From: "Serge E. Hallyn" <serge@hallyn.com>
To: Kees Cook <kees.cook@canonical.com>
Cc: linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH v3] security: Yama LSM
Date: Wed, 23 Jun 2010 19:28:59 -0500 [thread overview]
Message-ID: <20100624002859.GA4841@hallyn.com> (raw)
In-Reply-To: <20100623182054.GN5876@outflux.net>
Quoting Kees Cook (kees.cook@canonical.com):
> This adds the Yama Linux Security Module to collect several security
> features (symlink, hardlink, and PTRACE scope restrictions) that have
> existed in various forms over the years and have been carried outside the
> mainline kernel by other Linux distributions like Openwall and grsecurity.
>
> Signed-off-by: Kees Cook <kees.cook@canonical.com>
Acked-by: Serge E. Hallyn <serge@hallyn.com>
> +==============================================================
> diff --git a/fs/exec.c b/fs/exec.c
> index e19de6a..85092e3 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -55,6 +55,7 @@
> #include <linux/fsnotify.h>
> #include <linux/fs_struct.h>
> #include <linux/pipe_fs_i.h>
> +#include <linux/ctype.h>
>
> #include <asm/uaccess.h>
> #include <asm/mmu_context.h>
Can you explain the fs/exec.c hunk?
...
> +static int yama_ptrace_access_check(struct task_struct *child,
> + unsigned int mode)
> +{
> + int rc;
> +
> + rc = cap_ptrace_access_check(child, mode);
> + if (rc != 0)
> + return rc;
> +
> + /* require ptrace target be a child of ptracer on attach */
> + if (mode == PTRACE_MODE_ATTACH && ptrace_scope &&
> + !capable(CAP_SYS_PTRACE)) {
> + struct task_struct *walker = child;
> +
> + rcu_read_lock();
> + read_lock(&tasklist_lock);
> + while (walker->pid > 0) {
> + if (walker == current)
> + break;
> + walker = walker->real_parent;
> + }
> + if (walker->pid == 0)
> + rc = -EPERM;
Don't recall whether I ended up sending the email addressing this
last time, but task->pid is the global pid, so pid==0 does mean
what you think it does regardless of pid namespaces.
> + read_unlock(&tasklist_lock);
> + rcu_read_unlock();
> + }
> +
> + if (rc) {
> + char name[sizeof(current->comm)];
> + printk_ratelimited(KERN_INFO "ptrace of non-child"
> + " pid %d was attempted by: %s (pid %d)\n",
> + child->pid, get_task_comm(name, current),
> + current->pid);
> + }
> +
> + return rc;
> +}
> +
> +/**
> + * yama_inode_follow_link - check for symlinks in sticky world-writeable dirs
> + * @dentry: The inode/dentry of the symlink
> + * @nameidata: The path data of the symlink
> + *
> + * In the case of the protected_sticky_symlinks sysctl being enabled,
> + * CAP_DAC_OVERRIDE needs to be specifically ignored if the symlink is
> + * in a sticky world-writable directory. This is to protect privileged
> + * processes from failing races against path names that may change out
> + * from under them by way of other users creating malicious symlinks.
> + * It will permit symlinks to only be followed when outside a sticky
> + * world-writable directory, or when the uid of the symlink and follower
> + * match, or when the directory owner matches the symlink's owner.
> + *
> + * Returns 0 if following the symlink is allowed, -ve on error.
> + */
> +static int yama_inode_follow_link(struct dentry *dentry,
> + struct nameidata *nameidata)
> +{
> + int rc = 0;
> + const struct inode *parent;
> + const struct inode *inode;
> + const struct cred *cred;
> +
> + if (!protected_sticky_symlinks)
> + return 0;
> +
> + /* owner and follower match? */
> + cred = current_cred();
> + inode = dentry->d_inode;
> + if (cred->fsuid == inode->i_uid)
> + return 0;
This'll need user-namespace luvin' at some point, but that's my problem,
not yours.
-serge
next prev parent reply other threads:[~2010-06-24 0:28 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-06-23 18:20 [PATCH v3] security: Yama LSM Kees Cook
2010-06-24 0:28 ` Serge E. Hallyn [this message]
2010-06-24 17:02 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20100624002859.GA4841@hallyn.com \
--to=serge@hallyn.com \
--cc=kees.cook@canonical.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).