From patchwork Sun Oct 30 21:46:36 2016
X-Patchwork-Submitter: Jann Horn
X-Patchwork-Id: 9404741
From: Jann Horn
To: Alexander Viro, Roland McGrath, Oleg Nesterov, John Johansen, James Morris, "Serge E. Hallyn", Paul Moore, Stephen Smalley, Eric Paris, Casey Schaufler, Kees Cook, Andrew Morton, Janis Danisevskis, Seth Forshee, "Eric W. Biederman", Thomas Gleixner, Benjamin LaHaise, Ben Hutchings, Andy Lutomirski, Linus Torvalds, Krister Johansen
Cc: linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, security@kernel.org
Subject: [PATCH v3 6/8] fs/proc: fix attr access check
Date: Sun, 30 Oct 2016 22:46:36 +0100
Message-Id: <1477863998-3298-7-git-send-email-jann@thejh.net>
In-Reply-To: <1477863998-3298-1-git-send-email-jann@thejh.net>
References: <1477863998-3298-1-git-send-email-jann@thejh.net>
X-Mailing-List: linux-fsdevel@vger.kernel.org

Make sure files in /proc/$pid/attr/ can only be written by the task that
opened them. This prevents an attacking process from changing the security
context of another process that it can force to write attacker-controlled
data into an attacker-supplied file descriptor.

I'm not sure what the impact of this is.

changed in v2:
- changed privunit-using code

Signed-off-by: Jann Horn
---
 fs/proc/base.c | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)

diff --git a/fs/proc/base.c b/fs/proc/base.c
index 32ea9bc3d320..cbba490543e2 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -2518,6 +2518,18 @@ static int proc_pident_readdir(struct file *file, struct dir_context *ctx, } #ifdef CONFIG_SECURITY +static int proc_pid_attr_open(struct inode *inode, struct file *file) +{ + struct luid *opener_privunit; + + opener_privunit = kmalloc(sizeof(struct luid), GFP_KERNEL); + if (opener_privunit == NULL) + return -ENOMEM; + *opener_privunit = current->privunit; + file->private_data = opener_privunit; + return 0; +} + static ssize_t proc_pid_attr_read(struct file * file, char __user * buf, size_t count, loff_t *ppos) { @@ -2546,6 +2558,7 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf, void *page; ssize_t length; struct task_struct *task = get_proc_task(inode); + struct luid *opener_privunit = file->private_data; length = -ESRCH; if (!task) @@ -2569,9 +2582,29 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf, if (length < 0) goto out_free; + /* + * Ensure that a process can't be tricked into writing into its own attr + * files without intending to do so. + * + * SELinux has a rule that prevents anyone other than `task` from + * writing, but if the fd stays open across execve, or is sent across a + * unix domain socket or whatever, that is bypassable. + * Same thing in AppArmor and in Smack. + * + * To prevent this, compare the opener's exec_id with the target's to + * ensure that they're in the same task group and no exec happened in + * the meantime. + * + * Why is this a file and not a prctl or whatever. :/ + */ + length = -EACCES; + if (!luid_eq(opener_privunit, &task->privunit)) + goto out_unlock; + length = security_setprocattr(task, (char*)file->f_path.dentry->d_name.name, page, count); +out_unlock: mutex_unlock(&task->signal->cred_guard_mutex); out_free: kfree(page); 
@@ -2581,10 +2614,20 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf, return length; } +static int proc_pid_attr_release(struct inode *inode, struct file *file) +{ + struct luid *opener_privunit = file->private_data; + + kfree(opener_privunit); + return 0; +} + static const struct file_operations proc_pid_attr_operations = { + .open = proc_pid_attr_open, .read = proc_pid_attr_read, .write = proc_pid_attr_write, .llseek = generic_file_llseek, + .release = proc_pid_attr_release, }; static const struct pid_entry attr_dir_stuff[] = {
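Review bot: in proc_pid_attr_open (first hunk) the kmalloc() followed by `*opener_privunit = current->privunit;` can be collapsed to `opener_privunit = kmemdup(&current->privunit, sizeof(*opener_privunit), GFP_KERNEL);` with the existing NULL check, which keeps the allocation and the copy in one place. The allocation also now happens on every open of every attr/ file, including read-only opens, although only proc_pid_attr_write ever looks at private_data; consider allocating only when `file->f_mode & FMODE_WRITE` is set, since the VFS rejects write() on a descriptor opened read-only before ->write is reached and kfree(NULL) in release is harmless. A one-line comment stating that what is captured here is the opener's identity, not the target task's, and that proc_pid_attr_release frees it, would make the intent clear to the next reader.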
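Review bot: in proc_pid_attr_write (second hunk) `struct luid *opener_privunit = file->private_data;` is dereferenced later without a NULL check; that is correct only because proc_pid_attr_open is the sole .open for these files and fails the open if the allocation fails, so a short comment saying so next to the declaration would save a reviewer from having to verify that invariant.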
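Review bot: the comment above the new check in the third hunk no longer describes the code: it says "compare the opener's exec_id with the target's", but the check is `if (!luid_eq(opener_privunit, &task->privunit))`, and the changelog says the privunit-using code was changed in v2, so this reads like a leftover from the exec_id version. Please reword it to state what privunit equality guarantees. The closing line, "Why is this a file and not a prctl or whatever. :/", is a personal aside that belongs in the cover letter rather than in a kernel source comment. Finally, the comparison sits after the `if (length < 0) goto out_free;` error path and under cred_guard_mutex (hence the new out_unlock label); if the mutex is what keeps task->privunit stable against a concurrent exec, say so in the comment, because that is the justification for doing the check there rather than before the user buffer is copied.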