linux-fsdevel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: "Theodore Y. Ts'o" <tytso@mit.edu>
To: TongZhang <ztong@vt.edu>
Cc: Cyrill Gorcunov <gorcunov@gmail.com>,
	adobriyan@gmail.com, akpm@linux-foundation.org,
	viro@zeniv.linux.org.uk, LKML <linux-kernel@vger.kernel.org>,
	linux-fsdevel@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	Wenbo Shen <shenwenbosmile@gmail.com>
Subject: Re: Leaking path for set_task_comm
Date: Tue, 25 Sep 2018 23:16:45 -0400	[thread overview]
Message-ID: <20180926031645.GB3321@thunk.org> (raw)
In-Reply-To: <0CD63E6E-7512-4DD6-8858-4408416DC730@vt.edu>

On Tue, Sep 25, 2018 at 08:44:39PM -0400, TongZhang wrote:
> Yes, this is exactly what I am saying.
> A process can change its own name using prctl or /proc/self/comm.
> prctl is protected by security_task_prctl, whereas /proc/self/comm is not protected by this LSM hook.
> 
> A system admin may expect to use security_task_prctl to block all attempt to change process name, however, it can still change name using /proc/self/comm.

None of the in-tree LSM's try to affect PR_SET_NAME.  Looking at
security/commoncap.c, it's clear what is of interest is to checking
things relating to security sensitive things relating to capabilities, such as:

       PR_SET_SECUREBITS
       PR_CAPBSET_*
       PR_*_SECUREBITS
       PR_*_KEEPCAPS
       PR_CAP_AMBIENT

Trying to depend on task name for anything security sensitive is at
_really_ bad idea, so it seems unlikely that a LSM would want to
protect the process name.  (And if they did, the first thing I would
ask is "Why?  What are you trying to do?  Do you realize how many
*other* ways the process name can be spoofed or otherwise controlled
by a potentially malicious user?")

					- Ted

  reply	other threads:[~2018-09-26  3:16 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-09-25 17:27 Leaking path for set_task_comm Tong Zhang
2018-09-25 18:39 ` Cyrill Gorcunov
2018-09-26  0:44   ` TongZhang
2018-09-26  3:16     ` Theodore Y. Ts'o [this message]
2018-09-26 22:39       ` Alan Cox

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180926031645.GB3321@thunk.org \
    --to=tytso@mit.edu \
    --cc=adobriyan@gmail.com \
    --cc=akpm@linux-foundation.org \
    --cc=gorcunov@gmail.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=shenwenbosmile@gmail.com \
    --cc=viro@zeniv.linux.org.uk \
    --cc=ztong@vt.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).