* Identified Redundant Capability Check in File Access under /proc/sys
@ 2024-01-28  8:45 孟敬姿
  2024-01-29 14:56 ` Aleksa Sarai
  0 siblings, 1 reply; 2+ messages in thread
From: 孟敬姿 @ 2024-01-28  8:45 UTC (permalink / raw)
  To: linux-kernel, linux-fsdevel

Hello developers,

I hope this message finds you well. I wanted to bring to your attention an observation regarding file access under /proc/sys in the kernel source code.

Upon review, it appears that certain files are protected by capabilities in the kernel source code; however, the capability check does not seem to be effectively enforced during file access.

For example, I noticed this inconsistency in the access functions of some special files:
1. The access function mmap_min_addr_handler() in /proc/sys/vm/mmap_min_addr utilizes the CAP_SYS_RAWIO check.
2. The access function proc_dointvec_minmax_sysadmin() in /proc/sys/kernel/kptr_restrict requires the CAP_SYS_ADMIN check.

Despite these capability checks in the source code, when accessing a file, it undergoes a UGO permission check before triggering these specialized file access functions. The UGO permissions for these files are configured as root:root rw- r-- r--, meaning only the root user can pass the UGO check.

As a result, to access these files, one must be the root user, who inherently possesses all capabilities. Consequently, the capabilities check in the file access function seems redundant.

Please consider reviewing and adjusting the capability checks in the mentioned access functions for better alignment with the UGO permissions.

Thank you for your attention to this matter.

Best regards,
Jingzi Meng

* Re: Identified Redundant Capability Check in File Access under /proc/sys
  2024-01-28  8:45 Identified Redundant Capability Check in File Access under /proc/sys 孟敬姿
@ 2024-01-29 14:56 ` Aleksa Sarai
  0 siblings, 0 replies; 2+ messages in thread
From: Aleksa Sarai @ 2024-01-29 14:56 UTC (permalink / raw)
  To: 孟敬姿; +Cc: linux-kernel, linux-fsdevel

On 2024-01-28, 孟敬姿 <mengjingzi@iie.ac.cn> wrote:
> Hello developers,
> 
> I hope this message finds you well. I wanted to bring to your
> attention an observation regarding file access under /proc/sys in the
> kernel source code.
> 
> Upon review, it appears that certain files are protected by
> capabilities in the kernel source code; however, the capability check
> does not seem to be effectively enforced during file access.
> 
> For example, I noticed this inconsistency in the access functions of some special files:
> 1. The access function mmap_min_addr_handler() in /proc/sys/vm/mmap_min_addr utilizes the CAP_SYS_RAWIO check.
> 2. The access function proc_dointvec_minmax_sysadmin() in /proc/sys/kernel/kptr_restrict requires the CAP_SYS_ADMIN check.
> 
> Despite these capability checks in the source code, when accessing a
> file, it undergoes a UGO permission check before triggering these
> specialized file access functions. The UGO permissions for these files
> are configured as root:root rw- r-- r--, meaning only the root user
> can pass the UGO check.
> 
> As a result, to access these files, one must be the root user, who
> inherently possesses all capabilities. Consequently, the capabilities
> check in the file access function seems redundant.
> 
> Please consider reviewing and adjusting the capability checks in the
> mentioned access functions for better alignment with the UGO
> permissions.

These are not redundant -- opening a file and writing to a file
descriptor are different operations that can be done by:

 1. The same process with the same credential set (what you're
    describing);
 2. The same process but with the write operation happening after a
    setuid() or similar operation that changed its credentials; or
 3. A different process that has been given access to the file
    descriptor (passing it as an open file to a subprocess, SCM_RIGHTS,
    etc.)

On Unix, access checks when opening a file for writing are different to
access checks when doing a write operation. For some sysctls, it is
prudent to restrict both the open and write operations to privileged
users.

> Thank you for your attention to this matter.
> 
> Best regards,
> Jingzi Meng

-- 
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
<https://www.cyphar.com/>

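The two user-space observations behind the reply above, as an added example (this is not code from either message or from the kernel tree): the DAC permission check on a file happens once, at open(); a later write() is checked only against the mode the descriptor was opened with, and a descriptor handed to another process over SCM_RIGHTS lets that process write without ever passing an open-time check itself. That is why a sysctl handler's own capability check at write time (cases 1 and 3 in the list) still does work. Case 2 (setuid after open) needs privilege to reproduce and is not shown. The scratch path under /tmp is a constructed value.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Pass one descriptor over a UNIX-domain socket using SCM_RIGHTS. Returns 0 on success. */
static int send_fd(int sock, int fd)
{
    char byte = 'F';                                   /* one data byte is required */
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    memset(&u, 0, sizeof u);
    struct msghdr msg = {0};
    msg.msg_iov = &iov;          msg.msg_iovlen = 1;
    msg.msg_control = u.buf;     msg.msg_controllen = sizeof u.buf;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type  = SCM_RIGHTS;
    c->cmsg_len   = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor sent by send_fd(). Returns the new fd, or -1. */
static int recv_fd(int sock)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = {0};
    msg.msg_iov = &iov;          msg.msg_iovlen = 1;
    msg.msg_control = u.buf;     msg.msg_controllen = sizeof u.buf;
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Case 1: open read-write, strip every permission bit from the file, then write
 * through the already-open descriptor. The write is checked against the open-time
 * mode (O_RDWR), not the file's current mode, so it succeeds. Returns bytes written. */
ssize_t write_after_chmod(const char *path, const char *msg)
{
    int fd = open(path, O_RDWR | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    if (fchmod(fd, 0) < 0) { close(fd); unlink(path); return -1; }
    ssize_t n = write(fd, msg, strlen(msg));   /* still allowed: mode 000 only affects new open()s */
    close(fd);
    unlink(path);
    return n;
}

/* Case 3: the parent opens the file; the child never calls open() on it but receives
 * the descriptor over SCM_RIGHTS and writes. Returns 1 if the child's data landed. */
int write_via_passed_fd(const char *path, const char *msg)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0;
    int fd = open(path, O_RDWR | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return 0;
    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) {
        close(sv[0]);
        close(fd);                                     /* child keeps no copy of the parent's fd */
        int rfd = recv_fd(sv[1]);
        int ok = rfd >= 0 && write(rfd, msg, strlen(msg)) == (ssize_t)strlen(msg);
        _exit(ok ? 0 : 1);
    }
    close(sv[1]);
    int rc = send_fd(sv[0], fd);
    int status = 0;
    waitpid(pid, &status, 0);
    close(sv[0]);
    char buf[256] = {0};
    ssize_t n = pread(fd, buf, sizeof buf - 1, 0);    /* read back what the child wrote */
    close(fd);
    unlink(path);
    return rc == 0 && WIFEXITED(status) && WEXITSTATUS(status) == 0 &&
           n == (ssize_t)strlen(msg) && strcmp(buf, msg) == 0;
}

int main(void)
{
    const char *p = "/tmp/sysctl_fd_demo.txt";        /* constructed scratch path */
    printf("write after chmod 000: %zd bytes\n", write_after_chmod(p, "hello"));
    printf("write via SCM_RIGHTS fd: %s\n", write_via_passed_fd(p, "hello") ? "landed" : "failed");
    return 0;
}
```

Read against /proc/sys: the root:root 0644 mode only decides who may open() the sysctl file; once a descriptor exists, DAC is not consulted again, so the capability test inside the handler is the only check that runs with the credentials of whoever actually performs the write.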
