Date: Tue, 12 Jul 2016 19:48:00 +0300
From: Cyrill Gorcunov
To: Stanislav Kinsburskiy
Cc: peterz@infradead.org, mingo@redhat.com, mhocko@suse.com, keescook@chromium.org, linux-kernel@vger.kernel.org, mguzik@redhat.com, bsegall@google.com, john.stultz@linaro.org, ebiederm@xmission.com, oleg@redhat.com, matthltc@us.ibm.com, akpm@linux-foundation.org, luto@amacapital.net, vbabka@suse.cz, xemul@virtuozzo.com
Subject: Re: [PATCH] prctl: remove one-shot limitation for changing exe link
Message-ID: <20160712164800.GD3661@uranus.lan>
In-Reply-To: <20160712152940.24895.61315.stgit@localhost.localdomain>
User-Agent: Mutt/1.6.1 (2016-04-27)

On Tue, Jul 12, 2016 at 07:30:29PM +0400, Stanislav Kinsburskiy wrote:
> This limitation came with the reason to remove "another
> way for malicious code to obscure a compromised program and
> masquerade as a benign process" by allowing "security-conscious program can use
> this prctl once during its early initialization to ensure the prctl cannot
> later be abused for this purpose":
>
> http://marc.info/?l=linux-kernel&m=133160684517468&w=2
>
> But the way the feature can be used is the following:
>
> 1) Attach to process via ptrace (protected by CAP_SYS_PTRACE)
> 2) Unmap all the process file mappings, related to "exe" file.
> 3) Change exe link (protected by CAP_SYS_RESOURCE).
>
> IOW, some other process already has access to the process internals (and thus
> it's already compromised), and can inject fork and use the child of the
> compromised program to masquerade.
> Which means this limitation doesn't solve the problem it was aimed at.
>
> While removing this limitation allows replacing files from underneath a
> running process as many times as required. One of the use cases is network
> file system migration (NFS, to be precise) by CRIU.
>
> NFS mount can't be mounted on restore stage because network is locked.
> To overcome this limitation, another file system (FUSE-based) is used. Then
> opened files are replaced by the proper ones when NFS is remounted.
> Thus exe link replace has to be done twice: first on restore stage and second
> - when actual NFS was remounted.
>
> Signed-off-by: Stanislav Kinsburskiy

Persistent exe-link doesn't guarantee anything if you have rights to ptrace a task and inject your own code into it (from security POV). So let's rip it out.

Acked-by: Cyrill Gorcunov