Received: by 10.223.185.116 with SMTP id b49csp2240602wrg; Thu, 15 Feb 2018 08:36:08 -0800 (PST) X-Google-Smtp-Source: AH8x225koD6jPE5Gwf4I8GCC5gCx8js3hBAT3EXhLKn+kxigLeWW+bdYwnUqUFbdsh0whZ23fQ/j X-Received: by 10.98.4.1 with SMTP id 1mr3173451pfe.148.1518712568064; Thu, 15 Feb 2018 08:36:08 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1518712568; cv=none; d=google.com; s=arc-20160816; b=gZYbP6P4k4ICnIteOKxlUxI5dO/Y+N0jydVi0chO4910k8OKlY70lEmKC8ob5WecQN dMUgJwu0X37jx+u4tuCUI3VAVQSFszIv7//1JGi07NrCWarDYO7GiHA69wBPZBGN5gcx bj7qd5zFq8Z2JyJompPljpC7vvhG3ED0MWAcq/AL9sMvmnmsz5YWzMjha8cHxaH8KXEl dU8N9DsKCkLbTxAAtbDf2x8i4dpAe4lLCsbsB5KiVrJDa7jPazU10yoQwBYGIodwZveG irNiP0SSh2JeJG1KEtBzWkGgHWP/GiFdwbcwW2MazxRDMTr5eixpBRfgtlwwDPYchaHE oxXA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:arc-authentication-results; bh=6R9i0EYLoRzStPBaDC+Ls8Quuo1rIEd6d3JQMSSuTcY=; b=pThzc0Z2FsLL+sHQ3SPdqvSVKNXniRaxk2QLUU0O4PvtQAS/rSTt1IZuCw5IbUfpg5 qUdbPuwlK5DJVNkEiWV5IavwAbSuhxInRdMrh17b9zhPUDsnVq36sTjzac3OmiAQvgyL +xFxrRQXBTuwU67X4AmupTfD3rgbhheoTHKem7FCMc4ztGe5sJQdIEqst750YzSIQBYx +ilaY9XCsbHSgmC4U+bkKX8QkaVdeMXzElnPYvfWYF8QoJp7MDCYHcTk0CZH1S817aRq JRvGgtGYEBtj5VLjIY4ymZ9vHk0/WyMoTkP1DNpVnvbD5WzWaE0vNGDQYOnkcRzc7yod Dbbw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id w24-v6si1393985plq.75.2018.02.15.08.35.51; Thu, 15 Feb 2018 08:36:08 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1424189AbeBOQeg (ORCPT + 99 others); Thu, 15 Feb 2018 11:34:36 -0500 Received: from smtp2.provo.novell.com ([137.65.250.81]:58178 "EHLO smtp2.provo.novell.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1425903AbeBOQed (ORCPT ); Thu, 15 Feb 2018 11:34:33 -0500 Received: from linux-n805.suse.de (prv-ext-foundry1int.gns.novell.com [137.65.251.240]) by smtp2.provo.novell.com with ESMTP (TLS encrypted); Thu, 15 Feb 2018 09:34:27 -0700 From: Davidlohr Bueso To: akpm@linux-foundation.org Cc: mhocko@kernel.org, mtk.manpages@gmail.com, robert.kettler@outlook.com, manfred@colorfullife.com, ebiederm@xmission.com, keescook@chromium.org, linux-api@vger.kernel.org, linux-kernel@vger.kernel.org, dave@stgolabs.net, Davidlohr Bueso Subject: [PATCH 1/3] ipc/shm: introduce shmctl(SHM_STAT_ANY) Date: Thu, 15 Feb 2018 08:24:56 -0800 Message-Id: <20180215162458.10059-2-dave@stgolabs.net> X-Mailer: git-send-email 2.13.6 In-Reply-To: <20180215162458.10059-1-dave@stgolabs.net> References: <20180215162458.10059-1-dave@stgolabs.net> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org There is a permission discrepancy when consulting shm ipc object metadata between /proc/sysvipc/shm (0444) and the SHM_STAT shmctl command. The later does permission checks for the object vs S_IRUGO. As such there can be cases where EACCESS is returned via syscall but the info is displayed anyways in the procfs files. While this might have security implications via info leaking (albeit no writing to the shm metadata), this behavior goes way back and showing all the objects regardless of the permissions was most likely an overlook - so we are stuck with it. Furthermore, modifying either the syscall or the procfs file can cause userspace programs to break (ie ipcs). Some applications require getting the procfs info (without root privileges) and can be rather slow in comparison with