From: Willy Tarreau
To: Ben Hutchings
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org, Konstantin Khlebnikov, Naoya Horiguchi, Mark Williamson, Andrew Morton, Linus Torvalds
Subject: Re: [PATCH 2.6.32 19/38] [PATCH 19/38] pagemap: hide physical addresses from non-privileged users
Date: Mon, 30 Nov 2015 16:14:21 +0100
Message-ID: <20151130151421.GB2519@1wt.eu>
References: <20151129214703.685445143@1wt.eu> <1448848462.1990.44.camel@decadent.org.uk> <20151130070136.GB31694@1wt.eu> <20151130113005.GA2440@1wt.eu> <1448895320.1990.69.camel@decadent.org.uk>
In-Reply-To: <1448895320.1990.69.camel@decadent.org.uk>

On Mon, Nov 30, 2015 at 02:55:20PM +0000, Ben Hutchings wrote:
> On Mon, 2015-11-30 at 12:30 +0100, Willy Tarreau wrote:
> > On Mon, Nov 30, 2015 at 08:01:36AM +0100, Willy Tarreau wrote:
> > > On Mon, Nov 30, 2015 at 01:54:22AM +0000, Ben Hutchings wrote:
> > > > On Sun, 2015-11-29 at 22:47 +0100, Willy Tarreau wrote:
> > > > This is wrong; see
> > > > .
> > >
> > > Damned, and I now remember this discussion. The worst thing is that
> > > I purposely booted a machine to test the fix and was happy with it,
> > > I forgot this point :-(
> > >
> > > > For 2.6.32 perhaps you could retain the capability check at open time
> > > > but store the result in private state for use at read time.
> > >
> > > I'll see if it is possible to opencode security_capable() with 2.6.32's
> > > infrastructure, and how far this brings us. Or maybe we should even drop
> > > this one completely and leave pagemap readable only for superuser on
> > > 2.6.32, it doesn't seem to be that big of a deal either.
> >
> > It was easy enough to open-code security_capable() in the end. I've
> > tested this version which works fine for me here. If that's OK for you
> > I'll emit an -rc2 with the last two patches.
> [...]
> > + /* do not disclose physical addresses: attack vector */
> > + pm.show_pfn = !cap_capable(current, file->f_cred, CAP_SYS_ADMIN, SECURITY_CAP_AUDIT);
> [...]
>
> But this bypasses SELinux's additional restrictions on capabilities.

Got it, I didn't think about it.

> I think it would be better to cherry-pick this first:
>
> commit 6037b715d6fab139742c3df8851db4c823081561
> Author: Chris Wright
> Date:   Wed Feb 9 22:11:51 2011 -0800
>
>     security: add cred argument to security_capable()
>
> and then you can pass file->f_cred to security_capable().

That makes sense indeed, the patch should fit nicely. Thanks for the pointer.
Willy
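Review bot: Calling cap_capable() directly on file->f_cred evaluates only the POSIX capability bits and skips the LSM hook that security_capable() goes through, so an SELinux policy that further restricts CAP_SYS_ADMIN is never consulted, which is the bypass the reply points out; once commit 6037b715d6fab139742c3df8851db4c823081561 is cherry-picked, the quoted line can become `pm.show_pfn = !security_capable(file->f_cred, CAP_SYS_ADMIN);` so that the read-time check uses the opener's credentials and still passes through the LSM. The `!` negation also relies on these functions returning 0 on success rather than a boolean, which is easy to misread in a backport; a one-line comment stating that convention next to the assignment would help the next person touching this code.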