[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <360f9182-0685-7625-14db-daf821043db0@virtuozzo.com>
Date: Wed, 13 Jul 2016 12:47:10 +0200
From: Stanislav Kinsburskiy <skinsbursky@...tuozzo.com>
To: "Eric W. Biederman" <ebiederm@...ssion.com>,
Cyrill Gorcunov <gorcunov@...il.com>
CC: <peterz@...radead.org>, <mingo@...hat.com>, <mhocko@...e.com>,
<keescook@...omium.org>, <linux-kernel@...r.kernel.org>,
<mguzik@...hat.com>, <bsegall@...gle.com>,
<john.stultz@...aro.org>, <oleg@...hat.com>, <matthltc@...ibm.com>,
<akpm@...ux-foundation.org>, <luto@...capital.net>,
<vbabka@...e.cz>, <xemul@...tuozzo.com>
Subject: Re: [PATCH] prctl: remove one-shot limitation for changing exe link
12.07.2016 18:52, Eric W. Biederman пишет:
> Cyrill Gorcunov <gorcunov@...il.com> writes:
>
>> On Tue, Jul 12, 2016 at 07:30:29PM +0400, Stanislav Kinsburskiy wrote:
>>> This limitation came with the reason to remove "another
>>> way for malicious code to obscure a compromised program and
>>> masquerade as a benign process" by allowing "security-concious program can use
>>> this prctl once during its early initialization to ensure the prctl cannot
>>> later be abused for this purpose":
>>>
>>> http://marc.info/?l=linux-kernel&m=133160684517468&w=2
>>>
>>> But the way how the feature can be used is the following:
>>>
>>> 1) Attach to process via ptrace (protected by CAP_SYS_PTRACE)
>>> 2) Unmap all the process file mappings, related to "exe" file.
>>> 3) Change exe link (protected by CAP_SYS_RESOURCE).
>>>
>>> IOW, some other process already has an access to process internals (and thus
>>> it's already compromised), and can inject fork and use the child of the
>>> compromised program to masquerade.
>>> Which means this limitation doesn't solve the problem it was aimed to.
>>>
>>> While removing this limitation allow to replace files from underneath of a
>>> running process as many times as required. One of the use cases is network
>>> file systems migration (NFS, to be precise) by CRIU.
>>>
>>> NFS mount can't be mounted on restore stage because network is locked.
>>> To overcome this limitation, another file system (FUSE-based) is used. Then
>>> opened files replaced by the proper ones NFS is remounted.
>>> Thus exe link replace has to be done twice: first on restore stage and second
>>> - when actual NFS was remounted.
>>>
>>> Signed-off-by: Stanislav Kinsburskiy <skinsbursky@...tuozzo.com>
>> Persistent exe-link doesn't guarantee anything if you have rights to ptrace
>> task and inject own code into (from security POV). So lets rip it out.
>>
>> Acked-by: Cyrill Gorcunov <gorcunov@...nvz.org>
> I believe the original concern was someone injecting a code into a
> process and playing silly buggers with the exe link. Someone who does
> not have ptrace capability.
>
> It is completely not ok to change this until someone goes back to the
> original conversation and looks at the original threat model, and
> refutes it.
Fair enough, Eric.
That's why all the people, who were participating in original
discussion, included in the recipients list.
> Eric
>
Powered by blists - more mailing lists