* [PATCH 0/2] um: Protect memory mapped file
@ 2015-11-28 21:32 Mickaël Salaün
2015-11-28 21:32 ` [PATCH 1/2] um: Set secure access mode for temporary file Mickaël Salaün
2015-11-28 21:32 ` [PATCH 2/2] um: Use race-free temporary file creation Mickaël Salaün
0 siblings, 2 replies; 12+ messages in thread
From: Mickaël Salaün @ 2015-11-28 21:32 UTC (permalink / raw)
To: linux-kernel
Cc: Mickaël Salaün, Jeff Dike, Richard Weinberger,
Tristan Schmelcher, Greg Kroah-Hartman, user-mode-linux-devel,
user-mode-linux-user
These patches protect the memory mapped file.
Mickaël Salaün (2):
um: Set secure access mode for temporary file
um: Use race-free temporary file creation
arch/um/os-Linux/mem.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
--
2.6.2
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
* [PATCH 1/2] um: Set secure access mode for temporary file
2015-11-28 21:32 [PATCH 0/2] um: Protect memory mapped file Mickaël Salaün
@ 2015-11-28 21:32 ` Mickaël Salaün
2015-11-28 21:40 ` [uml-devel] " Richard Weinberger
2015-11-28 21:32 ` [PATCH 2/2] um: Use race-free temporary file creation Mickaël Salaün
1 sibling, 1 reply; 12+ messages in thread
From: Mickaël Salaün @ 2015-11-28 21:32 UTC (permalink / raw)
To: linux-kernel
Cc: Mickaël Salaün, Jeff Dike, Richard Weinberger,
Tristan Schmelcher, Greg Kroah-Hartman, user-mode-linux-devel,
user-mode-linux-user
Replace the default insecure mode 0777 with 0700 for the temporary file.
Prohibit other users from changing the executable mapped code.
Signed-off-by: Mickaël Salaün <mic@digikod.net>
---
arch/um/os-Linux/mem.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/um/os-Linux/mem.c b/arch/um/os-Linux/mem.c
index 897e9ad..798aeb4 100644
--- a/arch/um/os-Linux/mem.c
+++ b/arch/um/os-Linux/mem.c
@@ -142,7 +142,7 @@ static int __init create_tmp_file(unsigned long long len)
if (fd < 0)
exit(1);
- err = fchmod(fd, 0777);
+ err = fchmod(fd, 0700);
if (err < 0) {
perror("fchmod");
exit(1);
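Review bot: fchmod() here still runs after mkstemp() has already created and opened the file, so the hunk narrows rather than closes the window it is motivated by: a process that opened the file between mkstemp() and this call keeps whatever access it obtained, and the new mode only restricts opens that happen after this point and before the unlink. The changelog should say that explicitly. It should also justify 0700 over 0600, since mmap() with PROT_EXEC does not require the execute bit on the backing file; if the bit is not needed, drop it.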
--
2.6.2
* [PATCH 2/2] um: Use race-free temporary file creation
2015-11-28 21:32 [PATCH 0/2] um: Protect memory mapped file Mickaël Salaün
2015-11-28 21:32 ` [PATCH 1/2] um: Set secure access mode for temporary file Mickaël Salaün
@ 2015-11-28 21:32 ` Mickaël Salaün
2015-11-28 22:07 ` [uml-devel] " Richard Weinberger
1 sibling, 1 reply; 12+ messages in thread
From: Mickaël Salaün @ 2015-11-28 21:32 UTC (permalink / raw)
To: linux-kernel
Cc: Mickaël Salaün, Jeff Dike, Richard Weinberger,
Tristan Schmelcher, Greg Kroah-Hartman, user-mode-linux-devel,
user-mode-linux-user
Open the memory mapped file with the O_TMPFILE flag when available.
Signed-off-by: Mickaël Salaün <mic@digikod.net>
---
arch/um/os-Linux/mem.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/arch/um/os-Linux/mem.c b/arch/um/os-Linux/mem.c
index 798aeb4..fe52e2d 100644
--- a/arch/um/os-Linux/mem.c
+++ b/arch/um/os-Linux/mem.c
@@ -106,6 +106,18 @@ static int __init make_tempfile(const char *template)
}
}
+#ifdef O_TMPFILE
+ fd = open(tempdir, O_CLOEXEC | O_RDWR | O_EXCL | O_TMPFILE, 0700);
+ /*
+ * If the running system does not support O_TMPFILE flag then retry
+ * without it.
+ */
+ if (fd != -1 || (errno != EINVAL && errno != EISDIR &&
+ errno != EOPNOTSUPP))
+ return fd;
+ errno = 0;
+#endif
+
tempname = malloc(strlen(tempdir) + strlen(template) + 1);
if (tempname == NULL)
return -1;
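Review bot: the `errno = 0;` before falling through to the mkstemp() path is unnecessary and slightly misleading: nothing below reads errno before the next failing call sets it, and clearing it discards the reason the O_TMPFILE open failed, which is the one thing a user on an unsupported filesystem would want printed. Drop it. The flag set also deserves a comment: O_EXCL combined with O_TMPFILE is what prevents the unnamed file from being given a name again with linkat(), which is the property that makes this safer than create-then-unlink, and the literal 0700 is still subject to umask like any open() mode.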
--
2.6.2
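The open-with-fallback approach the patch describes, written out end to end as an added example; this is not code from the UML tree or from the patch author. The directory name, the `vm_file-XXXXXX` template and the helper names are assumptions made for the example. It tries O_TMPFILE first, falls back to mkstemp() + fchmod() + unlink() only for the errno values that mean "O_TMPFILE not supported here", and then checks the two properties the series is after: the file has no name (link count 0) and no group/other permission bits.

```c
/*
 * Added example (not code from arch/um/os-Linux/mem.c): create an unnamed,
 * owner-only temporary file with O_TMPFILE, falling back to the classic
 * mkstemp() + fchmod() + unlink() sequence when the kernel or filesystem
 * does not support O_TMPFILE, then verify what we got.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Directory used by this example; UML uses its own tempdir (assumption). */
#define EXAMPLE_TMPDIR "/tmp"

/* Returns an fd for an unnamed file, or -1 with errno set. */
static int make_anon_tmpfile(const char *dir)
{
	int fd;

#ifdef O_TMPFILE
	/*
	 * O_EXCL together with O_TMPFILE means the file can never be linked
	 * back into the filesystem with linkat(), so nobody can open it by path.
	 */
	fd = open(dir, O_CLOEXEC | O_RDWR | O_EXCL | O_TMPFILE, 0700);
	if (fd >= 0)
		return fd;
	/*
	 * Only fall through for the "O_TMPFILE not understood" cases listed in
	 * open(2) BUGS: EISDIR/EINVAL from kernels predating the flag and
	 * EOPNOTSUPP from filesystems without tmpfile support. Anything else
	 * is a real failure and is reported to the caller.
	 */
	if (errno != EINVAL && errno != EISDIR && errno != EOPNOTSUPP)
		return -1;
#endif
	{
		size_t len = strlen(dir) + sizeof("/vm_file-XXXXXX");
		char *tmpl = malloc(len);

		if (!tmpl)
			return -1;
		snprintf(tmpl, len, "%s/vm_file-XXXXXX", dir);
		fd = mkstemp(tmpl); /* glibc creates the file with mode 0600 */
		if (fd >= 0) {
			/* Same order as the UML code: restrict the mode, then unlink. */
			if (fchmod(fd, 0700) < 0 || unlink(tmpl) < 0) {
				int saved = errno;

				close(fd);
				fd = -1;
				errno = saved;
			}
		}
		free(tmpl);
	}
	return fd;
}

/* Returns 1 if the fd refers to an unnamed file with no group/other bits. */
static int tmpfile_is_private(int fd)
{
	struct stat st;

	if (fstat(fd, &st) < 0)
		return 0;
	return st.st_nlink == 0 && (st.st_mode & 0077) == 0;
}

/* Returns 1 if the file can be sized and mapped RWX as UML does for RAM. */
static int tmpfile_maps_rwx(int fd, size_t len)
{
	void *p;

	if (ftruncate(fd, (off_t)len) < 0)
		return 0;
	p = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_SHARED, fd, 0);
	if (p == MAP_FAILED)
		return 0; /* e.g. a noexec mount refuses PROT_EXEC mappings */
	memset(p, 0xc3, 16); /* write through the mapping (sample bytes) */
	munmap(p, len);
	return 1;
}

/* Self-check used below: 1 if a private unnamed tmpfile could be created. */
static int example_self_check(void)
{
	int fd = make_anon_tmpfile(EXAMPLE_TMPDIR);
	int ok;

	if (fd < 0)
		return 0;
	ok = tmpfile_is_private(fd);
	close(fd);
	return ok;
}

int main(void)
{
	int fd = make_anon_tmpfile(EXAMPLE_TMPDIR);

	if (fd < 0) {
		perror("make_anon_tmpfile");
		return 1;
	}
	printf("private=%d rwx=%d\n", tmpfile_is_private(fd),
	       tmpfile_maps_rwx(fd, 4096));
	close(fd);
	return 0;
}
```

On a kernel and filesystem with O_TMPFILE the fallback is never taken; on older kernels the directory open fails with EISDIR or EINVAL and the mkstemp() path runs instead, so `fstat()` reports `st_nlink == 0` either way once the unlink has happened. The RWX mapping check is informational only: a `/tmp` mounted noexec refuses PROT_EXEC mappings regardless of the file mode, which is one reason the file mode alone is not what protects the mapped code.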
* Re: [uml-devel] [PATCH 1/2] um: Set secure access mode for temporary file
2015-11-28 21:32 ` [PATCH 1/2] um: Set secure access mode for temporary file Mickaël Salaün
@ 2015-11-28 21:40 ` Richard Weinberger
2015-11-28 22:52 ` Mickaël Salaün
0 siblings, 1 reply; 12+ messages in thread
From: Richard Weinberger @ 2015-11-28 21:40 UTC (permalink / raw)
To: Mickaël Salaün, linux-kernel
Cc: user-mode-linux-user, Greg Kroah-Hartman, Jeff Dike,
user-mode-linux-devel
On 28.11.2015 at 22:32, Mickaël Salaün wrote:
> Replace the default insecure mode 0777 with 0700 for the temporary file.
>
> Prohibit other users from changing the executable mapped code.
Hmm, isn't the tmp file already unlinked at this stage?
Thanks,
//richard
------------------------------------------------------------------------------
_______________________________________________
User-mode-linux-devel mailing list
User-mode-linux-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/user-mode-linux-devel
* Re: [uml-devel] [PATCH 2/2] um: Use race-free temporary file creation
2015-11-28 21:32 ` [PATCH 2/2] um: Use race-free temporary file creation Mickaël Salaün
@ 2015-11-28 22:07 ` Richard Weinberger
2015-11-28 22:56 ` Mickaël Salaün
0 siblings, 1 reply; 12+ messages in thread
From: Richard Weinberger @ 2015-11-28 22:07 UTC (permalink / raw)
To: Mickaël Salaün, linux-kernel
Cc: user-mode-linux-user, Greg Kroah-Hartman, Jeff Dike,
user-mode-linux-devel
On 28.11.2015 at 22:32, Mickaël Salaün wrote:
> Open the memory mapped file with the O_TMPFILE flag when available.
>
> Signed-off-by: Mickaël Salaün <mic@digikod.net>
> ---
> arch/um/os-Linux/mem.c | 12 ++++++++++++
> 1 file changed, 12 insertions(+)
>
> diff --git a/arch/um/os-Linux/mem.c b/arch/um/os-Linux/mem.c
> index 798aeb4..fe52e2d 100644
> --- a/arch/um/os-Linux/mem.c
> +++ b/arch/um/os-Linux/mem.c
> @@ -106,6 +106,18 @@ static int __init make_tempfile(const char *template)
> }
> }
>
> +#ifdef O_TMPFILE
> + fd = open(tempdir, O_CLOEXEC | O_RDWR | O_EXCL | O_TMPFILE, 0700);
> + /*
> + * If the running system does not support O_TMPFILE flag then retry
> + * without it.
> + */
> + if (fd != -1 || (errno != EINVAL && errno != EISDIR &&
Why are you handling EISDIR?
> + errno != EOPNOTSUPP))
> + return fd;
> + errno = 0;
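Review bot: the fallthrough condition `errno != EINVAL && errno != EISDIR && errno != EOPNOTSUPP` needs a comment naming the open(2) BUGS section it is taken from and saying which case each value covers (EISDIR and EINVAL from kernels that predate O_TMPFILE and only see the O_DIRECTORY part of the flag, EOPNOTSUPP from a kernel that knows the flag on a filesystem that does not implement it); without that, EISDIR reads like a stray check, which is exactly the question it raises below.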
Why are you resetting errno?
Thanks,
//richard
* Re: [PATCH 1/2] um: Set secure access mode for temporary file
2015-11-28 21:40 ` [uml-devel] " Richard Weinberger
@ 2015-11-28 22:52 ` Mickaël Salaün
2015-11-28 22:55 ` Richard Weinberger
0 siblings, 1 reply; 12+ messages in thread
From: Mickaël Salaün @ 2015-11-28 22:52 UTC (permalink / raw)
To: Richard Weinberger, linux-kernel
Cc: Jeff Dike, Tristan Schmelcher, Greg Kroah-Hartman,
user-mode-linux-devel, user-mode-linux-user
On 28/11/2015 22:40, Richard Weinberger wrote:
> On 28.11.2015 at 22:32, Mickaël Salaün wrote:
>> Replace the default insecure mode 0777 with 0700 for the temporary file.
>>
>> Prohibit other users from changing the executable mapped code.
>
> Hmm, isn't the tmp file already unlinked at this stage?
>
Yes, but if someone could open it before the unlink, e.g. because of the umask (which does not seem to be the case thanks to mkstemp, but remains unspecified [1]), this user would then be able to have write access to the file descriptor/description.
Mickaël
1. http://man7.org/linux/man-pages/man3/mkstemp.3.html#NOTES
* Re: [PATCH 1/2] um: Set secure access mode for temporary file
2015-11-28 22:52 ` Mickaël Salaün
@ 2015-11-28 22:55 ` Richard Weinberger
2015-11-28 23:00 ` Mickaël Salaün
0 siblings, 1 reply; 12+ messages in thread
From: Richard Weinberger @ 2015-11-28 22:55 UTC (permalink / raw)
To: Mickaël Salaün, linux-kernel
Cc: Jeff Dike, Tristan Schmelcher, Greg Kroah-Hartman,
user-mode-linux-devel, user-mode-linux-user
On 28.11.2015 at 23:52, Mickaël Salaün wrote:
>
> On 28/11/2015 22:40, Richard Weinberger wrote:
>> On 28.11.2015 at 22:32, Mickaël Salaün wrote:
>>> Replace the default insecure mode 0777 with 0700 for the temporary file.
>>>
>>> Prohibit other users from changing the executable mapped code.
>>
>> Hmm, isn't the tmp file already unlinked at this stage?
>>
>
> Yes, but if someone could open it before the unlink, e.g. because of the umask (which does not seem to be the case thanks to mkstemp, but remains unspecified [1]), this user would then be able to have write access to the file descriptor/description.
Yes, someone can open it before the unlink. But you change the file mode after that.
How does it improve the situation? The attacker already has the file handle.
Thanks,
//richard
* Re: [PATCH 2/2] um: Use race-free temporary file creation
2015-11-28 22:07 ` [uml-devel] " Richard Weinberger
@ 2015-11-28 22:56 ` Mickaël Salaün
2015-11-28 22:59 ` Richard Weinberger
0 siblings, 1 reply; 12+ messages in thread
From: Mickaël Salaün @ 2015-11-28 22:56 UTC (permalink / raw)
To: Richard Weinberger, linux-kernel
Cc: Jeff Dike, Tristan Schmelcher, Greg Kroah-Hartman,
user-mode-linux-devel, user-mode-linux-user, Al Viro
On 28/11/2015 23:07, Richard Weinberger wrote:
> On 28.11.2015 at 22:32, Mickaël Salaün wrote:
>> Open the memory mapped file with the O_TMPFILE flag when available.
>>
>> Signed-off-by: Mickaël Salaün <mic@digikod.net>
>> ---
>> arch/um/os-Linux/mem.c | 12 ++++++++++++
>> 1 file changed, 12 insertions(+)
>>
>> diff --git a/arch/um/os-Linux/mem.c b/arch/um/os-Linux/mem.c
>> index 798aeb4..fe52e2d 100644
>> --- a/arch/um/os-Linux/mem.c
>> +++ b/arch/um/os-Linux/mem.c
>> @@ -106,6 +106,18 @@ static int __init make_tempfile(const char *template)
>> }
>> }
>>
>> +#ifdef O_TMPFILE
>> + fd = open(tempdir, O_CLOEXEC | O_RDWR | O_EXCL | O_TMPFILE, 0700);
>> + /*
>> + * If the running system does not support O_TMPFILE flag then retry
>> + * without it.
>> + */
>> + if (fd != -1 || (errno != EINVAL && errno != EISDIR &&
>
> Why are you handling EISDIR?
I followed the man page for open [1]; I think it was a workaround needed for some kernel versions just after O_TMPFILE was added but before support for EOPNOTSUPP.
We may need to add EACCES too for some versions of glibc [2, 3]?
1. http://man7.org/linux/man-pages/man2/openat.2.html#BUGS
2. Commit 69a91c237ab0ebe4e9fdeaf6d0090c85275594ec and https://sourceware.org/bugzilla/show_bug.cgi?id=17523
3. https://bugs.gentoo.org/529044
>
>> + errno != EOPNOTSUPP))
>> + return fd;
>> + errno = 0;
>
> Why are you resetting errno?
It's to ignore/reset the error code from open, but it may not be needed because of the next call to malloc?
Mickaël
* Re: [PATCH 2/2] um: Use race-free temporary file creation
2015-11-28 22:56 ` Mickaël Salaün
@ 2015-11-28 22:59 ` Richard Weinberger
2015-11-28 23:02 ` Mickaël Salaün
0 siblings, 1 reply; 12+ messages in thread
From: Richard Weinberger @ 2015-11-28 22:59 UTC (permalink / raw)
To: Mickaël Salaün, linux-kernel
Cc: Jeff Dike, Tristan Schmelcher, Greg Kroah-Hartman,
user-mode-linux-devel, user-mode-linux-user, Al Viro
On 28.11.2015 at 23:56, Mickaël Salaün wrote:
>
> On 28/11/2015 23:07, Richard Weinberger wrote:
>> On 28.11.2015 at 22:32, Mickaël Salaün wrote:
>>> Open the memory mapped file with the O_TMPFILE flag when available.
>>>
>>> Signed-off-by: Mickaël Salaün <mic@digikod.net>
>>> ---
>>> arch/um/os-Linux/mem.c | 12 ++++++++++++
>>> 1 file changed, 12 insertions(+)
>>>
>>> diff --git a/arch/um/os-Linux/mem.c b/arch/um/os-Linux/mem.c
>>> index 798aeb4..fe52e2d 100644
>>> --- a/arch/um/os-Linux/mem.c
>>> +++ b/arch/um/os-Linux/mem.c
>>> @@ -106,6 +106,18 @@ static int __init make_tempfile(const char *template)
>>> }
>>> }
>>>
>>> +#ifdef O_TMPFILE
>>> + fd = open(tempdir, O_CLOEXEC | O_RDWR | O_EXCL | O_TMPFILE, 0700);
>>> + /*
>>> + * If the running system does not support O_TMPFILE flag then retry
>>> + * without it.
>>> + */
>>> + if (fd != -1 || (errno != EINVAL && errno != EISDIR &&
>>
>> Why are you handling EISDIR?
>
> I followed the man page for open [1]; I think it was a workaround needed for some kernel versions just after O_TMPFILE was added but before support for EOPNOTSUPP.
> We may need to add EACCES too for some versions of glibc [2, 3]?
Makes sense! :)
> 1. http://man7.org/linux/man-pages/man2/openat.2.html#BUGS
> 2. Commit 69a91c237ab0ebe4e9fdeaf6d0090c85275594ec and https://sourceware.org/bugzilla/show_bug.cgi?id=17523
> 3. https://bugs.gentoo.org/529044
>
>>
>>> + errno != EOPNOTSUPP))
>>> + return fd;
>>> + errno = 0;
>>
>> Why are you resetting errno?
>
> It's to ignore/reset the error code from open, but it may not be needed because of the next call to malloc?
But then you'd have to reset errno after every syscall. :-)
Thanks,
//richard
* Re: [PATCH 1/2] um: Set secure access mode for temporary file
2015-11-28 22:55 ` Richard Weinberger
@ 2015-11-28 23:00 ` Mickaël Salaün
2015-11-28 23:11 ` Richard Weinberger
0 siblings, 1 reply; 12+ messages in thread
From: Mickaël Salaün @ 2015-11-28 23:00 UTC (permalink / raw)
To: Richard Weinberger, linux-kernel
Cc: Jeff Dike, Tristan Schmelcher, Greg Kroah-Hartman,
user-mode-linux-devel, user-mode-linux-user
On 28/11/2015 23:55, Richard Weinberger wrote:
> On 28.11.2015 at 23:52, Mickaël Salaün wrote:
>>
>> On 28/11/2015 22:40, Richard Weinberger wrote:
>>> On 28.11.2015 at 22:32, Mickaël Salaün wrote:
>>>> Replace the default insecure mode 0777 with 0700 for the temporary file.
>>>>
>>>> Prohibit other users from changing the executable mapped code.
>>>
>>> Hmm, isn't the tmp file already unlinked at this stage?
>>>
>>
>> Yes, but if someone could open it before the unlink, e.g. because of the umask (which does not seem to be the case thanks to mkstemp, but remains unspecified [1]), this user would then be able to have write access to the file descriptor/description.
>
> Yes, someone can open it before the unlink. But you change the file mode after that.
> How does it improve the situation? The attacker already has the file handle.
The attacker could have the file handle only in a read-only mode, which is a bit different than being able to write and execute arbitrary code thanks to a file descriptor mapped RWX :)
Mickaël
* Re: [PATCH 2/2] um: Use race-free temporary file creation
2015-11-28 22:59 ` Richard Weinberger
@ 2015-11-28 23:02 ` Mickaël Salaün
0 siblings, 0 replies; 12+ messages in thread
From: Mickaël Salaün @ 2015-11-28 23:02 UTC (permalink / raw)
To: Richard Weinberger, linux-kernel
Cc: Jeff Dike, Tristan Schmelcher, Greg Kroah-Hartman,
user-mode-linux-devel, user-mode-linux-user, Al Viro
>>>> + errno != EOPNOTSUPP))
>>>> + return fd;
>>>> + errno = 0;
>>>
>>> Why are you resetting errno?
>>
>> It's to ignore/reset the error code from open, but it may not be needed because of the next call to malloc?
>
> But then you'd have to reset errno after every syscall. :-)
OK, I will remove it then :)
Mickaël
* Re: [PATCH 1/2] um: Set secure access mode for temporary file
2015-11-28 23:00 ` Mickaël Salaün
@ 2015-11-28 23:11 ` Richard Weinberger
0 siblings, 0 replies; 12+ messages in thread
From: Richard Weinberger @ 2015-11-28 23:11 UTC (permalink / raw)
To: Mickaël Salaün, linux-kernel
Cc: Jeff Dike, Tristan Schmelcher, Greg Kroah-Hartman,
user-mode-linux-devel, user-mode-linux-user
On 29.11.2015 at 00:00, Mickaël Salaün wrote:
>
>
> On 28/11/2015 23:55, Richard Weinberger wrote:
>> On 28.11.2015 at 23:52, Mickaël Salaün wrote:
>>>
>>> On 28/11/2015 22:40, Richard Weinberger wrote:
>>>> On 28.11.2015 at 22:32, Mickaël Salaün wrote:
>>>>> Replace the default insecure mode 0777 with 0700 for the temporary file.
>>>>>
>>>>> Prohibit other users from changing the executable mapped code.
>>>>
>>>> Hmm, isn't the tmp file already unlinked at this stage?
>>>>
>>>
>>> Yes, but if someone could open it before the unlink, e.g. because of the umask (which does not seem to be the case thanks to mkstemp, but remains unspecified [1]), this user would then be able to have write access to the file descriptor/description.
>>
>> Yes, someone can open it before the unlink. But you change the file mode after that.
>> How does it improve the situation? The attacker already has the file handle.
>
> The attacker could have the file handle only in a read-only mode, which is a bit different than being able to write and execute arbitrary code thanks to a file descriptor mapped RWX :)
Fair point. Please describe this in detail in the patch changelog. :-)
Thanks,
//richard