From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-ed1-f65.google.com ([209.85.208.65]:42797 "EHLO mail-ed1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725948AbeLGHD5 (ORCPT ); Fri, 7 Dec 2018 02:03:57 -0500 MIME-Version: 1.0 References: <18d54cd3edbf4fd3a7c01962f41ead58@cnbox5.mioffice.cn> In-Reply-To: From: =?UTF-8?B?56iL5rSL?= Date: Fri, 7 Dec 2018 15:03:37 +0800 Message-ID: Subject: Re: > [PATCH] Security: Handle hidepid option correctly To: Andrew Morton , nnk@google.com Cc: Alexey Dobriyan , David Howells , "Peter Zijlstra (Intel)" , Al Viro , Johannes Weiner , Davidlohr Bueso , linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: linux-fsdevel-owner@vger.kernel.org List-ID: @Nick. Would mind giving this patch an "Acked-by"? This issue causes any Android who uses latest kernel cannot mount proc with "hidepid=3D2" option. Which causes problems =E7=A8=8B=E6=B4=8B =E4=BA=8E2018=E5=B9=B412=E6=9C=885= =E6=97=A5=E5=91=A8=E4=B8=89 =E4=B8=8B=E5=8D=883:26=E5=86=99=E9=81=93=EF=BC= =9A > > Anyone who can review my patch? > > =E7=A8=8B=E6=B4=8B =E4=BA=8E2018=E5=B9=B411=E6=9C= =8830=E6=97=A5=E5=91=A8=E4=BA=94 =E4=B8=8A=E5=8D=8810:34=E5=86=99=E9=81=93= =EF=BC=9A > > > > Here is an article illustrates the details. > > https://medium.com/@topjohnwu/from-anime-game-to-android-system-securit= y-vulnerability-9b955a182f20 > > > > And There is a similar fix on kernel-4.4: > > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/comm= it/?id=3D99663be772c827b8f5f594fe87eb4807be1994e5 > > > > Q: Other filesystems parse the options from fill_super(). Is proc spec= ial in some fashion? > > A: According to my research, start_kernel will call proc_mount first, a= nd initialize sb->s_root before any userspace process runs. If others want = to mount it, all options will be ignored. > > AOSP change here: https://android-review.googlesource.com/c/platfo= rm/system/core/+/181345/4/init/init.cpp > > At first I though we should mount it with MS_REMOUNT flag. But ker= nel will crash if we did this. > > > > Q: Why is this considered to be security sensitive? I can guess, but = I'd like to know your reasoning. > > A: See the article above. It's part of Android sanbox. > > > > > > > [PATCH] Security: Handle hidepid option correctly > > > > Why is this considered to be security sensitive? I can guess, but I'd = like to know your reasoning. > > > > On Thu, 29 Nov 2018 19:08:21 +0800 mailto:d17103513@gmail.com wrote: > > > > > From: Cheng Yang > > > > > > The proc_parse_options() call from proc_mount() runs only once at boo= t > > > time. So on any later mount attempt, any mount options are ignored > > > because ->s_root is already initialized. > > > As a consequence, "mount -o " will ignore the options. The > > > only way to change mount options is "mount -o remount,". > > > To fix this, parse the mount options unconditionally. > > > > > > --- a/fs/proc/inode.c > > > +++ b/fs/proc/inode.c > > > @@ -493,13 +493,9 @@ struct inode *proc_get_inode(struct super_block > > > *sb, struct proc_dir_entry *de) > > > > > > int proc_fill_super(struct super_block *s, void *data, int silent) = { > > > -struct pid_namespace *ns =3D get_pid_ns(s->s_fs_info); > > > struct inode *root_inode; > > > int ret; > > > > > > -if (!proc_parse_options(data, ns)) > > > -return -EINVAL; > > > - > > > /* User space would break if executables or devices appear on proc *= / > > > s->s_iflags |=3D SB_I_USERNS_VISIBLE | SB_I_NOEXEC | SB_I_NODEV; > > > s->s_flags |=3D SB_NODIRATIME | SB_NOSUID | SB_NOEXEC; diff --git > > > a/fs/proc/root.c b/fs/proc/root.c index f4b1a9d..f5f3bf3 100644 > > > --- a/fs/proc/root.c > > > +++ b/fs/proc/root.c > > > @@ -98,6 +98,9 @@ static struct dentry *proc_mount(struct file_system= _type *fs_type, > > > ns =3D task_active_pid_ns(current); > > > } > > > > > > +if (!proc_parse_options(data, ns)) > > > +return ERR_PTR(-EINVAL); > > > + > > > return mount_ns(fs_type, flags, data, ns, ns->user_ns, > > > proc_fill_super); } > > > > Other filesystems parse the options from fill_super(). Is proc special= in some fashion? > > > > #/******=E6=9C=AC=E9=82=AE=E4=BB=B6=E5=8F=8A=E5=85=B6=E9=99=84=E4=BB=B6= =E5=90=AB=E6=9C=89=E5=B0=8F=E7=B1=B3=E5=85=AC=E5=8F=B8=E7=9A=84=E4=BF=9D=E5= =AF=86=E4=BF=A1=E6=81=AF=EF=BC=8C=E4=BB=85=E9=99=90=E4=BA=8E=E5=8F=91=E9=80= =81=E7=BB=99=E4=B8=8A=E9=9D=A2=E5=9C=B0=E5=9D=80=E4=B8=AD=E5=88=97=E5=87=BA= =E7=9A=84=E4=B8=AA=E4=BA=BA=E6=88=96=E7=BE=A4=E7=BB=84=E3=80=82=E7=A6=81=E6= =AD=A2=E4=BB=BB=E4=BD=95=E5=85=B6=E4=BB=96=E4=BA=BA=E4=BB=A5=E4=BB=BB=E4=BD= =95=E5=BD=A2=E5=BC=8F=E4=BD=BF=E7=94=A8=EF=BC=88=E5=8C=85=E6=8B=AC=E4=BD=86= =E4=B8=8D=E9=99=90=E4=BA=8E=E5=85=A8=E9=83=A8=E6=88=96=E9=83=A8=E5=88=86=E5= =9C=B0=E6=B3=84=E9=9C=B2=E3=80=81=E5=A4=8D=E5=88=B6=E3=80=81=E6=88=96=E6=95= =A3=E5=8F=91=EF=BC=89=E6=9C=AC=E9=82=AE=E4=BB=B6=E4=B8=AD=E7=9A=84=E4=BF=A1= =E6=81=AF=E3=80=82=E5=A6=82=E6=9E=9C=E6=82=A8=E9=94=99=E6=94=B6=E4=BA=86=E6= =9C=AC=E9=82=AE=E4=BB=B6=EF=BC=8C=E8=AF=B7=E6=82=A8=E7=AB=8B=E5=8D=B3=E7=94= =B5=E8=AF=9D=E6=88=96=E9=82=AE=E4=BB=B6=E9=80=9A=E7=9F=A5=E5=8F=91=E4=BB=B6= =E4=BA=BA=E5=B9=B6=E5=88=A0=E9=99=A4=E6=9C=AC=E9=82=AE=E4=BB=B6=EF=BC=81 Th= is e-mail and its attachments contain confidential information from XIAOMI,= which is intended only for the person or entity whose address is listed ab= ove. Any use of the information contained herein in any way (including, but= not limited to, total or partial disclosure, reproduction, or disseminatio= n) by persons other than the intended recipient(s) is prohibited. If you re= ceive this e-mail in error, please notify the sender by phone or email imme= diately and delete it!******/#