Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp4711754ybi; Sat, 6 Jul 2019 11:22:13 -0700 (PDT) X-Google-Smtp-Source: APXvYqxDDL/43KbpDps/KAR1/rGi9cXyNtYZtBpTHHOvW5wtbkTYWBjwKUJ5llboVwqQaH5SfNHg X-Received: by 2002:a65:498c:: with SMTP id r12mr11887069pgs.27.1562437333015; Sat, 06 Jul 2019 11:22:13 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1562437333; cv=none; d=google.com; s=arc-20160816; b=gn9eAmH6I1q1J8nnMwckWE+ZL2cezhs0+7iPOrF1eoO2G3zVqu2aZf5H1Gwoa0XpG1 Rx225MUDCHEt6sna2Jqm2QIIlDcsQ9tm8k3cMz/MlJVXcwZVM0yPfX9nAshKwHcPrYPI 95RaDr08MKjNuBgvcHbXonot1PhxuDXK7i1R5rhkPjvzOGQZBu+DlfHsSRu5R/VIbav0 0XzapG8NQCf747p6EufJfIcDz/tJmtMg/GByfQpLquTEm9yw0IhTeKUBlQC+59NOnXj7 o66tpoK9DBDGk0/QcaafHbToC7CtdL87qqeDttPuJ626Jf6YWTpqnobyK+9Zq9IGodx1 +yGw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=vjy9ZMLMCWdJezrwnUnOrpuuoAl0MqUTiwkUbUfsV0k=; b=iUY1pRNTx5FqvnpBQY09yzJCkZ1DxDGERpC+k8yvjcjuc2vic/ujNVW2ymkPDOBQmQ LEC5D+ACAH+YwS7+Uae5074UJQJKoGPAXMeISagbrCCriKSXLui/ZjIAZpp0Y0sy44UI oA7iYEF/03mp5xttrrQrOvX0eD9IcAlYdjlQgm9ASTxdFi3B60wiRCGisjOen248FJq9 FjVYbpOryjEkmFRzxTrce89Bw7qhmlo2FzOc95HJF/A07jawjlJ0BpCwFmCBxouoIc/V th8Hqj2guulK3dcy3G8PQsH2qskyWeIWT5rNPCLjpxB/7Q4G9RS3U2hhXyoyTBqs4PFn PM3g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=UjWcfa2y; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q25si13893414pfn.280.2019.07.06.11.21.57; Sat, 06 Jul 2019 11:22:13 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=UjWcfa2y; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727068AbfGFSVD (ORCPT + 99 others); Sat, 6 Jul 2019 14:21:03 -0400 Received: from mail-ot1-f66.google.com ([209.85.210.66]:39643 "EHLO mail-ot1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726743AbfGFSVD (ORCPT ); Sat, 6 Jul 2019 14:21:03 -0400 Received: by mail-ot1-f66.google.com with SMTP id r21so7395135otq.6 for ; Sat, 06 Jul 2019 11:21:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=vjy9ZMLMCWdJezrwnUnOrpuuoAl0MqUTiwkUbUfsV0k=; b=UjWcfa2yuiQr3pr6jvHS9G7b7/XrW6vhOl4h4FyA2pkmQyD/Ukwh09WsYtkSmGlf36 NaUNZYVoR4bKyHeWOylNLEXv5vLpalbjvzXxCYVwPOWxoj3K9lMpnkwGWJIVWHgk/Aam fgp58HCVxZAA3ggPprt8eU47o+2iD3IHtRrmkvzuzEKjw9xrg42OYiz27ZrFCVg3ZiAw PPhz7cmQ8J6Y7yCj4QkHQyabon240CsqoSLHPPTtKWV93yHoxLdYcTf8yeghcgy4y7Y1 B9Juh+11Z1nJ1KPi3G3ufLi7AjloCOX15qfZkMELt6FbO4ouAg7q+pMykjE4c8bjWO5z 4bhw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=vjy9ZMLMCWdJezrwnUnOrpuuoAl0MqUTiwkUbUfsV0k=; b=kqCbTwTxxOvd7kWLOpLn9dR8+9eF8eaQZSL1sR4JVYPK8AlGVxuOkrtnEEWf6t56tY ANDB4KDEZgo7PS5c/GNaYqUyLCrby9XB2KylA6rvd3m6TDLEj5VN77wWnIix1a0kIZMp HMiNLEwM8tKR0pDgf7QEZRW4JwkP6BcCnxM5jXTqdMSYy5ZF19vawgTtVHPBK0SbC3Ae QUg1LmXQ3nDd2yyTmyPYxbftlaMFUdYbxB0VARnmBk46hFV4ZKA+ok3Y6lR2FGimw6li UqYUQDqu2dQ2TcupJsbAhxKq3fbz5QYVFoyZi9ubLqlk9JFGg0wfzNtbI+i09beuUllt boHw== X-Gm-Message-State: APjAAAVuL3U0JQAFR3zqHG2DlvkExlXfj9307rWAxp/wQ5B/u4Nn7RDF zHnPAlBKH4xurKqMmxLvJ0t9Y9tSiLdw1Kd0upLhWx38a9w= X-Received: by 2002:a9d:5a91:: with SMTP id w17mr4400771oth.32.1562437262037; Sat, 06 Jul 2019 11:21:02 -0700 (PDT) MIME-Version: 1.0 References: <1562410493-8661-1-git-send-email-s.mesoraca16@gmail.com> <1562410493-8661-12-git-send-email-s.mesoraca16@gmail.com> In-Reply-To: <1562410493-8661-12-git-send-email-s.mesoraca16@gmail.com> From: Jann Horn Date: Sat, 6 Jul 2019 20:20:35 +0200 Message-ID: Subject: Re: [PATCH v5 11/12] S.A.R.A.: /proc/*/mem write limitation To: Salvatore Mesoraca Cc: kernel list , Kernel Hardening , Linux-MM , linux-security-module , Alexander Viro , Brad Spengler , Casey Schaufler , Christoph Hellwig , James Morris , Kees Cook , PaX Team , "Serge E. Hallyn" , Thomas Gleixner Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Jul 6, 2019 at 12:55 PM Salvatore Mesoraca wrote: > Prevent a task from opening, in "write" mode, any /proc/*/mem > file that operates on the task's mm. > A process could use it to overwrite read-only memory, bypassing > S.A.R.A. restrictions. [...] > +static void sara_task_to_inode(struct task_struct *t, struct inode *i) > +{ > + get_sara_inode_task(i) = t; This looks bogus. Nothing is actually holding a reference to `t` here, right? > +} > + > static struct security_hook_list data_hooks[] __lsm_ro_after_init = { > LSM_HOOK_INIT(cred_prepare, sara_cred_prepare), > LSM_HOOK_INIT(cred_transfer, sara_cred_transfer), > LSM_HOOK_INIT(shm_alloc_security, sara_shm_alloc_security), > + LSM_HOOK_INIT(task_to_inode, sara_task_to_inode), > }; [...] > +static int sara_file_open(struct file *file) > +{ > + struct task_struct *t; > + struct mm_struct *mm; > + u16 sara_wxp_flags = get_current_sara_wxp_flags(); > + > + /* > + * Prevent write access to /proc/.../mem > + * if it operates on the mm_struct of the > + * current process: it could be used to > + * bypass W^X. > + */ > + > + if (!sara_enabled || > + !wxprot_enabled || > + !(sara_wxp_flags & SARA_WXP_WXORX) || > + !(file->f_mode & FMODE_WRITE)) > + return 0; > + > + t = get_sara_inode_task(file_inode(file)); > + if (unlikely(t != NULL && > + strcmp(file->f_path.dentry->d_name.name, > + "mem") == 0)) { This should probably at least have a READ_ONCE() somewhere in case the file concurrently gets renamed? > + get_task_struct(t); > + mm = get_task_mm(t); > + put_task_struct(t); Getting and dropping a reference to the task_struct here is completely useless. Either you have a reference, in which case you don't need to take another one, or you don't have a reference, in which case you also can't take one. > + if (unlikely(mm == current->mm)) > + sara_warn_or_goto(error, > + "write access to /proc/*/mem"); Why is the current process so special that it must be protected more than other processes? Is the idea here to rely on other protections to protect all other tasks? This should probably come with a comment that explains this choice. > + mmput(mm); > + } > + return 0; > +error: > + mmput(mm); > + return -EACCES; > +}