lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <201002162111.AIH87095.OQOMVFtFOHSLJF@I-love.SAKURA.ne.jp>
Date:	Tue, 16 Feb 2010 21:11:44 +0900
From:	Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
To:	viro@...IV.linux.org.uk
Cc:	linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] fs: Add flags to __d_path for suppressing suffix andmapping /proc/self

Al Viro wrote:
> > Also, procfs is usually mounted on /proc , but it can be mounted on /proc2 ,
> > /mnt/proc3 or /p . Thus, the caller of __d_path() can't convert /proc/PID to
> > /proc/self from string returned by __d_path() because the caller can't find
> > the mount point of procfs from the returned string. If the caller traverses
> > dentry/vfsmount tree in order to find the mount point of procfs, it results in
> > duplicating __d_path() because the the caller does not use __d_path().
>
> No.  If you don't care which instance it is, you can bloody well check that
> superblock is that of a procfs and track the path to its root *in* *caller*.

I couldn't catch. Are you suggesting that TOMOYO should not call __d_path() for
dentry if dentry->d_sb->s_magic == PROC_SUPER_MAGIC ?

> Instead of calling d_path and looking at vfsmount tree at all.  And you'd
> better do that without assumptions that no name in procfs could be a number
> unrelated to PIDs (i.e. you'd need to check that parent of your candidate
> is root).

I'm doing IS_ROOT(parent) to check that parent of dentry is root.

> BTW, *any* filesystem may be mounted at several places at once.  Moreover,
> different subtrees of the same fs may be found at different mountpoints.

Yes. I know.

> IIRC,
> back when "pathname-based" checks had been discussed, their proponents said
> that they don't care if rules for different instances were inconsistent and
> that it's OK to have them covered sepately, as long as you default to giving
> lower permissions to unrecognized ones.  Why is procfs an exception?

Because procfs redirects /proc/self to /proc/PID using symlink when the
userspace accesses information of current process. This redirection makes it
impossible for name based checks to grant only accessing information of
current process.

What I want to do is to undo this redirection done by procfs. Undoing this
redirection makes it possible for name based checks to grant only accessing
information of current process.

Granting /proc/self/ is more secure than granting /proc/*/ if userspace needs
to access only information of current process.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