LKML Archive on lore.kernel.org
 help / color / Atom feed
From: Michael Ellerman <mpe@ellerman.id.au>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andy Shevchenko <andy.shevchenko@gmail.com>,
	Kees Cook <keescook@chromium.org>,
	"Paul E. McKenney" <paulmck@linux.vnet.ibm.com>,
	David Laight <David.Laight@aculab.com>,
	"linux-kernel\@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"mingo\@kernel.org" <mingo@kernel.org>,
	"jiangshanlai\@gmail.com" <jiangshanlai@gmail.com>,
	"dipankar\@in.ibm.com" <dipankar@in.ibm.com>,
	"akpm\@linux-foundation.org" <akpm@linux-foundation.org>,
	"mathieu.desnoyers\@efficios.com"
	<mathieu.desnoyers@efficios.com>,
	"josh\@joshtriplett.org" <josh@joshtriplett.org>,
	"tglx\@linutronix.de" <tglx@linutronix.de>,
	"peterz\@infradead.org" <peterz@infradead.org>,
	"rostedt\@goodmis.org" <rostedt@goodmis.org>,
	"dhowells\@redhat.com" <dhowells@redhat.com>,
	"edumazet\@google.com" <edumazet@google.com>,
	"fweisbec\@gmail.com" <fweisbec@gmail.com>,
	"oleg\@redhat.com" <oleg@redhat.com>,
	"kernel-hardening\@lists.openwall.com" 
	<kernel-hardening@lists.openwall.com>,
	"Tobin C. Harding" <me@tobin.cc>
Subject: Re: Long live %pK (was Re: [PATCH tip/core/rcu 02/20] torture: Prepare scripting for shift from %p to %pK)
Date: Wed, 13 Dec 2017 23:59:46 +1100
Message-ID: <87r2ryaim5.fsf@concordia.ellerman.id.au> (raw)
In-Reply-To: <CA+55aFxHdAX_ztDMUyXihhUv_eftntHecGUUaV3qAtGj_ZbKCg@mail.gmail.com>

Linus Torvalds <torvalds@linux-foundation.org> writes:

> This is a perfect example of just %pK being complete shit.
>
> %pK doesn't actually do any file permissions right. It looks like it does
> it, but it's just a hot mess of garbage.
>
> And %pK doesn't even work the way you claim it does. Not in the general
> case, and only with a particular value.

Right. My email was only about the kptr_restrict = 1 case, but I didn't
actually make that clear.

But that's also sort of my point, it has multiple modes of operation,
which is useful.

> On Dec 11, 2017 21:26, "Michael Ellerman" <mpe@ellerman.id.au> wrote: I
> >
> >
> > I understand that the CAP_SYSLOG checking that %pK does is kind of
> > gross, but it does work in at least some useful cases like this.
> >
> > What am I missing?
>
>
> Just do the damn thing right, like /proc/kallsyms does these days.
>
> With the proper open time cred check, not the wrong one at io time.

OK, that's the piece I was missing - ie. what to do in the case where
%px for all users is too permissive but %p is not useful.

> Which has the added advantage that it actually does the right thing even
> when you don't have kptr_restrict set, or when you have patches to make it
> print zero even for people with capabilities.
>
> Don't depend on some random flag that has nothing to do with your actual
> example and that has random values for security.

> Just say no to kptr_restrict "logic". Your example basically depends
> entirely on one particular setting, when (a) real distributions have a
> different value and expose those pointers that your claim shouldn't be
> exposed and (b) other people are pushing for values that will hide the
> values that you claim area needed.

I'm still a bit confused by the above. Because kallsyms which is your
example of how to do it right, still uses kptr_restrict. I get that it
also checks kallsyms_for_perf(), but that's only in the
kptr_restrict = 0 case.

Anyway, I'll do a patch for vmallocinfo to do the CAP_SYSLOG check at
open time, and use that to decide if it should print 0 or the address.

I can't think of any other flag or setting to sensibly determine if
vmallocinfo should be visible, so I've just done:

	if (kptr_restrict < 2 && has_capability_noaudit(current, CAP_SYSLOG))
		priv->show_addrs = true;
	else
		priv->show_addrs = false;

So basically visible to root, unless kptr_restrict == 2, otherwise not
visible. 

