_pid_nr(task), task->comm,
> 			    task_pid_nr(current), current->comm);
> }
> 
> ...
> 
> 	if (file->f_mode & FMODE_WRITE) {
> 		/* Deny if writes are unconditionally disabled via param */
> 		if (static_branch_maybe(CONFIG_PROC_MEM_RESTRICT_OPEN_WRITE_DEFAULT,
> 					&proc_mem_restrict_open_write_all)) {
> 			report_mem_rw_reject("all open-for-write");
> 			return -EACCES;
> 		}
> 
> 		/* Deny if writes are allowed only for ptracers via param */
> 		if (static_branch_maybe(CONFIG_PROC_MEM_RESTRICT_OPEN_WRITE_PTRACE_DEFAULT,
> 					&proc_mem_restrict_open_write_ptracer) &&
> 		    !is_ptracer)
> 			report_mem_rw_reject("non-ptracer open-for-write");
> 			return -EACCES;
> 	}
> 
> etc

Yes, will do in v6.

> Can we adjust the Kconfigs to match the bootparam arguments? i.e.
> instead of two for each mode, how about one with 3 settings ("all",
> "ptrace", or "off")

Sure. Thank you for all the code! All your help designing this
and code contributions are very much appreciated!

Do you want to be listed as co-author in v6?

next prev parent reply	other threads:[~2024-06-07 10:38 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-06-05 16:49 [PATCH v5 1/2] proc: pass file instead of inode to proc_mem_open Adrian Ratiu
2024-06-05 16:49 ` [PATCH v5 2/2] proc: restrict /proc/pid/mem Adrian Ratiu
2024-06-06 17:45   ` Kees Cook
2024-06-07 10:38     ` Adrian Ratiu [this message]
2024-06-12 18:13     ` Adrian Ratiu
2024-06-12 18:23       ` Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=2724ac-6662e300-3-2336898@243510220 \
    --to=adrian.ratiu@collabora.com \
    --cc=ajordanr@google.com \
    --cc=akpm@linux-foundation.org \
    --cc=brauner@kernel.org \
    --cc=dianders@chromium.org \
    --cc=gbiv@google.com \
    --cc=groeck@chromium.org \
    --cc=inglorion@google.com \
    --cc=jannh@google.com \
    --cc=jeffxu@google.com \
    --cc=jorgelo@chromium.org \
    --cc=kees@kernel.org \
    --cc=kernel@collabora.com \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-hardening@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=rdunlap@infradead.org \
    --cc=ryanbeltran@google.com \
    --cc=vapier@chromium.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox