Message ID | 20240723171753.739971-1-adrian.ratiu@collabora.com (mailing list archive) |
---|---|
State | Superseded |
Headers | show |
Series | proc: add config & param to block forcing mem writes | expand |
On Tue, 23 Jul 2024 at 10:18, Adrian Ratiu <adrian.ratiu@collabora.com> wrote: > > This adds a Kconfig option and boot param to allow removing > the FOLL_FORCE flag from /proc/pid/mem write calls because > it can be abused. Ack, this looks much simpler. That said, I think this can be prettied up some more: > +enum proc_mem_force_state { > + PROC_MEM_FORCE_ALWAYS, > + PROC_MEM_FORCE_PTRACE, > + PROC_MEM_FORCE_NEVER > +}; > + > +#if defined(CONFIG_PROC_MEM_ALWAYS_FORCE) > +static enum proc_mem_force_state proc_mem_force_override __ro_after_init = PROC_MEM_FORCE_ALWAYS; > +#elif defined(CONFIG_PROC_MEM_FORCE_PTRACE) > +static enum proc_mem_force_state proc_mem_force_override __ro_after_init = PROC_MEM_FORCE_PTRACE; > +#else > +static enum proc_mem_force_state proc_mem_force_override __ro_after_init = PROC_MEM_FORCE_NEVER; > +#endif I think instead of that forest of #if defined(), we can just do enum proc_mem_force { PROC_MEM_FORCE_ALWAYS, PROC_MEM_FORCE_PTRACE, PROC_MEM_FORCE_NEVER }; static enum proc_mem_force proc_mem_force_override __ro_after_init = IS_ENABLED(CONFIG_PROC_MEM_ALWAYS_FORCE) ? PROC_MEM_FORCE_ALWAYS : IS_ENABLED(CONFIG_PROC_MEM_FORCE_PTRACE) ? PROC_MEM_FORCE_PTRACE : PROC_MEM_FORCE_NEVER; I also really thought we had some parser helper for this pattern: > +static int __init early_proc_mem_force_override(char *buf) > +{ > + if (!buf) > + return -EINVAL; > + > + if (strcmp(buf, "always") == 0) { > + proc_mem_force_override = PROC_MEM_FORCE_ALWAYS; .... but it turns out we only really "officially" have it for filesystem superblock parsing. Oh well. We could do #include <linux/fs_parser.h> ... struct constant_table proc_mem_force_table[] { { "ptrace", PROC_MEM_FORCE_PTRACE }, { "never", PROC_MEM_FORCE_NEVER }, { } }; ... proc_mem_force_override = lookup_constant( proc_mem_force_table, buf, PROC_MEM_FORCE_NEVER); but while that looks a bit prettier, the whole "fs_parser.h" thing is admittedly odd. Anyway, I think the patch is ok, although I also happen to think it could be a bit prettier. Linus
On Tue, 23 Jul 2024 at 11:30, Linus Torvalds <torvalds@linux-foundation.org> wrote: > > but while that looks a bit prettier, the whole "fs_parser.h" thing is > admittedly odd. .. don't get me wrong - /proc obviously *is* a filesystem, but in this context it's a boot command line parameter, not a mount option. The "constant_table" thing obviously does work outside of mount options too, it's just that it's documented and used in the context of the mount API. Linus
On Tuesday, July 23, 2024 21:30 EEST, Linus Torvalds <torvalds@linux-foundation.org> wrote: > On Tue, 23 Jul 2024 at 10:18, Adrian Ratiu <adrian.ratiu@collabora.com> wrote: > > > > This adds a Kconfig option and boot param to allow removing > > the FOLL_FORCE flag from /proc/pid/mem write calls because > > it can be abused. > > Ack, this looks much simpler. > > That said, I think this can be prettied up some more: > > > +enum proc_mem_force_state { > > + PROC_MEM_FORCE_ALWAYS, > > + PROC_MEM_FORCE_PTRACE, > > + PROC_MEM_FORCE_NEVER > > +}; > > + > > +#if defined(CONFIG_PROC_MEM_ALWAYS_FORCE) > > +static enum proc_mem_force_state proc_mem_force_override __ro_after_init = PROC_MEM_FORCE_ALWAYS; > > +#elif defined(CONFIG_PROC_MEM_FORCE_PTRACE) > > +static enum proc_mem_force_state proc_mem_force_override __ro_after_init = PROC_MEM_FORCE_PTRACE; > > +#else > > +static enum proc_mem_force_state proc_mem_force_override __ro_after_init = PROC_MEM_FORCE_NEVER; > > +#endif > > I think instead of that forest of #if defined(), we can just do > > enum proc_mem_force { > PROC_MEM_FORCE_ALWAYS, > PROC_MEM_FORCE_PTRACE, > PROC_MEM_FORCE_NEVER > }; > > static enum proc_mem_force proc_mem_force_override __ro_after_init = > IS_ENABLED(CONFIG_PROC_MEM_ALWAYS_FORCE) ? PROC_MEM_FORCE_ALWAYS : > IS_ENABLED(CONFIG_PROC_MEM_FORCE_PTRACE) ? PROC_MEM_FORCE_PTRACE : > PROC_MEM_FORCE_NEVER; > > I also really thought we had some parser helper for this pattern: > > > +static int __init early_proc_mem_force_override(char *buf) > > +{ > > + if (!buf) > > + return -EINVAL; > > + > > + if (strcmp(buf, "always") == 0) { > > + proc_mem_force_override = PROC_MEM_FORCE_ALWAYS; > .... > > but it turns out we only really "officially" have it for filesystem > superblock parsing. > > Oh well. We could do > > #include <linux/fs_parser.h> > ... > struct constant_table proc_mem_force_table[] { > { "ptrace", PROC_MEM_FORCE_PTRACE }, > { "never", PROC_MEM_FORCE_NEVER }, > { } > }; > ... > proc_mem_force_override = lookup_constant( > proc_mem_force_table, buf, PROC_MEM_FORCE_NEVER); > > but while that looks a bit prettier, the whole "fs_parser.h" thing is > admittedly odd. > > Anyway, I think the patch is ok, although I also happen to think it > could be a bit prettier. Thanks again, I am perfectly fine with using fs_parser.h. I'll wait a few days to give others a chance to review/respond, then apply your changes and send a v3. (this was actually v2, however git format-patch removed my "Changes in v2" blurb and v2 title; will add them next time)
