From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753366AbcAXBaI (ORCPT <rfc822;w@1wt.eu>);
	Sat, 23 Jan 2016 20:30:08 -0500
Received: from out01.mta.xmission.com ([166.70.13.231]:34599 "EHLO
	out01.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751978AbcAXBaE (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Sat, 23 Jan 2016 20:30:04 -0500
From: ebiederm@xmission.com (Eric W. Biederman)
To: Jann Horn <jann@thejh.net>
Cc: kernel-hardening@lists.openwall.com, Kees Cook <keescook@chromium.org>,
        Andrew Morton <akpm@linux-foundation.org>,
        Al Viro <viro@zeniv.linux.org.uk>, Richard Weinberger <richard@nod.at>,
        Andy Lutomirski <luto@amacapital.net>,
        Robert =?utf-8?B?xZp3acSZY2tp?= <robert@swiecki.net>,
        Dmitry Vyukov <dvyukov@google.com>,
        David Howells <dhowells@redhat.com>, Miklos Szeredi <mszeredi@suse.cz>,
        Kostya Serebryany <kcc@google.com>,
        Alexander Potapenko <glider@google.com>,
        Eric Dumazet <edumazet@google.com>,
        Sasha Levin <sasha.levin@oracle.com>, linux-doc@vger.kernel.org,
        linux-kernel@vger.kernel.org
References: <1453502345-30416-1-git-send-email-keescook@chromium.org>
	<1453502345-30416-2-git-send-email-keescook@chromium.org>
	<87oacdyos0.fsf@x220.int.ebiederm.org>
	<20160123222540.GA9740@pc.thejh.net>
Date: Sat, 23 Jan 2016 19:20:17 -0600
In-Reply-To: <20160123222540.GA9740@pc.thejh.net> (Jann Horn's message of
	"Sat, 23 Jan 2016 23:25:40 +0100")
Message-ID: <87mvrvwz72.fsf@x220.int.ebiederm.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-XM-AID: U2FsdGVkX1+Tstssg/O9jNi4YC2njG4vBijgEvAadvM=
X-SA-Exim-Connect-IP: 97.121.81.63
X-SA-Exim-Mail-From: ebiederm@xmission.com
X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
	*  1.5 XMNoVowels Alpha-numberic number with no vowels
	*  0.7 XMSubLong Long Subject
	*  0.5 XMGappySubj_01 Very gappy subject
	*  0.0 TVD_RCVD_IP Message was received from an IP address
	*  0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available.
	*  1.7 FUZZY_CREDIT BODY: Attempt to obfuscate words in spam
	*  0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
	*      [score: 0.5000]
	* -0.0 DCC_CHECK_NEGATIVE Not listed in DCC
	*      [sa07 1397; Body=1 Fuz1=1 Fuz2=1]
	*  0.0 T_TooManySym_01 4+ unique symbols in subject
	*  0.0 T_TooManySym_02 5+ unique symbols in subject
X-Spam-DCC: XMission; sa07 1397; Body=1 Fuz1=1 Fuz2=1 
X-Spam-Combo: ****;Jann Horn <jann@thejh.net>
X-Spam-Relay-Country: 
X-Spam-Timing: total 339 ms - load_scoreonly_sql: 0.05 (0.0%),
	signal_user_changed: 4.3 (1.3%), b_tie_ro: 3.0 (0.9%), parse: 1.12 (0.3%),
	extract_message_metadata: 17 (5.1%), get_uri_detail_list: 1.78 (0.5%),
	tests_pri_-1000: 6 (1.9%), tests_pri_-950: 1.28 (0.4%), tests_pri_-900: 1.07
	(0.3%), tests_pri_-400: 25 (7.3%), check_bayes: 23 (6.9%), b_tokenize: 7
	(2.0%), b_tok_get_all: 8 (2.3%), b_comp_prob: 3.0 (0.9%), b_tok_touch_all:
	3.4 (1.0%), b_finish: 0.78 (0.2%), tests_pri_0: 273 (80.7%),
	check_dkim_signature: 0.52 (0.2%), check_dkim_adsp: 22 (6.5%), tests_pri_500:
	6 (1.7%), poll_dns_idle: 0.13 (0.0%), rewrite_mail: 0.00 (0.0%)
Subject: Re: [kernel-hardening] Re: [PATCH 1/2] sysctl: expand use of proc_dointvec_minmax_sysadmin
X-Spam-Flag: No
X-SA-Exim-Version: 4.2.1 (built Wed, 24 Sep 2014 11:00:52 -0600)
X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Jann Horn <jann@thejh.net> writes:

> On Fri, Jan 22, 2016 at 09:10:07PM -0600, Eric W. Biederman wrote:
>> Kees Cook <keescook@chromium.org> writes:
>> 
>> > Several sysctls expect a state where the highest value (in extra2) is
>> > locked once set for that boot. Yama does this, and kptr_restrict should
>> > be doing it. This extracts Yama's logic and adds it to the existing
>> > proc_dointvec_minmax_sysadmin, taking care to avoid the simple boolean
>> > states (which do not get locked). Since Yama wants to be checking a
>> > different capability, we build wrappers for both cases (CAP_SYS_ADMIN
>> > and CAP_SYS_PTRACE).
>> 
>> Sigh this sysctl appears susceptible to known attacks.
>> 
>> In my quick skim I believe this sysctl implementation that checks
>> capabilities is susceptible to attacks where the already open file
>> descriptor is set as stdout on a setuid root application.
>> 
>> Can we come up with an interface that isn't exploitable by an
>> application that will act as a setuid cat?
>
> Adding the struct file * to the parameters of all proc_handler
> functions would work, right? (Or just filp->f_cred? That would be
> less generic.)
>
> A quick grep says that's just about 160 functions that'll need to
> be changed. :/

Yep.  That is about the size of it.  file * used to be passed to the
sysctl methods but it was removed several years ago because no one was
using it.

Eric