From: Kees Cook <keescook@chromium.org>
To: Dominik Czarnota <dominik.czarnota@trailofbits.com>
Cc: Kees Cook <keescook@chromium.org>,
stable@vger.kernel.org, Jessica Yu <jeyu@kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Andrew Morton <akpm@linux-foundation.org>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Martin KaFai Lau <kafai@fb.com>, Song Liu <songliubraving@fb.com>,
Yonghong Song <yhs@fb.com>, Andrii Nakryiko <andriin@fb.com>,
KP Singh <kpsingh@chromium.org>,
"Naveen N. Rao" <naveen.n.rao@linux.ibm.com>,
Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>,
"David S. Miller" <davem@davemloft.net>,
Masami Hiramatsu <mhiramat@kernel.org>,
Jakub Kicinski <kuba@kernel.org>,
"Steven Rostedt (VMware)" <rostedt@goodmis.org>,
Dmitry Safonov <0x7f454c46@gmail.com>,
Will Deacon <will@kernel.org>,
Alexey Dobriyan <adobriyan@gmail.com>,
Marc Zyngier <maz@kernel.org>,
Masahiro Yamada <masahiroy@kernel.org>,
Al Viro <viro@zeniv.linux.org.uk>,
Matteo Croce <mcroce@redhat.com>,
Edward Cree <ecree@solarflare.com>,
Nicolas Dichtel <nicolas.dichtel@6wind.com>,
Alexander Lobakin <alobakin@dlink.ru>,
Thomas Richter <tmricht@linux.ibm.com>,
Ingo Molnar <mingo@kernel.org>,
netdev@vger.kernel.org, bpf@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: [PATCH 1/5] kallsyms: Refactor kallsyms_show_value() to take cred
Date: Thu, 2 Jul 2020 16:26:34 -0700 [thread overview]
Message-ID: <20200702232638.2946421-2-keescook@chromium.org> (raw)
In-Reply-To: <20200702232638.2946421-1-keescook@chromium.org>
In order to perform future tests against the cred saved during open(),
switch kallsyms_show_value() to operate on a cred, and have all current
callers pass current_cred(). This makes it very obvious where callers
are checking the wrong credential in their "read" contexts. These will
be fixed in the coming patches.
Additionally switch return value to bool, since it is always used as a
direct permission check, not a 0-on-success, negative-on-error style
function return.
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
---
include/linux/filter.h | 2 +-
include/linux/kallsyms.h | 5 +++--
kernel/kallsyms.c | 17 +++++++++++------
kernel/kprobes.c | 4 ++--
kernel/module.c | 2 +-
5 files changed, 18 insertions(+), 12 deletions(-)
diff --git a/include/linux/filter.h b/include/linux/filter.h
index 259377723603..55104f6c78e8 100644
--- a/include/linux/filter.h
+++ b/include/linux/filter.h
@@ -889,7 +889,7 @@ static inline bool bpf_dump_raw_ok(void)
/* Reconstruction of call-sites is dependent on kallsyms,
* thus make dump the same restriction.
*/
- return kallsyms_show_value() == 1;
+ return kallsyms_show_value(current_cred());
}
struct bpf_prog *bpf_patch_insn_single(struct bpf_prog *prog, u32 off,
diff --git a/include/linux/kallsyms.h b/include/linux/kallsyms.h
index 98338dc6b5d2..481273f0c72d 100644
--- a/include/linux/kallsyms.h
+++ b/include/linux/kallsyms.h
@@ -18,6 +18,7 @@
#define KSYM_SYMBOL_LEN (sizeof("%s+%#lx/%#lx [%s]") + (KSYM_NAME_LEN - 1) + \
2*(BITS_PER_LONG*3/10) + (MODULE_NAME_LEN - 1) + 1)
+struct cred;
struct module;
static inline int is_kernel_inittext(unsigned long addr)
@@ -98,7 +99,7 @@ int lookup_symbol_name(unsigned long addr, char *symname);
int lookup_symbol_attrs(unsigned long addr, unsigned long *size, unsigned long *offset, char *modname, char *name);
/* How and when do we show kallsyms values? */
-extern int kallsyms_show_value(void);
+extern bool kallsyms_show_value(const struct cred *cred);
#else /* !CONFIG_KALLSYMS */
@@ -158,7 +159,7 @@ static inline int lookup_symbol_attrs(unsigned long addr, unsigned long *size, u
return -ERANGE;
}
-static inline int kallsyms_show_value(void)
+static inline bool kallsyms_show_value(const struct cred *cred)
{
return false;
}
diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c
index 16c8c605f4b0..bb14e64f62a4 100644
--- a/kernel/kallsyms.c
+++ b/kernel/kallsyms.c
@@ -644,19 +644,20 @@ static inline int kallsyms_for_perf(void)
* Otherwise, require CAP_SYSLOG (assuming kptr_restrict isn't set to
* block even that).
