From: Alexey Dobriyan <adobriyan@gmail.com>
To: oleg@redhat.com
Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [RFC] Tainting tasks after poking at them
Date: Sat, 10 Apr 2021 23:22:54 +0300 [thread overview]
Message-ID: <YHIJHpUq4mE9KwCT@localhost.localdomain> (raw)
I'm not a security guy, but
The idea is to irrevocably mark task as tainted after its registers
and/or memory have been changed by another task.
The list definitely includes
* ptrace PTRACE_POKEUSER, PTRACE_POKETEXT, PTRACE_POKEDATA,
PTRACE_SETREGS, PTRACE_SETFPREGS.
* process_vm_writev(2)
If an attacker gets an arbitrary code execution in context of task T,
then every task which can be attached to from T is compromised as well
via registers/memory manipulating system calls.
Tainted flag can be examined in kernel coredumps and maybe even help
with post mortem analysis (no idea if it is really true).
Note:
struct mm_struct should be tainted as well (i've noticed right before
sending this email).
---
arch/x86/kernel/process_64.c | 2 ++
arch/x86/kernel/ptrace.c | 7 +++++++
arch/x86/kernel/tls.c | 2 ++
fs/proc/base.c | 10 ++++++++++
include/linux/sched.h | 14 ++++++++++++++
kernel/ptrace.c | 3 +++
mm/process_vm_access.c | 4 ++++
7 files changed, 42 insertions(+)
--- a/arch/x86/kernel/process_64.c
+++ b/arch/x86/kernel/process_64.c
@@ -468,6 +468,7 @@ void x86_fsbase_write_task(struct task_struct *task, unsigned long fsbase)
WARN_ON_ONCE(task == current);
task->thread.fsbase = fsbase;
+ task_set_tainted(task);
}
void x86_gsbase_write_task(struct task_struct *task, unsigned long gsbase)
@@ -475,6 +476,7 @@ void x86_gsbase_write_task(struct task_struct *task, unsigned long gsbase)
WARN_ON_ONCE(task == current);
task->thread.gsbase = gsbase;
+ task_set_tainted(task);
}
static void
--- a/arch/x86/kernel/ptrace.c
+++ b/arch/x86/kernel/ptrace.c
@@ -214,6 +214,8 @@ static int set_segment_reg(struct task_struct *task,
task_user_gs(task) = value;
}
+ task_set_tainted(task);
+
return 0;
}
@@ -315,6 +317,8 @@ static int set_segment_reg(struct task_struct *task,
break;
}
+ task_set_tainted(task);
+
return 0;
}
@@ -349,6 +353,8 @@ static int set_flags(struct task_struct *task, unsigned long value)
regs->flags = (regs->flags & ~FLAG_MASK) | (value & FLAG_MASK);
+ task_set_tainted(task);
+
return 0;
}
@@ -382,6 +388,7 @@ static int putreg(struct task_struct *child,
}
*pt_regs_access(task_pt_regs(child), offset) = value;
+ task_set_tainted(child);
return 0;
}
--- a/arch/x86/kernel/tls.c
+++ b/arch/x86/kernel/tls.c
@@ -106,6 +106,8 @@ static void set_tls_desc(struct task_struct *p, int idx,
load_TLS(t, cpu);
put_cpu();
+
+ task_set_tainted(p);
}
/*
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -3149,6 +3149,14 @@ static int proc_stack_depth(struct seq_file *m, struct pid_namespace *ns,
}
#endif /* CONFIG_STACKLEAK_METRICS */
+static int proc_pid_tainted(struct seq_file *m, struct pid_namespace *_,
+ struct pid *__, struct task_struct *tsk)
+{
+ seq_putc(m, '0' + task_is_tainted(tsk));
+ seq_putc(m, '\n');
+ return 0;
+}
+
/*
* Thread groups
*/
@@ -3265,6 +3273,7 @@ static const struct pid_entry tgid_base_stuff[] = {
#ifdef CONFIG_SECCOMP_CACHE_DEBUG
ONE("seccomp_cache", S_IRUSR, proc_pid_seccomp_cache),
#endif
+ ONE("tainted", S_IRUGO, proc_pid_tainted),
};
static int proc_tgid_base_readdir(struct file *file, struct dir_context *ctx)
@@ -3598,6 +3607,7 @@ static const struct pid_entry tid_base_stuff[] = {
#ifdef CONFIG_SECCOMP_CACHE_DEBUG
ONE("seccomp_cache", S_IRUSR, proc_pid_seccomp_cache),
#endif
+ ONE("tainted", S_IRUGO, proc_pid_tainted),
};
static int proc_tid_base_readdir(struct file *file, struct dir_context *ctx)
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -668,6 +668,7 @@ struct task_struct {
/* Per task flags (PF_*), defined further below: */
unsigned int flags;
unsigned int ptrace;
+ bool tainted;
#ifdef CONFIG_SMP
int on_cpu;
@@ -2026,6 +2027,19 @@ extern long sched_getaffinity(pid_t pid, struct cpumask *mask);
unsigned long sched_cpu_util(int cpu, unsigned long max);
#endif /* CONFIG_SMP */
+static inline bool task_is_tainted(const struct task_struct *tsk)
+{
+ return READ_ONCE(tsk->tainted);
+}
+
+static inline void task_set_tainted(struct task_struct *tsk)
+{
+ /* Self-flagellation is OK. */
+ if (tsk != current) {
+ WRITE_ONCE(tsk->tainted, true);
+ }
+}
+
#ifdef CONFIG_RSEQ
/*
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -1297,6 +1297,9 @@ int generic_ptrace_pokedata(struct task_struct *tsk, unsigned long addr,
copied = ptrace_access_vm(tsk, addr, &data, sizeof(data),
FOLL_FORCE | FOLL_WRITE);
+ if (copied > 0) {
+ task_set_tainted(tsk);
+ }
return (copied == sizeof(data)) ? 0 : -EIO;
}
--- a/mm/process_vm_access.c
+++ b/mm/process_vm_access.c
@@ -228,6 +228,10 @@ static ssize_t process_vm_rw_core(pid_t pid, struct iov_iter *iter,
mmput(mm);
+ if (vm_write && rc > 0) {
+ task_set_tainted(task);
+ }
+
put_task_struct:
put_task_struct(task);
reply other threads:[~2021-04-10 20:23 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YHIJHpUq4mE9KwCT@localhost.localdomain \
--to=adobriyan@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=oleg@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).