From: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>,
Cyrill Gorcunov <gorcunov@gmail.com>
Cc: <peterz@infradead.org>, <mingo@redhat.com>, <mhocko@suse.com>,
<keescook@chromium.org>, <linux-kernel@vger.kernel.org>,
<mguzik@redhat.com>, <bsegall@google.com>,
<john.stultz@linaro.org>, <oleg@redhat.com>,
<matthltc@us.ibm.com>, <akpm@linux-foundation.org>,
<luto@amacapital.net>, <vbabka@suse.cz>, <xemul@virtuozzo.com>
Subject: Re: [PATCH] prctl: remove one-shot limitation for changing exe link
Date: Wed, 13 Jul 2016 12:47:10 +0200 [thread overview]
Message-ID: <360f9182-0685-7625-14db-daf821043db0@virtuozzo.com> (raw)
In-Reply-To: <87inwa2406.fsf@x220.int.ebiederm.org>
12.07.2016 18:52, Eric W. Biederman пишет:
> Cyrill Gorcunov <gorcunov@gmail.com> writes:
>
>> On Tue, Jul 12, 2016 at 07:30:29PM +0400, Stanislav Kinsburskiy wrote:
>>> This limitation came with the reason to remove "another
>>> way for malicious code to obscure a compromised program and
>>> masquerade as a benign process" by allowing "security-concious program can use
>>> this prctl once during its early initialization to ensure the prctl cannot
>>> later be abused for this purpose":
>>>
>>> http://marc.info/?l=linux-kernel&m=133160684517468&w=2
>>>
>>> But the way how the feature can be used is the following:
>>>
>>> 1) Attach to process via ptrace (protected by CAP_SYS_PTRACE)
>>> 2) Unmap all the process file mappings, related to "exe" file.
>>> 3) Change exe link (protected by CAP_SYS_RESOURCE).
>>>
>>> IOW, some other process already has an access to process internals (and thus
>>> it's already compromised), and can inject fork and use the child of the
>>> compromised program to masquerade.
>>> Which means this limitation doesn't solve the problem it was aimed to.
>>>
>>> While removing this limitation allow to replace files from underneath of a
>>> running process as many times as required. One of the use cases is network
>>> file systems migration (NFS, to be precise) by CRIU.
>>>
>>> NFS mount can't be mounted on restore stage because network is locked.
>>> To overcome this limitation, another file system (FUSE-based) is used. Then
>>> opened files replaced by the proper ones NFS is remounted.
>>> Thus exe link replace has to be done twice: first on restore stage and second
>>> - when actual NFS was remounted.
>>>
>>> Signed-off-by: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
>> Persistent exe-link doesn't guarantee anything if you have rights to ptrace
>> task and inject own code into (from security POV). So lets rip it out.
>>
>> Acked-by: Cyrill Gorcunov <gorcunov@openvz.org>
> I believe the original concern was someone injecting a code into a
> process and playing silly buggers with the exe link. Someone who does
> not have ptrace capability.
>
> It is completely not ok to change this until someone goes back to the
> original conversation and looks at the original threat model, and
> refutes it.
Fair enough, Eric.
That's why all the people, who were participating in original
discussion, included in the recipients list.
> Eric
>
next prev parent reply other threads:[~2016-07-13 10:47 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-12 15:30 [PATCH] prctl: remove one-shot limitation for changing exe link Stanislav Kinsburskiy
2016-07-12 16:42 ` Oleg Nesterov
2016-07-12 16:52 ` Stanislav Kinsburskiy
2016-07-12 17:01 ` Oleg Nesterov
2016-07-12 16:48 ` Cyrill Gorcunov
2016-07-12 16:52 ` Eric W. Biederman
2016-07-12 17:29 ` Cyrill Gorcunov
2016-07-12 21:42 ` Cyrill Gorcunov
2016-07-13 10:47 ` Stanislav Kinsburskiy [this message]
2016-07-18 20:11 ` One Thousand Gnomes
2016-07-20 11:30 ` Stanislav Kinsburskiy
[not found] ` <8a863273-c571-63d6-c0c3-637dff5645a3@virtuozzo.com>
2016-07-25 18:21 ` Eric W. Biederman
2016-07-25 19:22 ` Cyrill Gorcunov
2016-07-25 19:56 ` Eric W. Biederman
2016-07-26 8:34 ` Cyrill Gorcunov
2016-07-30 17:31 ` Eric W. Biederman
2016-07-30 20:28 ` Mateusz Guzik
2016-07-31 18:45 ` Eric W. Biederman
2016-07-31 18:45 ` Eric W. Biederman
2016-08-22 15:40 ` Richard Guy Briggs
2016-07-31 22:43 ` Cyrill Gorcunov
2016-07-31 22:49 ` Andy Lutomirski
2016-08-01 9:04 ` Cyrill Gorcunov
2016-08-10 10:48 ` Stanislav Kinsburskiy
2016-07-26 10:21 ` Stanislav Kinsburskiy
2016-07-12 15:42 Stanislav Kinsburskiy
[not found] <1d254efe-5410-40c4-af4b-9e898682d0b3@email.android.com>
2016-07-13 10:15 ` Oleg Nesterov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=360f9182-0685-7625-14db-daf821043db0@virtuozzo.com \
--to=skinsbursky@virtuozzo.com \
--cc=akpm@linux-foundation.org \
--cc=bsegall@google.com \
--cc=ebiederm@xmission.com \
--cc=gorcunov@gmail.com \
--cc=john.stultz@linaro.org \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=matthltc@us.ibm.com \
--cc=mguzik@redhat.com \
--cc=mhocko@suse.com \
--cc=mingo@redhat.com \
--cc=oleg@redhat.com \
--cc=peterz@infradead.org \
--cc=vbabka@suse.cz \
--cc=xemul@virtuozzo.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.