From: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
To: peterz@infradead.org, mingo@redhat.com
Cc: mhocko@suse.com, keescook@chromium.org,
linux-kernel@vger.kernel.org, mguzik@redhat.com,
bsegall@google.com, john.stultz@linaro.org,
ebiederm@xmission.com, oleg@redhat.com, gorcunov@openvz.org,
matthltc@us.ibm.com, akpm@linux-foundation.org,
luto@amacapital.net, vbabka@suse.cz, xemul@virtuozzo.com
Subject: [PATCH] prctl: remove one-shot limitation for changing exe link
Date: Tue, 12 Jul 2016 19:30:29 +0400 [thread overview]
Message-ID: <20160712152940.24895.61315.stgit@localhost.localdomain> (raw)
This limitation came with the reason to remove "another
way for malicious code to obscure a compromised program and
masquerade as a benign process" by allowing "security-concious program can use
this prctl once during its early initialization to ensure the prctl cannot
later be abused for this purpose":
http://marc.info/?l=linux-kernel&m=133160684517468&w=2
But the way how the feature can be used is the following:
1) Attach to process via ptrace (protected by CAP_SYS_PTRACE)
2) Unmap all the process file mappings, related to "exe" file.
3) Change exe link (protected by CAP_SYS_RESOURCE).
IOW, some other process already has an access to process internals (and thus
it's already compromised), and can inject fork and use the child of the
compromised program to masquerade.
Which means this limitation doesn't solve the problem it was aimed to.
While removing this limitation allow to replace files from underneath of a
running process as many times as required. One of the use cases is network
file systems migration (NFS, to be precise) by CRIU.
NFS mount can't be mounted on restore stage because network is locked.
To overcome this limitation, another file system (FUSE-based) is used. Then
opened files replaced by the proper ones NFS is remounted.
Thus exe link replace has to be done twice: first on restore stage and second
- when actual NFS was remounted.
Signed-off-by: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
---
include/linux/sched.h | 4 +++-
kernel/sys.c | 10 ----------
2 files changed, 3 insertions(+), 11 deletions(-)
diff --git a/include/linux/sched.h b/include/linux/sched.h
index 553af29..83b5f2d 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -518,7 +518,9 @@ static inline int get_dumpable(struct mm_struct *mm)
/* leave room for more dump flags */
#define MMF_VM_MERGEABLE 16 /* KSM may merge identical pages */
#define MMF_VM_HUGEPAGE 17 /* set when VM_HUGEPAGE is set on vma */
-#define MMF_EXE_FILE_CHANGED 18 /* see prctl_set_mm_exe_file() */
+/* This ine-shot flag is droped due to necessivity of changing exe once again
+ * on NFS restore */
+//#define MMF_EXE_FILE_CHANGED 18 /* see prctl_set_mm_exe_file() */
#define MMF_HAS_UPROBES 19 /* has uprobes */
#define MMF_RECALC_UPROBES 20 /* MMF_HAS_UPROBES can be wrong */
diff --git a/kernel/sys.c b/kernel/sys.c
index 89d5be4..fd6f508 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -1696,16 +1696,6 @@ static int prctl_set_mm_exe_file(struct mm_struct *mm, unsigned int fd)
fput(exe_file);
}
- /*
- * The symlink can be changed only once, just to disallow arbitrary
- * transitions malicious software might bring in. This means one
- * could make a snapshot over all processes running and monitor
- * /proc/pid/exe changes to notice unusual activity if needed.
- */
- err = -EPERM;
- if (test_and_set_bit(MMF_EXE_FILE_CHANGED, &mm->flags))
- goto exit;
-
err = 0;
/* set the new file, lockless */
get_file(exe.file);
next reply other threads:[~2016-07-12 16:10 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-12 15:30 Stanislav Kinsburskiy [this message]
2016-07-12 16:42 ` [PATCH] prctl: remove one-shot limitation for changing exe link Oleg Nesterov
2016-07-12 16:52 ` Stanislav Kinsburskiy
2016-07-12 17:01 ` Oleg Nesterov
2016-07-12 16:48 ` Cyrill Gorcunov
2016-07-12 16:52 ` Eric W. Biederman
2016-07-12 17:29 ` Cyrill Gorcunov
2016-07-12 21:42 ` Cyrill Gorcunov
2016-07-13 10:47 ` Stanislav Kinsburskiy
2016-07-18 20:11 ` One Thousand Gnomes
2016-07-20 11:30 ` Stanislav Kinsburskiy
[not found] ` <8a863273-c571-63d6-c0c3-637dff5645a3@virtuozzo.com>
2016-07-25 18:21 ` Eric W. Biederman
2016-07-25 19:22 ` Cyrill Gorcunov
2016-07-25 19:56 ` Eric W. Biederman
2016-07-26 8:34 ` Cyrill Gorcunov
2016-07-30 17:31 ` Eric W. Biederman
2016-07-30 20:28 ` Mateusz Guzik
2016-07-31 18:45 ` Eric W. Biederman
2016-08-22 15:40 ` Richard Guy Briggs
2016-07-31 22:43 ` Cyrill Gorcunov
2016-07-31 22:49 ` Andy Lutomirski
2016-08-01 9:04 ` Cyrill Gorcunov
2016-08-10 10:48 ` Stanislav Kinsburskiy
2016-07-26 10:21 ` Stanislav Kinsburskiy
2016-07-12 15:42 Stanislav Kinsburskiy
[not found] <1d254efe-5410-40c4-af4b-9e898682d0b3@email.android.com>
2016-07-13 10:15 ` Oleg Nesterov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160712152940.24895.61315.stgit@localhost.localdomain \
--to=skinsbursky@virtuozzo.com \
--cc=akpm@linux-foundation.org \
--cc=bsegall@google.com \
--cc=ebiederm@xmission.com \
--cc=gorcunov@openvz.org \
--cc=john.stultz@linaro.org \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=matthltc@us.ibm.com \
--cc=mguzik@redhat.com \
--cc=mhocko@suse.com \
--cc=mingo@redhat.com \
--cc=oleg@redhat.com \
--cc=peterz@infradead.org \
--cc=vbabka@suse.cz \
--cc=xemul@virtuozzo.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).