*/
-int kallsyms_show_value(void)
+bool kallsyms_show_value(const struct cred *cred)
{
switch (kptr_restrict) {
case 0:
if (kallsyms_for_perf())
- return 1;
+ return true;
/* fallthrough */
case 1:
- if (has_capability_noaudit(current, CAP_SYSLOG))
- return 1;
+ if (security_capable(cred, &init_user_ns, CAP_SYSLOG,
+ CAP_OPT_NOAUDIT) == 0)
+ return true;
/* fallthrough */
default:
- return 0;
+ return false;
}
}
@@ -673,7 +674,11 @@ static int kallsyms_open(struct inode *inode, struct file *file)
return -ENOMEM;
reset_iter(iter, 0);
- iter->show_value = kallsyms_show_value();
+ /*
+ * Instead of checking this on every s_show() call, cache
+ * the result here at open time.
+ */
+ iter->show_value = kallsyms_show_value(file->f_cred);
return 0;
}
diff --git a/kernel/kprobes.c b/kernel/kprobes.c
index 4a904cc56d68..d4de217e4a91 100644
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -2448,7 +2448,7 @@ static void report_probe(struct seq_file *pi, struct kprobe *p,
else
kprobe_type = "k";
- if (!kallsyms_show_value())
+ if (!kallsyms_show_value(current_cred()))
addr = NULL;
if (sym)
@@ -2540,7 +2540,7 @@ static int kprobe_blacklist_seq_show(struct seq_file *m, void *v)
* If /proc/kallsyms is not showing kernel address, we won't
* show them here either.
*/
- if (!kallsyms_show_value())
+ if (!kallsyms_show_value(current_cred()))
seq_printf(m, "0x%px-0x%px\t%ps\n", NULL, NULL,
(void *)ent->start_addr);
else
diff --git a/kernel/module.c b/kernel/module.c
index e8a198588f26..a5022ae84e50 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -4377,7 +4377,7 @@ static int modules_open(struct inode *inode, struct file *file)
if (!err) {
struct seq_file *m = file->private_data;
- m->private = kallsyms_show_value() ? NULL : (void *)8ul;
+ m->private = kallsyms_show_value(current_cred()) ? NULL : (void *)8ul;
}
return err;
--
2.25.1
next prev parent reply other threads:[~2020-07-02 23:27 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-02 23:26 [PATCH 0/5] Refactor kallsyms_show_value() users for correct cred Kees Cook
2020-07-02 23:26 ` Kees Cook [this message]
2020-07-02 23:26 ` [PATCH 2/5] module: Refactor section attr into bin attribute Kees Cook
2020-07-03 6:02 ` Greg Kroah-Hartman
2020-07-03 15:29 ` Kees Cook
2020-07-08 16:10 ` Jessica Yu
2020-07-02 23:26 ` [PATCH 3/5] module: Do not expose section addresses to non-CAP_SYSLOG Kees Cook
2020-07-08 16:12 ` Jessica Yu
2020-07-02 23:26 ` [PATCH 4/5] kprobes: Do not expose probe " Kees Cook
2020-07-03 1:00 ` Linus Torvalds
2020-07-03 15:13 ` Kees Cook
2020-07-03 15:50 ` Kees Cook
2020-07-05 20:10 ` Linus Torvalds
2020-07-05 20:19 ` Kees Cook
2020-07-10 14:09 ` Masami Hiramatsu
2020-07-02 23:26 ` [PATCH 5/5] bpf: Check correct cred for CAP_SYSLOG in bpf_dump_raw_ok() Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200702232638.2946421-2-keescook@chromium.org \
--to=keescook@chromium.org \
--cc=0x7f454c46@gmail.com \
--cc=adobriyan@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=alobakin@dlink.ru \
--cc=andriin@fb.com \
--cc=anil.s.keshavamurthy@intel.com \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=dominik.czarnota@trailofbits.com \
--cc=ecree@solarflare.com \
--cc=gregkh@linuxfoundation.org \
--cc=jeyu@kernel.org \
--cc=kafai@fb.com \
--cc=kpsingh@chromium.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=masahiroy@kernel.org \
--cc=maz@kernel.org \
--cc=mcroce@redhat.com \
--cc=mhiramat@kernel.org \
--cc=mingo@kernel.org \
--cc=naveen.n.rao@linux.ibm.com \
--cc=netdev@vger.kernel.org \
--cc=nicolas.dichtel@6wind.com \
--cc=rostedt@goodmis.org \
--cc=songliubraving@fb.com \
--cc=stable@vger.kernel.org \
--cc=tmricht@linux.ibm.com \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
--cc=will@kernel.org \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).