Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp1134852imm; Fri, 27 Jul 2018 11:42:50 -0700 (PDT) X-Google-Smtp-Source: AAOMgpcJp3VSYVuClxkULY3LF/SgfpHycw1hKSVYVsmCEhYENtLHoCYDCbbYEi3A8NCI1XcfX01X X-Received: by 2002:a63:d946:: with SMTP id e6-v6mr2154348pgj.24.1532716970289; Fri, 27 Jul 2018 11:42:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1532716970; cv=none; d=google.com; s=arc-20160816; b=xzeiHw7DdEcGfoYQu3/UeYwv3fgiaJW7wEUCPPvf1QuApfwxZWqkNBsdo+6oaCEKnD 7n+6M0mHAIFBnFiyu4HUXqUB813v1CCYuzKGurfTB/tUXd4J6V0Eo+ySQNtrhfGHlLcm /L/0mo5TQAY0eOj0JLTDzx3cyCwfaPmkPIXcFQ0Hp4XhhRiSzozNAQQ9bmcK2svo8F/Z ryDmGfL8kWPHap6Ua9CYpaqt3GzSyXBl3dZ2hNdDUKOc2aNSRN35brn/MUzbrpBmdzy6 8ePACsQefeQigdY1l/932TepSpwloWUsW+SUAoP9bnSyLdXqOzxLsAFyKLxgUDsIHs2y tHig== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=kkYrRag/tGEYG6vmkzPdrcFtBDXq4VG0bc0u46u1XxQ=; b=WgGM2RsPqDbXvUevq+DTzo6pZBUC3QUk76BzYh1P9yG4pBt+xhH5JhRvoYk3iG7I3b CTkBqM1EZ1Txhg7Yp2ptXaMjuP/QTAYK42ksB4GnBhpiwR+kwi408LZW1cdl8UbIUBEg rVMV9YfKn4Qyn8A+jirKQSUZ0McH8Gco70fvJUfn/89TM58Mpsq8eUgX1I5xyFYjyl+m HUAoeqxDb5lIhAccuwRx9bjQZR2Eo5WKr87zqLyH7aqDX/L5LFfqiues8PzWSHn3n6Qx ZwmeJpYHp7J+i6XIxqhJ/vlsVQQZ/Db85jkXa5K/JTjalB/fZ69NMH/7bzqcnYXeEghL x/OA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=nZun9kKo; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 5-v6si3988370plx.517.2018.07.27.11.42.34; Fri, 27 Jul 2018 11:42:50 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=nZun9kKo; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389119AbeG0UEP (ORCPT + 99 others); Fri, 27 Jul 2018 16:04:15 -0400 Received: from mail-oi0-f68.google.com ([209.85.218.68]:35776 "EHLO mail-oi0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388964AbeG0UEP (ORCPT ); Fri, 27 Jul 2018 16:04:15 -0400 Received: by mail-oi0-f68.google.com with SMTP id i12-v6so10778228oik.2 for ; Fri, 27 Jul 2018 11:41:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=kkYrRag/tGEYG6vmkzPdrcFtBDXq4VG0bc0u46u1XxQ=; b=nZun9kKob85S1LVw5PjBTrtC1OdBm64qZzvyUP6yfHo3jKb4yMiBwidA7NH2WRr2Q/ GC+NZGt1SvW7vsWE+bXFq4ILLW6axhlyG8uI2QvIqtZcS1/oQXcsYQe7Jn9//IFI+kl5 U2t4N+2QwNy4DXqRl5AObU3WDKKgkwm55SoYazH64lskhH3z91A1YPvxFICCmeV0Xg1s K/HM0xV04emQE9jAlOGZEMAk5nmLUyC7tVWic+63zicj5w56kZvmBTZ6fVfxH/wcZ+jw NubAvNL5L+8+Q0GhgnoriKQLkezr+xnZqjLVS7xbQwRCsly6bUFEgXVZh/+vVUNaDh6b GbGg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=kkYrRag/tGEYG6vmkzPdrcFtBDXq4VG0bc0u46u1XxQ=; b=ja+Pp07TP6hAnJGIYiwOPaotHdCRFVeX0a5L5W9EeiBER0UE/Sajq0S64Lvx66LoCx oazwIksWvZ0hDlwrXXCuZKuOsS8+2C3LrMK/EnPvPa5IoABz7Yr2Dt24MCTgT1mVt8M9 M3naRGfJegd1wxiWl5/by/mGjdTl42jKq0+VikaWMI+ftlp5PaarzxFys6xhwEYuxJ2E 1yx5l7EZbDgSOCMFia6KfKS8yUXXKSXWYIbOyAoZVdZR6OlD68SHBZSy4kON8n1BZFpn Mm7fVjRVRyHIQXr9Gldko2tJIkgXREBjbF4t1EGTLxGCBY22LgYbiqvSOVb7EAWLJYef tHPg== X-Gm-Message-State: AOUpUlG/sJ+i03m1kyS+Y4OeJCBs15+8mM9Z/ABovb1ErCxna4RpbIyJ fIKEjvk6ZywdAcbJg78Yfg09VzgjIFco1jkamkLeoA== X-Received: by 2002:aca:e6cd:: with SMTP id d196-v6mr7394940oih.94.1532716866043; Fri, 27 Jul 2018 11:41:06 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:ac9:750d:0:0:0:0:0 with HTTP; Fri, 27 Jul 2018 11:41:05 -0700 (PDT) In-Reply-To: <20180727143141.4b53d554@gandalf.local.home> References: <20180725202238.165314-1-salyzyn@android.com> <20180725210717.3b807191@vmware.local.home> <11437c3e-5131-7190-c496-7b51eb7fcc2a@android.com> <20180726153153.GA8327@kroah.com> <20180726181558.25a5c3b8@gandalf.local.home> <753E9YR1QhdsPhsFoYuXCwfUzfyntDrc_A93hMUkktMi7lbh3KUZMcbfqKVWUfi15zYhuiDFant-ROa4QNV5shx74ff4hGngq2BOJDv-hq4=@protonmail.ch> <20180727094730.3a448629@gandalf.local.home> <20180727143141.4b53d554@gandalf.local.home> From: Mark Salyzyn Date: Fri, 27 Jul 2018 11:41:05 -0700 Message-ID: Subject: Re: [PATCH] tracing: do not leak kernel addresses To: Steven Rostedt Cc: Nick Desaulniers , Jann Horn , Golden_Miller83@protonmail.ch, greg@kroah.com, Kees Cook , Mark Salyzyn , LKML , mingo@redhat.com, Android Kernel Team , stable@vger.kernel.org, kernel-hardening@lists.openwall.com Content-Type: multipart/alternative; boundary="0000000000005830330571ff7440" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --0000000000005830330571ff7440 Content-Type: text/plain; charset="UTF-8" Any system can chose to change the permissions of a sysfs node, default, DAC (and MAC) is just layers of multi-level security (or lack thereof). As well intentioned as a default DAC is in the kernel, leaking kernel addresses is still an attack surface that we want to close tightly. For instance on Android: chmod 0755 /sys/kernel/debug/tracing is in the common init.rc file ... If DAC has been adjusted at runtime to permit access to the node, I would think that if the caller does not have all the credentials/capabilities, we do want the addresses to be abstracted by the kernel. -- Mark On Fri, Jul 27, 2018 at 11:31 AM, Steven Rostedt wrote: > On Fri, 27 Jul 2018 11:13:51 -0700 > Nick Desaulniers wrote: > > > I found the internal bug report (reported Jan '17, you'll have to > > forgive me if my memory of the issue is hazy, or if the fix used at > > the time wasn't perfect), which was reported against the Nexus 6. > > >From the report, it was possible to `cat > > /sys/kernel/debug/tracing/printk_formats` without being root, which I > > can't do on my workstations much more modern kernel (Nexus 6 was > > 3.10). So I guess the question is what governs access to files below > > /sys/kernel/debug, and why was it missing from those kernels? I > > assume some check was added, but either not backported to 3.10 stable > > (or more likely not pulled in to Nexus 6's kernel through stable; > > Android is now in a much better place for that kind of issue). > > As of commit 82aceae4f0d4 ("debugfs: more tightly restrict default > mount mode") /sys/kernel/debug has been default mounted as 0700 (root > only). But that was introduced in 3.7. Not sure why your 3.10 kernel > didn't have that. Perhaps there's another commit that fixed > permissions not being inherited? > > -- Steve > > -- > You received this message because you are subscribed to the Google Groups > "kernel-team" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to kernel-team+unsubscribe@android.com. > > --0000000000005830330571ff7440 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Any system can chose to change the permissions of a sysfs = node, default, DAC (and MAC) is just layers of multi-level security (or lac= k thereof). As well intentioned as a default DAC is in the kernel, leaking = kernel addresses is still an attack surface that we want to close tightly.<= div>
For instance on Android:

=C2=A0= =C2=A0 =C2=A0chmod 0755 /sys/kernel/debug/tracing

is in the common init.rc file ...

If DAC has= been adjusted at runtime to permit access to the node, I would think that = if the caller does not have all the credentials/capabilities, we do want th= e addresses to be abstracted by the kernel.

= -- Mark

On Fri, Jul 27, 2018 at 11:31 AM, Steven Rostedt <rostedt@goodmis.org<= /a>> wrote:
On= Fri, 27 Jul 2018 11:13:51 -0700
Nick Desaulniers <ndesaulnier= s@google.com> wrote:

> I found the internal bug report (reported Jan '17, you'll have= to
> forgive me if my memory of the issue is hazy, or if the fix used at > the time wasn't perfect), which was reported against the Nexus 6.<= br> > >From the report, it was possible to `cat=C2=A0
> /sys/kernel/debug/tracing/printk_formats` without being root, whi= ch I
> can't do on my workstations much more modern kernel (Nexus 6 was > 3.10).=C2=A0 So I guess the question is what governs access to files b= elow
> /sys/kernel/debug, and why was it missing from those kernels?=C2=A0 I<= br> > assume some check was added, but either not backported to 3.10 stable<= br> > (or more likely not pulled in to Nexus 6's kernel through stable;<= br> > Android is now in a much better place for that kind of issue).

As of commit 82aceae4f0d4 ("debugfs: more tightly restrict defa= ult
mount mode") /sys/kernel/debug has been default mounted as 0700 (root<= br> only). But that was introduced in 3.7. Not sure why your 3.10 kernel
didn't have that. Perhaps there's another commit that fixed
permissions not being inherited?

-- Steve

--
You received this message because you are subscribed to the Google Groups &= quot;kernel-team" group.
To unsubscribe from this group and stop receiving emails from it, send an e= mail to kernel-tea= m+unsubscribe@android.com.


--0000000000005830330571ff7440--