From: Al Viro <viro@ZenIV.linux.org.uk>
To: Stephen Wilson <wilsons@start.ca>
Cc: linux-mm@kvack.org, Andrew Morton <akpm@linux-foundation.org>,
Rik van Riel <riel@redhat.com>,
KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>,
Roland McGrath <roland@redhat.com>,
Matt Mackall <mpm@selenic.com>,
David Rientjes <rientjes@google.com>,
Nick Piggin <npiggin@kernel.dk>,
Andrea Arcangeli <aarcange@redhat.com>,
Mel Gorman <mel@csn.ul.ie>, Ingo Molnar <mingo@elte.hu>,
Michel Lespinasse <walken@google.com>,
Hugh Dickins <hughd@google.com>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 0/6] enable writing to /proc/pid/mem
Date: Wed, 9 Mar 2011 01:30:17 +0000 [thread overview]
Message-ID: <20110309013017.GY22723@ZenIV.linux.org.uk> (raw)
In-Reply-To: <1299631343-4499-1-git-send-email-wilsons@start.ca>
On Tue, Mar 08, 2011 at 07:42:17PM -0500, Stephen Wilson wrote:
> For a long time /proc/pid/mem has provided a read-only interface, at least
> since 2.4.0. However, a write capability has existed "forever" in tree via the
> function mem_write(), disabled with an #ifdef along with the comment "this is a
> security hazard". Currently, the main problem with mem_write() is that between
> the time permissions are checked and the actual write the target task could
> exec a setuid-root binary.
>
> This patch series enables safe writes to /proc/pid/mem. The principle strategy
> is to get a reference to the target task's mm before the permission check, and
> to hold that reference until after the write completes.
One note: I'd rather prefer approach similar to mm_for_maps(). IOW, instead
of "check, then get mm, then check _again_ to decide if we are allowed to
use it", just turn check_mm_permissions() into a function that returns
you a safe mm or gives you NULL (or, better yet, ERR_PTR(...)). With all
checks done within that sucker.
Then mem_read() and mem_write() wouldn't need to recheck anything again
and the same helper would be usable for other things as well. I mean
something like this: (*WARNING* - completely untested)
err = mutex_lock_killable(&tsk->signal->cred_guard_mutex);
if (err)
return ERR_PTR(err);
mm = get_tsk_mm(tsk);
if (!mm) {
mm = ERR_PTR(-EPERM); /* maybe EINVAL here? */
} else if (mm != current->mm) {
int match;
/*
* If current is actively ptrace'ing, and would also be
* permitted to freshly attach with ptrace now, permit it.
*/
if (!tsk_is_stopped_or_traced(tsk))
goto Eperm;
rcu_read_lock();
match = (tracehook_tracer_tsk(tsk) == current);
rcu_read_unlock();
if (!match)
goto Eperm;
if (!ptrace_may_access(tsk, PTRACE_MODE_ATTACH))
goto Eperm;
}
mutex_unlock(&tsk->signal->cred_guard_mutex);
return mm;
Eperm:
mutex_unlock(&tsk->signal->cred_guard_mutex);
mmput(mm);
return ERR_PTR(-EPERM);
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Fight unfair telecom internet charges in Canada: sign http://stopthemeter.ca/
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2011-03-09 1:30 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-03-09 0:42 [PATCH 0/6] enable writing to /proc/pid/mem Stephen Wilson
2011-03-09 0:42 ` [PATCH 1/6] mm: use mm_struct to resolve gate vma's in __get_user_pages Stephen Wilson
2011-03-09 5:19 ` KOSAKI Motohiro
2011-03-09 6:06 ` Al Viro
2011-03-09 12:38 ` Stephen Wilson
2011-03-09 0:42 ` [PATCH 2/6] mm: factor out main logic of access_process_vm Stephen Wilson
2011-03-09 0:42 ` [PATCH 3/6] mm: implement access_remote_vm Stephen Wilson
2011-03-09 0:42 ` [PATCH 4/6] proc: disable mem_write after exec Stephen Wilson
2011-03-09 5:22 ` KOSAKI Motohiro
2011-03-09 0:42 ` [PATCH 5/6] proc: make check_mem_permission() return an mm_struct on success Stephen Wilson
2011-03-09 6:20 ` KOSAKI Motohiro
2011-03-09 0:42 ` [PATCH 6/6] proc: enable writing to /proc/pid/mem Stephen Wilson
2011-03-09 1:30 ` Al Viro [this message]
2011-03-09 2:15 ` [PATCH 0/6] " Stephen Wilson
2011-03-09 2:33 ` Al Viro
2011-03-09 2:47 ` Stephen Wilson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110309013017.GY22723@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=aarcange@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=hughd@google.com \
--cc=kosaki.motohiro@jp.fujitsu.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mel@csn.ul.ie \
--cc=mingo@elte.hu \
--cc=mpm@selenic.com \
--cc=npiggin@kernel.dk \
--cc=riel@redhat.com \
--cc=rientjes@google.com \
--cc=roland@redhat.com \
--cc=walken@google.com \
--cc=wilsons@start.ca \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).