From: ebiederm@xmission.com (Eric W. Biederman)
To: Kees Cook <keescook@chromium.org>
Cc: "Andrew Morton" <akpm@linux-foundation.org>,
"Al Viro" <viro@zeniv.linux.org.uk>,
"Richard Weinberger" <richard@nod.at>,
"Andy Lutomirski" <luto@amacapital.net>,
"Robert Święcki" <robert@swiecki.net>,
"Dmitry Vyukov" <dvyukov@google.com>,
"David Howells" <dhowells@redhat.com>,
"Miklos Szeredi" <mszeredi@suse.cz>,
"Kostya Serebryany" <kcc@google.com>,
"Alexander Potapenko" <glider@google.com>,
"Eric Dumazet" <edumazet@google.com>,
"Sasha Levin" <sasha.levin@oracle.com>,
linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
kernel-hardening@lists.openwall.com
Subject: Re: [PATCH 1/2] sysctl: expand use of proc_dointvec_minmax_sysadmin
Date: Fri, 22 Jan 2016 21:10:07 -0600 [thread overview]
Message-ID: <87oacdyos0.fsf@x220.int.ebiederm.org> (raw)
In-Reply-To: <1453502345-30416-2-git-send-email-keescook@chromium.org> (Kees Cook's message of "Fri, 22 Jan 2016 14:39:04 -0800")
Kees Cook <keescook@chromium.org> writes:
> Several sysctls expect a state where the highest value (in extra2) is
> locked once set for that boot. Yama does this, and kptr_restrict should
> be doing it. This extracts Yama's logic and adds it to the existing
> proc_dointvec_minmax_sysadmin, taking care to avoid the simple boolean
> states (which do not get locked). Since Yama wants to be checking a
> different capability, we build wrappers for both cases (CAP_SYS_ADMIN
> and CAP_SYS_PTRACE).
Sigh this sysctl appears susceptible to known attacks.
In my quick skim I believe this sysctl implementation that checks
capabilities is susceptible to attacks where the already open file
descriptor is set as stdout on a setuid root application.
Can we come up with an interface that isn't exploitable by an
application that will act as a setuid cat?
Eric
> -#ifdef CONFIG_PRINTK
> -static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
> - void __user *buffer, size_t *lenp, loff_t *ppos)
> +int proc_dointvec_minmax_cap(int cap, struct ctl_table *table, int write,
> + void __user *buffer, size_t *lenp, loff_t *ppos)
> {
> - if (write && !capable(CAP_SYS_ADMIN))
> + struct ctl_table table_copy;
> + int value;
> +
> + /* Require init capabilities to make changes. */
> + if (write && !capable(cap))
> return -EPERM;
>
> - return proc_dointvec_minmax(table, write, buffer, lenp, ppos);
> + /*
> + * To deal with const sysctl tables, we make a copy to perform
> + * the locking. When data is >1 and ==extra2, lock extra1 to
> + * extra2 to stop the value from being changed any further at
> + * runtime.
> + */
> + table_copy = *table;
> + value = *(int *)table_copy.data;
> + if (value > 1 && value == *(int *)table_copy.extra2)
> + table_copy.extra1 = table_copy.extra2;
> +
> + return proc_dointvec_minmax(&table_copy, write, buffer, lenp, ppos);
> }
> -#endif
next prev parent reply other threads:[~2016-01-23 3:19 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-22 22:39 [PATCH 0/2] sysctl: allow CLONE_NEWUSER to be disabled Kees Cook
2016-01-22 22:39 ` [PATCH 1/2] sysctl: expand use of proc_dointvec_minmax_sysadmin Kees Cook
2016-01-23 3:10 ` Eric W. Biederman [this message]
2016-01-23 22:25 ` [kernel-hardening] " Jann Horn
2016-01-24 1:20 ` Eric W. Biederman
2016-01-24 1:43 ` Al Viro
2016-01-24 1:56 ` Jann Horn
2016-01-24 6:02 ` Eric W. Biederman
2016-01-24 6:32 ` Jann Horn
2016-01-24 6:44 ` Eric W. Biederman
2016-01-22 22:39 ` [PATCH 2/2] sysctl: allow CLONE_NEWUSER to be disabled Kees Cook
2016-01-22 22:47 ` Robert Święcki
2016-01-22 22:50 ` Kees Cook
2016-01-22 22:55 ` Robert Święcki
2016-01-22 23:00 ` Kees Cook
2016-01-23 0:44 ` Serge Hallyn
2016-01-23 0:44 ` Serge Hallyn
2016-01-23 0:59 ` [kernel-hardening] " Ben Hutchings
2016-01-24 20:59 ` Kees Cook
2016-01-24 22:20 ` Andy Lutomirski
2016-01-25 18:51 ` Kees Cook
2016-01-22 22:49 ` [PATCH 0/2] " Richard Weinberger
2016-01-23 3:02 ` Eric W. Biederman
2016-01-24 20:57 ` Kees Cook
2016-01-26 7:38 ` [kernel-hardening] " Serge Hallyn
2016-01-24 22:22 ` Andy Lutomirski
2016-01-25 18:51 ` Kees Cook
2016-01-25 18:53 ` Andy Lutomirski
2016-01-25 18:56 ` Kees Cook
2016-01-25 19:33 ` Eric W. Biederman
2016-01-25 22:34 ` Kees Cook
2016-01-25 23:33 ` Andy Lutomirski
2016-01-26 2:27 ` [kernel-hardening] " Daniel Micay
2016-01-26 4:57 ` Eric W. Biederman
2016-01-26 14:38 ` Josh Boyer
2016-01-26 14:46 ` Austin S. Hemmelgarn
2016-01-26 14:56 ` Josh Boyer
2016-01-26 17:20 ` [kernel-hardening] " Serge Hallyn
2016-01-26 19:56 ` Josh Boyer
2016-01-26 20:11 ` Austin S. Hemmelgarn
2016-01-26 17:15 ` Serge Hallyn
2016-01-26 18:09 ` Austin S. Hemmelgarn
2016-01-26 18:27 ` Andy Lutomirski
2016-01-26 18:45 ` Austin S. Hemmelgarn
2016-01-26 23:15 ` Kees Cook
2016-01-26 23:13 ` Kees Cook
2016-01-27 10:27 ` Eric W. Biederman
2016-01-27 12:32 ` Austin S. Hemmelgarn
2016-01-28 14:41 ` Robert Święcki
2016-01-26 16:37 ` Kees Cook
2016-01-28 8:56 ` [kernel-hardening] " Serge E. Hallyn
2016-01-28 12:53 ` Austin S. Hemmelgarn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87oacdyos0.fsf@x220.int.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=akpm@linux-foundation.org \
--cc=dhowells@redhat.com \
--cc=dvyukov@google.com \
--cc=edumazet@google.com \
--cc=glider@google.com \
--cc=kcc@google.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mszeredi@suse.cz \
--cc=richard@nod.at \
--cc=robert@swiecki.net \
--cc=sasha.levin@oracle.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Powered by JetHome