* [RFC Patch] kcore: restrict access to the whole memory
@ 2010-12-22 11:21 Amerigo Wang
  2010-12-22 23:02 ` Andrew Morton
  0 siblings, 1 reply; 4+ messages in thread
From: Amerigo Wang @ 2010-12-22 11:21 UTC
  To: linux-kernel
  Cc: WANG Cong, Andrew Morton, Neil Horman, WANG Cong,
	Frederic Weisbecker, Wu Fengguang, Dan Carpenter, Tejun Heo

This patch restricts /proc/kcore from accessing the whole memory,
instead, only an ELF header can be read.

The initial patch was done by Vivek.

Signed-off-by: WANG Cong <amwang@redhat.com>

---
diff --git a/fs/proc/Kconfig b/fs/proc/Kconfig
index 6a00688..2fd1df1 100644
--- a/fs/proc/Kconfig
+++ b/fs/proc/Kconfig
@@ -32,6 +32,14 @@ config PROC_KCORE
 	bool "/proc/kcore support" if !ARM
 	depends on PROC_FS && MMU
 
+config STRICT_PROC_KCORE
+	bool "Only export an ELF header from /proc/kcore"
+	depends on PROC_KCORE
+	default n
+	help
+	If this option is enabled, only an ELF header can be read from
+	/proc/kcore, instead of a whole ELF image.
+
 config PROC_VMCORE
 	bool "/proc/vmcore support"
 	depends on PROC_FS && CRASH_DUMP
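Review bot: the help text for STRICT_PROC_KCORE says what the option does but not why anyone would enable it or what stops working. State that the purpose is to keep readers of /proc/kcore away from kernel memory contents, and that anything reading memory through the file will see only the header. The "default n" line is redundant, since a bool with no default is already n, and the help body as posted is indented with a bare tab where Kconfig style is a tab plus two spaces.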
diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c
index 6f37c39..c45ff00 100644
--- a/fs/proc/kcore.c
+++ b/fs/proc/kcore.c
@@ -90,7 +90,12 @@ static size_t get_kcore_size(int *nphdr, size_t *elf_buflen)
 			roundup(sizeof(struct elf_prpsinfo), 4) +
 			roundup(sizeof(struct task_struct), 4);
 	*elf_buflen = PAGE_ALIGN(*elf_buflen);
+#ifdef CONFIG_STRICT_PROC_KCORE
+	return *elf_buflen;
+#else
 	return size + *elf_buflen;
+#endif
+
 }
 
 static void free_kclist_ents(struct list_head *head)
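Review bot: in get_kcore_size() the strict branch shrinks the reported size to *elf_buflen while *nphdr is still handed back to the caller unchanged, so the header presumably keeps describing segments at offsets past the new end of file. Say in the changelog whether that is intended and how a reader of the file is expected to treat it. Also drop the blank line added between "#endif" and the closing brace.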
@@ -429,7 +434,7 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos)
 	size_t size, tsz;
 	size_t elf_buflen;
 	int nphdr;
-	unsigned long start;
+	unsigned long __maybe_unused start;
 
 	read_lock(&kclist_lock);
 	size = get_kcore_size(&nphdr, &elf_buflen);
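Review bot: marking "start" as __maybe_unused in read_kcore() only silences the warning that the new #ifdef creates. Declare start inside the block that uses it, or move the memory-copy part of the function into a helper that is compiled out under CONFIG_STRICT_PROC_KCORE, so that no annotation is needed.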
@@ -473,6 +478,9 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos)
 	} else
 		read_unlock(&kclist_lock);
 
+#ifdef CONFIG_STRICT_PROC_KCORE
+	return acc;
+#else
 	/*
 	 * Check to see if our file offset matches with any of
 	 * the addresses in the elf_phdr on our list.
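Review bot: the early "return acc;" under CONFIG_STRICT_PROC_KCORE carries no comment saying why the read stops once the header has been copied, and the "#else" it opens puts the remainder of read_kcore() inside a preprocessor conditional. A one-line comment here, plus a separate function for the segment copy with an empty stub for the strict case, would keep #ifdef out of the function body.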
@@ -537,6 +545,7 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos)
 	}
 
 	return acc;
+#endif
 }
 
 
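Review bot: the "#endif" added before the closing brace of read_kcore() closes a conditional opened roughly 65 lines earlier (the hunk headers put the #ifdef near line 481 and this line near 548 of the new file). Add a trailing comment naming CONFIG_STRICT_PROC_KCORE so the pairing can be read without scrolling.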


* Re: [RFC Patch] kcore: restrict access to the whole memory
  2010-12-22 11:21 [RFC Patch] kcore: restrict access to the whole memory Amerigo Wang
@ 2010-12-22 23:02 ` Andrew Morton
  2010-12-23 10:01   ` Cong Wang
  0 siblings, 1 reply; 4+ messages in thread
From: Andrew Morton @ 2010-12-22 23:02 UTC
  To: Amerigo Wang
  Cc: linux-kernel, Neil Horman, WANG Cong, Frederic Weisbecker,
	Wu Fengguang, Dan Carpenter, Tejun Heo

On Wed, 22 Dec 2010 19:21:59 +0800
Amerigo Wang <amwang@redhat.com> wrote:

> This patch restricts /proc/kcore from accessing the whole memory,
> instead, only an ELF header can be read.
> 
> The initial patch was done by Vivek.

Getting a bit tired of this.

Are we supposed to be mind-readers?  How else are we to work out why
you think Linux needs this feature?  What problems it solves?  What
applications are expected to break and what the breakage patterns are? 
Why the benefits are worth the maintenance costs and the risk of
breakage?  Why it's done with a config option and not a boot-time or
runtime tunable?

c'mon, you guys have been around long enough to understand this stuff.


* Re: [RFC Patch] kcore: restrict access to the whole memory
  2010-12-22 23:02 ` Andrew Morton
@ 2010-12-23 10:01   ` Cong Wang
  2010-12-23 14:39     ` Eugene Teo
  0 siblings, 1 reply; 4+ messages in thread
From: Cong Wang @ 2010-12-23 10:01 UTC
  To: Andrew Morton
  Cc: linux-kernel, Neil Horman, WANG Cong, Frederic Weisbecker,
	Wu Fengguang, Dan Carpenter, Tejun Heo, Eugene Teo

On 2010-12-23 07:02, Andrew Morton wrote:
> On Wed, 22 Dec 2010 19:21:59 +0800
> Amerigo Wang <amwang@redhat.com> wrote:
>
>> This patch restricts /proc/kcore from accessing the whole memory,
>> instead, only an ELF header can be read.
>>
>> The initial patch was done by Vivek.
>
> Getting a bit tired of this.
>
> Are we supposed to be mind-readers?  How else are we to work out why
> you think Linux needs this feature?  What problems it solves?  What
> applications are expected to break and what the breakage patterns are?
> Why the benefits are worth the maintenance costs and the risk of
> breakage?  Why it's done with a config option and not a boot-time or
> runtime tunable?
>

Oh, sorry, I forgot to mention this is for security reasons,
I am adding Eugene into Cc so that he can explain more about this.

Yeah, I thought about sysctl too, but it is really weird for me
to control /proc/kcore contents via a sysctl file, I think
a Kconfig is enough.

Thanks!


* Re: [RFC Patch] kcore: restrict access to the whole memory
  2010-12-23 10:01   ` Cong Wang
@ 2010-12-23 14:39     ` Eugene Teo
  0 siblings, 0 replies; 4+ messages in thread
From: Eugene Teo @ 2010-12-23 14:39 UTC
  To: Cong Wang
  Cc: Andrew Morton, linux-kernel, Neil Horman, WANG Cong,
	Frederic Weisbecker, Wu Fengguang, Dan Carpenter, Tejun Heo,
	Vivek Goyal, Arjan van de Ven

On 12/23/2010 06:01 PM, Cong Wang wrote:
> On 2010-12-23 07:02, Andrew Morton wrote:
>> On Wed, 22 Dec 2010 19:21:59 +0800
>> Amerigo Wang <amwang@redhat.com> wrote:
>>
>>> This patch restricts /proc/kcore from accessing the whole memory,
>>> instead, only an ELF header can be read.
>>>
>>> The initial patch was done by Vivek.
>>
>> Getting a bit tired of this.
>>
>> Are we supposed to be mind-readers? How else are we to work out why
>> you think Linux needs this feature? What problems it solves? What
>> applications are expected to break and what the breakage patterns are?
>> Why the benefits are worth the maintenance costs and the risk of
>> breakage? Why it's done with a config option and not a boot-time or
>> runtime tunable?

As opposed to /dev/{mem,kmem}, /proc/kcore is read-only. It is meant to 
be a preventive measure to disallow privileged users from reading the 
kcore file beyond the ELF headers as it can contain sensitive 
information. This is based on a patch that we have been carrying in Red 
Hat Enterprise Linux 5 for a few years. I believe other distributions 
also have similar restrictions.

Thanks, Eugene
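
A user-space check for the restriction discussed in this thread, added here as an example and not part of the original posts or of the kernel tree: given the ELF header area of a kcore-style image and the size the file reports, it counts the PT_LOAD segments that the header describes but the file does not back. It assumes a restricted kernel still lists those segments in the header, which the posted hunks do not show; kcore_unbacked_loads, build_sample_header and the sample layout are constructed for illustration.

```c
#include <elf.h>	/* also pulls in <stdint.h> */
#include <stdio.h>
#include <string.h>

/* Count PT_LOAD segments not fully inside file_size (overflow-safe compare);
 * returns -1 if buf does not hold a sane ELF64 header and program headers. */
int kcore_unbacked_loads(const unsigned char *buf, size_t len, uint64_t file_size)
{
	Elf64_Ehdr eh;
	Elf64_Phdr ph;
	int unbacked = 0;

	if (len < sizeof(eh))
		return -1;
	memcpy(&eh, buf, sizeof(eh));
	if (memcmp(eh.e_ident, ELFMAG, SELFMAG) || eh.e_ident[EI_CLASS] != ELFCLASS64 ||
	    eh.e_phentsize != sizeof(ph) || eh.e_phoff > len ||
	    (len - eh.e_phoff) / sizeof(ph) < eh.e_phnum)
		return -1;
	for (unsigned int i = 0; i < eh.e_phnum; i++) {
		memcpy(&ph, buf + eh.e_phoff + i * sizeof(ph), sizeof(ph));
		if (ph.p_type == PT_LOAD && (ph.p_offset > file_size ||
					     ph.p_filesz > file_size - ph.p_offset))
			unbacked++;
	}
	return unbacked;
}

/* Constructed sample: 4096-byte header area, one PT_NOTE, two 4 KiB PT_LOADs. */
void build_sample_header(unsigned char *buf)
{
	Elf64_Ehdr eh = { .e_ident = { ELFMAG0, ELFMAG1, ELFMAG2, ELFMAG3, ELFCLASS64 },
			  .e_type = ET_CORE, .e_phoff = sizeof(Elf64_Ehdr),
			  .e_phentsize = sizeof(Elf64_Phdr), .e_phnum = 3 };
	Elf64_Phdr ph[3] = {
		{ .p_type = PT_NOTE, .p_offset = 0x100, .p_filesz = 0x80 },
		{ .p_type = PT_LOAD, .p_offset = 0x1000, .p_filesz = 0x1000 },
		{ .p_type = PT_LOAD, .p_offset = 0x2000, .p_filesz = 0x1000 },
	};
	memset(buf, 0, 4096);
	memcpy(buf, &eh, sizeof(eh));
	memcpy(buf + sizeof(eh), ph, sizeof(ph));
}

int main(void)
{
	unsigned char buf[4096];
	build_sample_header(buf);
	printf("unbacked: full=%d header-only=%d\n", kcore_unbacked_loads(buf, sizeof(buf), 0x3000),
	       kcore_unbacked_loads(buf, sizeof(buf), sizeof(buf)));
	return 0;
}
```

A result of 0 means every advertised segment lies inside the file; a non-zero result on a file whose size equals the header area is what a header-only kcore would look like under the stated assumption.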

