From: Michael Ellerman <mpe@ellerman.id.au>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andy Shevchenko <andy.shevchenko@gmail.com>,
Kees Cook <keescook@chromium.org>,
"Paul E. McKenney" <paulmck@linux.vnet.ibm.com>,
David Laight <David.Laight@aculab.com>,
"linux-kernel\@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"mingo\@kernel.org" <mingo@kernel.org>,
"jiangshanlai\@gmail.com" <jiangshanlai@gmail.com>,
"dipankar\@in.ibm.com" <dipankar@in.ibm.com>,
"akpm\@linux-foundation.org" <akpm@linux-foundation.org>,
"mathieu.desnoyers\@efficios.com"
<mathieu.desnoyers@efficios.com>,
"josh\@joshtriplett.org" <josh@joshtriplett.org>,
"tglx\@linutronix.de" <tglx@linutronix.de>,
"peterz\@infradead.org" <peterz@infradead.org>,
"rostedt\@goodmis.org" <rostedt@goodmis.org>,
"dhowells\@redhat.com" <dhowells@redhat.com>,
"edumazet\@google.com" <edumazet@google.com>,
"fweisbec\@gmail.com" <fweisbec@gmail.com>,
"oleg\@redhat.com" <oleg@redhat.com>,
"kernel-hardening\@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
"Tobin C. Harding" <me@tobin.cc>
Subject: Re: Long live %pK (was Re: [PATCH tip/core/rcu 02/20] torture: Prepare scripting for shift from %p to %pK)
Date: Wed, 13 Dec 2017 23:59:46 +1100 [thread overview]
Message-ID: <87r2ryaim5.fsf@concordia.ellerman.id.au> (raw)
In-Reply-To: <CA+55aFxHdAX_ztDMUyXihhUv_eftntHecGUUaV3qAtGj_ZbKCg@mail.gmail.com>
Linus Torvalds <torvalds@linux-foundation.org> writes:
> This is a perfect example of just %pK being complete shit.
>
> %pK doesn't actually do any file permissions right. It looks like it does
> it, but it's just a hot mess of garbage.
>
> And %pK doesn't even work the way you claim it does. Not in the general
> case, and only with a particular value.
Right. My email was only about the kptr_restrict = 1 case, but I didn't
actually make that clear.
But that's also sort of my point, it has multiple modes of operation,
which is useful.
> On Dec 11, 2017 21:26, "Michael Ellerman" <mpe@ellerman.id.au> wrote: I
> >
> >
> > I understand that the CAP_SYSLOG checking that %pK does is kind of
> > gross, but it does work in at least some useful cases like this.
> >
> > What am I missing?
>
>
> Just do the damn thing right, like /proc/kallsyms does these days.
>
> With the proper open time cred check, not the wrong one at io time.
OK, that's the piece I was missing - ie. what to do in the case where
%px for all users is too permissive but %p is not useful.
> Which has the added advantage that it actually does the right thing even
> when you don't have kptr_restrict set, or when you have patches to make it
> print zero even for people with capabilities.
>
> Don't depend on some random flag that has nothing to do with your actual
> example and that has random values for security.
> Just say no to kptr_restrict "logic". Your example basically depends
> entirely on one particular setting, when (a) real distributions have a
> different value and expose those pointers that your claim shouldn't be
> exposed and (b) other people are pushing for values that will hide the
> values that you claim area needed.
I'm still a bit confused by the above. Because kallsyms which is your
example of how to do it right, still uses kptr_restrict. I get that it
also checks kallsyms_for_perf(), but that's only in the
kptr_restrict = 0 case.
Anyway, I'll do a patch for vmallocinfo to do the CAP_SYSLOG check at
open time, and use that to decide if it should print 0 or the address.
I can't think of any other flag or setting to sensibly determine if
vmallocinfo should be visible, so I've just done:
if (kptr_restrict < 2 && has_capability_noaudit(current, CAP_SYSLOG))
priv->show_addrs = true;
else
priv->show_addrs = false;
So basically visible to root, unless kptr_restrict == 2, otherwise not
visible.
