lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Sun, 30 Dec 2018 21:28:54 +0800
From:   "Lee, Chun-Yi" <joeyli.kernel@...il.com>
To:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        "Rafael J . Wysocki" <rafael.j.wysocki@...el.com>,
        Pavel Machek <pavel@....cz>, Len Brown <len.brown@...el.com>,
        "Martin K . Petersen" <martin.petersen@...cle.com>,
        Randy Dunlap <rdunlap@...radead.org>,
        Joe Perches <joe@...ches.com>,
        Bart Van Assche <bvanassche@....org>
Cc:     linux-kernel@...r.kernel.org, linux-pm@...r.kernel.org,
        "Lee, Chun-Yi" <jlee@...e.com>, Chen Yu <yu.c.chen@...el.com>,
        Giovanni Gherdovich <ggherdovich@...e.cz>,
        Jann Horn <jannh@...gle.com>, Andy Lutomirski <luto@...nel.org>
Subject: [PATCH 0/2] [RFC] sysfs: Add hook for checking the file capability of opener

There have some discussion in the following mail loop about checking
capability in sysfs write handler:
    https://lkml.org/lkml/2018/9/13/978

Sometimes we check the capability in sysfs implementation by using
capable function. But the checking can be bypassed by opening sysfs
file within an unprivileged process then writing the file within a
privileged process. The tricking way has been exposed by Andy Lutomirski
for CVE-2013-1959.

Because the sysfs_ops does not forward the file descriptor to the
show/store callback, there doesn't have chance to check the capability
of file's opener. This patch adds the hook to sysfs_ops that allows
different implementation in object and attribute levels for checking
file capable before accessing sysfs interfaces.

The callback function of kobject sysfs_ops is the first implementation
of new hook. It casts attribute to kobj_attribute then calls the file
capability callback function of attribute level. The same logic can
be implemented in other sysfs file types, like: device, driver and
bus type. 

The capability checking logic in wake_lock/wake_unlock sysfs interface
is the first example for kobject. It will check the opener's capability.

Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: "Rafael J. Wysocki" <rafael.j.wysocki@...el.com>
Cc: Chen Yu <yu.c.chen@...el.com>
Cc: Giovanni Gherdovich <ggherdovich@...e.cz>
Cc: Jann Horn <jannh@...gle.com>
Cc: Andy Lutomirski <luto@...nel.org>
Cc: Pavel Machek <pavel@....cz>
Cc: Len Brown <len.brown@...el.com>
Cc: "Martin K. Petersen" <martin.petersen@...cle.com>
Cc: Randy Dunlap <rdunlap@...radead.org>
Cc: Joe Perches <joe@...ches.com>
Cc: Bart Van Assche <bvanassche@....org>
Signed-off-by: "Lee, Chun-Yi" <jlee@...e.com>

Lee, Chun-Yi (2):
  sysfs: Add hook for checking the file capable
  PM / Sleep: Checking the file capability when writing wak lock
    interface

 fs/sysfs/file.c         |  8 ++++++++
 include/linux/kobject.h |  2 ++
 include/linux/sysfs.h   |  2 ++
 kernel/power/main.c     | 14 ++++++++++++++
 kernel/power/wakelock.c |  6 ------
 lib/kobject.c           | 26 ++++++++++++++++++++++++++
 6 files changed, 52 insertions(+), 6 deletions(-)

-- 
2.13.6

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