MIME-Version: 1.0 References: <74a91362-247c-c749-5200-7bdce704ed9e@gmail.com> <20191112232239.yevpeemgxz4wy32b@wittgenstein> In-Reply-To: <20191112232239.yevpeemgxz4wy32b@wittgenstein> From: Andy Lutomirski Date: Tue, 12 Nov 2019 20:50:50 -0800 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH] Allow restricting permissions in /proc/sys To: Christian Brauner Cc: Topi Miettinen , Luis Chamberlain , Kees Cook , Alexey Dobriyan , "linux-kernel@vger.kernel.org" , "open list:FILESYSTEMS (VFS and infrastructure)" , Linux API Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Nov 12, 2019 at 3:22 PM Christian Brauner wrote: > > [Cc+ linux-api@vger.kernel.org] > > since that's potentially relevant to quite a few people. > > On Sun, Nov 03, 2019 at 04:55:48PM +0200, Topi Miettinen wrote: > > Several items in /proc/sys need not be accessible to unprivileged > > tasks. Let the system administrator change the permissions, but only > > to more restrictive modes than what the sysctl tables allow. > > > > Signed-off-by: Topi Miettinen > > --- > > fs/proc/proc_sysctl.c | 41 +++++++++++++++++++++++++++++++---------- > > 1 file changed, 31 insertions(+), 10 deletions(-) > > > > diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c > > index d80989b6c344..88c4ca7d2782 100644 > > --- a/fs/proc/proc_sysctl.c > > +++ b/fs/proc/proc_sysctl.c > > @@ -818,6 +818,10 @@ static int proc_sys_permission(struct inode *inode, int > > mask) > > if ((mask & MAY_EXEC) && S_ISREG(inode->i_mode)) > > return -EACCES; > > > > + error = generic_permission(inode, mask); > > + if (error) > > + return error; > > + > > head = grab_header(inode); > > if (IS_ERR(head)) > > return PTR_ERR(head); 
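Review bot: the new `generic_permission(inode, mask)` call is placed before `grab_header()` and the table-specific checks that follow it (not shown in the hunk), so access now requires both the inode's mode bits and the existing sysctl checks to pass; that is the intended tightening, but `generic_permission()` honours CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH, so a tightened mode only restricts unprivileged tasks, and the commit message should say so explicitly. The hunk also assigns `error` without its declaration being visible in the context lines; confirm `int error;` already exists in `proc_sys_permission()` so the change builds as posted.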
> > @@ -837,9 +841,35 @@ static int proc_sys_setattr(struct dentry *dentry, > > struct iattr *attr) > > struct inode *inode = d_inode(dentry); > > int error; > > > > - if (attr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) > > + if (attr->ia_valid & (ATTR_UID | ATTR_GID)) > > return -EPERM; Supporting at least ATTR_GID would make this much more useful. > > > > + if (attr->ia_valid & ATTR_MODE) { > > + struct ctl_table_header *head = grab_header(inode); > > + struct ctl_table *table = PROC_I(inode)->sysctl_entry; > > + umode_t max_mode = 0777; /* Only these bits may change */ > > + > > + if (IS_ERR(head)) > > + return PTR_ERR(head); > > + > > + if (!table) /* global root - r-xr-xr-x */ > > + max_mode &= ~0222; > > + else /* > > + * Don't allow permissions to become less > > + * restrictive than the sysctl table entry > > + */ > > + max_mode &= table->mode; Style nit: please put braces around multi-line if and else branches, even if they're only multi-line because of comments. > > + > > + sysctl_head_finish(head); > > + > > + /* Execute bits only allowed for directories */ > > + if (!S_ISDIR(inode->i_mode)) > > + max_mode &= ~0111; Why is this needed?
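Review bot: the visible part of this hunk computes `max_mode` but never compares it with `attr->ia_mode`; the rejection of a requested mode containing bits outside `max_mode` must live in the truncated remainder of the hunk, and it needs to run before the mode is copied into the inode so a refused chmod leaves `i_mode` unchanged. The `!S_ISDIR(inode->i_mode)` clause duplicates the `MAY_EXEC`-on-regular-file rejection already present in `proc_sys_permission()`, so if it is kept the commit message should state that it only keeps the displayed mode consistent with what is enforced rather than adding enforcement. Since the patch turns a previously unconditional `-EPERM` for `ATTR_MODE` into an allowed operation, the commit message should also spell out that chmod on /proc/sys entries is now permitted and that relaxing back up to `table->mode` remains possible.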