cheers
next prev parent reply other threads:[~2017-12-13 12:59 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-12-01 20:08 [PATCH tip/core/rcu 0/20] Torture-test updates for v4.16 Paul E. McKenney
2017-12-01 20:08 ` [PATCH tip/core/rcu 01/20] torture: Suppress CPU stall warnings during shutdown ftrace dump Paul E. McKenney
2017-12-01 20:08 ` [PATCH tip/core/rcu 02/20] torture: Prepare scripting for shift from %p to %pK Paul E. McKenney
2017-12-04 12:32 ` David Laight
2017-12-04 13:42 ` Paul E. McKenney
2017-12-04 14:13 ` David Laight
2017-12-04 16:11 ` Paul E. McKenney
2017-12-10 12:52 ` Andy Shevchenko
2017-12-10 18:51 ` Paul E. McKenney
2017-12-10 20:39 ` Linus Torvalds
2017-12-10 21:47 ` Paul E. McKenney
2017-12-11 19:59 ` Kees Cook
2017-12-12 16:08 ` Paul E. McKenney
[not found] ` <87wp1sa55h.fsf@concordia.ellerman.id.au>
[not found] ` <CA+55aFxHdAX_ztDMUyXihhUv_eftntHecGUUaV3qAtGj_ZbKCg@mail.gmail.com>
2017-12-13 12:59 ` Michael Ellerman [this message]
2017-12-13 18:21 ` Long live %pK (was Re: [PATCH tip/core/rcu 02/20] torture: Prepare scripting for shift from %p to %pK) Linus Torvalds
2017-12-01 20:08 ` [PATCH tip/core/rcu 03/20] rcutorture: Change printk() %p to %pK Paul E. McKenney
2017-12-01 20:08 ` [PATCH tip/core/rcu 04/20] torture: Reduce #ifdefs for preempt_schedule() Paul E. McKenney
2017-12-01 20:08 ` [PATCH tip/core/rcu 05/20] rcutorture: Preempt RCU-preempt readers more vigorously Paul E. McKenney
2017-12-01 20:08 ` [PATCH tip/core/rcu 06/20] rcutorture/configinit: Fix build directory error message Paul E. McKenney
2017-12-01 20:08 ` [PATCH tip/core/rcu 07/20] rcutorture: Remove unused script, config2frag.sh Paul E. McKenney
2017-12-01 20:08 ` [PATCH tip/core/rcu 08/20] rcutorture/kvm.sh: Remove unused variable, `alldone` Paul E. McKenney
2017-12-01 20:08 ` [PATCH tip/core/rcu 09/20] rcutorture/kvm.sh: Use consistent help text for --qemu-args Paul E. McKenney
2017-12-01 20:08 ` [PATCH tip/core/rcu 10/20] rcutorture/kvm.sh: Support execution from any directory Paul E. McKenney
2017-12-01 20:08 ` [PATCH tip/core/rcu 11/20] rcutorture/kvm-recheck-*: Improve result directory readability check Paul E. McKenney
2017-12-01 20:08 ` [PATCH tip/core/rcu 12/20] rcutorture: Simplify logging Paul E. McKenney
2017-12-01 20:08 ` [PATCH tip/core/rcu 13/20] rcutorture: Simplify functions.sh include path Paul E. McKenney
2017-12-01 20:08 ` [PATCH tip/core/rcu 14/20] rcutorture/kvm-build.sh: Skip build directory check Paul E. McKenney
2017-12-01 20:09 ` [PATCH tip/core/rcu 15/20] torture: Place all torture-test modules in one MAINTAINERS group Paul E. McKenney
2017-12-01 20:09 ` [PATCH tip/core/rcu 16/20] locking/locktorture: Fix rwsem reader_delay Paul E. McKenney
2017-12-01 20:09 ` [PATCH tip/core/rcu 17/20] locking/locktorture: Fix num reader/writer corner cases Paul E. McKenney
2017-12-01 20:09 ` [PATCH tip/core/rcu 18/20] torture: Make stutter less vulnerable to compilers and races Paul E. McKenney
2017-12-01 20:09 ` [PATCH tip/core/rcu 19/20] torture: Eliminate torture_runnable and perf_runnable Paul E. McKenney
2017-12-01 20:09 ` [PATCH tip/core/rcu 20/20] torture: Save a line in stutter_wait(): while -> for Paul E. McKenney
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87r2ryaim5.fsf@concordia.ellerman.id.au \
--to=mpe@ellerman.id.au \
--cc=David.Laight@aculab.com \
--cc=akpm@linux-foundation.org \
--cc=andy.shevchenko@gmail.com \
--cc=dhowells@redhat.com \
--cc=dipankar@in.ibm.com \
--cc=edumazet@google.com \
--cc=fweisbec@gmail.com \
--cc=jiangshanlai@gmail.com \
--cc=josh@joshtriplett.org \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mathieu.desnoyers@efficios.com \
--cc=me@tobin.cc \
--cc=mingo@kernel.org \
--cc=oleg@redhat.com \
--cc=paulmck@linux.vnet.ibm.com \
--cc=peterz@infradead.org \
--cc=rostedt@goodmis.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).