From: Daniel Thompson <daniel.thompson@linaro.org>
To: kgdb-bugreport@lists.sourceforge.net,
Jason Wessel <jason.wessel@windriver.com>
Cc: patches@linaro.org, linaro-kernel@lists.linaro.org,
Anton Vorontsov <anton.vorontsov@linaro.org>,
linux-kernel@vger.kernel.org,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Jiri Slaby <jslaby@suse.cz>, Steven Rostedt <rostedt@goodmis.org>,
Frederic Weisbecker <fweisbec@gmail.com>,
Ingo Molnar <mingo@redhat.com>,
John Stultz <john.stultz@linaro.org>,
Colin Cross <ccross@android.com>,
kernel-team@android.com,
Daniel Thompson <daniel.thompson@linaro.org>
Subject: [RFC v2 08/10] kdb: Add kiosk mode
Date: Wed, 2 Apr 2014 16:43:58 +0100 [thread overview]
Message-ID: <1396453440-16445-9-git-send-email-daniel.thompson@linaro.org> (raw)
In-Reply-To: <1396453440-16445-1-git-send-email-daniel.thompson@linaro.org>
From: Anton Vorontsov <anton.vorontsov@linaro.org>
By issuing 'echo 1 > /sys/module/kdb/parameters/kiosk' or
booting with kdb.kiosk=1 kernel command line option, one can still have
a somewhat usable debugging facility, but not fearing that the
debugger can be used to easily gain root access or dump sensitive data.
Without the kiosk mode, obtaining the root rights via KDB is a matter of
a few commands, and works everywhere. For example, log in as a normal
user:
cbou:~$ id
uid=1001(cbou) gid=1001(cbou) groups=1001(cbou)
Now enter KDB (for example via sysrq):
Entering kdb (current=0xffff8800065bc740, pid 920) due to Keyboard Entry
kdb> ps
23 sleeping system daemon (state M) processes suppressed,
use 'ps A' to see all.
Task Addr Pid Parent [*] cpu State Thread Command
0xffff8800065bc740 920 919 1 0 R 0xffff8800065bca20 *bash
0xffff880007078000 1 0 0 0 S 0xffff8800070782e0 init
[...snip...]
0xffff8800065be3c0 918 1 0 0 S 0xffff8800065be6a0 getty
0xffff8800065b9c80 919 1 0 0 S 0xffff8800065b9f60 login
0xffff8800065bc740 920 919 1 0 R 0xffff8800065bca20 *bash
All we need is the offset of cred pointers. We can look up the offset in
the distro's kernel source, but it is unnecessary. We can just start
dumping init's task_struct, until we see the process name:
kdb> md 0xffff880007078000
0xffff880007078000 0000000000000001 ffff88000703c000 ................
0xffff880007078010 0040210000000002 0000000000000000 .....!@.........
[...snip...]
0xffff8800070782b0 ffff8800073e0580 ffff8800073e0580 ..>.......>.....
0xffff8800070782c0 0000000074696e69 0000000000000000 init............
^ Here, 'init'. Creds are just above it, so the offset is 0x02b0.
Now we set up init's creds for our non-privileged shell:
kdb> mm 0xffff8800065bc740+0x02b0 0xffff8800073e0580
0xffff8800065bc9f0 = 0xffff8800073e0580
kdb> mm 0xffff8800065bc740+0x02b8 0xffff8800073e0580
0xffff8800065bc9f8 = 0xffff8800073e0580
And thus gaining the root:
kdb> go
cbou:~$ id
uid=0(root) gid=0(root) groups=0(root)
cbou:~$ bash
root:~#
p.s. No distro enables kdb by default (although, with a nice KDB-over-KMS
feature availability, I would expect at least some would enable it), so
it's not actually some kind of a major issue.
Signed-off-by: Anton Vorontsov <anton.vorontsov@linaro.org>
Signed-off-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
---
include/linux/kdb.h | 1 +
kernel/debug/kdb/kdb_main.c | 31 ++++++++++++++++++++++++++++++-
2 files changed, 31 insertions(+), 1 deletion(-)
diff --git a/include/linux/kdb.h b/include/linux/kdb.h
index 784b22f..cc5ece9 100644
--- a/include/linux/kdb.h
+++ b/include/linux/kdb.h
@@ -63,6 +63,7 @@ extern atomic_t kdb_event;
#define KDB_BADLENGTH (-19)
#define KDB_NOBP (-20)
#define KDB_BADADDR (-21)
+#define KDB_NOPERM (-22)
/*
* kdb_diemsg
diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c
index 0205e4a..808bf55 100644
--- a/kernel/debug/kdb/kdb_main.c
+++ b/kernel/debug/kdb/kdb_main.c
@@ -12,6 +12,7 @@
*/
#include <linux/ctype.h>
+#include <linux/types.h>
#include <linux/string.h>
#include <linux/kernel.h>
#include <linux/kmsg_dump.h>
@@ -23,6 +24,7 @@
#include <linux/vmalloc.h>
#include <linux/atomic.h>
#include <linux/module.h>
+#include <linux/moduleparam.h>
#include <linux/mm.h>
#include <linux/init.h>
#include <linux/kallsyms.h>
@@ -42,6 +44,12 @@
#include <linux/slab.h>
#include "kdb_private.h"
+#undef MODULE_PARAM_PREFIX
+#define MODULE_PARAM_PREFIX "kdb."
+
+static bool kdb_kiosk;
+module_param_named(kiosk, kdb_kiosk, bool, 0600);
+
#define GREP_LEN 256
char kdb_grep_string[GREP_LEN];
int kdb_grepping_flag;
@@ -121,6 +129,7 @@ static kdbmsg_t kdbmsgs[] = {
KDBMSG(BADLENGTH, "Invalid length field"),
KDBMSG(NOBP, "No Breakpoint exists"),
KDBMSG(BADADDR, "Invalid address"),
+ KDBMSG(NOPERM, "Permission denied"),
};
#undef KDBMSG
@@ -476,6 +485,14 @@ int kdbgetaddrarg(int argc, const char **argv, int *nextarg,
kdb_symtab_t symtab;
/*
+ * In kiosk mode there's no arbitrary memory access (only
+ * pre-canned status commands) thus no reasonable need for
+ * symbol lookup.
+ */
+ if (kdb_kiosk)
+ return KDB_NOPERM;
+
+ /*
* Process arguments which follow the following syntax:
*
* symbol | numeric-address [+/- numeric-offset]
@@ -1007,6 +1024,14 @@ int kdb_parse(const char *cmdstr)
if (i < kdb_max_commands) {
int result;
+
+ if (kdb_kiosk) {
+ if (!(tp->cmd_flags & (KDB_SAFE | KDB_SAFE_NO_ARGS)))
+ return KDB_NOPERM;
+ if (tp->cmd_flags & KDB_SAFE_NO_ARGS && argc > 1)
+ return KDB_NOPERM;
+ }
+
KDB_STATE_SET(CMD);
result = (*tp->cmd_func)(argc-1, (const char **)argv);
if (result && ignore_errors && result > KDB_CMD_GO)
@@ -1915,13 +1940,17 @@ static int kdb_rm(int argc, const char **argv)
* kdb_sr - This function implements the 'sr' (SYSRQ key) command
* which interfaces to the soi-disant MAGIC SYSRQ functionality.
* sr <magic-sysrq-code>
+ *
+ * Normally this command bypasses the SYSRQ enables tests, however
+ * when kiosk mode is engaged certain SYSRQ commands can be masked
+ * out.
