Re: [PATCH] kernel: make /proc/kallsyms mode 400 to reduce ease ofattacking

From: Ingo Molnar
Date: Thu Nov 04 2010 - 10:11:25 EST

Next message: Rik van Riel: "Re: [PATCH] Revalidate page->mapping in do_generic_file_read()"
Previous message: Wojtek Zabolotny: "kernel 2.6.33.7 (the highest version with RT patch) does not workwith b44 ethernet controller"
In reply to: Ingo Molnar: "Re: [PATCH] kernel: make /proc/kallsyms mode 400 to reduce ease ofattacking"
Next in thread: Marcus Meissner: "Re: [PATCH] kernel: make /proc/kallsyms mode 400 to reduce ease of attacking"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* Ingo Molnar <mingo@xxxxxxx> wrote:

> * Marcus Meissner <meissner@xxxxxxx> wrote:
>
> > On Thu, Nov 04, 2010 at 12:46:48PM +0100, Ingo Molnar wrote:
> > >
> > > * Marcus Meissner <meissner@xxxxxxx> wrote:
> > >
> > > > Hi,
> > > >
> > > > Making /proc/kallsyms readable only for root makes it harder for attackers to
> > > > write generic kernel exploits by removing one source of knowledge where things are
> > > > in the kernel.
> > >
> > > Cc:-ed Linus - i think he argued in favor of such a patch in the past.
> > >
> > > I generally agree with such patches (i have written some myself), but there's a few
> > > questions with this one, which make this limited change ineffective and which make
> > > it harder to implement a fuller patch that makes it truly harder to figure out the
> > > precise kernel build:
> > >
> > > - The real security obstruction effect is very small from this measure alone: the
> > > overwhelming majority of our users are running distro kernels, so the Symbol.map
> > > file (and hence 99% of /proc/kallsyms content) is well-known - unless we also
> > > restrict 'uname -r' from nonprivileged users-ace. Hiding that might make sense -
> > > but the two should be in one patch really.
> >
> > Of course. System.map and others also need to turn to mode 400.
>
> That is not what I meant, at all.
>
> It's not the System.map _on the system_.
>
> It's the SuSE or Fedora kernel rpm package with a System.map in it, which package
> the attacker can download from a hundred mirrors on the internet, based on 'uname
> -r' output.

For example, on a Fedora testbox i have this version info:

$ uname -r
2.6.35.6-48.fc14.x86_64

Any attacker can download that rpm from:

http://download.fedora.redhat.com/pub/fedora/linux/updates/14/x86_64/kernel-2.6.35.6-48.fc14.x86_64.rpm

And can extract the System.map from it, using rpm2cpio and cpio -i -d. That will
include all the symbol addresses - without the attacker having any access to the
System.map or /proc/kallsyms on this particular box.

I.e. on distro kernel installations (which comprise the _vast_ majority of our
userbase) your patch brings little security benefits.

What i suggested in later parts of my mail might provide more security: to sandbox
kernel version information from unprivileged user-space - if we decide that we want
to sandbox kernel version information ...

That is a big if, because it takes a considerable amount of work. Would be worth
trying it - but feel-good non-solutions that do not bring much improvement to the
majority of users IMHO hinder such efforts.

Thanks,

Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Rik van Riel: "Re: [PATCH] Revalidate page->mapping in do_generic_file_read()"
Previous message: Wojtek Zabolotny: "kernel 2.6.33.7 (the highest version with RT patch) does not workwith b44 ethernet controller"
In reply to: Ingo Molnar: "Re: [PATCH] kernel: make /proc/kallsyms mode 400 to reduce ease ofattacking"
Next in thread: Marcus Meissner: "Re: [PATCH] kernel: make /proc/kallsyms mode 400 to reduce ease of attacking"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]