Date: Tue, 25 Sep 2018 23:16:45 -0400
From: "Theodore Y. Ts'o"
To: TongZhang
Cc: Cyrill Gorcunov, adobriyan@gmail.com, akpm@linux-foundation.org, viro@zeniv.linux.org.uk, LKML, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, Wenbo Shen
Subject: Re: Leaking path for set_task_comm
Message-ID: <20180926031645.GB3321@thunk.org>
References: <20180925183953.GI15710@uranus> <0CD63E6E-7512-4DD6-8858-4408416DC730@vt.edu>
In-Reply-To: <0CD63E6E-7512-4DD6-8858-4408416DC730@vt.edu>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Sep 25, 2018 at 08:44:39PM -0400, TongZhang wrote:
> Yes, this is exactly what I am saying.
> A process can change its own name using prctl or /proc/self/comm.
> prctl is protected by security_task_prctl, whereas /proc/self/comm is not protected by this LSM hook.
>
> A system admin may expect to use security_task_prctl to block all attempts to change process name, however, it can still change name using /proc/self/comm.

None of the in-tree LSM's try to affect PR_SET_NAME. Looking at
security/commoncap.c, it's clear what is of interest is checking
things relating to security sensitive things relating to capabilities,
such as:

	PR_SET_SECUREBITS
	PR_CAPBSET_*
	PR_*_SECUREBITS
	PR_*_KEEPCAPS
	PR_CAP_AMBIENT

Trying to depend on task name for anything security sensitive is a
_really_ bad idea, so it seems unlikely that an LSM would want to
protect the process name. (And if they did, the first thing I would
ask is "Why? What are you trying to do? Do you realize how many
*other* ways the process name can be spoofed or otherwise controlled
by a potentially malicious user?")

						- Ted
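
The two rename paths discussed in this thread, as an added example that is not part of the original message or of the kernel source: an unprivileged task sets its own comm through prctl(PR_SET_NAME) and through /proc/self/comm, which shows why comm is a self-reported label rather than an input for policy or detection. The function names and the sample names are constructed for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <unistd.h>

#define COMM_LEN 16 /* TASK_COMM_LEN in the kernel, including the NUL */

/* Read the calling thread's comm; buf must hold COMM_LEN bytes. */
int get_comm(char *buf)
{
    memset(buf, 0, COMM_LEN);
    return prctl(PR_GET_NAME, (unsigned long)buf, 0, 0, 0);
}

/* Path 1: prctl(PR_SET_NAME), the path that reaches security_task_prctl. */
int set_comm_prctl(const char *name)
{
    return prctl(PR_SET_NAME, (unsigned long)name, 0, 0, 0);
}

/* Path 2: write to /proc/self/comm, the path the thread says skips that hook. */
int set_comm_procfs(const char *name)
{
    int fd = open("/proc/self/comm", O_WRONLY);
    if (fd < 0)
        return -1; /* procfs not mounted or not writable */
    ssize_t n = write(fd, name, strlen(name));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* 1 if comm equals `expected` after the kernel's 15-byte truncation. */
int comm_is(const char *expected)
{
    char cur[COMM_LEN], want[COMM_LEN] = {0};
    strncpy(want, expected, COMM_LEN - 1);
    return get_comm(cur) == 0 && strcmp(cur, want) == 0;
}

int main(void)
{
    char buf[COMM_LEN];
    /* Sample names below are constructed for this example. */
    printf("prctl  rc=%d\n", set_comm_prctl("constructed-a"));
    printf("procfs rc=%d\n", set_comm_procfs("constructed-b"));
    get_comm(buf);
    printf("comm is now \"%s\"\n", buf);
    return 0;
}
```

Tooling that needs to identify a process should rely on attributes the task cannot rewrite this way, such as the /proc/<pid>/exe link or the LSM label, and treat comm as display text only.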