[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20240129.145132-coarse.snow.stunned.whim-FB0Em3Z0Yuv@cyphar.com>
Date: Tue, 30 Jan 2024 01:56:47 +1100
From: Aleksa Sarai <cyphar@...har.com>
To: 孟敬姿 <mengjingzi@....ac.cn>
Cc: linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org
Subject: Re: Identified Redundant Capability Check in File Access under
/proc/sys
On 2024-01-28, 孟敬姿 <mengjingzi@....ac.cn> wrote:
> Hello developers,
>
> I hope this message finds you well. I wanted to bring to your
> attention an observation regarding file access under /proc/sys in the
> kernel source code.
>
> Upon review, it appears that certain files are protected by
> capabilities in the kernel source code; however, the capability check
> does not seem to be effectively enforced during file access.
>
> For example, I noticed this inconsistency in the access functions of some special files:
> 1. The access function mmap_min_addr_handler() in /proc/sys/vm/mmap_min_addr utilizes the CAP_SYS_RAWIO check.
> 2. The access function proc_dointvec_minmax_sysadmin() in /proc/sys/kernel/kptr_restrict requires the CAP_SYS_ADMIN check.
>
> Despite these capability checks in the source code, when accessing a
> file, it undergoes a UGO permission check before triggering these
> specialized file access functions. The UGO permissions for these files
> are configured as root:root rw- r-- r--, meaning only the root user
> can pass the UGO check.
>
> As a result, to access these files, one must be the root user, who
> inherently possesses all capabilities. Consequently, the capabilities
> check in the file access function seems redundant.
>
> Please consider reviewing and adjusting the capability checks in the
> mentioned access functions for better alignment with the UGO
> permissions.
These are not redundant -- opening a file and writing to a file
descriptor are different operations that can be done by:
1. The same process with the same credential set (what you're
describing);
2. The same process but with the write operation happening after a
setuid() or similar operation that changed its credentials; or
3. A different process that has been given access to the file
descriptor (passing it as an open file to a subprocess, SCM_RIGHTS,
etc.)
On Unix, access checks when opening a file for writing are different to
access checks when doing a write operation. For some sysctls, it is
prudent to restrict both the open and write operations to privileged
users.
> Thank you for your attention to this matter.
>
> Best regards,
> Jingzi Meng
--
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
<https://www.cyphar.com/>
Download attachment "signature.asc" of type "application/pgp-signature" (229 bytes)
Powered by blists - more mailing lists