a syscall -- up to 500x in some reported cases. This patch introduces a new SHM_STAT_ANY command such that the shm ipc object permissions are ignored, and only audited instead. In addition, I've left the lsm security hook checks in place, as if some policy can block the call, then the user has no other choice than just parsing the procfs file. Signed-off-by: Davidlohr Bueso --- include/uapi/linux/shm.h | 5 +++-- ipc/shm.c | 23 ++++++++++++++++++----- security/selinux/hooks.c | 1 + security/smack/smack_lsm.c | 1 + 4 files changed, 23 insertions(+), 7 deletions(-) diff --git a/include/uapi/linux/shm.h b/include/uapi/linux/shm.h index 4de12a39b075..dde1344f047c 100644 --- a/include/uapi/linux/shm.h +++ b/include/uapi/linux/shm.h @@ -83,8 +83,9 @@ struct shmid_ds { #define SHM_UNLOCK 12 /* ipcs ctl commands */ -#define SHM_STAT 13 -#define SHM_INFO 14 +#define SHM_STAT 13 +#define SHM_INFO 14 +#define SHM_STAT_ANY 15 /* Obsolete, used only for backwards compatibility */ struct shminfo { diff --git a/ipc/shm.c b/ipc/shm.c index 4643865e9171..60827d9c3716 100644 --- a/ipc/shm.c +++ b/ipc/shm.c @@ -915,14 +915,14 @@ static int shmctl_stat(struct ipc_namespace *ns, int shmid, memset(tbuf, 0, sizeof(*tbuf)); rcu_read_lock(); - if (cmd == SHM_STAT) { + if (cmd == SHM_STAT || cmd == SHM_STAT_ANY) { shp = shm_obtain_object(ns, shmid); if (IS_ERR(shp)) { err = PTR_ERR(shp); goto out_unlock; } id = shp->shm_perm.id; - } else { + } else { /* IPC_STAT */ shp = shm_obtain_object_check(ns, shmid); if (IS_ERR(shp)) { err = PTR_ERR(shp); @@ -930,9 +930,20 @@ static int shmctl_stat(struct ipc_namespace *ns, int shmid, } } - err = -EACCES; - if (ipcperms(ns, &shp->shm_perm, S_IRUGO)) - goto out_unlock; + /* + * Semantically SHM_STAT_ANY ought to be identical to + * that functionality provided by the /proc/sysvipc/ + * interface. As such, only audit these calls and + * do not do traditional S_IRUGO permission checks on + * the ipc object. + */ + if (cmd == SHM_STAT_ANY) + audit_ipc_obj(&shp->shm_perm); + else { + err = -EACCES; + if (ipcperms(ns, &shp->shm_perm, S_IRUGO)) + goto out_unlock; + } err = security_shm_shmctl(shp, cmd); if (err) @@ -1072,6 +1083,7 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf) return err; } case SHM_STAT: + case SHM_STAT_ANY: case IPC_STAT: { err = shmctl_stat(ns, shmid, cmd, &sem64); if (err < 0) @@ -1245,6 +1257,7 @@ COMPAT_SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, void __user *, uptr) return err; } case IPC_STAT: + case SHM_STAT_ANY: case SHM_STAT: err = shmctl_stat(ns, shmid, cmd, &sem64); if (err < 0) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 35ef1e9045e8..373dceede50d 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -5734,6 +5734,7 @@ static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd) SECCLASS_SYSTEM, SYSTEM__IPC_INFO, NULL); case IPC_STAT: case SHM_STAT: + case SHM_STAT_ANY: perms = SHM__GETATTR | SHM__ASSOCIATE; break; case IPC_SET: diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 03fdecba93bb..51d22b03b0ae 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -3034,6 +3034,7 @@ static int smack_shm_shmctl(struct shmid_kernel *shp, int cmd) switch (cmd) { case IPC_STAT: case SHM_STAT: + case SHM_STAT_ANY: may = MAY_READ; break; case IPC_SET: -- 2.13.6