mirror of https://lore.kernel.org/lkml/
 help / color / mirror / Atom feed
From: ebiederm@xmission.com (Eric W. Biederman)
To: Kees Cook <keescook@chromium.org>
Cc: "Andrew Morton" <akpm@linux-foundation.org>,
	"Al Viro" <viro@zeniv.linux.org.uk>,
	"Richard Weinberger" <richard@nod.at>,
	"Andy Lutomirski" <luto@amacapital.net>,
	"Robert Święcki" <robert@swiecki.net>,
	"Dmitry Vyukov" <dvyukov@google.com>,
	"David Howells" <dhowells@redhat.com>,
	"Miklos Szeredi" <mszeredi@suse.cz>,
	"Kostya Serebryany" <kcc@google.com>,
	"Alexander Potapenko" <glider@google.com>,
	"Eric Dumazet" <edumazet@google.com>,
	"Sasha Levin" <sasha.levin@oracle.com>,
	linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
	kernel-hardening@lists.openwall.com
Subject: Re: [PATCH 1/2] sysctl: expand use of proc_dointvec_minmax_sysadmin
Date: Fri, 22 Jan 2016 21:10:07 -0600	[thread overview]
Message-ID: <87oacdyos0.fsf@x220.int.ebiederm.org> (raw)
In-Reply-To: <1453502345-30416-2-git-send-email-keescook@chromium.org> (Kees Cook's message of "Fri, 22 Jan 2016 14:39:04 -0800")

Kees Cook <keescook@chromium.org> writes:

> Several sysctls expect a state where the highest value (in extra2) is
> locked once set for that boot. Yama does this, and kptr_restrict should
> be doing it. This extracts Yama's logic and adds it to the existing
> proc_dointvec_minmax_sysadmin, taking care to avoid the simple boolean
> states (which do not get locked). Since Yama wants to be checking a
> different capability, we build wrappers for both cases (CAP_SYS_ADMIN
> and CAP_SYS_PTRACE).

Sigh this sysctl appears susceptible to known attacks.

In my quick skim I believe this sysctl implementation that checks
capabilities is susceptible to attacks where the already open file
descriptor is set as stdout on a setuid root application.

Can we come up with an interface that isn't exploitable by an
application that will act as a setuid cat?

Eric

> -#ifdef CONFIG_PRINTK
> -static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
> -				void __user *buffer, size_t *lenp, loff_t *ppos)
> +int proc_dointvec_minmax_cap(int cap, struct ctl_table *table, int write,
> +			     void __user *buffer, size_t *lenp, loff_t *ppos)
>  {
> -	if (write && !capable(CAP_SYS_ADMIN))
> +	struct ctl_table table_copy;
> +	int value;
> +
> +	/* Require init capabilities to make changes. */
> +	if (write && !capable(cap))
>  		return -EPERM;
>  
> -	return proc_dointvec_minmax(table, write, buffer, lenp, ppos);
> +	/*
> +	 * To deal with const sysctl tables, we make a copy to perform
> +	 * the locking. When data is >1 and ==extra2, lock extra1 to
> +	 * extra2 to stop the value from being changed any further at
> +	 * runtime.
> +	 */
> +	table_copy = *table;
> +	value = *(int *)table_copy.data;
> +	if (value > 1 && value == *(int *)table_copy.extra2)
> +		table_copy.extra1 = table_copy.extra2;
> +
> +	return proc_dointvec_minmax(&table_copy, write, buffer, lenp, ppos);
>  }
> -#endif

  reply	other threads:[~2016-01-23  3:19 UTC|newest]

Thread overview: 52+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-01-22 22:39 [PATCH 0/2] sysctl: allow CLONE_NEWUSER to be disabled Kees Cook
2016-01-22 22:39 ` [PATCH 1/2] sysctl: expand use of proc_dointvec_minmax_sysadmin Kees Cook
2016-01-23  3:10   ` Eric W. Biederman [this message]
2016-01-23 22:25     ` [kernel-hardening] " Jann Horn
2016-01-24  1:20       ` Eric W. Biederman
2016-01-24  1:43         ` Al Viro
2016-01-24  1:56           ` Jann Horn
2016-01-24  6:02             ` Eric W. Biederman
2016-01-24  6:32               ` Jann Horn
2016-01-24  6:44                 ` Eric W. Biederman
2016-01-22 22:39 ` [PATCH 2/2] sysctl: allow CLONE_NEWUSER to be disabled Kees Cook
2016-01-22 22:47   ` Robert Święcki
2016-01-22 22:50     ` Kees Cook
2016-01-22 22:55       ` Robert Święcki
2016-01-22 23:00         ` Kees Cook
2016-01-23  0:44           ` Serge Hallyn
2016-01-23  0:44           ` Serge Hallyn
2016-01-23  0:59           ` [kernel-hardening] " Ben Hutchings
2016-01-24 20:59             ` Kees Cook
2016-01-24 22:20               ` Andy Lutomirski
2016-01-25 18:51                 ` Kees Cook
2016-01-22 22:49 ` [PATCH 0/2] " Richard Weinberger
2016-01-23  3:02 ` Eric W. Biederman
2016-01-24 20:57   ` Kees Cook
2016-01-26  7:38     ` [kernel-hardening] " Serge Hallyn
2016-01-24 22:22   ` Andy Lutomirski
2016-01-25 18:51     ` Kees Cook
2016-01-25 18:53       ` Andy Lutomirski
2016-01-25 18:56         ` Kees Cook
2016-01-25 19:33           ` Eric W. Biederman
2016-01-25 22:34             ` Kees Cook
2016-01-25 23:33               ` Andy Lutomirski
2016-01-26  2:27               ` [kernel-hardening] " Daniel Micay
2016-01-26  4:57               ` Eric W. Biederman
2016-01-26 14:38                 ` Josh Boyer
2016-01-26 14:46                   ` Austin S. Hemmelgarn
2016-01-26 14:56                     ` Josh Boyer
2016-01-26 17:20                       ` [kernel-hardening] " Serge Hallyn
2016-01-26 19:56                         ` Josh Boyer
2016-01-26 20:11                           ` Austin S. Hemmelgarn
2016-01-26 17:15                   ` Serge Hallyn
2016-01-26 18:09                     ` Austin S. Hemmelgarn
2016-01-26 18:27                       ` Andy Lutomirski
2016-01-26 18:45                         ` Austin S. Hemmelgarn
2016-01-26 23:15                         ` Kees Cook
2016-01-26 23:13                     ` Kees Cook
2016-01-27 10:27                       ` Eric W. Biederman
2016-01-27 12:32                         ` Austin S. Hemmelgarn
2016-01-28 14:41                         ` Robert Święcki
2016-01-26 16:37                 ` Kees Cook
2016-01-28  8:56                 ` [kernel-hardening] " Serge E. Hallyn
2016-01-28 12:53                   ` Austin S. Hemmelgarn

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87oacdyos0.fsf@x220.int.ebiederm.org \
    --to=ebiederm@xmission.com \
    --cc=akpm@linux-foundation.org \
    --cc=dhowells@redhat.com \
    --cc=dvyukov@google.com \
    --cc=edumazet@google.com \
    --cc=glider@google.com \
    --cc=kcc@google.com \
    --cc=keescook@chromium.org \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=luto@amacapital.net \
    --cc=mszeredi@suse.cz \
    --cc=richard@nod.at \
    --cc=robert@swiecki.net \
    --cc=sasha.levin@oracle.com \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox

Powered by JetHome