lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAGXu5jLvTKmScAtg0PY+gsLAofeNonx2CyFEe7NvdSa6xNeOtg@mail.gmail.com>
Date:   Tue, 6 Mar 2018 14:31:05 -0800
From:   Kees Cook <keescook@...omium.org>
To:     Alexey Dobriyan <adobriyan@...il.com>,
        Andy Lutomirski <luto@...nel.org>
Cc:     Andrew Morton <akpm@...ux-foundation.org>,
        Jann Horn <jann@...jh.net>, LKML <linux-kernel@...r.kernel.org>
Subject: Re: + mm-relax-ptrace-mode-in-process_vm_readv2.patch added to -mm tree

On Tue, Mar 6, 2018 at 10:03 AM, Alexey Dobriyan <adobriyan@...il.com> wrote:
> On Tue, Mar 06, 2018 at 08:42:19PM +0300, Alexey Dobriyan wrote:
>> On Mon, Mar 05, 2018 at 05:02:08PM -0800, Kees Cook wrote:
>> > On Mon, Mar 5, 2018 at 4:07 PM,  <akpm@...ux-foundation.org> wrote:
>>
>> > > It is more natural to check for read-from-memory permissions in case of
>> > > process_vm_readv() as PTRACE_MODE_ATTACH is equivalent to write
>> > > permissions.
>> >
>> > NAK, this weakens the existing permission model for reading
>>
>> What if existing permission model is overezealous?
>>
>> /proc/*/auxv, /proc/*/environ, /proc*/cmdline, /proc/*/mem opened
>> for reading and process_vm_readv(2) should do PTRACE_MODE_READ and
>> everything else should do PTRACE_MODE_ATTACH.
>
> Or in other words:
>
> what if there should be 3 levels:
> 1) permission to write to address space
> 2) permission to read arbitrarily from adress space
> 3) permission to read auxv, argv and envp
>
> Current code conflates (1) and (2).

There is also:

4) permission to read address layout (e.g. access to /proc/$pid/maps)

1 and 2 require ATTACH
3 and 4 require READ

ATTACH is a higher bar, and I think it is appropriate here, still, for
2, since being able to examine secrets in memory should be considered
a security boundary.

Is there something you're trying from userspace that is being blocked?

-Kees

-- 
Kees Cook
Pixel Security

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