lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Fri, 25 Jul 2014 16:01:57 +0200
From:	Paolo Bonzini <pbonzini@...hat.com>
To:	David Drysdale <drysdale@...gle.com>,
	linux-security-module@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>
CC:	Alexander Viro <viro@...iv.linux.org.uk>,
	Meredydd Luff <meredydd@...atehouse.org>,
	Kees Cook <keescook@...omium.org>,
	James Morris <james.l.morris@...cle.com>,
	Andy Lutomirski <luto@...capital.net>,
	Paul Moore <paul@...l-moore.com>,
	Christoph Hellwig <hch@...radead.org>,
	linux-api@...r.kernel.org
Subject: Re: [PATCH 10/11] capsicum: prctl(2) to force use of O_BENEATH

Il 25/07/2014 15:47, David Drysdale ha scritto:
> @@ -1996,6 +2013,17 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
>  		if (arg2 || arg3 || arg4 || arg5)
>  			return -EINVAL;
>  		return current->no_new_privs ? 1 : 0;
> +	case PR_SET_OPENAT_BENEATH:
> +		if (arg2 != 1 || arg4 || arg5)
> +			return -EINVAL;
> +		if ((arg3 & ~(PR_SET_OPENAT_BENEATH_TSYNC)) != 0)
> +			return -EINVAL;
> +		error = prctl_set_openat_beneath(me, arg3);
> +		break;
> +	case PR_GET_OPENAT_BENEATH:
> +		if (arg2 || arg3 || arg4 || arg5)
> +			return -EINVAL;
> +		return me->openat_beneath;
>  	case PR_GET_THP_DISABLE:
>  		if (arg2 || arg3 || arg4 || arg5)
>  			return -EINVAL;
> 

Why are you always forbidding a change of prctl from 1 to 0?  It should
be safe if current->no_new_privs is clear.

Do new threads inherit from the parent?

Also, I wonder if you need something like this check:

        /*
         * Installing a seccomp filter requires that the task has
         * CAP_SYS_ADMIN in its namespace or be running with no_new_privs.
         * This avoids scenarios where unprivileged tasks can affect the
         * behavior of privileged children.
         */
        if (!current->no_new_privs &&
            security_capable_noaudit(current_cred(), current_user_ns(),
                                     CAP_SYS_ADMIN) != 0)
                return -EACCES;

Paolo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists