lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 17 May 2023 17:10:47 -0700
From:   Alexei Starovoitov <alexei.starovoitov@...il.com>
To:     Beau Belgrave <beaub@...ux.microsoft.com>
Cc:     Steven Rostedt <rostedt@...dmis.org>,
        Masami Hiramatsu <mhiramat@...nel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        linux-trace-kernel@...r.kernel.org,
        Alexei Starovoitov <ast@...nel.org>,
        Daniel Borkmann <daniel@...earbox.net>,
        Andrii Nakryiko <andrii@...nel.org>, bpf <bpf@...r.kernel.org>,
        David Vernet <void@...ifault.com>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Dave Thaler <dthaler@...rosoft.com>,
        Christian Brauner <brauner@...nel.org>,
        Christoph Hellwig <hch@...radead.org>
Subject: Re: [PATCH] tracing/user_events: Run BPF program if attached

On Wed, May 17, 2023 at 9:50 AM Beau Belgrave <beaub@...ux.microsoft.com> wrote:
> >
> > >
> > > Looks like user events were designed with intention to be unprivileged.
> > > When I looked at kernel/trace/trace_events_user.c I assumed root.
> > > I doubt other people reviewed it from security perspective.
> > >
> > > Recommending "chmod a+rw /sys/kernel/tracing/user_events_data" doesn't sound like a good idea.
> > >
> > > For example, I think the following is possible:
> > > fd = open("/sys/kernel/tracing/user_events_data")
> > > ioclt(fd, DIAG_IOCSDEL)
> > >   user_events_ioctl_del
> > >      delete_user_event(info->group, name);
> > >
> > > 'info' is different for every FD, but info->group is the same for all users/processes/fds,
> > > because only one global init_group is created.
> > > So one user can unregister other user event by knowing 'name'.
> > > A security hole, no?

...

> Regarding deleting events, only users that are given access can delete
> events. They must know the event name, just like users with access to
> delete files must know a path (and have access to it). Since the
> write_index and other details are per-process, unless the user has
> access to either /sys/kernel/tracing/events/user_events/* or
> /sys/kernel/tracing/user_events_status, they do not know which names are
> being used.
>
> If that is not enough, we could require CAP_SYSADMIN to be able to
> delete events even when they have access to the file. Users can also
> apply SELinux policies per-file to achieve further isolation, if
> required.

Whether /sys/kernel/tracing/user_events_status gets g+rw
or it gets a+rw (as your documentation recommends)
it is still a security issue.
The "event name" is trivial to find out by looking at the source code
of the target process or just "string target_binary".
Restricting to cap_sysadmin is not the answer, since you want unpriv.
SElinux is not the answer either.
Since it's unpriv, different processes should not be able to mess with
user events of other processes.
It's a fundamental requirement of any kernel api.
This has to be fixed before any bpf discussion.
If it means that you need to redesign user_events do it now and
excuses like "it's uapi now, so we cannot fix it" are not going to fly.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