|
Message-ID: <20110727121549.67a84d18@notabene.brown> Date: Wed, 27 Jul 2011 12:15:49 +1000 From: NeilBrown <neilb@...e.de> To: Vasiliy Kulikov <segoon@...nwall.com> Cc: kernel-hardening@...ts.openwall.com, Solar Designer <solar@...nwall.com>, Linus Torvalds <torvalds@...ux-foundation.org>, Stephen Smalley <sds@...ho.nsa.gov>, James Morris <jmorris@...ei.org>, linux-kernel@...r.kernel.org, Greg Kroah-Hartman <gregkh@...e.de>, Andrew Morton <akpm@...ux-foundation.org>, "David S. Miller" <davem@...emloft.net>, Jiri Slaby <jslaby@...e.cz>, Alexander Viro <viro@...iv.linux.org.uk>, linux-fsdevel@...r.kernel.org, KOSAKI Motohiro <kosaki.motohiro@...fujitsu.com>, Eric Paris <eparis@...hat.com>, Willy Tarreau <w@....eu>, Sebastian Krahmer <krahmer@...e.de> Subject: Re: [patch v2] move RLIMIT_NPROC check from set_user() to do_execve_common() On Tue, 26 Jul 2011 18:48:48 +0400 Vasiliy Kulikov <segoon@...nwall.com> wrote: > Neil, Solar, > > On Tue, Jul 26, 2011 at 14:11 +1000, NeilBrown wrote: > > I don't really see that failing mmap is any more hackish than failing execve. > > > > Both are certainly hacks. It is setuid that should fail, but that is > > problematic. > > > > We seem to agree that it is acceptable to delay the failure until the process > > actually tries to run some code for the user. I just think that > > mapping-a-file-for-exec is a more direct measure of "trying to run some code > > for the user" than "execve" is. > > > > So they are both hacks, but one it more thorough than the other. In the > > world of security I would hope that "thorough" would win. > > Well, I don't mind against something more generic than the check in > execve(), however, the usefulness of the check in mmap() is unclear to > me. You want to make more programs fail after setuid(), but does mmap > stops really many programs? Do you know any program doing mmap/dlopen > after setuid() call? What if the program will not do any mmap/dlopen > and e.g. start to handle network connections or do some computations? > I suppose the latter case is much more often than mmap/dlopen. I think I didn't make myself clear. I don't mean we should intercept the mmap system call. I mean we could intercept the internal kernel function do_mmap_pgoff. This is used by the mmap system call but also (and more importantly) by the execve system call and the uselib system call. So any attempt to map a file and execute the code in that file - whether via exec or via mapping a shared object - will go through do_mmap_pgoff. So if we disable do_mmap_pgoff() requests which ask for execute permission when a setuid has caused RLIMIT_NPROC to be exceeded, then we catch every attempt to run the user's code as the user. I won't catch a situation where an interpreter is already loaded into the root-owned process and the setuid is followed by loading a script and running that, it is isn't perfect. But I think it is more general than just trapping in execve. NeilBrown
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.