[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20110914160724.GA10612@albatros>
Date: Wed, 14 Sep 2011 20:07:25 +0400
From: Vasiliy Kulikov <segoon@...nwall.com>
To: Cyrill Gorcunov <gorcunov@...il.com>
Cc: Pavel Machek <pavel@....cz>, Andrew Morton <akpm00@...il.com>,
linux-kernel@...r.kernel.org, containers@...ts.osdl.org,
linux-fsdevel@...r.kernel.org,
Kirill Shutemov <kirill@...temov.name>,
Pavel Emelyanov <xemul@...allels.com>,
James Bottomley <jbottomley@...allels.com>,
Nathan Lynch <ntl@...ox.com>, Zan Lynx <zlynx@....org>,
Daniel Lezcano <dlezcano@...ibm.com>,
Tejun Heo <tj@...nel.org>,
Alexey Dobriyan <adobriyan@...il.com>,
Al Viro <viro@...IV.linux.org.uk>,
Andrew Morton <akpm@...ux-foundation.org>
Subject: Re: [patch 2/2] fs, proc: Introduce the /proc/<pid>/map_files/
directory v12
On Wed, Sep 14, 2011 at 20:00 +0400, Cyrill Gorcunov wrote:
> On Wed, Sep 14, 2011 at 06:48:41PM +0400, Vasiliy Kulikov wrote:
> ...
> >
> > Actually now I see the difference between having something mapped and
> > having an _fd_ of this something.
> >
> > Relevant code:
> >
> > +static struct dentry *
> > +proc_map_files_instantiate(struct inode *dir, struct dentry *dentry,
> > + struct task_struct *task, const void *ptr)
> > +{
> > ...
> > + inode->i_mode = S_IFLNK;
> > +
> > + if (file->f_mode & FMODE_READ)
> > + inode->i_mode |= S_IRUSR | S_IXUSR;
> > + if (file->f_mode & FMODE_WRITE)
> > + inode->i_mode |= S_IWUSR | S_IXUSR;
> >
> >
> > If you have a write mmap area, but no fd, you may not trunc a file; with
> > map_files/ you may get an fd and ftrunc it.
> >
>
> This stands for anonymous memory, and if you have enough rights to
> access the task this ftruncate is the last problem (since having ptrace
> access to the task I _aready_ can trash various stuff inside, i dont need
> even bother to look into map_files/ or whatever). So I don't see how
> ftruncate migh harm you here?
No, I mean something else. Assume you have a task, which does the
steps:
1) opens some sensitive file as root. This file is e.g. 0700.
2) mmaps the file via opened fd, either RO or RW.
3) closes fd.
4) drops root.
Now it has a mapping of a privileged file, but cannot get fd of it
anyhow. With map_files/ he may open his own /proc/$$/map_files/, pass
ptrace() check, and get fd of the privileged file. He cannot explicitly
open it as it is 0700, but he may open it via map_files/ and get RO/RW
fd.
--
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists