Re: [RFC][PATCH 1/2] fs proc: make pagemap a privileged interface

From: Andrew Morton
Date: Thu Mar 12 2015 - 18:35:40 EST

Next message: Rafael J. Wysocki: "Re: [PATCH v10 14/21] ACPI / processor: Make it possible to get CPU hardware ID via GICC"
Previous message: Rafael J. Wysocki: "Re: [PATCH v10 06/21] ACPI / sleep: Introduce CONFIG_ACPI_GENERIC_SLEEP"
In reply to: Dave Hansen: "Re: [RFC][PATCH 1/2] fs proc: make pagemap a privileged interface"
Next in thread: Dave Hansen: "Re: [RFC][PATCH 1/2] fs proc: make pagemap a privileged interface"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 09 Mar 2015 13:43:21 -0700 Dave Hansen <dave@xxxxxxxx> wrote:

>
> From: Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>
>
> Physical addresses are sensitive information. There are
> existing, known exploits that are made easier if physical
> information is available. Here is one example:
>
> http://www.cs.columbia.edu/~vpk/papers/ret2dir.sec14.pdf
>
> If you know the physical address of something you also know at
> which kernel virtual address you can find something (modulo
> highmem). It means that things that keep the kernel from
> accessing user mappings (like SMAP/SMEP) can be worked around
> because the _kernel_ mapping can get used instead.
>
> But, /proc/$pid/pagemap exposes the physical addresses of all
> pages accessible to userspace. This works against all of the
> efforts to keep kernel addresses out of places where unprivileged
> apps can find them.
>
> This patch introduces a "paranoid" option for /proc. It can be
> enabled like this:
>
> mount -o remount,paranoid /proc
>
> Or when /proc is mounted initially. When 'paranoid' mode is
> active, opens to /proc/$pid/pagemap will return -EPERM for users
> without CAP_SYS_RAWIO. It can be disabled like this:
>
> mount -o remount,notparanoid /proc
>
> The option is applied to the pid namespace, so an app that wanted
> a separate policy from the rest of the system could get run in
> its own pid namespace.
>
> I'm not really that stuck on the name. I'm not opposed to making
> it apply only to pagemap or to giving it a pagemap-specific
> name.

Do we really need to disable pagemap entirely? What happens if we just
obscure the addresses (ie: zero them)?

> pagemap is also the kind of feature that could be used to escalate
> privileged from root in to the kernel. It probably needs to be
> protected in the same way that /dev/mem or module loading is in
> cases where the kernel needs to be protected from root, thus the
> choice to use CAP_SYS_RAWIO.

Confused. If you have root, you can do mount -o notparanoid.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Rafael J. Wysocki: "Re: [PATCH v10 14/21] ACPI / processor: Make it possible to get CPU hardware ID via GICC"
Previous message: Rafael J. Wysocki: "Re: [PATCH v10 06/21] ACPI / sleep: Introduce CONFIG_ACPI_GENERIC_SLEEP"
In reply to: Dave Hansen: "Re: [RFC][PATCH 1/2] fs proc: make pagemap a privileged interface"
Next in thread: Dave Hansen: "Re: [RFC][PATCH 1/2] fs proc: make pagemap a privileged interface"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]