From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755730AbcAWDT3 (ORCPT ); Fri, 22 Jan 2016 22:19:29 -0500 Received: from out03.mta.xmission.com ([166.70.13.233]:33375 "EHLO out03.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755406AbcAWDT0 (ORCPT ); Fri, 22 Jan 2016 22:19:26 -0500 From: ebiederm@xmission.com (Eric W. Biederman) To: Kees Cook Cc: Andrew Morton , Al Viro , Richard Weinberger , Andy Lutomirski , Robert =?utf-8?B?xZp3acSZY2tp?= , Dmitry Vyukov , David Howells , Miklos Szeredi , Kostya Serebryany , Alexander Potapenko , Eric Dumazet , Sasha Levin , linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com References: <1453502345-30416-1-git-send-email-keescook@chromium.org> <1453502345-30416-2-git-send-email-keescook@chromium.org> Date: Fri, 22 Jan 2016 21:10:07 -0600 In-Reply-To: <1453502345-30416-2-git-send-email-keescook@chromium.org> (Kees Cook's message of "Fri, 22 Jan 2016 14:39:04 -0800") Message-ID: <87oacdyos0.fsf@x220.int.ebiederm.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-AID: U2FsdGVkX19/cauruX+QvbPAP4UVf1cW2FskEDCmOeE= X-SA-Exim-Connect-IP: 97.121.81.63 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 1.5 XMNoVowels Alpha-numberic number with no vowels * 0.7 XMSubLong Long Subject * 0.5 XMGappySubj_01 Very gappy subject * 0.0 TVD_RCVD_IP Message was received from an IP address * 0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available. * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.5000] * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa07 1397; Body=1 Fuz1=1 Fuz2=1] * 0.0 T_TooManySym_01 4+ unique symbols in subject X-Spam-DCC: XMission; sa07 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: **;Kees Cook X-Spam-Relay-Country: X-Spam-Timing: total 297 ms - load_scoreonly_sql: 0.06 (0.0%), signal_user_changed: 4.2 (1.4%), b_tie_ro: 3.0 (1.0%), parse: 1.12 (0.4%), extract_message_metadata: 15 (4.9%), get_uri_detail_list: 1.95 (0.7%), tests_pri_-1000: 5 (1.8%), tests_pri_-950: 1.21 (0.4%), tests_pri_-900: 1.06 (0.4%), tests_pri_-400: 24 (8.1%), check_bayes: 23 (7.6%), b_tokenize: 7 (2.3%), b_tok_get_all: 7 (2.5%), b_comp_prob: 2.6 (0.9%), b_tok_touch_all: 3.4 (1.1%), b_finish: 0.77 (0.3%), tests_pri_0: 237 (80.0%), check_dkim_signature: 0.53 (0.2%), check_dkim_adsp: 2.9 (1.0%), tests_pri_500: 4.0 (1.4%), rewrite_mail: 0.00 (0.0%) Subject: Re: [PATCH 1/2] sysctl: expand use of proc_dointvec_minmax_sysadmin X-Spam-Flag: No X-SA-Exim-Version: 4.2.1 (built Wed, 24 Sep 2014 11:00:52 -0600) X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Kees Cook writes: > Several sysctls expect a state where the highest value (in extra2) is > locked once set for that boot. Yama does this, and kptr_restrict should > be doing it. This extracts Yama's logic and adds it to the existing > proc_dointvec_minmax_sysadmin, taking care to avoid the simple boolean > states (which do not get locked). Since Yama wants to be checking a > different capability, we build wrappers for both cases (CAP_SYS_ADMIN > and CAP_SYS_PTRACE). Sigh this sysctl appears susceptible to known attacks. In my quick skim I believe this sysctl implementation that checks capabilities is susceptible to attacks where the already open file descriptor is set as stdout on a setuid root application. Can we come up with an interface that isn't exploitable by an application that will act as a setuid cat? Eric > -#ifdef CONFIG_PRINTK > -static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write, > - void __user *buffer, size_t *lenp, loff_t *ppos) > +int proc_dointvec_minmax_cap(int cap, struct ctl_table *table, int write, > + void __user *buffer, size_t *lenp, loff_t *ppos) > { > - if (write && !capable(CAP_SYS_ADMIN)) > + struct ctl_table table_copy; > + int value; > + > + /* Require init capabilities to make changes. */ > + if (write && !capable(cap)) > return -EPERM; > > - return proc_dointvec_minmax(table, write, buffer, lenp, ppos); > + /* > + * To deal with const sysctl tables, we make a copy to perform > + * the locking. When data is >1 and ==extra2, lock extra1 to > + * extra2 to stop the value from being changed any further at > + * runtime. > + */ > + table_copy = *table; > + value = *(int *)table_copy.data; > + if (value > 1 && value == *(int *)table_copy.extra2) > + table_copy.extra1 = table_copy.extra2; > + > + return proc_dointvec_minmax(&table_copy, write, buffer, lenp, ppos); > } > -#endif From mboxrd@z Thu Jan 1 00:00:00 1970 Reply-To: kernel-hardening@lists.openwall.com From: ebiederm@xmission.com (Eric W. Biederman) References: <1453502345-30416-1-git-send-email-keescook@chromium.org> <1453502345-30416-2-git-send-email-keescook@chromium.org> Date: Fri, 22 Jan 2016 21:10:07 -0600 In-Reply-To: <1453502345-30416-2-git-send-email-keescook@chromium.org> (Kees Cook's message of "Fri, 22 Jan 2016 14:39:04 -0800") Message-ID: <87oacdyos0.fsf@x220.int.ebiederm.org> MIME-Version: 1.0 Content-Type: text/plain Subject: [kernel-hardening] Re: [PATCH 1/2] sysctl: expand use of proc_dointvec_minmax_sysadmin To: Kees Cook Cc: Andrew Morton , Al Viro , Richard Weinberger , Andy Lutomirski , Robert =?utf-8?B?xZp3acSZY2tp?= , Dmitry Vyukov , David Howells , Miklos Szeredi , Kostya Serebryany , Alexander Potapenko , Eric Dumazet , Sasha Levin , linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com List-ID: Kees Cook writes: > Several sysctls expect a state where the highest value (in extra2) is > locked once set for that boot. Yama does this, and kptr_restrict should > be doing it. This extracts Yama's logic and adds it to the existing > proc_dointvec_minmax_sysadmin, taking care to avoid the simple boolean > states (which do not get locked). Since Yama wants to be checking a > different capability, we build wrappers for both cases (CAP_SYS_ADMIN > and CAP_SYS_PTRACE). Sigh this sysctl appears susceptible to known attacks. In my quick skim I believe this sysctl implementation that checks capabilities is susceptible to attacks where the already open file descriptor is set as stdout on a setuid root application. Can we come up with an interface that isn't exploitable by an application that will act as a setuid cat? Eric > -#ifdef CONFIG_PRINTK > -static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write, > - void __user *buffer, size_t *lenp, loff_t *ppos) > +int proc_dointvec_minmax_cap(int cap, struct ctl_table *table, int write, > + void __user *buffer, size_t *lenp, loff_t *ppos) > { > - if (write && !capable(CAP_SYS_ADMIN)) > + struct ctl_table table_copy; > + int value; > + > + /* Require init capabilities to make changes. */ > + if (write && !capable(cap)) > return -EPERM; > > - return proc_dointvec_minmax(table, write, buffer, lenp, ppos); > + /* > + * To deal with const sysctl tables, we make a copy to perform > + * the locking. When data is >1 and ==extra2, lock extra1 to > + * extra2 to stop the value from being changed any further at > + * runtime. > + */ > + table_copy = *table; > + value = *(int *)table_copy.data; > + if (value > 1 && value == *(int *)table_copy.extra2) > + table_copy.extra1 = table_copy.extra2; > + > + return proc_dointvec_minmax(&table_copy, write, buffer, lenp, ppos); > } > -#endif