From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S934964AbcCJGgb (ORCPT ); Thu, 10 Mar 2016 01:36:31 -0500
Received: from mail-io0-f182.google.com ([209.85.223.182]:35799 "EHLO
        mail-io0-f182.google.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S932906AbcCJGgW (ORCPT );
        Thu, 10 Mar 2016 01:36:22 -0500
MIME-Version: 1.0
In-Reply-To: <20160308210013.15ee166d@lxorguk.ukuu.org.uk>
References: <1457470075-4586-1-git-send-email-sbauer@eng.utah.edu>
        <1457470075-4586-3-git-send-email-sbauer@eng.utah.edu>
        <20160308210013.15ee166d@lxorguk.ukuu.org.uk>
Date: Wed, 9 Mar 2016 22:36:21 -0800
X-Google-Sender-Auth: TNHWI5jONXd_YLT_gZLeUB7d0Jg
Message-ID:
Subject: Re: [kernel-hardening] Re: [PATCH v3 3/3] SROP mitigation: Add sysctl to disable SROP protection.
From: Kees Cook
To: "kernel-hardening@lists.openwall.com"
Cc: Scott Bauer, LKML, "x86@kernel.org", wmealing@redhat.com,
        Andi Kleen, Andy Lutomirski, Abhiram Balasubramanian
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Mar 8, 2016 at 1:00 PM, One Thousand Gnomes wrote:
> On Tue, 8 Mar 2016 13:47:55 -0700
> Scott Bauer wrote:
>
>> This patch adds a sysctl argument to disable SROP protection.
>
> Shouldn't it be a sysctl to enable it irrevocably, otherwise if I have DAC
> capability I can turn off SROP and attack something to get to higher
> capability levels ?
>
> (The way almost all distros are set up it's kind of academic but for a
> properly secured system it might matter).

Perhaps use proc_dointvec_minmax_sysadmin instead to tie changes
strictly to CAP_SYS_ADMIN?

-Kees

>
> Alan

--
Kees Cook
Chrome OS & Brillo Security
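
An added example, not code from the patch or from anyone in this thread: a small userspace C model of the two write policies raised above, an enable-only (one-way) knob and a CAP_SYS_ADMIN gate in the style of proc_dointvec_minmax_sysadmin. The struct, field and function names are hypothetical, and the handler behaviour is simplified to the access decision only.

```c
/* Userspace model (constructed, not kernel code) of the sysctl write
 * policies discussed in this thread. All names here are hypothetical. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

struct writer {
    bool dac_write_ok;    /* passes the mode-bit (DAC) check on the file */
    bool cap_sys_admin;   /* holds CAP_SYS_ADMIN */
};

struct knob {             /* stands in for the SROP-protection sysctl */
    int value;            /* 1 = protection on, 0 = protection off */
    int min, max;         /* accepted range, like extra1/extra2 */
    bool need_sysadmin;   /* models proc_dointvec_minmax_sysadmin */
};

/* Returns 0 on success or a negative errno, as a proc handler would. */
int knob_write(struct knob *k, const struct writer *w, int newval)
{
    if (!w->dac_write_ok)
        return -EACCES;                  /* file permissions refuse */
    if (k->need_sysadmin && !w->cap_sys_admin)
        return -EPERM;                   /* capability gate */
    if (newval < k->min || newval > k->max)
        return -EINVAL;                  /* value outside allowed range */
    k->value = newval;
    return 0;
}

/* Scenario: a writer that passes DAC tries to switch protection off.
 * Returns 0 if protection ended up disabled, else the negative errno. */
int try_disable(bool need_sysadmin, bool one_way, bool has_cap)
{
    struct knob k = { .value = 1, .min = one_way ? 1 : 0, .max = 1,
                      .need_sysadmin = need_sysadmin };
    struct writer w = { .dac_write_ok = true, .cap_sys_admin = has_cap };
    int rc = knob_write(&k, &w, 0);
    return rc ? rc : k.value;
}

int main(void)
{
    printf("plain handler, DAC only:      %d\n", try_disable(false, false, false));
    printf("sysadmin handler, DAC only:   %d\n", try_disable(true, false, false));
    printf("sysadmin handler, with cap:   %d\n", try_disable(true, false, true));
    printf("one-way knob, with cap:       %d\n", try_disable(true, true, true));
    return 0;
}
```

The capability gate stops a DAC-only writer, but only the one-way range (min equal to max equal to 1) prevents a CAP_SYS_ADMIN holder from turning the protection back off.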