[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <87wpqzv7jy.fsf@x220.int.ebiederm.org>
Date: Sun, 24 Jan 2016 00:02:41 -0600
From: ebiederm@...ssion.com (Eric W. Biederman)
To: Jann Horn <jann@...jh.net>
Cc: Al Viro <viro@...IV.linux.org.uk>,
kernel-hardening@...ts.openwall.com,
Kees Cook <keescook@...omium.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Richard Weinberger <richard@....at>,
Andy Lutomirski <luto@...capital.net>,
Robert Święcki <robert@...ecki.net>,
Dmitry Vyukov <dvyukov@...gle.com>,
David Howells <dhowells@...hat.com>,
Miklos Szeredi <mszeredi@...e.cz>,
Kostya Serebryany <kcc@...gle.com>,
Alexander Potapenko <glider@...gle.com>,
Eric Dumazet <edumazet@...gle.com>,
Sasha Levin <sasha.levin@...cle.com>,
linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [kernel-hardening] Re: [PATCH 1/2] sysctl: expand use of proc_dointvec_minmax_sysadmin
Jann Horn <jann@...jh.net> writes:
> On Sun, Jan 24, 2016 at 01:43:42AM +0000, Al Viro wrote:
>> On Sat, Jan 23, 2016 at 07:20:17PM -0600, Eric W. Biederman wrote:
>>
>> > Yep. That is about the size of it. file * used to be passed to the
>> > sysctl methods but it was removed several years ago because no one was
>> > using it.
>>
>> Generally cred would be better...
>
>> Alternatively we could eat one more
>> pointer in task_struct and stash a reference to that sucker there, rather
>> than adding an explicit argument (again, with cred instead of file).
>> Not sure...
>
> I think it makes sense to do this the same way as the rest of the VFS code
> here (which passes the creds down through an argument).
>
> And adding the arguments everywhere doesn't really mean more work - either
> way, someone should probably go through all of those sysctl handlers and
> fix them up to use the file creds.
Not all of them need it. It might be worth figuring out the necessary
rigamarole to hook into sysctl_perm the way the networking code does and
have that require the capability at open time.
The advantage is that open time is when it is actually appropraite to
check permissions. I could be wrong but I doubt there is enough madness
with the handful of sysctl users that call capable to require the checks
to happen on write and not on open.
Eric
Powered by blists - more mailing lists