From: Tristan Schmelcher <tschmelcher@google.com> To: "Mickaël Salaün" <mic@digikod.net> Cc: linux-kernel@vger.kernel.org, Jeff Dike <jdike@addtoit.com>, Richard Weinberger <richard@nod.at>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, user-mode-linux-devel <user-mode-linux-devel@lists.sourceforge.net>, user-mode-linux-user@lists.sourceforge.net Subject: Re: [PATCH v2 1/2] um: Set secure access mode for temporary file Date: Tue, 8 Dec 2015 15:37:39 -0500 [thread overview] Message-ID: <CADNZ+wTtu5gZuztSAnY9TE0fV4cVgqr534gyDUEkp0LS=Vq4Xw@mail.gmail.com> (raw) In-Reply-To: <566449A3.6030504@digikod.net> On 6 December 2015 at 09:43, Mickaël Salaün <mic@digikod.net> wrote: > Well, I'm concerned to use umask because it is not thread-safe and drivers may use create_mem_file() in a multi-theaded context. You are right. We should perhaps set the umask to 0700 permanently during process start. But I am not sure if this will interfere with other UML code. > I prefer to stick to fchmod and handle the race-condition with O_TMPFILE unsell someone is sure that this will not create bugs :) The fchmod call is basically useless and should probably be removed. Even mmap only checks the file descriptor, not the file permissions. I have pasted a test program below if you wish to confirm. AFAICT changing the permissions after file deletion accomplishes nothing unless the attacker bizarrely chooses to hard-link the file during the race instead of opening it. #include <assert.h> #include <fcntl.h> #include <sys/mman.h> #include <sys/stat.h> #include <sys/types.h> #include <unistd.h> int main(int argc, char **argv) { int fd = open("./foo", O_RDWR|O_CREAT|O_EXCL, 0700); assert(fd >= 0); int ret = write(fd, "bar\n", 4); assert(ret == 4); ret = fchmod(fd, 0400); assert(ret >= 0); char *buf = mmap(0, 4, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_SHARED, fd, 0); assert(buf); buf[2] = 'z'; ret = munmap(buf, 4); assert(ret >= 0); return 0; }
WARNING: multiple messages have this Message-ID (diff)
From: Tristan Schmelcher <tschmelcher@google.com> To: "Mickaël Salaün" <mic@digikod.net> Cc: linux-kernel@vger.kernel.org, Jeff Dike <jdike@addtoit.com>, Richard Weinberger <richard@nod.at>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, user-mode-linux-devel <user-mode-linux-devel@lists.sourceforge.net>, user-mode-linux-user@lists.sourceforge.net Subject: Re: [PATCH v2 1/2] um: Set secure access mode for temporary file Date: Tue, 8 Dec 2015 15:37:39 -0500 [thread overview] Message-ID: <CADNZ+wTtu5gZuztSAnY9TE0fV4cVgqr534gyDUEkp0LS=Vq4Xw@mail.gmail.com> (raw) In-Reply-To: <566449A3.6030504@digikod.net> On 6 December 2015 at 09:43, Mickaël Salaün <mic@digikod.net> wrote: > Well, I'm concerned to use umask because it is not thread-safe and drivers may use create_mem_file() in a multi-theaded context. You are right. We should perhaps set the umask to 0700 permanently during process start. But I am not sure if this will interfere with other UML code. > I prefer to stick to fchmod and handle the race-condition with O_TMPFILE unsell someone is sure that this will not create bugs :) The fchmod call is basically useless and should probably be removed. Even mmap only checks the file descriptor, not the file permissions. I have pasted a test program below if you wish to confirm. AFAICT changing the permissions after file deletion accomplishes nothing unless the attacker bizarrely chooses to hard-link the file during the race instead of opening it. #include <assert.h> #include <fcntl.h> #include <sys/mman.h> #include <sys/stat.h> #include <sys/types.h> #include <unistd.h> int main(int argc, char **argv) { int fd = open("./foo", O_RDWR|O_CREAT|O_EXCL, 0700); assert(fd >= 0); int ret = write(fd, "bar\n", 4); assert(ret == 4); ret = fchmod(fd, 0400); assert(ret >= 0); char *buf = mmap(0, 4, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_SHARED, fd, 0); assert(buf); buf[2] = 'z'; ret = munmap(buf, 4); assert(ret >= 0); return 0; } -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
next prev parent reply other threads:[~2015-12-08 20:38 UTC|newest] Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top 2015-11-29 14:03 [PATCH v2 0/2] um: Protect memory mapped file Mickaël Salaün 2015-11-29 14:03 ` Mickaël Salaün 2015-11-29 14:03 ` [PATCH v2 1/2] um: Set secure access mode for temporary file Mickaël Salaün 2015-11-29 14:03 ` Mickaël Salaün 2015-12-04 17:13 ` Tristan Schmelcher 2015-12-06 11:32 ` Mickaël Salaün 2015-12-06 11:57 ` Mickaël Salaün 2015-12-06 14:43 ` Mickaël Salaün 2015-12-08 20:37 ` Tristan Schmelcher [this message] 2015-12-08 20:37 ` Tristan Schmelcher 2015-12-08 21:45 ` Richard Weinberger 2015-12-08 21:45 ` [uml-devel] " Richard Weinberger 2015-12-09 23:58 ` Mickaël Salaün 2015-11-29 14:03 ` [PATCH v2 2/2] um: Use race-free temporary file creation Mickaël Salaün 2015-11-29 14:03 ` Mickaël Salaün 2015-12-04 17:26 ` Tristan Schmelcher
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to='CADNZ+wTtu5gZuztSAnY9TE0fV4cVgqr534gyDUEkp0LS=Vq4Xw@mail.gmail.com' \ --to=tschmelcher@google.com \ --cc=gregkh@linuxfoundation.org \ --cc=jdike@addtoit.com \ --cc=linux-kernel@vger.kernel.org \ --cc=mic@digikod.net \ --cc=richard@nod.at \ --cc=user-mode-linux-devel@lists.sourceforge.net \ --cc=user-mode-linux-user@lists.sourceforge.net \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.