[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <87tu0mflnr.fsf@redhat.com>
Date: Thu, 19 Jan 2023 19:02:00 +0100
From: Giuseppe Scrivano <gscrivan@...hat.com>
To: Brian Masney <bmasney@...hat.com>
Cc: linux-kernel@...r.kernel.org, keescook@...omium.org,
bristot@...hat.com, ebiederm@...ssion.com, brauner@...nel.org,
cyphar@...har.com, viro@...iv.linux.org.uk, alexl@...hat.com,
peterz@...radead.org
Subject: Re: [PATCH v2 1/2] exec: add PR_HIDE_SELF_EXE prctl
Brian Masney <bmasney@...hat.com> writes:
> On Thu, Jan 19, 2023 at 06:07:17PM +0100, Giuseppe Scrivano wrote:
>> This patch adds a new prctl called PR_HIDE_SELF_EXE which allows
>> processes to hide their own /proc/*/exe file. When this prctl is
>> used, every access to /proc/*/exe for the calling process will
>> fail with ENOENT.
>>
>> This is useful for preventing issues like CVE-2019-5736, where an
>> attacker can gain host root access by overwriting the binary
>> in OCI runtimes through file-descriptor mishandling in containers.
>>
>> The current fix for CVE-2019-5736 is to create a read-only copy or
>> a bind-mount of the current executable, and then re-exec the current
>> process. With the new prctl, the read-only copy or bind-mount copy is
>> not needed anymore.
>>
>> While map_files/ also might contain symlinks to files in host,
>> proc_map_files_get_link() permissions checks are already sufficient.
>>
>> Signed-off-by: Giuseppe Scrivano <gscrivan@...hat.com>
>> ---
>> fs/exec.c | 1 +
>> fs/proc/base.c | 8 +++++---
>> include/linux/sched.h | 5 +++++
>> include/uapi/linux/prctl.h | 3 +++
>> kernel/sys.c | 9 +++++++++
>> tools/include/uapi/linux/prctl.h | 3 +++
>> 6 files changed, 26 insertions(+), 3 deletions(-)
>>
>> v1: https://lkml.org/lkml/2023/1/4/334
>>
>> Differences from v1:
>>
>> - amended more information in the commit message wrt map_files not
>> requiring the same protection.
>> - changed the test to verify PR_HIDE_SELF_EXE cannot be unset after
>> a fork.
>>
>> diff --git a/fs/exec.c b/fs/exec.c
>> index ab913243a367..5a5dd964c3a3 100644
>> --- a/fs/exec.c
>> +++ b/fs/exec.c
>> @@ -1855,6 +1855,7 @@ static int bprm_execve(struct linux_binprm *bprm,
>> /* execve succeeded */
>> current->fs->in_exec = 0;
>> current->in_execve = 0;
>> + task_clear_hide_self_exe(current);
>
> [snip]
>
>> rseq_execve(current);
>> acct_update_integrals(current);
>> task_numa_free(current, false);
>> diff --git a/fs/proc/base.c b/fs/proc/base.c
>> index 9e479d7d202b..959968e2da0d 100644
>> --- a/fs/proc/base.c
>> +++ b/fs/proc/base.c
>> @@ -1723,19 +1723,21 @@ static int proc_exe_link(struct dentry *dentry, struct path *exe_path)
>> {
>> struct task_struct *task;
>> struct file *exe_file;
>> + long hide_self_exe;
>>
>> task = get_proc_task(d_inode(dentry));
>> if (!task)
>> return -ENOENT;
>> exe_file = get_task_exe_file(task);
>> + hide_self_exe = task_hide_self_exe(task);
>
> Perhaps I am missing something, but where is task_clear_hide_self_exe()
> and task_hide_self_exe() defined?
they are defined with:
TASK_PFA_TEST(HIDE_SELF_EXE, hide_self_exe)
TASK_PFA_SET(HIDE_SELF_EXE, hide_self_exe)
TASK_PFA_CLEAR(HIDE_SELF_EXE, hide_self_exe)
Regards,
Giuseppe
Powered by blists - more mailing lists