From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752090AbcAXGzA (ORCPT ); Sun, 24 Jan 2016 01:55:00 -0500 Received: from out03.mta.xmission.com ([166.70.13.233]:43430 "EHLO out03.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751926AbcAXGyS (ORCPT ); Sun, 24 Jan 2016 01:54:18 -0500 From: ebiederm@xmission.com (Eric W. Biederman) To: Jann Horn Cc: Al Viro , kernel-hardening@lists.openwall.com, Kees Cook , Andrew Morton , Richard Weinberger , Andy Lutomirski , Robert =?utf-8?B?xZp3acSZY2tp?= , Dmitry Vyukov , David Howells , Miklos Szeredi , Kostya Serebryany , Alexander Potapenko , Eric Dumazet , Sasha Levin , linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org References: <1453502345-30416-1-git-send-email-keescook@chromium.org> <1453502345-30416-2-git-send-email-keescook@chromium.org> <87oacdyos0.fsf@x220.int.ebiederm.org> <20160123222540.GA9740@pc.thejh.net> <87mvrvwz72.fsf@x220.int.ebiederm.org> <20160124014342.GW17997@ZenIV.linux.org.uk> <20160124015643.GA6601@pc.thejh.net> <87wpqzv7jy.fsf@x220.int.ebiederm.org> <20160124063229.GA21717@pc.thejh.net> Date: Sun, 24 Jan 2016 00:44:52 -0600 In-Reply-To: <20160124063229.GA21717@pc.thejh.net> (Jann Horn's message of "Sun, 24 Jan 2016 07:32:29 +0100") Message-ID: <871t97v5ln.fsf@x220.int.ebiederm.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-AID: U2FsdGVkX186GAQMx2jmj9ZWldLxbPdWSV7mlu+O7ng= X-SA-Exim-Connect-IP: 97.121.81.63 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 0.0 TVD_RCVD_IP Message was received from an IP address * 0.5 XMGappySubj_01 Very gappy subject * 0.7 XMSubLong Long Subject * 1.5 XMNoVowels Alpha-numberic number with no vowels * 0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available. * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.5000] * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa01 1397; Body=1 Fuz1=1 Fuz2=1] * 0.0 T_TooManySym_01 4+ unique symbols in subject * 0.0 T_TooManySym_02 5+ unique symbols in subject X-Spam-DCC: XMission; sa01 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: **;Jann Horn X-Spam-Relay-Country: X-Spam-Timing: total 693 ms - load_scoreonly_sql: 0.06 (0.0%), signal_user_changed: 3.9 (0.6%), b_tie_ro: 2.8 (0.4%), parse: 1.47 (0.2%), extract_message_metadata: 26 (3.8%), get_uri_detail_list: 3.4 (0.5%), tests_pri_-1000: 10 (1.4%), tests_pri_-950: 1.98 (0.3%), tests_pri_-900: 1.74 (0.3%), tests_pri_-400: 40 (5.8%), check_bayes: 38 (5.5%), b_tokenize: 15 (2.2%), b_tok_get_all: 10 (1.4%), b_comp_prob: 5 (0.8%), b_tok_touch_all: 3.5 (0.5%), b_finish: 0.88 (0.1%), tests_pri_0: 594 (85.6%), check_dkim_signature: 0.87 (0.1%), check_dkim_adsp: 5 (0.7%), tests_pri_500: 9 (1.2%), rewrite_mail: 0.00 (0.0%) Subject: Re: [kernel-hardening] Re: [PATCH 1/2] sysctl: expand use of proc_dointvec_minmax_sysadmin X-Spam-Flag: No X-SA-Exim-Version: 4.2.1 (built Wed, 24 Sep 2014 11:00:52 -0600) X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Jann Horn writes: > On Sun, Jan 24, 2016 at 12:02:41AM -0600, Eric W. Biederman wrote: >> Jann Horn writes: >> >> > On Sun, Jan 24, 2016 at 01:43:42AM +0000, Al Viro wrote: >> >> On Sat, Jan 23, 2016 at 07:20:17PM -0600, Eric W. Biederman wrote: >> >> >> >> > Yep. That is about the size of it. file * used to be passed to the >> >> > sysctl methods but it was removed several years ago because no one was >> >> > using it. >> >> >> >> Generally cred would be better... >> > >> >> Alternatively we could eat one more >> >> pointer in task_struct and stash a reference to that sucker there, rather >> >> than adding an explicit argument (again, with cred instead of file). >> >> Not sure... >> > >> > I think it makes sense to do this the same way as the rest of the VFS code >> > here (which passes the creds down through an argument). >> > >> > And adding the arguments everywhere doesn't really mean more work - either >> > way, someone should probably go through all of those sysctl handlers and >> > fix them up to use the file creds. >> >> Not all of them need it. It might be worth figuring out the necessary >> rigamarole to hook into sysctl_perm the way the networking code does and >> have that require the capability at open time. >> >> The advantage is that open time is when it is actually appropraite to >> check permissions. I could be wrong but I doubt there is enough madness >> with the handful of sysctl users that call capable to require the checks >> to happen on write and not on open. > > That would work - if all sysctls know whether a capability will be needed > for writing later on and don't decide it based on the written data. Is that > always true? That is certainly the common case to stick a pointer to static data in struct sysctl_table. > Looking through some of the sysctl handlers, I found proc_do_uts_string and > pid_ns_ctl_handler, which operate on a namespace looked up through current > at write time. I think that's buggy and ought to be done using the file > opener creds and on the file opener's namespaces, but where can those be > stored? Interesting point. I had not though about it from that angle. From all other angles it has just been something that would be nice to fix but I hadn't seen the need. We have all of the infrastructure needed to register sysctls per namespace and the networking stack uses it. That would not be hard to use for uts, pid and ipc namespaces as well. That would remove any race. Eric