*/
static int kdb_sr(int argc, const char **argv)
{
if (argc != 1)
return KDB_ARGCOUNT;
kdb_trap_printk++;
- __handle_sysrq_nolock(*argv[1], false);
+ __handle_sysrq_nolock(*argv[1], kdb_kiosk);
kdb_trap_printk--;
return 0;
--
1.9.0
next prev parent reply other threads:[~2014-04-02 15:45 UTC|newest]
Thread overview: 76+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-02 15:43 [RFC v2 00/10] kdb: Kiosk (reduced capabilities) mode Daniel Thompson
2014-04-02 15:43 ` [RFC v2 01/10] sysrq: Implement __handle_sysrq_nolock to avoid recursive locking in kdb Daniel Thompson
2014-04-02 15:43 ` [RFC v2 02/10] kdb: Remove currently unused kdbtab_t->cmd_flags Daniel Thompson
2014-04-02 15:43 ` [RFC v2 03/10] kdb: Rename kdb_repeat_t to kdb_cmdflags_t, cmd_repeat to cmd_flags Daniel Thompson
2014-04-02 15:43 ` [RFC v2 04/10] kdb: Rename kdb_register_repeat() to kdb_register_flags() Daniel Thompson
2014-04-02 15:43 ` [RFC v2 05/10] kdb: Use KDB_REPEAT_* values as flags Daniel Thompson
2014-04-02 15:43 ` [RFC v2 06/10] kdb: Remove KDB_REPEAT_NONE flag Daniel Thompson
2014-04-02 15:43 ` [RFC v2 07/10] kdb: Mark safe commands as KDB_SAFE and KDB_SAFE_NO_ARGS Daniel Thompson
2014-04-02 15:43 ` Daniel Thompson [this message]
2014-04-02 15:43 ` [RFC v2 09/10] kdb: Improve usability of help text when running in kiosk mode Daniel Thompson
2014-04-02 15:44 ` [RFC v2 10/10] kdb: Allow access to sensitive commands to be restricted by default Daniel Thompson
2014-04-25 16:29 ` [RFC v3 0/9] kdb: Allow selective reduction in capabilities (was "kiosk mode") Daniel Thompson
2014-04-25 16:29 ` [RFC v3 1/9] sysrq: Implement __handle_sysrq_nolock to avoid recursive locking in kdb Daniel Thompson
2014-04-25 16:45 ` Steven Rostedt
2014-04-28 10:24 ` Daniel Thompson
2014-04-28 17:44 ` Colin Cross
2014-04-28 20:12 ` Daniel Thompson
2014-04-29 8:59 ` Daniel Thompson
2014-04-29 16:33 ` Colin Cross
2014-04-25 16:29 ` [RFC v3 2/9] kdb: Remove currently unused kdbtab_t->cmd_flags Daniel Thompson
2014-04-25 16:29 ` [RFC v3 3/9] kdb: Rename kdb_repeat_t to kdb_cmdflags_t, cmd_repeat to cmd_flags Daniel Thompson
2014-04-25 16:29 ` [RFC v3 4/9] kdb: Rename kdb_register_repeat() to kdb_register_flags() Daniel Thompson
2014-04-25 16:29 ` [RFC v3 5/9] kdb: Use KDB_REPEAT_* values as flags Daniel Thompson
2014-04-25 16:29 ` [RFC v3 6/9] kdb: Remove KDB_REPEAT_NONE flag Daniel Thompson
2014-04-25 16:29 ` [RFC v3 7/9] kdb: Categorize kdb commands (similar to SysRq categorization) Daniel Thompson
2014-04-25 16:57 ` Steven Rostedt
2014-04-28 10:30 ` Daniel Thompson
2014-04-25 16:29 ` [RFC v3 8/9] kdb: Add enable mask for groups of commands Daniel Thompson
2014-04-25 16:29 ` [RFC v3 9/9] kdb: Allow access to sensitive commands to be restricted by default Daniel Thompson
2014-05-06 13:03 ` [PATCH v4 0/9] kdb: Allow selective reduction in capabilities (was "kiosk mode") Daniel Thompson
2014-05-06 13:03 ` [PATCH v4 1/9] sysrq: Implement __handle_sysrq_nolock to avoid recursive locking in kdb Daniel Thompson
2014-05-06 13:03 ` [PATCH v4 2/9] kdb: Remove currently unused kdbtab_t->cmd_flags Daniel Thompson
2014-05-06 13:03 ` [PATCH v4 3/9] kdb: Rename kdb_repeat_t to kdb_cmdflags_t, cmd_repeat to cmd_flags Daniel Thompson
2014-05-06 13:03 ` [PATCH v4 4/9] kdb: Rename kdb_register_repeat() to kdb_register_flags() Daniel Thompson
2014-05-06 13:03 ` [PATCH v4 5/9] kdb: Use KDB_REPEAT_* values as flags Daniel Thompson
2014-05-06 13:03 ` [PATCH v4 6/9] kdb: Remove KDB_REPEAT_NONE flag Daniel Thompson
2014-05-06 13:03 ` [PATCH v4 7/9] kdb: Categorize kdb commands (similar to SysRq categorization) Daniel Thompson
2014-05-06 13:03 ` [PATCH v4 8/9] kdb: Add enable mask for groups of commands Daniel Thompson
2014-05-06 13:03 ` [PATCH v4 9/9] kdb: Allow access to sensitive commands to be restricted by default Daniel Thompson
2014-06-19 13:19 ` [PATCH v5 0/8] kdb: Allow selective reduction in capabilities (was "kiosk mode") Daniel Thompson
2014-06-19 13:19 ` [PATCH v5 1/8] kdb: Remove currently unused kdbtab_t->cmd_flags Daniel Thompson
2014-06-19 13:19 ` [PATCH v5 2/8] kdb: Rename kdb_repeat_t to kdb_cmdflags_t, cmd_repeat to cmd_flags Daniel Thompson
2014-06-19 13:19 ` [PATCH v5 3/8] kdb: Rename kdb_register_repeat() to kdb_register_flags() Daniel Thompson
2014-06-19 13:19 ` [PATCH v5 4/8] kdb: Use KDB_REPEAT_* values as flags Daniel Thompson
2014-06-19 13:19 ` [PATCH v5 5/8] kdb: Remove KDB_REPEAT_NONE flag Daniel Thompson
2014-06-19 13:19 ` [PATCH v5 6/8] kdb: Categorize kdb commands (similar to SysRq categorization) Daniel Thompson
2014-06-19 13:19 ` [PATCH v5 7/8] kdb: Add enable mask for groups of commands Daniel Thompson
2014-06-19 13:19 ` [PATCH v5 8/8] kdb: Allow access to sensitive commands to be restricted by default Daniel Thompson
2014-07-11 11:33 ` [RESEND PATCH v5 3.16-rc4 0/8] kdb: Allow selective reduction in capabilities Daniel Thompson
2014-07-11 11:33 ` [RESEND PATCH v5 3.16-rc4 1/8] kdb: Remove currently unused kdbtab_t->cmd_flags Daniel Thompson
2014-07-11 11:33 ` [RESEND PATCH v5 3.16-rc4 2/8] kdb: Rename kdb_repeat_t to kdb_cmdflags_t, cmd_repeat to cmd_flags Daniel Thompson
2014-07-11 11:33 ` [RESEND PATCH v5 3.16-rc4 3/8] kdb: Rename kdb_register_repeat() to kdb_register_flags() Daniel Thompson
2014-07-11 11:33 ` [RESEND PATCH v5 3.16-rc4 4/8] kdb: Use KDB_REPEAT_* values as flags Daniel Thompson
2014-07-11 11:33 ` [RESEND PATCH v5 3.16-rc4 5/8] kdb: Remove KDB_REPEAT_NONE flag Daniel Thompson
2014-07-11 11:33 ` [RESEND PATCH v5 3.16-rc4 6/8] kdb: Categorize kdb commands (similar to SysRq categorization) Daniel Thompson
2014-07-11 11:33 ` [RESEND PATCH v5 3.16-rc4 7/8] kdb: Add enable mask for groups of commands Daniel Thompson
2014-07-11 11:33 ` [RESEND PATCH v5 3.16-rc4 8/8] kdb: Allow access to sensitive commands to be restricted by default Daniel Thompson
2014-07-11 13:16 ` [RESEND PATCH v5 3.16-rc4 0/8] kdb: Allow selective reduction in capabilities Jason Wessel
2014-08-19 14:01 ` [RESEND PATCH v5 3.17-rc1 " Daniel Thompson
2014-08-19 14:01 ` [RESEND PATCH v5 3.17-rc1 1/8] kdb: Remove currently unused kdbtab_t->cmd_flags Daniel Thompson
2014-08-19 14:01 ` [RESEND PATCH v5 3.17-rc1 2/8] kdb: Rename kdb_repeat_t to kdb_cmdflags_t, cmd_repeat to cmd_flags Daniel Thompson
2014-08-19 14:01 ` [RESEND PATCH v5 3.17-rc1 3/8] kdb: Rename kdb_register_repeat() to kdb_register_flags() Daniel Thompson
2014-08-19 14:01 ` [RESEND PATCH v5 3.17-rc1 4/8] kdb: Use KDB_REPEAT_* values as flags Daniel Thompson
2014-08-19 14:01 ` [RESEND PATCH v5 3.17-rc1 5/8] kdb: Remove KDB_REPEAT_NONE flag Daniel Thompson
2014-08-19 14:02 ` [RESEND PATCH v5 3.17-rc1 6/8] kdb: Categorize kdb commands (similar to SysRq categorization) Daniel Thompson
2014-08-19 14:02 ` [RESEND PATCH v5 3.17-rc1 7/8] kdb: Add enable mask for groups of commands Daniel Thompson
2014-08-19 14:02 ` [RESEND PATCH v5 3.17-rc1 8/8] kdb: Allow access to sensitive commands to be restricted by default Daniel Thompson
2015-01-07 16:34 ` [RESEND PATCH v5 3.19-rc2 0/8] kdb: Allow selective reduction in capabilities Daniel Thompson
2015-01-07 16:34 ` [RESEND PATCH v5 3.19-rc2 1/8] kdb: Remove currently unused kdbtab_t->cmd_flags Daniel Thompson
2015-01-07 16:34 ` [RESEND PATCH v5 3.19-rc2 2/8] kdb: Rename kdb_repeat_t to kdb_cmdflags_t, cmd_repeat to cmd_flags Daniel Thompson
2015-01-07 16:34 ` [RESEND PATCH v5 3.19-rc2 3/8] kdb: Rename kdb_register_repeat() to kdb_register_flags() Daniel Thompson
2015-01-07 16:34 ` [RESEND PATCH v5 3.19-rc2 4/8] kdb: Use KDB_REPEAT_* values as flags Daniel Thompson
2015-01-07 16:34 ` [RESEND PATCH v5 3.19-rc2 5/8] kdb: Remove KDB_REPEAT_NONE flag Daniel Thompson
2015-01-07 16:34 ` [RESEND PATCH v5 3.19-rc2 6/8] kdb: Categorize kdb commands (similar to SysRq categorization) Daniel Thompson
2015-01-07 16:34 ` [RESEND PATCH v5 3.19-rc2 7/8] kdb: Add enable mask for groups of commands Daniel Thompson
2015-01-07 16:34 ` [RESEND PATCH v5 3.19-rc2 8/8] kdb: Allow access to sensitive commands to be restricted by default Daniel Thompson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1396453440-16445-9-git-send-email-daniel.thompson@linaro.org \
--to=daniel.thompson@linaro.org \
--cc=anton.vorontsov@linaro.org \
--cc=ccross@android.com \
--cc=fweisbec@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=jason.wessel@windriver.com \
--cc=john.stultz@linaro.org \
--cc=jslaby@suse.cz \
--cc=kernel-team@android.com \
--cc=kgdb-bugreport@lists.sourceforge.net \
--cc=linaro-kernel@lists.linaro.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=patches@linaro.org \
--cc=rostedt@goodmis.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).