From: Willy Tarreau
Subject: [PATCH 4/3] x86/ldt: allow to disable modify_ldt at runtime
Date: Sat, 25 Jul 2015 15:03:40 +0200
Message-ID: <20150725130340.GA17257__13223.0738331147$1437829604$gmane$org@1wt.eu>
In-Reply-To: <20150725075052.GA3918@1wt.eu>
References: <7286d77aa81abc38dc40362e2439861427064f6f.1437802102.git.luto@kernel.org> <20150725062343.GA3902@1wt.eu> <20150725075052.GA3918@1wt.eu>
To: Andy Lutomirski
Cc: "security@kernel.org", Jan Beulich, Peter Zijlstra, Andrew Cooper, X86 ML, "linux-kernel@vger.kernel.org", Steven Rostedt, xen-devel, Borislav Petkov, Andy Lutomirski, Sasha Levin, Boris Ostrovsky, Kees Cook
List-Id: xen-devel@lists.xenproject.org

On Sat, Jul 25, 2015 at 09:50:52AM +0200, Willy Tarreau wrote:
> On Fri, Jul 24, 2015 at 11:44:52PM -0700, Andy Lutomirski wrote:
> > I'm all for it, but I think it should be hard-disablable in config,
> > too, for the -tiny people.
>
> I totally agree.
>
> > If we add a runtime disable, let's do a
> > separate patch, and you and Kees can fight over how general it should
> > be.
>
> Initially I was thinking about changing it for a 3-state option but
> that would prevent X86_16BIT from being hard-disablable, so I'll do
> something completely separate.

So here comes the proposed patch. It adds a default setting for the sysctl
when the option is not hard-disabled (eg: distros not wanting to take risks
with legacy apps). It suggests to leave the option off. In case a syscall is
blocked, a printk_ratelimited() is called with relevant info (program name,
pid, uid) so that the admin can decide whether it's a legitimate call or not.
Eg: Denied a call to modify_ldt() from a.out[1736] (uid: 100). Adjust sysctl if this was not an exploit attempt. I personally think it completes well your series, hence the 4/3 numbering. Feel free to adopt it if you cycle another round and if you're OK with it of course. CCing Kees as well. Willy --VbJkn9YxBvnuCH5J Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="0001-x86-ldt-allow-to-disable-modify_ldt-at-runtime.patch" >>From 93cadf50b56a1f2f1e43137503edc1242f8476a7 Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Sat, 25 Jul 2015 12:18:33 +0200 Subject: x86/ldt: allow to disable modify_ldt at runtime For distros who prefer not to take the risk of completely disabling the modify_ldt syscall using CONFIG_MODIFY_LDT_SYSCALL, this patch adds a sysctl to enable or/disable it at runtime, and proposes to disable it by default. This can be a safe alternative. A message is logged if an attempt was stopped so that it's easy to spot if/when it is needed. Cc: Andy Lutomirski Cc: Kees Cook Signed-off-by: Willy Tarreau --- Documentation/sysctl/kernel.txt | 15 +++++++++++++++ arch/x86/Kconfig | 17 +++++++++++++++++ arch/x86/kernel/ldt.c | 15 +++++++++++++++ kernel/sysctl.c | 12 ++++++++++++ 4 files changed, 59 insertions(+) diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt index 6fccb69..60c7c7a 100644 --- a/Documentation/sysctl/kernel.txt +++ b/Documentation/sysctl/kernel.txt @@ -41,6 +41,7 @@ show up in /proc/sys/kernel: - kptr_restrict - kstack_depth_to_print [ X86 only ] - l2cr [ PPC only ] +- modify_ldt [ X86 only ] - modprobe ==> Documentation/debugging-modules.txt - modules_disabled - msg_next_id [ sysv ipc ] 
@@ -391,6 +392,20 @@ This flag controls the L2 cache of G3 processor boards. If ============================================================== +modify_ldt: (X86 only) + +Enables (1) or disables (0) the modify_ldt syscall. Modifying the LDT +(Local Descriptor Table) may be needed to run a 16-bit or segmented code +such as Dosemu or Wine. This is done via a system call which is not needed +to run portable applications, and which can sometimes be abused to exploit +some weaknesses of the architecture, opening new vulnerabilities. + +This sysctl allows one to increase the system's security by disabling the +system call, or to restore compatibility with specific applications when it +was already disabled. + +============================================================== + modules_disabled: A toggle value indicating if modules are allowed to be loaded diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index ede52be..37f83d6 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -2069,6 +2069,23 @@ config MODIFY_LDT_SYSCALL surface. Disabling it removes the modify_ldt(2) system call. Saying 'N' here may make sense for embedded or server kernels. + If really unsure, say 'Y', you'll be able to disable it at runtime. + +config DEFAULT_MODIFY_LDT_SYSCALL + bool "Allow userspace to modify the LDT by default" + depends on MODIFY_LDT_SYSCALL + default y + ---help--- + Modifying the LDT (Local Descriptor Table) may be needed to run a + 16-bit or segmented code such as Dosemu or Wine. This is done via + a system call which is not needed to run portable applications, + and which can sometimes be abused to exploit some weaknesses of + the architecture, opening new vulnerabilities. + + For this reason this option allows one to enable or disable the + feature at runtime. It is recommended to say 'N' here to leave + the system protected, and to enable it at runtime only if needed + by setting the sys.kernel.modify_ldt sysctl. source "kernel/livepatch/Kconfig" 
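Review bot: the new modify_ldt entry in kernel.txt does not say what the default value is (it follows CONFIG_DEFAULT_MODIFY_LDT_SYSCALL) nor that refused calls are logged, which is exactly what an admin who just saw the "Denied a call to modify_ldt()" line will look for here; suggest adding a sentence along the lines of "The default is set by CONFIG_DEFAULT_MODIFY_LDT_SYSCALL; refused calls are logged with the program name, pid and uid." Also "needed to run a 16-bit or segmented code" should read "needed to run 16-bit or segmented code".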
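Review bot: in the Kconfig hunk, `default y` on DEFAULT_MODIFY_LDT_SYSCALL contradicts its own help text ("It is recommended to say 'N' here"); either make it `default n` to match the recommendation and the cover letter's suggestion to leave the option off, or keep `default y` and reword the help. The help also refers to "the sys.kernel.modify_ldt sysctl", but the entry is registered under kernel (i.e. /proc/sys/kernel/modify_ldt, written as `kernel.modify_ldt` for sysctl(8)), so drop the "sys." prefix. Same grammar point as in the documentation: "a 16-bit or segmented code" should be "16-bit or segmented code".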
diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c index 2bcc052..cb64b85 100644 --- a/arch/x86/kernel/ldt.c +++ b/arch/x86/kernel/ldt.c @@ -11,6 +11,7 @@ #include #include #include +#include #include #include #include @@ -21,6 +22,11 @@ #include #include +#ifdef CONFIG_MODIFY_LDT_SYSCALL +int sysctl_modify_ldt __read_mostly = + IS_ENABLED(CONFIG_DEFAULT_MODIFY_LDT_SYSCALL); +#endif + /* context.lock is held for us, so we don't need any locking. */ static void flush_ldt(void *current_mm) { @@ -276,6 +282,15 @@ asmlinkage int sys_modify_ldt(int func, void __user *ptr, { int ret = -ENOSYS; + if (!sysctl_modify_ldt) { + printk_ratelimited(KERN_INFO + "Denied a call to modify_ldt() from %s[%d] (uid: %d)." + " Adjust sysctl if this was not an exploit attempt.\n", + current->comm, task_pid_nr(current), + from_kuid_munged(current_user_ns(), current_uid())); + return ret; + } + switch (func) { case 0: ret = read_ldt(ptr, bytecount); diff --git a/kernel/sysctl.c b/kernel/sysctl.c index 19b62b5..3dcf8e4 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -111,6 +111,9 @@ extern int sysctl_nr_open_min, sysctl_nr_open_max; #ifndef CONFIG_MMU extern int sysctl_nr_trim_pages; #endif +#ifdef CONFIG_MODIFY_LDT_SYSCALL +extern int sysctl_modify_ldt; +#endif /* Constants used for minimum and maximum */ #ifdef CONFIG_LOCKUP_DETECTOR @@ -960,6 +963,15 @@ static struct ctl_table kern_table[] = { .mode = 0644, .proc_handler = proc_dointvec, }, +#ifdef CONFIG_MODIFY_LDT_SYSCALL + { + .procname = "modify_ldt", + .data = &sysctl_modify_ldt, + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec, + }, +#endif #endif #if defined(CONFIG_MMU) { -- 1.7.12.1 --VbJkn9YxBvnuCH5J Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel --VbJkn9YxBvnuCH5J--
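Review bot: in the ldt.c hunk, the `sysctl_modify_ldt` definition is wrapped in `#ifdef CONFIG_MODIFY_LDT_SYSCALL` but the `if (!sysctl_modify_ldt)` test in sys_modify_ldt() is not, so if ldt.c is still compiled with that option off the reference will not build; either put the check under the same guard or confirm that the rest of the series keeps sys_modify_ldt() out of the build in that configuration. A smaller point: the check sits ahead of the `switch (func)`, so func 0 (read_ldt, which only copies the current table out to userspace) is refused too; consider letting reads through so that programs merely probing for an LDT don't generate denial lines that the admin then has to triage.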
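Review bot: in the kernel/sysctl.c hunk, the modify_ldt entry uses `proc_dointvec` with no bounds, so any integer is accepted and every non-zero value enables the call, while the documentation describes a 0/1 toggle; suggest `.proc_handler = proc_dointvec_minmax` with `.extra1`/`.extra2` bounding the value to 0 and 1 so that `sysctl kernel.modify_ldt=2` is rejected rather than silently treated as 1. The extern declaration and the table entry are both under CONFIG_MODIFY_LDT_SYSCALL, so nothing dangles when the syscall is compiled out.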
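The denial message the patch logs ("Denied a call to modify_ldt() from a.out[1736] (uid: 100). Adjust sysctl if this was not an exploit attempt.") is meant for an admin to decide whether to re-enable the syscall or treat the caller as suspicious. The following is an added example, not part of the mail or the patch: a small triage script that parses that exact message text out of dmesg/syslog-style lines, groups the denials by uid and program, and flags programs not on a site allow-list. The log lines are constructed; the allow-list contents, and the "N callbacks suppressed" notice format attributed to printk_ratelimited(), are assumptions.

```python
"""Triage helper for the modify_ldt denial messages the patch logs.

Added example, not code from the mail or the patch. It parses the message
text that sys_modify_ldt() emits via printk_ratelimited() in the patch and
summarizes the denials so an admin can decide whether to set
kernel.modify_ldt=1 (e.g. for Wine/Dosemu) or look closer at the caller.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

# Message text copied from the patch's printk; the "[ ts ]" prefix that
# dmesg adds is tolerated because we search rather than anchor at the start.
DENIAL_RE = re.compile(
    r"Denied a call to modify_ldt\(\) from (?P<comm>.+?)\[(?P<pid>\d+)\]"
    r" \(uid: (?P<uid>\d+)\)\."
)
# Assumed format of the notice printk_ratelimited() prints when it dropped
# messages ("<func>: N callbacks suppressed"); the patch does not show it.
SUPPRESSED_RE = re.compile(r"modify_ldt: (?P<n>\d+) callbacks suppressed")


class Denial(NamedTuple):
    comm: str   # task name as logged (current->comm, chosen by the process)
    pid: int
    uid: int    # uid as reported by from_kuid_munged() in the patch


def parse_denial(line: str) -> Optional[Denial]:
    """Return the Denial in one log line, or None if it is some other message."""
    m = DENIAL_RE.search(line)
    if m is None:
        return None
    return Denial(m.group("comm"), int(m.group("pid")), int(m.group("uid")))


# Assumed site allow-list of programs known to need an LDT; Wine and Dosemu
# are the examples the patch's help text names.
EXPECTED_COMMS = frozenset({"wine-preloader", "wine", "dosemu"})


def summarize(log_text: str, expected=EXPECTED_COMMS) -> Dict[str, object]:
    """Group denials by uid/program and list the ones from unexpected programs."""
    denials: List[Denial] = []
    suppressed = 0
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d is not None:
            denials.append(d)
            continue
        m = SUPPRESSED_RE.search(line)
        if m:
            suppressed += int(m.group("n"))   # denials we never saw a line for
    return {
        "denials": denials,
        "by_uid": dict(Counter(d.uid for d in denials)),
        "by_comm": dict(Counter(d.comm for d in denials)),
        "suppressed": suppressed,
        "unexpected": [d for d in denials if d.comm not in expected],
    }


# Constructed sample log: two unrelated kernel lines, three denials (one from
# Wine, two using the a.out[1736]/uid 100 example from the mail) and one
# assumed rate-limit notice.
SAMPLE_LOG = """\
[  120.000001] usb 1-1: new high-speed USB device number 2 using xhci_hcd
[  123.456789] Denied a call to modify_ldt() from wine-preloader[2201] (uid: 1000). Adjust sysctl if this was not an exploit attempt.
[  123.470001] Denied a call to modify_ldt() from a.out[1736] (uid: 100). Adjust sysctl if this was not an exploit attempt.
[  123.470900] Denied a call to modify_ldt() from a.out[1737] (uid: 100). Adjust sysctl if this was not an exploit attempt.
[  124.000100] sys_modify_ldt: 3 callbacks suppressed
[  130.100000] EXT4-fs (sda1): mounted filesystem with ordered data mode
"""

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("denials by uid:    ", report["by_uid"])
    print("denials by program:", report["by_comm"])
    print("suppressed lines:  ", report["suppressed"])
    for d in report["unexpected"]:
        print(f"review: {d.comm} (pid {d.pid}, uid {d.uid}) is not on the allow-list")
```

Because `comm` is set by the process itself (via the executable name or prctl), the allow-list is a triage aid rather than a trust decision; the pid is there so the admin can go and look at what actually ran before deciding to flip `kernel.modify_ldt` back to 1. The suppressed count matters too: a rate-limited log means the number of denial lines is a lower bound on the number of refused calls.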