From: Tristan Schmelcher <tschmelcher@google.com>
To: "Mickaël Salaün" <mic@digikod.net>
Cc: linux-kernel@vger.kernel.org, Jeff Dike <jdike@addtoit.com>,
Richard Weinberger <richard@nod.at>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
user-mode-linux-devel
<user-mode-linux-devel@lists.sourceforge.net>,
user-mode-linux-user@lists.sourceforge.net
Subject: Re: [PATCH v2 1/2] um: Set secure access mode for temporary file
Date: Tue, 8 Dec 2015 15:37:39 -0500 [thread overview]
Message-ID: <CADNZ+wTtu5gZuztSAnY9TE0fV4cVgqr534gyDUEkp0LS=Vq4Xw@mail.gmail.com> (raw)
In-Reply-To: <566449A3.6030504@digikod.net>
On 6 December 2015 at 09:43, Mickaël Salaün <mic@digikod.net> wrote:
> Well, I'm concerned to use umask because it is not thread-safe and drivers may use create_mem_file() in a multi-theaded context.
You are right. We should perhaps set the umask to 0700 permanently
during process start. But I am not sure if this will interfere with
other UML code.
> I prefer to stick to fchmod and handle the race-condition with O_TMPFILE unsell someone is sure that this will not create bugs :)
The fchmod call is basically useless and should probably be removed.
Even mmap only checks the file descriptor, not the file permissions. I
have pasted a test program below if you wish to confirm. AFAICT
changing the permissions after file deletion accomplishes nothing
unless the attacker bizarrely chooses to hard-link the file during the
race instead of opening it.
#include <assert.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
int main(int argc, char **argv) {
int fd = open("./foo", O_RDWR|O_CREAT|O_EXCL, 0700);
assert(fd >= 0);
int ret = write(fd, "bar\n", 4);
assert(ret == 4);
ret = fchmod(fd, 0400);
assert(ret >= 0);
char *buf = mmap(0, 4, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_SHARED, fd, 0);
assert(buf);
buf[2] = 'z';
ret = munmap(buf, 4);
assert(ret >= 0);
return 0;
}
WARNING: multiple messages have this Message-ID (diff)
From: Tristan Schmelcher <tschmelcher@google.com>
To: "Mickaël Salaün" <mic@digikod.net>
Cc: linux-kernel@vger.kernel.org, Jeff Dike <jdike@addtoit.com>,
Richard Weinberger <richard@nod.at>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
user-mode-linux-devel
<user-mode-linux-devel@lists.sourceforge.net>,
user-mode-linux-user@lists.sourceforge.net
Subject: Re: [PATCH v2 1/2] um: Set secure access mode for temporary file
Date: Tue, 8 Dec 2015 15:37:39 -0500 [thread overview]
Message-ID: <CADNZ+wTtu5gZuztSAnY9TE0fV4cVgqr534gyDUEkp0LS=Vq4Xw@mail.gmail.com> (raw)
In-Reply-To: <566449A3.6030504@digikod.net>
On 6 December 2015 at 09:43, Mickaël Salaün <mic@digikod.net> wrote:
> Well, I'm concerned to use umask because it is not thread-safe and drivers may use create_mem_file() in a multi-theaded context.
You are right. We should perhaps set the umask to 0700 permanently
during process start. But I am not sure if this will interfere with
other UML code.
> I prefer to stick to fchmod and handle the race-condition with O_TMPFILE unsell someone is sure that this will not create bugs :)
The fchmod call is basically useless and should probably be removed.
Even mmap only checks the file descriptor, not the file permissions. I
have pasted a test program below if you wish to confirm. AFAICT
changing the permissions after file deletion accomplishes nothing
unless the attacker bizarrely chooses to hard-link the file during the
race instead of opening it.
#include <assert.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
int main(int argc, char **argv) {
int fd = open("./foo", O_RDWR|O_CREAT|O_EXCL, 0700);
assert(fd >= 0);
int ret = write(fd, "bar\n", 4);
assert(ret == 4);
ret = fchmod(fd, 0400);
assert(ret >= 0);
char *buf = mmap(0, 4, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_SHARED, fd, 0);
assert(buf);
buf[2] = 'z';
ret = munmap(buf, 4);
assert(ret >= 0);
return 0;
}
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
next prev parent reply other threads:[~2015-12-08 20:38 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-11-29 14:03 [PATCH v2 0/2] um: Protect memory mapped file Mickaël Salaün
2015-11-29 14:03 ` Mickaël Salaün
2015-11-29 14:03 ` [PATCH v2 1/2] um: Set secure access mode for temporary file Mickaël Salaün
2015-11-29 14:03 ` Mickaël Salaün
2015-12-04 17:13 ` Tristan Schmelcher
2015-12-06 11:32 ` Mickaël Salaün
2015-12-06 11:57 ` Mickaël Salaün
2015-12-06 14:43 ` Mickaël Salaün
2015-12-08 20:37 ` Tristan Schmelcher [this message]
2015-12-08 20:37 ` Tristan Schmelcher
2015-12-08 21:45 ` Richard Weinberger
2015-12-08 21:45 ` [uml-devel] " Richard Weinberger
2015-12-09 23:58 ` Mickaël Salaün
2015-11-29 14:03 ` [PATCH v2 2/2] um: Use race-free temporary file creation Mickaël Salaün
2015-11-29 14:03 ` Mickaël Salaün
2015-12-04 17:26 ` Tristan Schmelcher
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CADNZ+wTtu5gZuztSAnY9TE0fV4cVgqr534gyDUEkp0LS=Vq4Xw@mail.gmail.com' \
--to=tschmelcher@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=jdike@addtoit.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mic@digikod.net \
--cc=richard@nod.at \
--cc=user-mode-linux-devel@lists.sourceforge.net \
--cc=user-mode-linux-user@lists.sourceforge.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.