From: Topi Miettinen <toiwoton@gmail.com>
To: Luis Chamberlain <mcgrof@kernel.org>,
Kees Cook <keescook@chromium.org>,
Alexey Dobriyan <adobriyan@gmail.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"open list:FILESYSTEMS (VFS and infrastructure)"
<linux-fsdevel@vger.kernel.org>
Subject: [PATCH] Allow restricting permissions in /proc/sys
Date: Sun, 3 Nov 2019 16:55:48 +0200 [thread overview]
Message-ID: <74a91362-247c-c749-5200-7bdce704ed9e@gmail.com> (raw)
[-- Attachment #1: Type: text/plain, Size: 2909 bytes --]
Several items in /proc/sys need not be accessible to unprivileged
tasks. Let the system administrator change the permissions, but only
to more restrictive modes than what the sysctl tables allow.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
---
fs/proc/proc_sysctl.c | 41 +++++++++++++++++++++++++++++++----------
1 file changed, 31 insertions(+), 10 deletions(-)
diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
index d80989b6c344..88c4ca7d2782 100644
--- a/fs/proc/proc_sysctl.c
+++ b/fs/proc/proc_sysctl.c
@@ -818,6 +818,10 @@ static int proc_sys_permission(struct inode *inode,
int mask)
if ((mask & MAY_EXEC) && S_ISREG(inode->i_mode))
return -EACCES;
+ error = generic_permission(inode, mask);
+ if (error)
+ return error;
+
head = grab_header(inode);
if (IS_ERR(head))
return PTR_ERR(head);
@@ -837,9 +841,35 @@ static int proc_sys_setattr(struct dentry *dentry,
struct iattr *attr)
struct inode *inode = d_inode(dentry);
int error;
- if (attr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))
+ if (attr->ia_valid & (ATTR_UID | ATTR_GID))
return -EPERM;
+ if (attr->ia_valid & ATTR_MODE) {
+ struct ctl_table_header *head = grab_header(inode);
+ struct ctl_table *table = PROC_I(inode)->sysctl_entry;
+ umode_t max_mode = 0777; /* Only these bits may change */
+
+ if (IS_ERR(head))
+ return PTR_ERR(head);
+
+ if (!table) /* global root - r-xr-xr-x */
+ max_mode &= ~0222;
+ else /*
+ * Don't allow permissions to become less
+ * restrictive than the sysctl table entry
+ */
+ max_mode &= table->mode;
+
+ sysctl_head_finish(head);
+
+ /* Execute bits only allowed for directories */
+ if (!S_ISDIR(inode->i_mode))
+ max_mode &= ~0111;
+
+ if (attr->ia_mode & ~S_IFMT & ~max_mode)
+ return -EPERM;
+ }
+
error = setattr_prepare(dentry, attr);
if (error)
return error;
@@ -853,17 +883,8 @@ static int proc_sys_getattr(const struct path
*path, struct kstat *stat,
u32 request_mask, unsigned int query_flags)
{
struct inode *inode = d_inode(path->dentry);
- struct ctl_table_header *head = grab_header(inode);
- struct ctl_table *table = PROC_I(inode)->sysctl_entry;
-
- if (IS_ERR(head))
- return PTR_ERR(head);
generic_fillattr(inode, stat);
- if (table)
- stat->mode = (stat->mode & S_IFMT) | table->mode;
-
- sysctl_head_finish(head);
return 0;
}
--
2.24.0.rc1
[-- Attachment #2: 0001-Allow-restricting-permissions-in-proc-sys.patch --]
[-- Type: text/x-diff, Size: 2597 bytes --]
From 14ad2d9034ecb43b60f59f6422e597a780c65cd9 Mon Sep 17 00:00:00 2001
From: Topi Miettinen <toiwoton@gmail.com>
Date: Sun, 3 Nov 2019 16:36:43 +0200
Subject: [PATCH] Allow restricting permissions in /proc/sys
Several items in /proc/sys need not be accessible to unprivileged
tasks. Let the system administrator change the permissions, but only
to more restrictive modes than what the sysctl tables allow.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
---
fs/proc/proc_sysctl.c | 41 +++++++++++++++++++++++++++++++----------
1 file changed, 31 insertions(+), 10 deletions(-)
diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
index d80989b6c344..88c4ca7d2782 100644
--- a/fs/proc/proc_sysctl.c
+++ b/fs/proc/proc_sysctl.c
@@ -818,6 +818,10 @@ static int proc_sys_permission(struct inode *inode, int mask)
if ((mask & MAY_EXEC) && S_ISREG(inode->i_mode))
return -EACCES;
+ error = generic_permission(inode, mask);
+ if (error)
+ return error;
+
head = grab_header(inode);
if (IS_ERR(head))
return PTR_ERR(head);
@@ -837,9 +841,35 @@ static int proc_sys_setattr(struct dentry *dentry, struct iattr *attr)
struct inode *inode = d_inode(dentry);
int error;
- if (attr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID))
+ if (attr->ia_valid & (ATTR_UID | ATTR_GID))
return -EPERM;
+ if (attr->ia_valid & ATTR_MODE) {
+ struct ctl_table_header *head = grab_header(inode);
+ struct ctl_table *table = PROC_I(inode)->sysctl_entry;
+ umode_t max_mode = 0777; /* Only these bits may change */
+
+ if (IS_ERR(head))
+ return PTR_ERR(head);
+
+ if (!table) /* global root - r-xr-xr-x */
+ max_mode &= ~0222;
+ else /*
+ * Don't allow permissions to become less
+ * restrictive than the sysctl table entry
+ */
+ max_mode &= table->mode;
+
+ sysctl_head_finish(head);
+
+ /* Execute bits only allowed for directories */
+ if (!S_ISDIR(inode->i_mode))
+ max_mode &= ~0111;
+
+ if (attr->ia_mode & ~S_IFMT & ~max_mode)
+ return -EPERM;
+ }
+
error = setattr_prepare(dentry, attr);
if (error)
return error;
@@ -853,17 +883,8 @@ static int proc_sys_getattr(const struct path *path, struct kstat *stat,
u32 request_mask, unsigned int query_flags)
{
struct inode *inode = d_inode(path->dentry);
- struct ctl_table_header *head = grab_header(inode);
- struct ctl_table *table = PROC_I(inode)->sysctl_entry;
-
- if (IS_ERR(head))
- return PTR_ERR(head);
generic_fillattr(inode, stat);
- if (table)
- stat->mode = (stat->mode & S_IFMT) | table->mode;
-
- sysctl_head_finish(head);
return 0;
}
--
2.24.0.rc1
next reply other threads:[~2019-11-03 14:55 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-03 14:55 Topi Miettinen [this message]
2019-11-03 17:56 ` [PATCH] Allow restricting permissions in /proc/sys Theodore Y. Ts'o
2019-11-03 19:24 ` Topi Miettinen
2019-11-12 23:15 ` Kees Cook
2019-11-03 18:50 ` Eric W. Biederman
2019-11-03 19:38 ` Topi Miettinen
2019-11-04 15:44 ` Eric W. Biederman
2019-11-04 17:58 ` Topi Miettinen
2019-11-04 23:41 ` Eric W. Biederman
2019-11-05 7:35 ` Topi Miettinen
2019-11-12 23:19 ` Kees Cook
2019-11-13 1:04 ` Luis Chamberlain
2019-11-12 23:22 ` Christian Brauner
2019-11-12 23:22 ` Christian Brauner
2019-11-13 4:50 ` Andy Lutomirski
2019-11-13 4:50 ` Andy Lutomirski
2019-11-13 10:52 ` Topi Miettinen
2019-11-13 10:52 ` Topi Miettinen
2019-11-13 16:00 ` Jann Horn
2019-11-13 16:00 ` Jann Horn
2019-11-13 16:19 ` Topi Miettinen
2019-11-13 16:19 ` Topi Miettinen
2019-11-13 16:40 ` Jann Horn
2019-11-13 16:40 ` Jann Horn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=74a91362-247c-c749-5200-7bdce704ed9e@gmail.com \
--to=toiwoton@gmail.com \
--cc=adobriyan@gmail.com \
--cc=keescook@chromium.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mcgrof@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.