From: Cyrill Gorcunov <gorcunov@openvz.org>
To: Matt Helsley <matthltc@us.ibm.com>
Cc: Oleg Nesterov <oleg@redhat.com>,
KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>,
Pavel Emelyanov <xemul@parallels.com>,
Kees Cook <keescook@chromium.org>, Tejun Heo <tj@kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [RFC] c/r: prctl: Add ability to set new mm_struct::exe_file v3
Date: Tue, 13 Mar 2012 10:26:25 +0400 [thread overview]
Message-ID: <20120313062625.GA1912@moon> (raw)
In-Reply-To: <20120313024511.GF19584@count0.beaverton.ibm.com>
On Mon, Mar 12, 2012 at 07:45:11PM -0700, Matt Helsley wrote:
> >
> > Indeed. But I think any change will mean compatibility broken, programs
> > may rely on one-shot or multi-shot behaviour. So I personally vote
> > for more flexible approach here.
>
> Very true. In fact thinking about this prctl a bit more makes me more certain
> that one-shot is better and it ought to stay that way forever. The
> flexibility to change the /proc/pid/exe symlink could be yet another
> way for malicious code to obscure a compromised program and
> masquerade as a benign process. That's a problem inherent in this prctl
> whether its one-shot or multi-shot. However, if you use the one-shot
> approach then a security-concious program can use this prctl once
> during its early initialization to ensure the prctl cannot later be abused
> for this purpose.
>
Hi Matt,
well, sure our tool can live with one-shot approach (and I'll update it)
but not that only program with CAP_RESOURCE granted can do that, ie it's
not any arbitrary program in a system.
> > names -- how would he know if a program did change own /proc/pid/exe
> > at all? Note it's not that important how many times the symlink was
> > changed there is simply no way to find out if it was changed at all,
> > and actually from my POV it's a win for transparent c/r, that was
> > all the idea.
>
> I am quite aware of the c/r use for this prctl :). However I also
> wonder if there aren't serious malicious uses of it. I'm not saying the
> symlink has to be perfectly accurate at all times, but it's easy and
> reasonable to make it much harder to abuse this particular prctl for
> malicious purposes by making it one-shot.
>
ok, convinced, I'll update the patch ;)
> With this patch -- especially the multi-shot form -- the symlink will
> be entirely under the control of (potentially untrusted) userspace code
> and the admin is totally at the mercy of the userspace code. In
> single-shot form programs could use the prctl() to ensure the symlink
> could not be changed later -- the restart tool would be the only program
> that would need to ensure that prctl() had not been used since the last
> exec*().
>
> If we're going to let userspace do arbitrary things to the symlink I can't
> help but wonder why we can't skip the prctl() altogether and just enable
> MAP_EXECUTABLE in mmap().
Well, hard to tell from my side. At moment I don't see problem in allowing
MAP_EXECUTABLE in mmap, but -mm guys help needed. I'm sure there were a reason
why it's not allowed.
Cyrill
next prev parent reply other threads:[~2012-03-13 6:26 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-03-08 16:51 [RFC] c/r: prctl: Add ability to set new mm_struct::exe_file v3 Cyrill Gorcunov
2012-03-08 18:26 ` Oleg Nesterov
2012-03-08 19:03 ` Cyrill Gorcunov
2012-03-08 19:05 ` Oleg Nesterov
2012-03-08 19:25 ` Cyrill Gorcunov
2012-03-08 19:25 ` Oleg Nesterov
2012-03-08 19:36 ` Cyrill Gorcunov
2012-03-08 21:48 ` Cyrill Gorcunov
2012-03-09 12:48 ` Oleg Nesterov
2012-03-09 12:57 ` Cyrill Gorcunov
2012-03-09 13:35 ` Cyrill Gorcunov
2012-03-09 13:47 ` Oleg Nesterov
2012-03-09 14:13 ` Cyrill Gorcunov
2012-03-09 14:26 ` Oleg Nesterov
2012-03-09 14:42 ` Cyrill Gorcunov
2012-03-09 15:21 ` Oleg Nesterov
2012-03-09 15:42 ` Cyrill Gorcunov
2012-03-09 22:02 ` Matt Helsley
2012-03-09 22:39 ` Cyrill Gorcunov
2012-03-09 23:59 ` Matt Helsley
2012-03-10 7:48 ` Cyrill Gorcunov
2012-03-13 2:45 ` Matt Helsley
2012-03-13 6:26 ` Cyrill Gorcunov [this message]
2012-03-13 7:18 ` Cyrill Gorcunov
2012-03-13 15:43 ` Oleg Nesterov
2012-03-13 16:00 ` Cyrill Gorcunov
2012-03-13 16:04 ` Cyrill Gorcunov
2012-03-13 16:44 ` Oleg Nesterov
2012-03-14 1:41 ` Matt Helsley
2012-03-14 5:47 ` Cyrill Gorcunov
2012-03-14 22:21 ` Matt Helsley
2012-03-14 22:48 ` Cyrill Gorcunov
2012-03-14 0:36 ` Matt Helsley
2012-03-09 21:46 ` Matt Helsley
2012-03-09 21:52 ` Cyrill Gorcunov
2012-03-08 19:31 ` Kees Cook
2012-03-08 19:40 ` Cyrill Gorcunov
2012-03-08 20:02 ` Andy Lutomirski
2012-03-08 20:06 ` Kees Cook
2012-03-08 20:07 ` Cyrill Gorcunov
2012-03-08 20:15 ` Andy Lutomirski
2012-03-08 20:21 ` Cyrill Gorcunov
2012-03-08 20:24 ` Andy Lutomirski
2012-03-08 20:28 ` Cyrill Gorcunov
2012-03-08 21:57 ` Cyrill Gorcunov
2012-03-08 22:03 ` Kees Cook
2012-03-08 22:12 ` Cyrill Gorcunov
2012-03-08 22:14 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120313062625.GA1912@moon \
--to=gorcunov@openvz.org \
--cc=akpm@linux-foundation.org \
--cc=keescook@chromium.org \
--cc=kosaki.motohiro@jp.fujitsu.com \
--cc=linux-kernel@vger.kernel.org \
--cc=matthltc@us.ibm.com \
--cc=oleg@redhat.com \
--cc=tj@kernel.org \
--cc=xemul@parallels.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox