Kernel Version: 4.18.5
Problem Description:
When using prctl(PR_SET_NAME) to set the thread name, it is checked by security_task_prctl.
We discovered a leaking path that can also use method implemented in
fs/proc/base.c:1526 comm_write(), to do similar thing without asking LSM’s decision.
- Tong
On Tue, Sep 25, 2018 at 01:27:08PM -0400, Tong Zhang wrote:
> Kernel Version: 4.18.5
>
> Problem Description:
>
> When using prctl(PR_SET_NAME) to set the thread name, it is checked by security_task_prctl.
>
> We discovered a leaking path that can also use method implemented in
> fs/proc/base.c:1526 comm_write(), to do similar thing without asking LSM’s decision.
I don't understand how it is a problem. Could you please explain?
procfs/comm is created with S_IRUGO|S_IWUSR permissions. So
prctl and procfs are simply different interfaces.
Yes, this is exactly what I am saying.
A process can change its own name using prctl or /proc/self/comm.
prctl is protected by security_task_prctl, whereas /proc/self/comm is not protected by this LSM hook.
A system admin may expect to use security_task_prctl to block all attempt to change process name, however, it can still change name using /proc/self/comm.
> On Sep 25, 2018, at 2:39 PM, Cyrill Gorcunov <[email protected]> wrote:
>
> On Tue, Sep 25, 2018 at 01:27:08PM -0400, Tong Zhang wrote:
>> Kernel Version: 4.18.5
>>
>> Problem Description:
>>
>> When using prctl(PR_SET_NAME) to set the thread name, it is checked by security_task_prctl.
>>
>> We discovered a leaking path that can also use method implemented in
>> fs/proc/base.c:1526 comm_write(), to do similar thing without asking LSM’s decision.
>
> I don't understand how it is a problem. Could you please explain?
> procfs/comm is created with S_IRUGO|S_IWUSR permissions. So
> prctl and procfs are simply different interfaces.
On Tue, Sep 25, 2018 at 08:44:39PM -0400, TongZhang wrote:
> Yes, this is exactly what I am saying.
> A process can change its own name using prctl or /proc/self/comm.
> prctl is protected by security_task_prctl, whereas /proc/self/comm is not protected by this LSM hook.
>
> A system admin may expect to use security_task_prctl to block all attempt to change process name, however, it can still change name using /proc/self/comm.
None of the in-tree LSM's try to affect PR_SET_NAME. Looking at
security/commoncap.c, it's clear what is of interest is to checking
things relating to security sensitive things relating to capabilities, such as:
PR_SET_SECUREBITS
PR_CAPBSET_*
PR_*_SECUREBITS
PR_*_KEEPCAPS
PR_CAP_AMBIENT
Trying to depend on task name for anything security sensitive is at
_really_ bad idea, so it seems unlikely that a LSM would want to
protect the process name. (And if they did, the first thing I would
ask is "Why? What are you trying to do? Do you realize how many
*other* ways the process name can be spoofed or otherwise controlled
by a potentially malicious user?")
- Ted
> Trying to depend on task name for anything security sensitive is at
> _really_ bad idea, so it seems unlikely that a LSM would want to
> protect the process name. (And if they did, the first thing I would
> ask is "Why? What are you trying to do? Do you realize how many
> *other* ways the process name can be spoofed or otherwise controlled
> by a potentially malicious user?")
Two processes that should not be able to otherwise communicate can keep
changing their name to a chunk of data, waiting for an ack flag name
change back.
Alan