[PATCH] VFS: add config options to enable link restrictions

From: Kees Cook
Date: Fri Oct 26 2012 - 14:50:19 EST


There are situations where devices running without initrds may need
very early protection from link vulnerabilities, so make these sysctls
configurable at build time, since 561ec64ae67e ("VFS: don't do protected
{sym,hard}links by default") has disabled the protections by default.

Cc: Alexander Viro <viro@xxxxxxxxxxxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
---
fs/Kconfig | 39 +++++++++++++++++++++++++++++++++++++++
fs/namei.c | 6 ++++--
2 files changed, 43 insertions(+), 2 deletions(-)

diff --git a/fs/Kconfig b/fs/Kconfig
index f95ae3a..46ae2dc 100644
--- a/fs/Kconfig
+++ b/fs/Kconfig
@@ -276,4 +276,43 @@ endif # NETWORK_FILESYSTEMS
source "fs/nls/Kconfig"
source "fs/dlm/Kconfig"

+config PROTECTED_SYMLINKS
+ bool "Protect symlink following in sticky world-writable dirs"
+ default n
+ help
+ Solve the class of ToCToU symlink race vulnerabilities by
+ permitting symlinks to be followed only when outside a sticky
+ world-writable directory, or when the uid of the symlink and
+ follower match, or when the directory and symlink owners match.
+
+ When PROC_SYSCTL is enabled, this setting can also be controlled
+ via /proc/sys/kernel/protected_symlinks.
+
+ See Documentation/sysctl/fs.txt for details.
+
+config PROTECTED_SYMLINKS_SYSCTL
+ int
+ default "1" if PROTECTED_SYMLINKS
+ default "0"
+
+config PROTECTED_HARDLINKS
+ bool "Protect hardlink creation to non-accessible files"
+ default n
+ help
+ Solve the class of ToCToU hardlink race vulnerabilities by
+ permitting hardlinks to be created only when to a regular file
+ that is owned by the user, or is readable and writable by the
+ user. Also blocks users from "pinning" vulnerable setuid/setgid
+ programs from being upgraded by the administrator.
+
+ When PROC_SYSCTL is enabled, this setting can also be controlled
+ via /proc/sys/kernel/protected_hardlinks.
+
+ See Documentation/sysctl/fs.txt for details.
+
+config PROTECTED_HARDLINKS_SYSCTL
+ int
+ default "1" if PROTECTED_HARDLINKS
+ default "0"
+
endmenu
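Review bot: the help texts point users at /proc/sys/kernel/protected_symlinks and /proc/sys/kernel/protected_hardlinks, but the existing knobs these options seed live under /proc/sys/fs/ (which is also why the same paragraph refers readers to Documentation/sysctl/fs.txt), so the two "via /proc/sys/kernel/..." lines should read "/proc/sys/fs/protected_symlinks" and "/proc/sys/fs/protected_hardlinks" to avoid sending admins to a path that does not exist. Minor: "default n" on a bool is the implicit default and can be dropped, and the hardlink help wording "permitting hardlinks to be created only when to a regular file that is owned by the user" reads awkwardly; "only to a regular file that is owned by the user, or that is readable and writable by the user" would be clearer. The two int-valued PROTECTED_*_SYSCTL symbols exist only to turn the bool into 0/1; IS_ENABLED(CONFIG_PROTECTED_SYMLINKS) in the C initializer would give the same result without adding unprompted Kconfig symbols.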
diff --git a/fs/namei.c b/fs/namei.c
index 937f9d5..21854df 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -705,8 +705,10 @@ static inline void put_link(struct nameidata *nd, struct path *link, void *cooki
path_put(link);
}

-int sysctl_protected_symlinks __read_mostly = 0;
-int sysctl_protected_hardlinks __read_mostly = 0;
+int sysctl_protected_symlinks __read_mostly =
+ CONFIG_PROTECTED_SYMLINKS_SYSCTL;
+int sysctl_protected_hardlinks __read_mostly =
+ CONFIG_PROTECTED_HARDLINKS_SYSCTL;

/**
* may_follow_link - Check symlink following for unsafe situations
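Review bot: the initializers depend on CONFIG_PROTECTED_SYMLINKS_SYSCTL and CONFIG_PROTECTED_HARDLINKS_SYSCTL always being defined, which holds only because the Kconfig hunk gives both int symbols an unconditional "default"; initializing with IS_ENABLED(CONFIG_PROTECTED_SYMLINKS) and IS_ENABLED(CONFIG_PROTECTED_HARDLINKS) would remove that coupling and keep the build working even if someone later drops the helper symbols. The variables correctly stay non-const and __read_mostly, so the build-time value remains only a default and the existing sysctl can still turn the restrictions on or off at runtime; a one-line comment above the two definitions saying exactly that would help the next reader who wonders why a Kconfig choice can be overridden from /proc.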
--
1.7.9.5


--
Kees Cook
Chrome OS Security