From: Kees Cook
Date: Tue, 10 Apr 2018 14:23:17 -0700
Subject: Re: [PATCH v4] Protected FIFOs and regular files
To: Salvatore Mesoraca
Cc: LKML, Kernel Hardening, "linux-fsdevel@vger.kernel.org", Alan Cox, Alexander Viro, David Laight, Ian Campbell, Jann Horn, Matthew Wilcox, Pavel Vasilyev, Solar Designer, "Eric W. Biederman", "Tobin C. Harding"
References: <1519729200-16056-1-git-send-email-s.mesoraca16@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Feb 28, 2018 at 1:22 AM, Salvatore Mesoraca wrote:
> 2018-02-27 21:22 GMT+01:00 Kees Cook:
>> On Tue, Feb 27, 2018 at 11:47 AM, Kees Cook wrote:
>>> On Tue, Feb 27, 2018 at 3:00 AM, Salvatore Mesoraca
>>> wrote:
>>>> Disallows open of FIFOs or regular files not owned by the user in world
>>>> writable sticky directories, unless the owner is the same as that of
>>>> the directory or the file is opened without the O_CREAT flag.
>>>> The purpose is to make data spoofing attacks harder.
>>>> This protection can be turned on and off separately for FIFOs and regular
>>>> files via sysctl, just like the symlinks/hardlinks protection.
>>>> This patch is based on Openwall's "HARDEN_FIFO" feature by Solar
>>>> Designer.
>>>>
>>>> This is a brief list of old vulnerabilities that could have been prevented
>>>> by this feature, some of them even allow for privilege escalation:
>>>> CVE-2000-1134
>>>> CVE-2007-3852
>>>> CVE-2008-0525
>>>> CVE-2009-0416
>>>> CVE-2011-4834
>>>> CVE-2015-1838
>>>> CVE-2015-7442
>>>> CVE-2016-7489
>>>>
>>>> This list is not meant to be complete. It's difficult to track down
>>>> all vulnerabilities of this kind because they were often reported
>>>> without any mention of this particular attack vector.
>>>> In fact, before hardlinks/symlinks restrictions, fifos/regular
>>>> files weren't the favorite vehicle to exploit them.
>>>>
>>>> Suggested-by: Solar Designer
>>>> Suggested-by: Kees Cook
>>>> Signed-off-by: Salvatore Mesoraca
>>>> [...]
>>>
>>> I think this looks great.
>>>
>>> Acked-by: Kees Cook
>>
>> Tested-by: Kees Cook
>
> Awesome! Thank you very much for your help!

Salvatore, do you want to send this again as a v5 with my two
follow-up patches, as I have them here:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/log/?h=kspp/userspace/protected-creat
or would you like me to send those?

I would expect this series to land via the -mm tree, since that tends
to be the catch-all. (In which case, the series should be To: akpm
with everyone else in Cc.)

-Kees

-- 
Kees Cook
Pixel Security