lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Fri, 25 Jul 2014 09:00:33 -0700
From:	Andy Lutomirski <luto@...capital.net>
To:	Paolo Bonzini <pbonzini@...hat.com>
Cc:	Al Viro <viro@...iv.linux.org.uk>,
	LSM List <linux-security-module@...r.kernel.org>,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	Paul Moore <paul@...l-moore.com>,
	James Morris <james.l.morris@...cle.com>,
	David Drysdale <drysdale@...gle.com>,
	Kees Cook <keescook@...omium.org>,
	Linux API <linux-api@...r.kernel.org>,
	Meredydd Luff <meredydd@...atehouse.org>,
	Christoph Hellwig <hch@...radead.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH 10/11] capsicum: prctl(2) to force use of O_BENEATH

On Jul 25, 2014 7:02 AM, "Paolo Bonzini" <pbonzini@...hat.com> wrote:
>
> Il 25/07/2014 15:47, David Drysdale ha scritto:
> > @@ -1996,6 +2013,17 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
> >               if (arg2 || arg3 || arg4 || arg5)
> >                       return -EINVAL;
> >               return current->no_new_privs ? 1 : 0;
> > +     case PR_SET_OPENAT_BENEATH:
> > +             if (arg2 != 1 || arg4 || arg5)
> > +                     return -EINVAL;
> > +             if ((arg3 & ~(PR_SET_OPENAT_BENEATH_TSYNC)) != 0)
> > +                     return -EINVAL;
> > +             error = prctl_set_openat_beneath(me, arg3);
> > +             break;
> > +     case PR_GET_OPENAT_BENEATH:
> > +             if (arg2 || arg3 || arg4 || arg5)
> > +                     return -EINVAL;
> > +             return me->openat_beneath;
> >       case PR_GET_THP_DISABLE:
> >               if (arg2 || arg3 || arg4 || arg5)
> >                       return -EINVAL;
> >
>
> Why are you always forbidding a change of prctl from 1 to 0?  It should
> be safe if current->no_new_privs is clear.

I don't immediately see why you're forbidding unsettling it at all.
If you need it to be sticky, then use seccomp or Capsicum to make it
sticky.

Also, the way implementation is dangerously racy -- if anyone pokes at
adjacent bitfields without the lock, they can get corrupted.  Try
basing on Kees' seccomp tree or security-next and using the new atomic
flags field.


--Andy

>
> Do new threads inherit from the parent?
>
> Also, I wonder if you need something like this check:
>
>         /*
>          * Installing a seccomp filter requires that the task has
>          * CAP_SYS_ADMIN in its namespace or be running with no_new_privs.
>          * This avoids scenarios where unprivileged tasks can affect the
>          * behavior of privileged children.
>          */
>         if (!current->no_new_privs &&
>             security_capable_noaudit(current_cred(), current_user_ns(),
>                                      CAP_SYS_ADMIN) != 0)
>                 return -EACCES;
>
> Paolo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists