Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp1140264imm; Fri, 27 Jul 2018 11:49:13 -0700 (PDT) X-Google-Smtp-Source: AAOMgpfDQYYfoBeU+DlNhInyJunafEFIzA0v4cvp5L346PcK1fwXcWbCSxeNcz7aJ61kBtUcNz0P X-Received: by 2002:a63:4a61:: with SMTP id j33-v6mr7156488pgl.436.1532717353751; Fri, 27 Jul 2018 11:49:13 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1532717353; cv=none; d=google.com; s=arc-20160816; b=D80At4rYvIBWgI22mKNs580wbcGBpRfAGyA+jBjhM1NvU3JmyfStZ3D8F22f8wqk5T Pjijn8WeMFXNoPKXJvSHDEYCMArZy11XvfOJ1tqlLGNJVMbs+SoBwdufU4NA8aPoUEo0 bZpES6juoJpu+5cC/ssQMJW4Wx642FsYdFzcTujv3Xtw1Mnz+iZf1jd7Vn6HZTKpD5ZO jjmel1vr9xVOSVtaCezaYjGSb3dXOtjpr2N2vnc6bodyzkcbl3baewD2SsStAahOGsLb 9fIOdl4bmeDaQjYOj6ibDOHVn5+xxDmP6WUp/QuWRxzIF++/R8wRlp9s4c3ChPkrGCfQ IBsw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature:arc-authentication-results; bh=peCe8nZd2zfmObYGbPG/mRpbAEM9dsWSMBHp214uboM=; b=F49CpXaQHXnDKHnRN+qtx+tfozSCyvGKNrCOPP3QkGCVnhUWIkcw8BPa2phVOHCRna Ry/O6Fj9zEZJFAWaN9E6EIKNy5tiscYnTDQR+bFJkZFhEYKd/TH1IUMhZKYGwT1HD8O3 ofauAVg+sEUjUb3tDhQfZlQkM4vJ839Z0/PwSRezUxN80v8uwZEatYu/OIuVUEnEYxFE PENRUx1TMyTvp4b6us2PIANYT96KePTJnzkHqD1FDL694wgZMij6Ix8V/VoFe+10zSOH /sh6i05HxKCFzDr5P8fBgjDXNeE3cJDl6OiHDoDbsy6zdWx6wNzo2aNunmM/DyYWlLAU wchw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=Yox7sid3; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id n7-v6si4119207pgm.612.2018.07.27.11.48.59; Fri, 27 Jul 2018 11:49:13 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=Yox7sid3; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389277AbeG0ULE (ORCPT + 99 others); Fri, 27 Jul 2018 16:11:04 -0400 Received: from mail-oi0-f66.google.com ([209.85.218.66]:33108 "EHLO mail-oi0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388925AbeG0ULE (ORCPT ); Fri, 27 Jul 2018 16:11:04 -0400 Received: by mail-oi0-f66.google.com with SMTP id l10-v6so10804787oii.0 for ; Fri, 27 Jul 2018 11:47:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=peCe8nZd2zfmObYGbPG/mRpbAEM9dsWSMBHp214uboM=; b=Yox7sid3WZrjKnkcl/7zjxQgi7/2aYACpYSzItCwEk4ZnGBP9ZaefSYamhVgtL4fnL u2+SLszTVbrp1lxDgJfQA83YGNPIsOJDmq7kvqXqnZWGtzPQ8JUN64d59kXN5wCslAVe C22mVXMsYmu7wTrksNQMX20Unj6LicYHNKFdYOm1snQTUdbDKRnlFGrmDgyV31apCd6Z CBptk92A6tohOFBYBCbgrC+ZJqEoIAjU1FhOuRqvUJu2jik3qmUJm+35niTHSvRUerAC Aqi/RrWjyCoG69Be7rV5JJrIa2QJGqmL2FwkaUx6r5xOtY+SwgnEv8aMEEGi1YRD6gsu vIXg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=peCe8nZd2zfmObYGbPG/mRpbAEM9dsWSMBHp214uboM=; b=qcpxFK9u/chB9B3bC4lAxOgDkPxNoQUJSnDsQRTIIwYGUSJEIJRCL4pGIzrZak0GEo 5qBcxL2qd3f7eXal6UuII/DSFxx2VWu3JFprohfN+8j6UFLtMYk9mOuXxqJTOKh6XqBj eYu/XRYtOdF+gm8NkytK56gSuor6DHvkQHQn7II7gQkVPKrJpgsuQVAPICyalmJXIgXP 4TvveEYy/R9XsnfqyZNW3Yrh6JfEqpeTCfj3g2o/yHSvwJW5vkjmKO3LPKAJcjGKmJpC OBuY21l5N2xjGF7ScT8Ep+UWgpHH5osmAAayaPq9WI56GyuunC05tcNvSvW0RPQd1qQ9 1YpQ== X-Gm-Message-State: AOUpUlG9w6U9T77sr75AZUdjy7E6Nq6ZDjuddqfwo5SMqcpk0wq6n87w 1y63ZCalxQP9SL0na7wwcQLUPL9a4G0uDAqBdwbc2w== X-Received: by 2002:aca:1c04:: with SMTP id c4-v6mr8068029oic.173.1532717273797; Fri, 27 Jul 2018 11:47:53 -0700 (PDT) MIME-Version: 1.0 References: <20180725202238.165314-1-salyzyn@android.com> <20180725210717.3b807191@vmware.local.home> <11437c3e-5131-7190-c496-7b51eb7fcc2a@android.com> <20180726153153.GA8327@kroah.com> <20180726181558.25a5c3b8@gandalf.local.home> <753E9YR1QhdsPhsFoYuXCwfUzfyntDrc_A93hMUkktMi7lbh3KUZMcbfqKVWUfi15zYhuiDFant-ROa4QNV5shx74ff4hGngq2BOJDv-hq4=@protonmail.ch> <20180727094730.3a448629@gandalf.local.home> <20180727143141.4b53d554@gandalf.local.home> In-Reply-To: From: Jann Horn Date: Fri, 27 Jul 2018 20:47:27 +0200 Message-ID: Subject: Re: [PATCH] tracing: do not leak kernel addresses To: salyzyn@google.com Cc: Steven Rostedt , Nick Desaulniers , Golden_Miller83@protonmail.ch, Greg KH , Kees Cook , salyzyn@android.com, kernel list , Ingo Molnar , kernel-team@android.com, stable@vger.kernel.org, Kernel Hardening Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Jul 27, 2018 at 8:41 PM Mark Salyzyn wrote: > > Any system can chose to change the permissions of a sysfs node, default, = DAC (and MAC) is just layers of multi-level security (or lack thereof). As = well intentioned as a default DAC is in the kernel, leaking kernel addresse= s is still an attack surface that we want to close tightly. > > For instance on Android: > > chmod 0755 /sys/kernel/debug/tracing > > is in the common init.rc file ... > > If DAC has been adjusted at runtime to permit access to the node, I would= think that if the caller does not have all the credentials/capabilities, w= e do want the addresses to be abstracted by the kernel. If you adjust the access controls on debugfs to permit things that aren't possible upstream, you may have to add new access controls to ensure that that doesn't lead to security issues. And, in fact, you did: walleye:/ # ls -laZ /sys/kernel/debug total 0 drwxr-xr-x 100 root root u:object_r:debugfs:s0 0 2018-07-27 18:= 08 . drwxr-xr-x 19 root root u:object_r:sysfs:s0 0 1970-06-04 10:= 30 .. [...] drwxr-xr-x 6 root root u:object_r:debugfs_tracing:s0 0 1970-01-01 01:00 tracing drwxr-xr-x 2 root root u:object_r:debugfs:s0 0 1970-01-01 01:00 tsens drwxr-xr-x 2 root root u:object_r:debugfs:s0 0 1970-01-01 01:00 tzdbg drwxr-xr-x 4 root root u:object_r:debugfs_ufs:s0 0 1970-01-01 01:00 ufshcd0 drwxr-xr-x 2 root root u:object_r:debugfs:s0 0 1970-01-01 01:00 usb drwxr-xr-x 2 root root u:object_r:debugfs:s0 0 1970-01-01 01:00 usb-pdphy drwxr-xr-x 2 root root u:object_r:debugfs:s0 0 1970-01-01 01:00 usb_diag drwxr-xr-x 2 root root u:object_r:debugfs:s0 0 1970-01-01 01:00 vmem -r--r--r-- 1 root root u:object_r:debugfs:s0 0 1970-01-01 01:00 wakeup_sources drwxr-xr-x 2 root root u:object_r:debugfs:s0 0 2018-07-27 18:07 wcd_spi drwxr-xr-x 2 root root u:object_r:debugfs:s0 0 2018-07-27 18:07 wdsp0 drwxr-xr-x 2 root root u:object_r:debugfs_wlan:s0 0 2018-07-27 18:07 wlan0 drwxr-xr-x 3 root root u:object_r:debugfs:s0 0 2018-07-27 18:07 wlan_qdf Stuff in the debugfs mount is labeled as "debugfs", with a few exceptions. And the SELinux policy locks down access to debugfs: public/domain.te:neverallow { domain -init -vendor_init -system_server -dumpstate } debugfs:file no_rw_file_perms; > On Fri, Jul 27, 2018 at 11:31 AM, Steven Rostedt wr= ote: >> >> On Fri, 27 Jul 2018 11:13:51 -0700 >> Nick Desaulniers wrote: >> >> > I found the internal bug report (reported Jan '17, you'll have to >> > forgive me if my memory of the issue is hazy, or if the fix used at >> > the time wasn't perfect), which was reported against the Nexus 6. >> > >From the report, it was possible to `cat >> > /sys/kernel/debug/tracing/printk_formats` without being root, which I >> > can't do on my workstations much more modern kernel (Nexus 6 was >> > 3.10). So I guess the question is what governs access to files below >> > /sys/kernel/debug, and why was it missing from those kernels? I >> > assume some check was added, but either not backported to 3.10 stable >> > (or more likely not pulled in to Nexus 6's kernel through stable; >> > Android is now in a much better place for that kind of issue). >> >> As of commit 82aceae4f0d4 ("debugfs: more tightly restrict default >> mount mode") /sys/kernel/debug has been default mounted as 0700 (root >> only). But that was introduced in 3.7. Not sure why your 3.10 kernel >> didn't have that. Perhaps there's another commit that fixed >> permissions not being inherited? >> >> -- Steve >> >> -- >> You received this message because you are subscribed to the Google Group= s "kernel-team" group. >> To unsubscribe from this group and stop receiving emails from it, send a= n email to kernel-team+unsubscribe@android.com. >> >