From patchwork Fri Sep 23 20:40:37 2016
X-Patchwork-Submitter: Jann Horn
X-Patchwork-Id: 9348853
From: Jann Horn
To: Alexander Viro, Roland McGrath, Oleg Nesterov, John Johansen, James Morris, Serge E. Hallyn, Paul Moore, Stephen Smalley, Eric Paris, Casey Schaufler, Kees Cook, Andrew Morton, Janis Danisevskis, Seth Forshee, "Eric . Biederman", Thomas Gleixner, Benjamin LaHaise, Ben Hutchings, Andy Lutomirski, Linus Torvalds
Cc: linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, security@kernel.org
Subject: [PATCH v2 7/8] fs/proc: fix attr access check
Date: Fri, 23 Sep 2016 22:40:37 +0200
Message-Id: <1474663238-22134-8-git-send-email-jann@thejh.net>
In-Reply-To: <1474663238-22134-1-git-send-email-jann@thejh.net>
References: <1474663238-22134-1-git-send-email-jann@thejh.net>

Make sure files in /proc/$pid/attr/ can only be written by the task that opened them. This prevents an attacking process from changing the security context of another process that it can force to write attacker-controlled data into an attacker-supplied file descriptor.

I'm not sure what the impact of this is.

changed in v2:
- changed privunit-using code

Signed-off-by: Jann Horn
---
fs/proc/base.c | 43 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/fs/proc/base.c b/fs/proc/base.c index 15845cf..27f369d 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -2484,6 +2484,18 @@ out: } #ifdef CONFIG_SECURITY +static int proc_pid_attr_open(struct inode *inode, struct file *file) +{ + struct luid *opener_privunit; + + opener_privunit = kmalloc(sizeof(struct luid), GFP_KERNEL); + if (opener_privunit == NULL) + return -ENOMEM; + *opener_privunit = current->self_privunit; + file->private_data = opener_privunit; + return 0; +} + static ssize_t proc_pid_attr_read(struct file * file, char __user * buf, size_t count, loff_t *ppos) {
@@ -2512,6 +2524,7 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf, void *page; ssize_t length; struct task_struct *task = get_proc_task(inode); + struct luid *opener_privunit = file->private_data; length = -ESRCH; if (!task) @@ -2535,9 +2548,29 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf, if (length < 0) goto out_free; + /* + * Ensure that a process can't be tricked into writing into its own attr + * files without intending to do so. + * + * SELinux has a rule that prevents anyone other than `task` from + * writing, but if the fd stays open across execve, or is sent across a + * unix domain socket or whatever, that is bypassable. + * Same thing in AppArmor and in Smack. + * + * To prevent this, compare the opener's exec_id with the target's to + * ensure that they're in the same task group and no exec happened in + * the meantime. + * + * Why is this a file and not a prctl or whatever. :/ + */ + length = -EACCES; + if (!luid_eq(opener_privunit, &task->self_privunit)) + goto out_unlock; + length = security_setprocattr(task, (char*)file->f_path.dentry->d_name.name, page, count); +out_unlock: mutex_unlock(&task->signal->cred_guard_mutex); out_free: kfree(page); @@ -2547,10 +2580,20 @@ out_no_task: return length; } +static int proc_pid_attr_release(struct inode *inode, struct file *file) +{ + struct luid *opener_privunit = file->private_data; + + kfree(opener_privunit); + return 0; +} + static const struct file_operations proc_pid_attr_operations = { + .open = proc_pid_attr_open, .read = proc_pid_attr_read, .write = proc_pid_attr_write, .llseek = generic_file_llseek, + .release = proc_pid_attr_release, }; static const struct pid_entry attr_dir_stuff[] = {
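Review bot: in the @@ -2484 hunk, proc_pid_attr_open snapshots current->self_privunit with no comment saying what a privunit identifies or why it is recorded at open time rather than looked up at write time; since the whole fix rests on that snapshot, a one-line comment above the kmalloc ("record who opened this file; write() compares it against the target task") would help a reader who meets this handler without the rest of the series. The heap allocation exists only so that a struct luid fits in file->private_data; if struct luid is no larger than a pointer it could be stored there directly and the release handler dropped, otherwise the allocation is fine and the -ENOMEM path is correct.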
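Review bot: in the @@ -2512 hunk, the new local `struct luid *opener_privunit = file->private_data;` is declared at the top of proc_pid_attr_write but only consumed under the cred_guard_mutex much further down; either move the declaration next to its use or add a short comment that it was set by proc_pid_attr_open, so a reader does not have to check whether private_data can be NULL here (it cannot, because open returns -ENOMEM instead of leaving it unset).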
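Review bot: in the @@ -2535 hunk, the comment block is out of step with the code: it says "compare the opener's exec_id with the target's", but the check below is `luid_eq(opener_privunit, &task->self_privunit)` and exec_id appears nowhere in this patch; reword it to say that the privunit snapshot taken at open is compared with the target's current self_privunit, and drop the closing "Why is this a file and not a prctl or whatever. :/" line, which belongs in the cover letter rather than in the source. The placement of the check is right: it sits between the existing `if (length < 0) goto out_free;` and the security_setprocattr() call, i.e. while task->signal->cred_guard_mutex is held, so self_privunit cannot change under it through a concurrent exec, and the new out_unlock label releases that mutex before falling through to out_free. One more sentence in the comment is worth adding: -EACCES is returned even when the target task itself writes, if the fd was opened before an exec, which is the intended behaviour but will surprise anyone debugging a failed write to /proc/self/attr/ after an exec.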
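Review bot: in the @@ -2547 hunk, proc_pid_attr_release could simply be `kfree(file->private_data); return 0;` (kfree accepts NULL), which removes the local and reads symmetrically with the open side. Wiring `.open` and `.release` into proc_pid_attr_operations is the necessary counterpart; since proc_pid_attr_read does not touch private_data, reads are deliberately unaffected, and saying so in the commit message would stop reviewers asking why the read path has no matching check.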