* Re: + mm-relax-ptrace-mode-in-process_vm_readv2.patch added to -mm tree [not found] ` <CAGXu5jKP03X7+XX9Oq+vVjQJhO1+A9ZyLDD+Gsxv2nRCgVD4wQ@mail.gmail.com> @ 2018-03-06 17:42 ` Alexey Dobriyan 2018-03-06 18:03 ` Alexey Dobriyan 0 siblings, 1 reply; 3+ messages in thread From: Alexey Dobriyan @ 2018-03-06 17:42 UTC (permalink / raw) To: Kees Cook; +Cc: Andrew Morton, Jann Horn, linux-kernel On Mon, Mar 05, 2018 at 05:02:08PM -0800, Kees Cook wrote: > On Mon, Mar 5, 2018 at 4:07 PM, <akpm@linux-foundation.org> wrote: > > It is more natural to check for read-from-memory permissions in case of > > process_vm_readv() as PTRACE_MODE_ATTACH is equivalent to write > > permissions. > > NAK, this weakens the existing permission model for reading What if existing permission model is overezealous? /proc/*/auxv, /proc/*/environ, /proc*/cmdline, /proc/*/mem opened for reading and process_vm_readv(2) should do PTRACE_MODE_READ and everything else should do PTRACE_MODE_ATTACH. > cross-process memory. ptrace-readable memory can only be done with > ATTACH, and /proc/$pid/mem also requires ATTACH: > > static int mem_open(struct inode *inode, struct file *file) > { > int ret = __mem_open(inode, file, PTRACE_MODE_ATTACH); > > Only auxv and environ use READ. We should absolutely not create a pass > to a lower permission requirement here. ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: + mm-relax-ptrace-mode-in-process_vm_readv2.patch added to -mm tree 2018-03-06 17:42 ` + mm-relax-ptrace-mode-in-process_vm_readv2.patch added to -mm tree Alexey Dobriyan @ 2018-03-06 18:03 ` Alexey Dobriyan 2018-03-06 22:31 ` Kees Cook 0 siblings, 1 reply; 3+ messages in thread From: Alexey Dobriyan @ 2018-03-06 18:03 UTC (permalink / raw) To: Kees Cook; +Cc: Andrew Morton, Jann Horn, linux-kernel On Tue, Mar 06, 2018 at 08:42:19PM +0300, Alexey Dobriyan wrote: > On Mon, Mar 05, 2018 at 05:02:08PM -0800, Kees Cook wrote: > > On Mon, Mar 5, 2018 at 4:07 PM, <akpm@linux-foundation.org> wrote: > > > > It is more natural to check for read-from-memory permissions in case of > > > process_vm_readv() as PTRACE_MODE_ATTACH is equivalent to write > > > permissions. > > > > NAK, this weakens the existing permission model for reading > > What if existing permission model is overezealous? > > /proc/*/auxv, /proc/*/environ, /proc*/cmdline, /proc/*/mem opened > for reading and process_vm_readv(2) should do PTRACE_MODE_READ and > everything else should do PTRACE_MODE_ATTACH. Or in other words: what if there should be 3 levels: 1) permission to write to address space 2) permission to read arbitrarily from adress space 3) permission to read auxv, argv and envp Current code conflates (1) and (2). ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: + mm-relax-ptrace-mode-in-process_vm_readv2.patch added to -mm tree 2018-03-06 18:03 ` Alexey Dobriyan @ 2018-03-06 22:31 ` Kees Cook 0 siblings, 0 replies; 3+ messages in thread From: Kees Cook @ 2018-03-06 22:31 UTC (permalink / raw) To: Alexey Dobriyan, Andy Lutomirski; +Cc: Andrew Morton, Jann Horn, LKML On Tue, Mar 6, 2018 at 10:03 AM, Alexey Dobriyan <adobriyan@gmail.com> wrote: > On Tue, Mar 06, 2018 at 08:42:19PM +0300, Alexey Dobriyan wrote: >> On Mon, Mar 05, 2018 at 05:02:08PM -0800, Kees Cook wrote: >> > On Mon, Mar 5, 2018 at 4:07 PM, <akpm@linux-foundation.org> wrote: >> >> > > It is more natural to check for read-from-memory permissions in case of >> > > process_vm_readv() as PTRACE_MODE_ATTACH is equivalent to write >> > > permissions. >> > >> > NAK, this weakens the existing permission model for reading >> >> What if existing permission model is overezealous? >> >> /proc/*/auxv, /proc/*/environ, /proc*/cmdline, /proc/*/mem opened >> for reading and process_vm_readv(2) should do PTRACE_MODE_READ and >> everything else should do PTRACE_MODE_ATTACH. > > Or in other words: > > what if there should be 3 levels: > 1) permission to write to address space > 2) permission to read arbitrarily from adress space > 3) permission to read auxv, argv and envp > > Current code conflates (1) and (2). There is also: 4) permission to read address layout (e.g. access to /proc/$pid/maps) 1 and 2 require ATTACH 3 and 4 require READ ATTACH is a higher bar, and I think it is appropriate here, still, for 2, since being able to examine secrets in memory should be considered a security boundary. Is there something you're trying from userspace that is being blocked? -Kees -- Kees Cook Pixel Security ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2018-03-06 22:31 UTC | newest] Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- [not found] <20180306000721.gx9qqFGe8%akpm@linux-foundation.org> [not found] ` <CAGXu5jKP03X7+XX9Oq+vVjQJhO1+A9ZyLDD+Gsxv2nRCgVD4wQ@mail.gmail.com> 2018-03-06 17:42 ` + mm-relax-ptrace-mode-in-process_vm_readv2.patch added to -mm tree Alexey Dobriyan 2018-03-06 18:03 ` Alexey Dobriyan 2018-03-06 22:31 ` Kees Cook
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).