Re: [PATCH 0/6] enable writing to /proc/pid/mem

From: Al Viro
Date: Tue Mar 08 2011 - 20:31:09 EST

Next message: Jon Brenner: "[PATCH 2.6.38-rc7]TAOS 258x: Device Driver"
Previous message: Dave Chinner: "Re: [PATCH v3] Check for immutable/append flag in fallocate path"
In reply to: Stephen Wilson: "[PATCH 6/6] proc: enable writing to /proc/pid/mem"
Next in thread: Stephen Wilson: "Re: [PATCH 0/6] enable writing to /proc/pid/mem"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Mar 08, 2011 at 07:42:17PM -0500, Stephen Wilson wrote:
> For a long time /proc/pid/mem has provided a read-only interface, at least
> since 2.4.0. However, a write capability has existed "forever" in tree via the
> function mem_write(), disabled with an #ifdef along with the comment "this is a
> security hazard". Currently, the main problem with mem_write() is that between
> the time permissions are checked and the actual write the target task could
> exec a setuid-root binary.
>
> This patch series enables safe writes to /proc/pid/mem. The principle strategy
> is to get a reference to the target task's mm before the permission check, and
> to hold that reference until after the write completes.

One note: I'd rather prefer approach similar to mm_for_maps(). IOW, instead
of "check, then get mm, then check _again_ to decide if we are allowed to
use it", just turn check_mm_permissions() into a function that returns
you a safe mm or gives you NULL (or, better yet, ERR_PTR(...)). With all
checks done within that sucker.

Then mem_read() and mem_write() wouldn't need to recheck anything again
and the same helper would be usable for other things as well. I mean
something like this: (*WARNING* - completely untested)

err = mutex_lock_killable(&tsk->signal->cred_guard_mutex);
if (err)
return ERR_PTR(err);

mm = get_tsk_mm(tsk);
if (!mm) {
mm = ERR_PTR(-EPERM); /* maybe EINVAL here? */
} else if (mm != current->mm) {
int match;
/*
* If current is actively ptrace'ing, and would also be
* permitted to freshly attach with ptrace now, permit it.
*/
if (!tsk_is_stopped_or_traced(tsk))
goto Eperm;
rcu_read_lock();
match = (tracehook_tracer_tsk(tsk) == current);
rcu_read_unlock();
if (!match)
goto Eperm;
if (!ptrace_may_access(tsk, PTRACE_MODE_ATTACH))
goto Eperm;
}
mutex_unlock(&tsk->signal->cred_guard_mutex);
return mm;
Eperm:
mutex_unlock(&tsk->signal->cred_guard_mutex);
mmput(mm);
return ERR_PTR(-EPERM);
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Jon Brenner: "[PATCH 2.6.38-rc7]TAOS 258x: Device Driver"
Previous message: Dave Chinner: "Re: [PATCH v3] Check for immutable/append flag in fallocate path"
In reply to: Stephen Wilson: "[PATCH 6/6] proc: enable writing to /proc/pid/mem"
Next in thread: Stephen Wilson: "Re: [PATCH 0/6] enable writing to /proc/pid/mem"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]