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index c1134ad5f06d..793301f360ec 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -4791,6 +4791,16 @@ printk.time= Show timing data prefixed to each printk message line Format: <bool> (1/Y/y=enable, 0/N/n=disable) + proc_mem.force_override= [KNL] + Format: {always | ptrace | never} + Traditionally /proc/pid/mem allows users to override memory + permissions. This allows people to limit that. + Can be one of: + - 'always' traditional behavior always allows mem overrides. + - 'ptrace' only allow for active ptracers. + - 'never' never allow mem permission overrides. + If not specified, default is always. + processor.max_cstate= [HW,ACPI] Limit processor to maximum C-state max_cstate=9 overrides any DMI blacklist limit. diff --git a/fs/proc/base.c b/fs/proc/base.c index 72a1acd03675..5ef14ba953a2 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -117,6 +117,40 @@ static u8 nlink_tid __ro_after_init; static u8 nlink_tgid __ro_after_init; +enum proc_mem_force_state { + PROC_MEM_FORCE_ALWAYS, + PROC_MEM_FORCE_PTRACE, + PROC_MEM_FORCE_NEVER +}; + +#if defined(CONFIG_PROC_MEM_ALWAYS_FORCE) +static enum proc_mem_force_state proc_mem_force_override __ro_after_init = PROC_MEM_FORCE_ALWAYS; +#elif defined(CONFIG_PROC_MEM_FORCE_PTRACE) +static enum proc_mem_force_state proc_mem_force_override __ro_after_init = PROC_MEM_FORCE_PTRACE; +#else +static enum proc_mem_force_state proc_mem_force_override __ro_after_init = PROC_MEM_FORCE_NEVER; +#endif + +static int __init early_proc_mem_force_override(char *buf) +{ + if (!buf) + return -EINVAL; + + if (strcmp(buf, "always") == 0) { + proc_mem_force_override = PROC_MEM_FORCE_ALWAYS; + } else if (strcmp(buf, "ptrace") == 0) { + proc_mem_force_override = PROC_MEM_FORCE_PTRACE; + } else if (strcmp(buf, "never") == 0) { + proc_mem_force_override = PROC_MEM_FORCE_NEVER; + } else { + pr_warn("proc_mem.force_override: ignoring unknown option '%s'\n", buf); + return -EINVAL; + } + + return 0; +} +early_param("proc_mem.force_override", early_proc_mem_force_override); + struct pid_entry { const char *name; unsigned int len; @@ -835,6 +869,26 @@ static int mem_open(struct inode *inode, struct file *file) return ret; } +static bool proc_mem_foll_force(struct file *file, struct mm_struct *mm) +{ + switch (proc_mem_force_override) { + case PROC_MEM_FORCE_NEVER: + return false; + case PROC_MEM_FORCE_PTRACE: { + bool ptrace_active = false; + struct task_struct *task = get_proc_task(file_inode(file)); + + if (task) { + ptrace_active = task->ptrace && task->mm == mm && task->parent == current; + put_task_struct(task); + } + return ptrace_active; + } + default: + return true; + } +} + static ssize_t mem_rw(struct file *file, char __user *buf, size_t count, loff_t *ppos, int write) { @@ -855,7 +909,9 @@ static ssize_t mem_rw(struct file *file, char __user *buf, if (!mmget_not_zero(mm)) goto free; - flags = FOLL_FORCE | (write ? FOLL_WRITE : 0); + flags = write ? FOLL_WRITE : 0; + if (proc_mem_foll_force(file, mm)) + flags |= FOLL_FORCE; while (count > 0) { size_t this_len = min_t(size_t, count, PAGE_SIZE); diff --git a/security/Kconfig b/security/Kconfig index 412e76f1575d..a93c1a9b7c28 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -19,6 +19,38 @@ config SECURITY_DMESG_RESTRICT If you are unsure how to answer this question, answer N. +choice + prompt "Allow /proc/pid/mem access override" + default PROC_MEM_ALWAYS_FORCE + help + Traditionally /proc/pid/mem allows users to override memory + permissions for users like ptrace, assuming they have ptrace + capability. + + This allows people to limit that - either never override, or + require actual active ptrace attachment. + + Defaults to the traditional behavior (for now) + +config PROC_MEM_ALWAYS_FORCE + bool "Traditional /proc/pid/mem behavior" + help + This allows /proc/pid/mem accesses to override memory mapping + permissions if you have ptrace access rights. + +config PROC_MEM_FORCE_PTRACE + bool "Require active ptrace() use for access override" + help + This allows /proc/pid/mem accesses to override memory mapping + permissions for active ptracers like gdb. + +config PROC_MEM_NO_FORCE + bool "Never" + help + Never override memory mapping permissions + +endchoice + config SECURITY bool "Enable different security models" depends on SYSFS