Re: [PATCH v3 1/2] exec: add PR_HIDE_SELF_EXE prctl

From: Christian Brauner
Date: Fri Jan 27 2023 - 07:31:47 EST

Next message: Linus Walleij: "Re: [PATCH] dt-bindings: pinctrl: mediatek: Fix child node name patterns"
Previous message: Sumit Garg: "Re: [PATCH v5 2/2] arm64: kgdb: Set PSTATE.SS to 1 to re-enable single-step"
In reply to: Andrei Vagin: "Re: [PATCH v3 1/2] exec: add PR_HIDE_SELF_EXE prctl"
Next in thread: Kees Cook: "Re: [PATCH v3 1/2] exec: add PR_HIDE_SELF_EXE prctl"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Christian Brauner (Microsoft) <brauner@xxxxxxxxxx>

On Fri, 20 Jan 2023 11:25:11 +0100, Giuseppe Scrivano wrote:
> This patch adds a new prctl called PR_HIDE_SELF_EXE which allows
> processes to hide their own /proc/*/exe file. When this prctl is
> used, every access to /proc/*/exe for the calling process will
> fail with ENOENT.
>
> This is useful for preventing issues like CVE-2019-5736, where an
> attacker can gain host root access by overwriting the binary
> in OCI runtimes through file-descriptor mishandling in containers.
>
> [...]

Only needed for privileged sandboxes. The userspace mitigations Aleksa
and I did for the CVE in all affected runtimes back then are nifty but
complicated. The patch is a decent compromise.
Picking up this prctl() for now,

[1/2] exec: add PR_HIDE_SELF_EXE prctl
commit: 673301182d473ef61a98c292cf64650c73117172
[2/2] selftests: add tests for prctl(SET_HIDE_SELF_EXE)
commit: bafa339eda3f79d567386e1fae59bb0537156c96

Next message: Linus Walleij: "Re: [PATCH] dt-bindings: pinctrl: mediatek: Fix child node name patterns"
Previous message: Sumit Garg: "Re: [PATCH v5 2/2] arm64: kgdb: Set PSTATE.SS to 1 to re-enable single-step"
In reply to: Andrei Vagin: "Re: [PATCH v3 1/2] exec: add PR_HIDE_SELF_EXE prctl"
Next in thread: Kees Cook: "Re: [PATCH v3 1/2] exec: add PR_HIDE_SELF_EXE prctl"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]