Received: by 10.223.185.116 with SMTP id b49csp2448328wrg; Mon, 12 Feb 2018 09:41:16 -0800 (PST) X-Google-Smtp-Source: AH8x224UrPEuaOSHb2nklY+wUCfEcWzpdhfO+oTLE6EMLYSNeerPeYMGKfEJwFQqv+HOzeph68Ev X-Received: by 10.98.16.9 with SMTP id y9mr12485543pfi.189.1518457276870; Mon, 12 Feb 2018 09:41:16 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1518457276; cv=none; d=google.com; s=arc-20160816; b=qaeilsno0gFFDE3d1xBb20CK8N1OZ6tYMxV0b0o+Lv/H5e34I/abKHw08t2xtxaltI NRzb1rn6gIh6qMxyOUY/cEz19A+HQ2DLWKXXVv3ZpFdKwnsYGDHz7fhpVoMnvd2EUnz8 aHXA2DimEjIxTjR1kN3DIKhu85zmukbO4FoPeKL6Wp/Xl735a31OEh9TmygB0hhYjyuk l2+tb+SvLtGj+LUvBHsBhA3WvyGAXtkOmixszoA57j+NU+IEbYWl40MpTyV7Xaf47d7H vPogDGEMGiK4WO+u49agRrUv4+PHUIVLinTh1fsKnHh69QBoMiGOo/mQHqSKPB9quv6H w4lA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:mail-followup-to :message-id:subject:cc:to:from:date:arc-authentication-results; bh=l+NdyYmHY4wBslp9fNCa1a21lZ3va35Sd/l5Zwdv/i8=; b=LTuA2TC10daRckpS0GjPt2bTgB/5k4nPcFwnWrCQ4k4I2LKWubwOZX//rntUd7Em22 xlCOWSk4lBPGtFbK+KD6DpWNLvOGBjkkFo9eZmC3owIzfAyXR1xjJbYPgtfHu8JondbF xImfTJhKpdm3GkreOyCASD1TZGjIgXyKWWhp8VEr6MrnuhTaKfd9jk+jACVH1xz+E3xB yXrlthMXeqYqs1eXkfIvxeOEXYhJ6o4PqHhbI32eY+kb4NRTcS7h5hRjlF9zjVtpjJ5K C3nlmKcJLNKjXg/rwsBm9Eb1BgD1f+as2ZC8PG0S2KmIKDmphsuJO4yKFj6j2pWtk7sO t7Gg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e3si4782560pfe.252.2018.02.12.09.41.02; Mon, 12 Feb 2018 09:41:16 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752559AbeBLRkA (ORCPT + 99 others); Mon, 12 Feb 2018 12:40:00 -0500 Received: from mx2.suse.de ([195.135.220.15]:60212 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751063AbeBLRj6 (ORCPT ); Mon, 12 Feb 2018 12:39:58 -0500 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay1.suse.de (charybdis-ext.suse.de [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id 21D8BAE6D; Mon, 12 Feb 2018 17:39:57 +0000 (UTC) Date: Mon, 12 Feb 2018 09:30:37 -0800 From: Davidlohr Bueso To: "Michael Kerrisk (man-pages)" Cc: Michal Hocko , Linux API , Manfred Spraul , Andrew Morton , Al Viro , Kees Cook , Linus Torvalds , Mike Waychison , LKML , "linux-mm@kvack.org" Subject: Re: shmctl(SHM_STAT) vs. /proc/sysvipc/shm permissions discrepancies Message-ID: <20180212173037.oruxafinai5tkv6t@linux-n805> Mail-Followup-To: "Michael Kerrisk (man-pages)" , Michal Hocko , Linux API , Manfred Spraul , Andrew Morton , Al Viro , Kees Cook , Linus Torvalds , Mike Waychison , LKML , "linux-mm@kvack.org" References: <20171219094848.GE2787@dhcp22.suse.cz> <20171220092025.GD4831@dhcp22.suse.cz> <20171221080203.GZ4831@dhcp22.suse.cz> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Disposition: inline In-Reply-To: User-Agent: NeoMutt/20170421 (1.8.2) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, 21 Dec 2017, Michael Kerrisk (man-pages) wrote: >Hi Michal, > >On 21 December 2017 at 09:02, Michal Hocko wrote: >> On Wed 20-12-17 17:17:46, Michael Kerrisk wrote: >>> Hello Michal, >>> >>> On 20 December 2017 at 10:20, Michal Hocko wrote: >>> > On Tue 19-12-17 17:45:40, Michael Kerrisk wrote: >>> >> But, is >>> >> there a pressing reason to make the change? (Okay, I guess iterating >>> >> using *_STAT is nicer than parsing /proc/sysvipc/*.) >>> > >>> > The reporter of this issue claims that "Reading /proc/sysvipc/shm is way >>> > slower than executing the system call." I haven't checked that but I can >>> > imagine that /proc/sysvipc/shm can take quite some time when there are >>> > _many_ segments registered. >>> >>> Yes, that makes sense. >>> >>> > So they would like to use the syscall but >>> > the interacting parties do not have compatible permissions. >>> >>> So, I don't think there is any security issue, since the same info is >>> available in /proc/sysvipc/*. >> >> Well, I am not sure this is a valid argument (maybe I just misread your >> statement). > >(Or perhaps I was not clear enough; see below) > >> Our security model _might_ be broken because of the sysipc >> proc interface existance already. I am not saying it is broken because >> I cannot see an attack vector based solely on the metadata information >> knowledge. An attacker still cannot see/modify the real data. But maybe >> there are some bugs lurking there and knowing the metadata might help to >> exploit them. I dunno. >> >> You are certainly right that modifying/adding STAT flag to comply with >> the proc interface permission model will not make the system any more >> vulnerable, though. > >Yep, that was my point. Modifying _STAT behavior won't decrease security. > >That said, /proc/sysvipc/* has been around for a long time now, and >nothing bad seems to have happened so far, AFAIK. > >>> The only question would be whether >>> change in the *_STAT behavior might surprise some applications into >>> behaving differently. I presume the chances of that are low, but if it >>> was a concert, one could add new shmctl/msgctl/semctl *_STAT_ALL (or >>> some such) operations that have the desired behavior. >> >> I would lean towards _STAT_ALL because this is Linux specific behavior >> (I have looked at what BSD does here and they are checking permissions >> for STAT as well). It would also be simpler to revert if we ever find >> that this is a leak with security consequences. So I took a crack at this, and my only doubt is whether or not the lsm security hooks should be considered or not. Specifically, should the SHM_STAT_ALL case consider security_shm_shmctl()? While the relevant persmission checks that allow for the discripancies between 0444 procfs and a 0600 via creating the ipc object are done in ipcperms() returning -1, is there a scenario where some lsm policy could change the /proc/sysvipc/ interface? If not, I think we can avoid it, but I'm not a security person. Thanks, Davidlohr > >Oh -- I was unaware of this BSD behavior. At least on the various UNIX >systems that I ever used SYSVIPC (including one or two ancient >commercial BSD derivatives), ipcs(1) showed all IPC objects. (On >FeeBSD, at least, it looks like ipcs(1) doesn't use the *_STAT >interfaces.) > >Cheers, > >Michael > > > >-- >Michael Kerrisk >Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/ >Linux/UNIX System Programming Training: http://man7.org/training/