Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp5697052ybi; Sun, 7 Jul 2019 10:30:30 -0700 (PDT) X-Google-Smtp-Source: APXvYqxB0GMe0uJUFLJiBKj64Nmf/Sgzj362fQXrIlZv5RcvFsRvAdwTYn/2UXsrm36Nra2u2CVx X-Received: by 2002:a17:902:8489:: with SMTP id c9mr19243116plo.327.1562520630377; Sun, 07 Jul 2019 10:30:30 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1562520630; cv=none; d=google.com; s=arc-20160816; b=0m3tu4AIbGFbuSRFBqWOipx3Gv+22DE7EcLN9nDWfWapYqHjfX1+BjSas2FinUdSmc Q8Es2fH1Tlv7w41v3snWwLoqLcNpppkXWWNayRU4McJ93QZfbNL4632ubiPjJyeUJ/TQ 1WSY4QaTfrSLwlBXqURyQDh0Yu053ms+tA9yaHeHL/PEtjBuWgOm6USpLgzqn580HxHD 7huSw71z0alCdyzzle524vE3eZ/og8zlyuILKmZZpHzT7F1XTd2IfQ/ryDAmeiWbBzNG WkvhC3IhQNf0PKwAg+ax2shpkAB9/YMEhJlc8a542jK1CCjC/syWZxU84Jz2KX89/LxR DPow== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=HPjV5oIkkTKWgs8bzuMudxn+m/34k9ESgX/d9EjKBY4=; b=Kon8ZekxuATkV0t24dWpQpJtD4/pPnzy4GmH1rf/oIpTnTnmPJ1lXzr4ECZemefMJv skg/XuXq/0KOH8vwK780qU7HKfjYDlfQNH4L+JrwZnehT1yR3GyU+TpePtU1OgC5/3Gw fSuk5JUJMV3ERTBOlD0FIEKnvkPk1qIJcR92Io+HQ+/Tfn0A70WKmr3CeUb4gGw9p1u+ I74BXra58H0w3eg2DdNE3jhQJhAVlH55yvWoytOJ7KTo/JVlRg0jksxv+zNdoQNoiaZs dhe/iGMGSu/Cj+eULcIk7yGjZy2RK7hVjkKu+QmmmpwoMHm0mE7Qx6/4TJbtFTAgdpav HEEg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=TWOzKVht; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l1si16118974pgm.391.2019.07.07.10.29.47; Sun, 07 Jul 2019 10:30:30 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=TWOzKVht; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727261AbfGGQPV (ORCPT + 99 others); Sun, 7 Jul 2019 12:15:21 -0400 Received: from mail-io1-f67.google.com ([209.85.166.67]:44376 "EHLO mail-io1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726105AbfGGQPV (ORCPT ); Sun, 7 Jul 2019 12:15:21 -0400 Received: by mail-io1-f67.google.com with SMTP id s7so29430933iob.11; Sun, 07 Jul 2019 09:15:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=HPjV5oIkkTKWgs8bzuMudxn+m/34k9ESgX/d9EjKBY4=; b=TWOzKVhtLNsWGzSmCaNZ6b/RZ3+Q0QunAQWRvFiNWs1RisWJjT0tbEfSaH4szCiWfq 82uSZ4Xvjt6zWF5p026f32NIV/sy/6hd5AsJxTSsxrgwzMPdbEP44HkqaP+B9Q8QLvGY ECPuLqNdhl4Y6DYcbNZMIdDn10XiRwz+pYUe3zKKKxaTqkouVwh3CpK/NeQ4lfy4Qzci /LwMAd/E0YTYFdoEsh6AH3BYOxqZKfKOUnfH6U1WpPC+HbFE6z/yYoBAGaPxrM2iA4PE RA7UnwRtCLj3ZAlGqYs/vpvDG83e6mXKuSofbiuIMkue5dKOkbDzFhtM4/9W0v3YYfRI BqWA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=HPjV5oIkkTKWgs8bzuMudxn+m/34k9ESgX/d9EjKBY4=; b=RR/Ch5zgVIJ1nhgt+7lPw6Moot8YI6A8h/O/Qi+EfWxj1882fp9VLpBKF7wtrtBgF1 8THv548aUNDohDDzOlhBkchoi4EneRTz2jokfC9CcBqSxgebNOz/i+ipds03/254Nqbe 8524Oh9eyrHY5lJ84ytDpjohUZ72zXRoPSA6mBA5mCXu+pxLH8J/stlXP6Le1gqpZWHW 19GGfoFFUY3fHE95wek2wYQeCJOyr1TJDvts6SidG0FTVYJEJyxcg8Y1RBO1WLDTZSkF TjqFuw1f89Skbd7yqBo6xotU6rYv8MQ/yJdMxr4Y2D1zERAD/YNln2Woi6Wbb1FY97jC WZfg== X-Gm-Message-State: APjAAAUNm/rVEcnOfGC1fRd6OzpjfWBfzatpkPMg1092LJuxcl/zJE1g 7W/PM5mzBCrEwoqYTei7S4M81SgCY87NwSr/KIg= X-Received: by 2002:a6b:e20a:: with SMTP id z10mr7315185ioc.76.1562516120337; Sun, 07 Jul 2019 09:15:20 -0700 (PDT) MIME-Version: 1.0 References: <1562410493-8661-1-git-send-email-s.mesoraca16@gmail.com> <1562410493-8661-12-git-send-email-s.mesoraca16@gmail.com> In-Reply-To: From: Salvatore Mesoraca Date: Sun, 7 Jul 2019 18:15:09 +0200 Message-ID: Subject: Re: [PATCH v5 11/12] S.A.R.A.: /proc/*/mem write limitation To: Jann Horn Cc: kernel list , Kernel Hardening , Linux-MM , linux-security-module , Alexander Viro , Brad Spengler , Casey Schaufler , Christoph Hellwig , Kees Cook , PaX Team , "Serge E. Hallyn" , Thomas Gleixner , James Morris Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Jann Horn wrote: > > On Sat, Jul 6, 2019 at 12:55 PM Salvatore Mesoraca > wrote: > > Prevent a task from opening, in "write" mode, any /proc/*/mem > > file that operates on the task's mm. > > A process could use it to overwrite read-only memory, bypassing > > S.A.R.A. restrictions. > [...] > > +static void sara_task_to_inode(struct task_struct *t, struct inode *i) > > +{ > > + get_sara_inode_task(i) = t; > > This looks bogus. Nothing is actually holding a reference to `t` here, right? I think you are right, I should probably store the PID here. > > +} > > + > > static struct security_hook_list data_hooks[] __lsm_ro_after_init = { > > LSM_HOOK_INIT(cred_prepare, sara_cred_prepare), > > LSM_HOOK_INIT(cred_transfer, sara_cred_transfer), > > LSM_HOOK_INIT(shm_alloc_security, sara_shm_alloc_security), > > + LSM_HOOK_INIT(task_to_inode, sara_task_to_inode), > > }; > [...] > > +static int sara_file_open(struct file *file) > > +{ > > + struct task_struct *t; > > + struct mm_struct *mm; > > + u16 sara_wxp_flags = get_current_sara_wxp_flags(); > > + > > + /* > > + * Prevent write access to /proc/.../mem > > + * if it operates on the mm_struct of the > > + * current process: it could be used to > > + * bypass W^X. > > + */ > > + > > + if (!sara_enabled || > > + !wxprot_enabled || > > + !(sara_wxp_flags & SARA_WXP_WXORX) || > > + !(file->f_mode & FMODE_WRITE)) > > + return 0; > > + > > + t = get_sara_inode_task(file_inode(file)); > > + if (unlikely(t != NULL && > > + strcmp(file->f_path.dentry->d_name.name, > > + "mem") == 0)) { > > This should probably at least have a READ_ONCE() somewhere in case the > file concurrently gets renamed? My understanding here is that /proc/$pid/mem files cannot be renamed. t != NULL implies we are in procfs. Under these assumptions I think that that code is fine. Am I wrong? > > + get_task_struct(t); > > + mm = get_task_mm(t); > > + put_task_struct(t); > > Getting and dropping a reference to the task_struct here is completely > useless. Either you have a reference, in which case you don't need to > take another one, or you don't have a reference, in which case you > also can't take one. Absolutely agree. > > + if (unlikely(mm == current->mm)) > > + sara_warn_or_goto(error, > > + "write access to /proc/*/mem"); > > Why is the current process so special that it must be protected more > than other processes? Is the idea here to rely on other protections to > protect all other tasks? This should probably come with a comment that > explains this choice. Yes, I should have spent some more words here. Access to /proc/$pid/mem from other processes is already regulated by security_ptrace_access_check (i.e. Yama). Unfortunately, that hook is ignored when "mm == current->mm". It seems that there is some user-space software that relies on /proc/self/mem being writable (cfr. commit f511c0b17b08). Thank you for your suggestions.