| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20110726104713.37273143@notabene.brown>
Date: Tue, 26 Jul 2011 10:47:13 +1000
From: NeilBrown <neilb@...e.de>
To: Solar Designer <solar@...nwall.com>
Cc: Vasiliy Kulikov <segoon@...nwall.com>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Stephen Smalley <sds@...ho.nsa.gov>,
kernel-hardening@...ts.openwall.com,
James Morris <jmorris@...ei.org>, linux-kernel@...r.kernel.org,
Greg Kroah-Hartman <gregkh@...e.de>,
Andrew Morton <akpm@...ux-foundation.org>,
"David S. Miller" <davem@...emloft.net>,
Jiri Slaby <jslaby@...e.cz>,
Alexander Viro <viro@...iv.linux.org.uk>,
linux-fsdevel@...r.kernel.org,
KOSAKI Motohiro <kosaki.motohiro@...fujitsu.com>,
Eric Paris <eparis@...hat.com>, Willy Tarreau <w@....eu>,
Sebastian Krahmer <krahmer@...e.de>
Subject: Re: [kernel-hardening] [PATCH] move RLIMIT_NPROC check from
set_user() to do_execve_common()
On Tue, 26 Jul 2011 03:40:13 +0400 Solar Designer <solar@...nwall.com> wrote:
> Vasiliy,
>
> On Mon, Jul 25, 2011 at 09:14:23PM +0400, Vasiliy Kulikov wrote:
> > @@ -1433,6 +1433,19 @@ static int do_execve_common(const char *filename,
> > struct files_struct *displaced;
> > bool clear_in_exec;
> > int retval;
> > + const struct cred *cred = current_cred();
> > +
> > + /*
> > + * We move the actual failure in case of RLIMIT_NPROC excess from
> > + * set*uid() to execve() because too many poorly written programs
> > + * don't check setuid() return code. Here we additionally recheck
> > + * whether NPROC limit is still exceeded.
> > + */
> > + if ((current->flags & PF_NPROC_EXCEEDED) &&
> > + atomic_read(&cred->user->processes) > rlimit(RLIMIT_NPROC)) {
> > + retval = -EAGAIN;
> > + goto out_ret;
> > + }
>
> Do you possibly need:
>
> current->flags &= ~PF_NPROC_EXCEEDED;
>
> somewhere after this point?
>
> I think it's weird to have past set_user() failure affect other than the
> very next execve().
So we are hoping that no program uses execvp() or similar... Maybe that is
reasonable but "in for a penny, in for a pound" - I'd fail them all.
I think the flag should only be cleared once we notice that the limit is no
longer exceeded. So clearing the flag can appear *after* the code you quote
above, but not in the middle of it.
>
> Perhaps also reset the flag on fork() because we have an RLIMIT_NPROC
> check on fork() anyway.
I agree it should be cleared here too.
>
> Thanks,
>
> Alexander
But there is still the issue of 'zygot' like services....
Let me try another suggestion. Instead of catching the error in
do_execve_common, how about we catch it in do_mmap_pgoff.
i.e. if the flag is set and an attempt it made to create an executable
mapping, we check the user->processes against the limit then - either failing
or clearing the flag and succeeding.
This will stop an execve, and an attempt to load a shared library and call it.
In the case of 'exec' the process will get a SIGKILL as well, which is
probably a good thing.
Thoughts?
NeilBrown
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists