[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CALCETrVq7eUppdWxrY_DaqtLivFT1QDCwA9P=5pvSh+PhM3DWg@mail.gmail.com>
Date: Wed, 9 Mar 2016 22:46:46 -0800
From: Andy Lutomirski <luto@...capital.net>
To: Kees Cook <keescook@...omium.org>
Cc: "kernel-hardening@...ts.openwall.com"
<kernel-hardening@...ts.openwall.com>,
Scott Bauer <sbauer@....utah.edu>,
LKML <linux-kernel@...r.kernel.org>,
"x86@...nel.org" <x86@...nel.org>, wmealing@...hat.com,
Andi Kleen <ak@...ux.intel.com>,
Abhiram Balasubramanian <abhiram@...utah.edu>
Subject: Re: [kernel-hardening] Re: [PATCH v3 3/3] SROP mitigation: Add sysctl
to disable SROP protection.
On Wed, Mar 9, 2016 at 10:36 PM, Kees Cook <keescook@...omium.org> wrote:
> On Tue, Mar 8, 2016 at 1:00 PM, One Thousand Gnomes
> <gnomes@...rguk.ukuu.org.uk> wrote:
>> On Tue, 8 Mar 2016 13:47:55 -0700
>> Scott Bauer <sbauer@....utah.edu> wrote:
>>
>>> This patch adds a sysctl argument to disable SROP protection.
>>
>> Shouldn't it be a sysctl to enable it irrevocably, otherwise if I have DAC
>> capability I can turn off SROP and attack something to get to higher
>> capability levels ?
>>
>> (The way almost all distros are set up its kind of academic but for a
>> properly secured system it might matter).
>
> Perhaps use proc_dointvec_minmax_sysadmin instead to tie changes
> strictly to CAP_SYS_ADMIN?
I don't see why this needs to be irrevocable. If you have
CAP_SYS_ADMIN or write access to /proc or whatever, you can do much
worse things than turning off a user-level mitigation. For example,
you can ptrace things. Also, you're already root, so what's the
point?
--Andy
Powered by blists - more mailing lists