From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <1448895320.1990.69.camel@decadent.org.uk>
Subject: Re: [PATCH 2.6.32 19/38] [PATCH 19/38] pagemap: hide physical addresses from non-privileged users
From: Ben Hutchings
To: Willy Tarreau
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org, Konstantin Khlebnikov, Naoya Horiguchi, Mark Williamson, Andrew Morton, Linus Torvalds
Date: Mon, 30 Nov 2015 14:55:20 +0000
In-Reply-To: <20151130113005.GA2440@1wt.eu>
References: <20151129214703.685445143@1wt.eu> <1448848462.1990.44.camel@decadent.org.uk> <20151130070136.GB31694@1wt.eu> <20151130113005.GA2440@1wt.eu>

On Mon, 2015-11-30 at 12:30 +0100, Willy Tarreau wrote:
> On Mon, Nov 30, 2015 at 08:01:36AM +0100, Willy Tarreau wrote:
> > On Mon, Nov 30, 2015 at 01:54:22AM +0000, Ben Hutchings wrote:
> > > On Sun, 2015-11-29 at 22:47 +0100, Willy Tarreau wrote:
> > > This is wrong; see
> > > .
> >
> > Damned, and I now remember this discussion. The worst thing is that
> > I purposely booted a machine to test the fix and was happy with it,
> > I forgot this point :-(
> >
> > > For 2.6.32 perhaps you could retain the capability check at open time
> > > but store the result in private state for use at read time.
> >
> > I'll see if it is possible to open-code security_capable() with 2.6.32's
> > infrastructure, and how far this brings us. Or maybe we should even drop
> > this one completely and leave pagemap readable only for superuser on
> > 2.6.32, it doesn't seem to be that big of a deal either.
>
> It was easy enough to open-code security_capable() in the end. I've
> tested this version which works fine for me here. If that's OK for you
> I'll emit an -rc2 with the last two patches.
[...]
> +	/* do not disclose physical addresses: attack vector */
> +	pm.show_pfn = !cap_capable(current, file->f_cred, CAP_SYS_ADMIN, SECURITY_CAP_AUDIT);
[...]

But this bypasses SELinux's additional restrictions on capabilities. I
think it would be better to cherry-pick this first:

commit 6037b715d6fab139742c3df8851db4c823081561
Author: Chris Wright
Date:   Wed Feb 9 22:11:51 2011 -0800

    security: add cred argument to security_capable()

and then you can pass file->f_cred to security_capable().

Ben.

-- 
Ben Hutchings
Who are all these weirdos? - David Bowie, reading IRC for the first time
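Review bot: the quoted hunk calls cap_capable() directly, which evaluates only the capability sets in file->f_cred and skips the security_capable() LSM dispatch, so a module such as SELinux that further restricts CAP_SYS_ADMIN is never consulted; deciding show_pfn once at open time from file->f_cred is the right shape, but the check should go through security_capable(file->f_cred, CAP_SYS_ADMIN), which on 2.6.32 means first cherry-picking commit 6037b715d6fab139742c3df8851db4c823081561 ("security: add cred argument to security_capable()") so that security_capable() accepts a cred argument.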
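Added example, not code from the thread or from the kernel patch: a user-space check in C that decodes /proc/self/pagemap entries (bit layout from the kernel's Documentation/vm/pagemap.txt: bit 63 present, bit 62 swapped, bits 0-54 PFN) and reports whether the PFN field reads back as zero, which is what the patch produces for a reader without CAP_SYS_ADMIN. It assumes a Linux host with /proc mounted; the decode helpers work on any 64-bit entry value.

```c
/* Added example: decode /proc/self/pagemap entries and check whether the PFN
 * field is hidden, as the patch does for readers lacking CAP_SYS_ADMIN. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>

#define PM_PFN_MASK ((UINT64_C(1) << 55) - 1)   /* bits 0-54: PFN when present */
#define PM_SWAPPED  (UINT64_C(1) << 62)         /* bit 62: page is swapped out */
#define PM_PRESENT  (UINT64_C(1) << 63)         /* bit 63: page is present in RAM */

struct pm_entry { int present; int swapped; uint64_t pfn; };

struct pm_entry pm_decode(uint64_t raw) {
    struct pm_entry e;
    e.present = (raw & PM_PRESENT) != 0;
    e.swapped = (raw & PM_SWAPPED) != 0;
    e.pfn = e.present ? (raw & PM_PFN_MASK) : 0;  /* low bits hold swap info otherwise */
    return e;
}

/* A present page whose PFN reads as 0 is what a patched kernel shows an unprivileged reader. */
int pm_pfn_hidden(uint64_t raw) {
    struct pm_entry e = pm_decode(raw);
    return e.present && e.pfn == 0;
}

/* Read the 8-byte pagemap entry covering one virtual address of this process.
 * Returns 0 on success, -1 on error (e.g. no /proc or a non-Linux host). */
int pm_read_self(uintptr_t vaddr, uint64_t *raw) {
    long psz = sysconf(_SC_PAGESIZE);
    if (psz <= 0) return -1;
    int fd = open("/proc/self/pagemap", O_RDONLY);
    if (fd < 0) return -1;
    off_t off = (off_t)(vaddr / (uintptr_t)psz) * (off_t)sizeof(*raw);
    ssize_t n = pread(fd, raw, sizeof(*raw), off);
    close(fd);
    return n == (ssize_t)sizeof(*raw) ? 0 : -1;
}

int main(void) {
    static volatile char buf[4096];
    uint64_t raw;
    buf[0] = 1;                        /* touch the page so it is resident */
    if (pm_read_self((uintptr_t)buf, &raw) != 0) { perror("pagemap"); return 1; }
    struct pm_entry e = pm_decode(raw);
    printf("present=%d swapped=%d pfn=0x%llx: %s\n", e.present, e.swapped,
           (unsigned long long)e.pfn, pm_pfn_hidden(raw) ? "PFN hidden" : "PFN visible");
    return 0;
}
```

Run it as an ordinary user and as root on a patched kernel to see the PFN field switch between 0 and a real frame number while the present bit stays set.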