| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20150727213716.GA19783@1wt.eu> Date: Mon, 27 Jul 2015 23:37:16 +0200 From: Willy Tarreau <w@....eu> To: Kees Cook <keescook@...omium.org> Cc: Andy Lutomirski <luto@...capital.net>, Andy Lutomirski <luto@...nel.org>, Peter Zijlstra <peterz@...radead.org>, Steven Rostedt <rostedt@...dmis.org>, "security@...nel.org" <security@...nel.org>, X86 ML <x86@...nel.org>, Borislav Petkov <bp@...en8.de>, Sasha Levin <sasha.levin@...cle.com>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, Konrad Rzeszutek Wilk <konrad.wilk@...cle.com>, Boris Ostrovsky <boris.ostrovsky@...cle.com>, Andrew Cooper <andrew.cooper3@...rix.com>, Jan Beulich <jbeulich@...e.com>, xen-devel <xen-devel@...ts.xen.org> Subject: Re: [PATCH 4/3] x86/ldt: allow to disable modify_ldt at runtime On Mon, Jul 27, 2015 at 12:04:54PM -0700, Kees Cook wrote: > On Sat, Jul 25, 2015 at 6:03 AM, Willy Tarreau <w@....eu> wrote: > > On Sat, Jul 25, 2015 at 09:50:52AM +0200, Willy Tarreau wrote: > >> On Fri, Jul 24, 2015 at 11:44:52PM -0700, Andy Lutomirski wrote: > >> > I'm all for it, but I think it should be hard-disablable in config, > >> > too, for the -tiny people. > >> > >> I totally agree. > >> > >> > If we add a runtime disable, let's do a > >> > separate patch, and you and Kees can fight over how general it should > >> > be. > >> > >> Initially I was thinking about changing it for a 3-state option but > >> that would prevent X86_16BIT from being hard-disablable, so I'll do > >> something completely separate. > > > > So here comes the proposed patch. It adds a default setting for the > > sysctl when the option is not hard-disabled (eg: distros not wanting > > to take risks with legacy apps). It suggests to leave the option off. > > In case a syscall is blocked, a printk_ratelimited() is called with > > relevant info (program name, pid, uid) so that the admin can decide > > whether it's a legitimate call or not. Eg: > > > > Denied a call to modify_ldt() from a.out[1736] (uid: 100). Adjust sysctl if this was not an exploit attempt. > > > > I personally think it completes well your series, hence the 4/3 numbering. > > Feel free to adopt it if you cycle another round and if you're OK with it > > of course. > > > > CCing Kees as well. > > This patch looks reasonable, but I'd prefer a tri-state (enable, > disable, hard-disable). That was my first goal initially until I realized that the current two options make it possible to also get rid of X86_16BIT as Andy did. I don't see how to do this with the 3-state mode. > I do something like this for Yama's ptrace > zero to max_scope range (which "pins" to max_scope if set): > > http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/security/yama/yama_lsm.c#n361 I agree with this and initially I intended to do something approximately like this when I realized that for this specific case it didn't match the pattern. In fact here we have the opportunity to completely remove support for LDT changes, not just the modify_ldt() syscall. Then it makes sense to have the two options here. Regards, Willy -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists