Date: Thu, 25 Apr 2024 17:43:33 -0700
From: Kees Cook
To: Kent Overstreet
Cc: Andrew Morton, Matthew Wilcox, Suren Baghdasaryan, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH] alloc_tag: Tighten file permissions on /proc/allocinfo
Message-ID: <202404251740.81F21E54@keescook>

On Thu, Apr 25, 2024 at 08:27:05PM -0400, Kent Overstreet wrote:
> On Thu, Apr 25, 2024 at 04:47:18PM -0700, Andrew Morton wrote:
> > On Thu, 25 Apr 2024 15:42:30 -0700 Kees Cook wrote:
> >
> > > > The concern about leaking image layout could be addressed by sorting the
> > > > output before returning to userspace.
> > >
> > > It's trivial to change permissions from the default 0400 at boot time.
> > > It can even have groups and ownership changed, etc. This is why we have
> > > per-mount-namespace /proc instances:
> > >
> > > 	# chgrp sysmonitor /proc/allocinfo
> > > 	# chmod 0440 /proc/allocinfo
> > >
> > > Poof, instant role-based access control. :)
> >
> > Conversely, the paranoid could set it to 0400 at boot also.
> >
> > > I'm just trying to make the _default_ safe.
> >
> > Agree with this.
> >
> > Semi-seriously, how about we set the permissions to 0000 and force
> > distributors/users to make a decision.
>
> I'm ok with 0400 for now since it's consistent with slabinfo, but I'd
> really like to see a sysctl for debug info paranoia. We shouldn't be
> leaving this to the distros; we're the ones with the expertise to say
> what would be covered by that sysctl.

We've not had great luck with sysctls (see userns sysctl discussions)
since they don't provide sufficient granularity.

All this said, I'm still not excited about any of these files living
in /proc at all -- we were supposed to use /sys for this kind of thing,
but its interface wasn't great for this kind of more "free-form" data,
and debugfs isn't good for production interfaces. /proc really should
only have pid information -- we end up exposing these top-level files to
every mount namespace with a /proc mount. :( But that's a yet-to-be-solved
problem...

-Kees

-- 
Kees Cook
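
Added example, not part of the message above and not kernel or project code: a small audit of who can read the debug files named in the thread under a given /proc mount, classifying each as owner-only (the 0400 default), group-readable (the 0440 setup) or world-accessible. The file list, the function names and the `PROC_ROOT` override are assumptions made for this sketch; it relies on GNU `stat`.

```shell
#!/bin/sh
# Added example: report who can read top-level debug files under a /proc mount.
# DEBUG_FILES and PROC_ROOT are assumptions; allocinfo, slabinfo and the
# 0400 / 0440 modes are the ones discussed in the thread.
DEBUG_FILES="allocinfo slabinfo"

# classify_mode FILE: print owner-only, group:<name>, world-accessible or missing
classify_mode() {
    [ -e "$1" ] || { echo missing; return 0; }
    mode=$(stat -c '%a' "$1") || return 1    # octal digits as text, e.g. 440
    other=$((mode % 10))                     # last digit: bits for "other"
    group=$(((mode / 10) % 10))              # second-to-last digit: group bits
    if [ "$other" -ne 0 ]; then
        echo world-accessible
    elif [ "$group" -ne 0 ]; then
        echo "group:$(stat -c '%G' "$1")"    # which group was granted access
    else
        echo owner-only
    fi
}

# audit_proc [ROOT]: one line per file; returns 1 if any file is world-accessible
audit_proc() {
    root=${1:-/proc}
    rc=0
    for name in $DEBUG_FILES; do
        verdict=$(classify_mode "$root/$name") || verdict=error
        printf '%s %s\n' "$name" "$verdict"
        if [ "$verdict" = world-accessible ]; then
            rc=1
        fi
    done
    return "$rc"
}

# Each mount namespace can have its own /proc instance, so run this against
# every /proc mount of interest, not only the host's.
audit_proc "${PROC_ROOT:-/proc}" || echo "at least one debug file is readable by everyone"
```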