* Re: + mm-relax-ptrace-mode-in-process_vm_readv2.patch added to -mm tree
[not found] ` <CAGXu5jKP03X7+XX9Oq+vVjQJhO1+A9ZyLDD+Gsxv2nRCgVD4wQ@mail.gmail.com>
@ 2018-03-06 17:42 ` Alexey Dobriyan
2018-03-06 18:03 ` Alexey Dobriyan
0 siblings, 1 reply; 3+ messages in thread
From: Alexey Dobriyan @ 2018-03-06 17:42 UTC (permalink / raw)
To: Kees Cook; +Cc: Andrew Morton, Jann Horn, linux-kernel
On Mon, Mar 05, 2018 at 05:02:08PM -0800, Kees Cook wrote:
> On Mon, Mar 5, 2018 at 4:07 PM, <akpm@linux-foundation.org> wrote:
> > It is more natural to check for read-from-memory permissions in case of
> > process_vm_readv() as PTRACE_MODE_ATTACH is equivalent to write
> > permissions.
>
> NAK, this weakens the existing permission model for reading
What if existing permission model is overezealous?
/proc/*/auxv, /proc/*/environ, /proc*/cmdline, /proc/*/mem opened
for reading and process_vm_readv(2) should do PTRACE_MODE_READ and
everything else should do PTRACE_MODE_ATTACH.
> cross-process memory. ptrace-readable memory can only be done with
> ATTACH, and /proc/$pid/mem also requires ATTACH:
>
> static int mem_open(struct inode *inode, struct file *file)
> {
> int ret = __mem_open(inode, file, PTRACE_MODE_ATTACH);
>
> Only auxv and environ use READ. We should absolutely not create a pass
> to a lower permission requirement here.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: + mm-relax-ptrace-mode-in-process_vm_readv2.patch added to -mm tree
2018-03-06 17:42 ` + mm-relax-ptrace-mode-in-process_vm_readv2.patch added to -mm tree Alexey Dobriyan
@ 2018-03-06 18:03 ` Alexey Dobriyan
2018-03-06 22:31 ` Kees Cook
0 siblings, 1 reply; 3+ messages in thread
From: Alexey Dobriyan @ 2018-03-06 18:03 UTC (permalink / raw)
To: Kees Cook; +Cc: Andrew Morton, Jann Horn, linux-kernel
On Tue, Mar 06, 2018 at 08:42:19PM +0300, Alexey Dobriyan wrote:
> On Mon, Mar 05, 2018 at 05:02:08PM -0800, Kees Cook wrote:
> > On Mon, Mar 5, 2018 at 4:07 PM, <akpm@linux-foundation.org> wrote:
>
> > > It is more natural to check for read-from-memory permissions in case of
> > > process_vm_readv() as PTRACE_MODE_ATTACH is equivalent to write
> > > permissions.
> >
> > NAK, this weakens the existing permission model for reading
>
> What if existing permission model is overezealous?
>
> /proc/*/auxv, /proc/*/environ, /proc*/cmdline, /proc/*/mem opened
> for reading and process_vm_readv(2) should do PTRACE_MODE_READ and
> everything else should do PTRACE_MODE_ATTACH.
Or in other words:
what if there should be 3 levels:
1) permission to write to address space
2) permission to read arbitrarily from adress space
3) permission to read auxv, argv and envp
Current code conflates (1) and (2).
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: + mm-relax-ptrace-mode-in-process_vm_readv2.patch added to -mm tree
2018-03-06 18:03 ` Alexey Dobriyan
@ 2018-03-06 22:31 ` Kees Cook
0 siblings, 0 replies; 3+ messages in thread
From: Kees Cook @ 2018-03-06 22:31 UTC (permalink / raw)
To: Alexey Dobriyan, Andy Lutomirski; +Cc: Andrew Morton, Jann Horn, LKML
On Tue, Mar 6, 2018 at 10:03 AM, Alexey Dobriyan <adobriyan@gmail.com> wrote:
> On Tue, Mar 06, 2018 at 08:42:19PM +0300, Alexey Dobriyan wrote:
>> On Mon, Mar 05, 2018 at 05:02:08PM -0800, Kees Cook wrote:
>> > On Mon, Mar 5, 2018 at 4:07 PM, <akpm@linux-foundation.org> wrote:
>>
>> > > It is more natural to check for read-from-memory permissions in case of
>> > > process_vm_readv() as PTRACE_MODE_ATTACH is equivalent to write
>> > > permissions.
>> >
>> > NAK, this weakens the existing permission model for reading
>>
>> What if existing permission model is overezealous?
>>
>> /proc/*/auxv, /proc/*/environ, /proc*/cmdline, /proc/*/mem opened
>> for reading and process_vm_readv(2) should do PTRACE_MODE_READ and
>> everything else should do PTRACE_MODE_ATTACH.
>
> Or in other words:
>
> what if there should be 3 levels:
> 1) permission to write to address space
> 2) permission to read arbitrarily from adress space
> 3) permission to read auxv, argv and envp
>
> Current code conflates (1) and (2).
There is also:
4) permission to read address layout (e.g. access to /proc/$pid/maps)
1 and 2 require ATTACH
3 and 4 require READ
ATTACH is a higher bar, and I think it is appropriate here, still, for
2, since being able to examine secrets in memory should be considered
a security boundary.
Is there something you're trying from userspace that is being blocked?
-Kees
--
Kees Cook
Pixel Security
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2018-03-06 22:31 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <20180306000721.gx9qqFGe8%akpm@linux-foundation.org>
[not found] ` <CAGXu5jKP03X7+XX9Oq+vVjQJhO1+A9ZyLDD+Gsxv2nRCgVD4wQ@mail.gmail.com>
2018-03-06 17:42 ` + mm-relax-ptrace-mode-in-process_vm_readv2.patch added to -mm tree Alexey Dobriyan
2018-03-06 18:03 ` Alexey Dobriyan
2018-03-06 22:31 ` Kees Cook
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).