| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 16 Feb 2010 21:11:44 +0900 From: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp> To: viro@...IV.linux.org.uk Cc: linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH] fs: Add flags to __d_path for suppressing suffix andmapping /proc/self Al Viro wrote: > > Also, procfs is usually mounted on /proc , but it can be mounted on /proc2 , > > /mnt/proc3 or /p . Thus, the caller of __d_path() can't convert /proc/PID to > > /proc/self from string returned by __d_path() because the caller can't find > > the mount point of procfs from the returned string. If the caller traverses > > dentry/vfsmount tree in order to find the mount point of procfs, it results in > > duplicating __d_path() because the the caller does not use __d_path(). > > No. If you don't care which instance it is, you can bloody well check that > superblock is that of a procfs and track the path to its root *in* *caller*. I couldn't catch. Are you suggesting that TOMOYO should not call __d_path() for dentry if dentry->d_sb->s_magic == PROC_SUPER_MAGIC ? > Instead of calling d_path and looking at vfsmount tree at all. And you'd > better do that without assumptions that no name in procfs could be a number > unrelated to PIDs (i.e. you'd need to check that parent of your candidate > is root). I'm doing IS_ROOT(parent) to check that parent of dentry is root. > BTW, *any* filesystem may be mounted at several places at once. Moreover, > different subtrees of the same fs may be found at different mountpoints. Yes. I know. > IIRC, > back when "pathname-based" checks had been discussed, their proponents said > that they don't care if rules for different instances were inconsistent and > that it's OK to have them covered sepately, as long as you default to giving > lower permissions to unrecognized ones. Why is procfs an exception? Because procfs redirects /proc/self to /proc/PID using symlink when the userspace accesses information of current process. This redirection makes it impossible for name based checks to grant only accessing information of current process. What I want to do is to undo this redirection done by procfs. Undoing this redirection makes it possible for name based checks to grant only accessing information of current process. Granting /proc/self/ is more secure than granting /proc/*/ if userspace needs to access only information of current process. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists