From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753420Ab1G0CQQ (ORCPT ); Tue, 26 Jul 2011 22:16:16 -0400 Received: from cantor2.suse.de ([195.135.220.15]:38740 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751532Ab1G0CQM (ORCPT ); Tue, 26 Jul 2011 22:16:12 -0400 Date: Wed, 27 Jul 2011 12:15:49 +1000 From: NeilBrown To: Vasiliy Kulikov Cc: kernel-hardening@lists.openwall.com, Solar Designer , Linus Torvalds , Stephen Smalley , James Morris , linux-kernel@vger.kernel.org, Greg Kroah-Hartman , Andrew Morton , "David S. Miller" , Jiri Slaby , Alexander Viro , linux-fsdevel@vger.kernel.org, KOSAKI Motohiro , Eric Paris , Willy Tarreau , Sebastian Krahmer Subject: Re: [patch v2] move RLIMIT_NPROC check from set_user() to do_execve_common() Message-ID: <20110727121549.67a84d18@notabene.brown> In-Reply-To: <20110726144848.GA7133@albatros> References: <1310759683.30257.123.camel@moss-pluto> <20110721140936.632d2c8b@notabene.brown> <20110721124830.GA1325@openwall.com> <20110721193939.GA3914@openwall.com> <20110725171423.GA3739@albatros> <20110725234013.GB24110@openwall.com> <20110726104713.37273143@notabene.brown> <20110726011629.GA24610@openwall.com> <20110726141118.32f948e0@notabene.brown> <20110726144848.GA7133@albatros> X-Mailer: Claws Mail 3.7.9 (GTK+ 2.22.1; x86_64-unknown-linux-gnu) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, 26 Jul 2011 18:48:48 +0400 Vasiliy Kulikov wrote: > Neil, Solar, > > On Tue, Jul 26, 2011 at 14:11 +1000, NeilBrown wrote: > > I don't really see that failing mmap is any more hackish than failing execve. > > > > Both are certainly hacks. It is setuid that should fail, but that is > > problematic. > > > > We seem to agree that it is acceptable to delay the failure until the process > > actually tries to run some code for the user. I just think that > > mapping-a-file-for-exec is a more direct measure of "trying to run some code > > for the user" than "execve" is. > > > > So they are both hacks, but one it more thorough than the other. In the > > world of security I would hope that "thorough" would win. > > Well, I don't mind against something more generic than the check in > execve(), however, the usefulness of the check in mmap() is unclear to > me. You want to make more programs fail after setuid(), but does mmap > stops really many programs? Do you know any program doing mmap/dlopen > after setuid() call? What if the program will not do any mmap/dlopen > and e.g. start to handle network connections or do some computations? > I suppose the latter case is much more often than mmap/dlopen. I think I didn't make myself clear. I don't mean we should intercept the mmap system call. I mean we could intercept the internal kernel function do_mmap_pgoff. This is used by the mmap system call but also (and more importantly) by the execve system call and the uselib system call. So any attempt to map a file and execute the code in that file - whether via exec or via mapping a shared object - will go through do_mmap_pgoff. So if we disable do_mmap_pgoff() requests which ask for execute permission when a setuid has caused RLIMIT_NPROC to be exceeded, then we catch every attempt to run the user's code as the user. I won't catch a situation where an interpreter is already loaded into the root-owned process and the setuid is followed by loading a script and running that, it is isn't perfect. But I think it is more general than just trapping in execve. NeilBrown