cheers

  parent reply index

Thread overview: 33+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-12-01 20:08 [PATCH tip/core/rcu 0/20] Torture-test updates for v4.16 Paul E. McKenney
2017-12-01 20:08 ` [PATCH tip/core/rcu 01/20] torture: Suppress CPU stall warnings during shutdown ftrace dump Paul E. McKenney
2017-12-01 20:08 ` [PATCH tip/core/rcu 02/20] torture: Prepare scripting for shift from %p to %pK Paul E. McKenney
2017-12-04 12:32   ` David Laight
2017-12-04 13:42     ` Paul E. McKenney
2017-12-04 14:13       ` David Laight
2017-12-04 16:11         ` Paul E. McKenney
2017-12-10 12:52           ` Andy Shevchenko
2017-12-10 18:51             ` Paul E. McKenney
2017-12-10 20:39             ` Linus Torvalds
2017-12-10 21:47               ` Paul E. McKenney
2017-12-11 19:59                 ` Kees Cook
2017-12-12 16:08                   ` Paul E. McKenney
     [not found]               ` <87wp1sa55h.fsf@concordia.ellerman.id.au>
     [not found]                 ` <CA+55aFxHdAX_ztDMUyXihhUv_eftntHecGUUaV3qAtGj_ZbKCg@mail.gmail.com>
2017-12-13 12:59                   ` Michael Ellerman [this message]
2017-12-13 18:21                     ` Long live %pK (was Re: [PATCH tip/core/rcu 02/20] torture: Prepare scripting for shift from %p to %pK) Linus Torvalds
2017-12-01 20:08 ` [PATCH tip/core/rcu 03/20] rcutorture: Change printk() %p to %pK Paul E. McKenney
2017-12-01 20:08 ` [PATCH tip/core/rcu 04/20] torture: Reduce #ifdefs for preempt_schedule() Paul E. McKenney
2017-12-01 20:08 ` [PATCH tip/core/rcu 05/20] rcutorture: Preempt RCU-preempt readers more vigorously Paul E. McKenney
2017-12-01 20:08 ` [PATCH tip/core/rcu 06/20] rcutorture/configinit: Fix build directory error message Paul E. McKenney
2017-12-01 20:08 ` [PATCH tip/core/rcu 07/20] rcutorture: Remove unused script, config2frag.sh Paul E. McKenney
2017-12-01 20:08 ` [PATCH tip/core/rcu 08/20] rcutorture/kvm.sh: Remove unused variable, `alldone` Paul E. McKenney
2017-12-01 20:08 ` [PATCH tip/core/rcu 09/20] rcutorture/kvm.sh: Use consistent help text for --qemu-args Paul E. McKenney
2017-12-01 20:08 ` [PATCH tip/core/rcu 10/20] rcutorture/kvm.sh: Support execution from any directory Paul E. McKenney
2017-12-01 20:08 ` [PATCH tip/core/rcu 11/20] rcutorture/kvm-recheck-*: Improve result directory readability check Paul E. McKenney
2017-12-01 20:08 ` [PATCH tip/core/rcu 12/20] rcutorture: Simplify logging Paul E. McKenney
2017-12-01 20:08 ` [PATCH tip/core/rcu 13/20] rcutorture: Simplify functions.sh include path Paul E. McKenney
2017-12-01 20:08 ` [PATCH tip/core/rcu 14/20] rcutorture/kvm-build.sh: Skip build directory check Paul E. McKenney
2017-12-01 20:09 ` [PATCH tip/core/rcu 15/20] torture: Place all torture-test modules in one MAINTAINERS group Paul E. McKenney
2017-12-01 20:09 ` [PATCH tip/core/rcu 16/20] locking/locktorture: Fix rwsem reader_delay Paul E. McKenney
2017-12-01 20:09 ` [PATCH tip/core/rcu 17/20] locking/locktorture: Fix num reader/writer corner cases Paul E. McKenney
2017-12-01 20:09 ` [PATCH tip/core/rcu 18/20] torture: Make stutter less vulnerable to compilers and races Paul E. McKenney
2017-12-01 20:09 ` [PATCH tip/core/rcu 19/20] torture: Eliminate torture_runnable and perf_runnable Paul E. McKenney
2017-12-01 20:09 ` [PATCH tip/core/rcu 20/20] torture: Save a line in stutter_wait(): while -> for Paul E. McKenney

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87r2ryaim5.fsf@concordia.ellerman.id.au \
    --to=mpe@ellerman.id.au \
    --cc=David.Laight@aculab.com \
    --cc=akpm@linux-foundation.org \
    --cc=andy.shevchenko@gmail.com \
    --cc=dhowells@redhat.com \
    --cc=dipankar@in.ibm.com \
    --cc=edumazet@google.com \
    --cc=fweisbec@gmail.com \
    --cc=jiangshanlai@gmail.com \
    --cc=josh@joshtriplett.org \
    --cc=keescook@chromium.org \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mathieu.desnoyers@efficios.com \
    --cc=me@tobin.cc \
    --cc=mingo@kernel.org \
    --cc=oleg@redhat.com \
    --cc=paulmck@linux.vnet.ibm.com \
    --cc=peterz@infradead.org \
    --cc=rostedt@goodmis.org \
    --cc=tglx@linutronix.de \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

LKML Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/lkml/0 lkml/git/0.git
	git clone --mirror https://lore.kernel.org/lkml/1 lkml/git/1.git
	git clone --mirror https://lore.kernel.org/lkml/2 lkml/git/2.git
	git clone --mirror https://lore.kernel.org/lkml/3 lkml/git/3.git
	git clone --mirror https://lore.kernel.org/lkml/4 lkml/git/4.git
	git clone --mirror https://lore.kernel.org/lkml/5 lkml/git/5.git
	git clone --mirror https://lore.kernel.org/lkml/6 lkml/git/6.git
	git clone --mirror https://lore.kernel.org/lkml/7 lkml/git/7.git
	git clone --mirror https://lore.kernel.org/lkml/8 lkml/git/8.git
	git clone --mirror https://lore.kernel.org/lkml/9 lkml/git/9.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 lkml lkml/ https://lore.kernel.org/lkml \
		linux-kernel@vger.kernel.org
	public-inbox-index lkml

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-kernel


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git