| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 20 Nov 2015 09:02:41 +1100 From: Dave Chinner <david@...morbit.com> To: Kees Cook <keescook@...omium.org> Cc: Jan Kara <jack@...e.cz>, Theodore Ts'o <tytso@....edu>, Andy Lutomirski <luto@...capital.net>, Theodore Tso <tytso@...gle.com>, Willy Tarreau <w@....eu>, Dirk Steinmetz <public@...tdrjgfuzkfg.com>, Michael Kerrisk-manpages <mtk.manpages@...il.com>, Serge Hallyn <serge.hallyn@...ntu.com>, Seth Forshee <seth.forshee@...onical.com>, Alexander Viro <viro@...iv.linux.org.uk>, Linux FS Devel <linux-fsdevel@...r.kernel.org>, LKML <linux-kernel@...r.kernel.org>, "Eric W . Biederman" <ebiederm@...ssion.com>, Serge Hallyn <serge.hallyn@...onical.com>, "security@...nel.org" <security@...nel.org> Subject: Re: [RFC] namei: prevent sgid-hardlinks for unmapped gids On Thu, Nov 19, 2015 at 12:11:11PM -0800, Kees Cook wrote: > On Tue, Nov 10, 2015 at 7:08 AM, Jan Kara <jack@...e.cz> wrote: > > On Sat 07-11-15 21:02:06, Ted Tso wrote: > >> On Fri, Nov 06, 2015 at 09:05:57PM -0800, Kees Cook wrote: > >> > >>>> They're certainly not used early enough -- we need to remove suid when > >> > >>>> the page becomes writable via mmap (wp_page_shared), not when > >> > >>>> writeback happens, or at least not only when writeback happens. > >> > >>> > >> > >>> Well, I'm shy about the change there. For example, we don't strip in > >> > >>> on open(RDWR), just on write(). > >> > >> > >> > >> I take it back. Hooking wp_page_shared looks expensive. :) Maybe we do > >> > >> need to hook the mmap? > >> > > > >> > > But file_update_time already pokes at the same (or nearby) cachelines, > >> > > I think -- why would it be expensive? The whole thing could be > >> > > guarded by if (unlikely(is setuid)), right? > >> > > >> > Yeah, true. I added file_remove_privs calls near all the > >> > file_update_time calls, to no effect. Added to wp_page_shared too, > >> > nothing. Hmmm. > >> > >> Why not put the the should_remove_suid() call in > >> filemap_page_mkwrite(), or maybe do_page_mkwrite()? > > > > page_mkwrite() callbacks are IMHO the right place for this check (and > > change). Just next to file_update_time() call. You get proper filesystem > > Should file_update_time() just be modified to include > file_remove_privs()? They seem to regularly go together. They might have similar call sites, but they are completely different operations. timestamp updates are optional, highly configurable and behaviour is filesystem implementation specific, whilst file_remove_privs() is mandatory and must be done in a crash-safe manner (i.e. via transactions). Hence, IMO, they need to be kept separate even if the call sites are similar. Cheers, Dave. -- Dave Chinner david@...morbit.com -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists