| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 19 Nov 2009 09:49:28 -0800
From: ebiederm@...ssion.com (Eric W. Biederman)
To: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
Cc: linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org, john.johansen@...onical.com
Subject: Re: [PATCH 00/23] Removal of binary sysctl support
Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp> writes:
> Acked-by: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
>
> But please wait a bit. We need to solve the twist below.
Agreed.
> Indeed. TOMOYO and AppArmor need a hint for prepending "/proc" prefix.
> A simple implementation which adds one bit to task_struct is shown below.
> In this way, not only the file permission checks inside dentry_open()
> but also the directory permission checks inside vfs_path_lookup() can be
> prepended "/proc" prefix. AppArmor might want to prepend "/proc" inside
> vfs_path_lookup().
There don't appear to be any security hooks in vfs_path_lookup().
>
> Regards.
> ----------------------------------------
> [PATCH 1/2] sysctl: Add in_sysctl flag to task_struct.
>
> Pathname based access control prepends "/proc" prefix to the pathname obtained
> by traversing ctl_table tree when binary sysctl is requested.
>
> Now, binary sysctl code was rewritten to use internal vfs mount of /proc but
> currently there is no hint which can give pathname based access control a
> chance to prepend "/proc" prefix.
Actually there is.
> [PATCH 1/2] TOMOYO: prepend /proc prefix for binary sysctl.
>
> The pathname obtained by binary_sysctl() starts with "/sys".
> This patch prepends "/proc" prefix if the pathname was obtained inside
> binary_sysctl() so that TOMOYO checks a pathname which starts with "/proc/sys".
>
> Signed-off-by: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
> ---
> security/tomoyo/realpath.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> --- sysctl-2.6.orig/security/tomoyo/realpath.c
> +++ sysctl-2.6/security/tomoyo/realpath.c
> @@ -108,6 +108,14 @@ int tomoyo_realpath_from_path2(struct pa
> spin_unlock(&dcache_lock);
> path_put(&root);
> path_put(&ns_root);
> + /* Prepend "/proc" prefix if binary_sysctl(). */
> + if (!IS_ERR(sp) && current->in_sysctl) {
> + sp -= 5;
> + if (sp >= newname)
> + memcpy(sp, "/proc", 5);
> + else
> + sp = ERR_PTR(-ENOMEM);
> + }
> }
> if (IS_ERR(sp))
> error = PTR_ERR(sp);
Instead of current->in_sysctl we can just look at the path and see if
it is the root of the mount chain and if the fs is proc.
Something like:
diff --git a/security/tomoyo/realpath.c b/security/tomoyo/realpath.c
index 5f2e332..0b55faa 100644
--- a/security/tomoyo/realpath.c
+++ b/security/tomoyo/realpath.c
@@ -108,6 +108,15 @@ int tomoyo_realpath_from_path2(struct path *path, char *newname,
spin_unlock(&dcache_lock);
path_put(&root);
path_put(&ns_root);
+ /* Prepend "/proc" prefix if using internal proc vfs mount. */
+ if (!IS_ERR(sp) && (path->mnt->mnt_parent == path->mnt) &&
+ (strcmp(path->mnt->mnt_sb->s_type->name, "proc") == 0)) {
+ sp -= 5;
+ if (sp >= newname)
+ memcpy(sp, "/proc", 5);
+ else
+ sp = ERR_PTR(-ENOMEM);
+ }
}
if (IS_ERR(sp))
error = PTR_ERR(sp);
Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists