Re: [PATCH v2 0/9] procfs: protect /proc/<pid>/* files withfile->f_cred

From: Djalal Harouni
Date: Wed Oct 02 2013 - 14:42:03 EST


On Wed, Oct 02, 2013 at 07:26:43PM +0100, Djalal Harouni wrote:
> On Wed, Oct 02, 2013 at 11:00:26AM -0700, Andy Lutomirski wrote:
> > On Wed, Oct 2, 2013 at 10:48 AM, Kees Cook <keescook@xxxxxxxxxxxx> wrote:
> > > I think revoking the fd would be great. Does that mechanism exist?
> >
> > There's this thing that never got merged.
> >
> > http://thread.gmane.org/gmane.linux.kernel/1523331
> >
> > But doing it more directly should be reasonably straightforward. Either:
> >
> > (a) when a process execs and privileges change, find all the old proc
> > inodes, mark them dead, and unlink them, or
> Will take a look at it.
>
> > (b) add self_exec_id to all the proc file private_data entries (or
> > somewhere else). Then just make sure that they're unchanged. I think
> > the bug last time around was because the self_exec_id and struct pid
> > weren't being compared together.
> The bug was about self_exec_id not beeing unique. self_exec_id stuff
> must be unique during life time as it's done currently in grsecurity
> with exec_id.
I forget to mention that I've already proposed this (b) solution, but after
the discussion with Eric, I came to the conclusion that we could allow
the fd to be passed to the process if the original opener had enough
privileges. In either case we want to check the privileges, otherwise ps
and other tool will not report data if target tasks do execve.

--
Djalal Harouni
http://opendz.org
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/