From: Linus Torvalds <torvalds@linux-foundation.org>
To: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Cc: linux-mm <linux-mm@kvack.org>,
Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
Mark Williamson <mwilliamson@undo-software.com>,
Pavel Emelyanov <xemul@parallels.com>,
Linux API <linux-api@vger.kernel.org>,
Andy Lutomirski <luto@amacapital.net>,
Vlastimil Babka <vbabka@suse.cz>, Pavel Machek <pavel@ucw.cz>,
Mark Seaborn <mseaborn@chromium.org>,
"Kirill A. Shutemov" <kirill@shutemov.name>,
Daniel James <djames@undo-software.com>,
Finn Grimwood <fgrimwood@undo-software.com>
Subject: Re: [PATCH v2 2/3] pagemap: hide physical addresses from non-privileged users
Date: Tue, 12 May 2015 08:06:32 -0700 [thread overview]
Message-ID: <CA+55aFyKpWrt_Ajzh1rzp_GcwZ4=6Y=kOv8hBz172CFJp6L8Tg@mail.gmail.com> (raw)
In-Reply-To: <20150512094305.24768.51807.stgit@buzz>
On Tue, May 12, 2015 at 2:43 AM, Konstantin Khlebnikov
<khlebnikov@yandex-team.ru> wrote:
> @@ -1260,6 +1269,8 @@ static ssize_t pagemap_read(struct file *file, char __user *buf,
> if (!count)
> goto out_task;
>
> + /* do not disclose physical addresses: attack vector */
> + pm.show_pfn = capable(CAP_SYS_ADMIN);
> pm.v2 = soft_dirty_cleared;
> pm.len = (PAGEMAP_WALK_SIZE >> PAGE_SHIFT);
> pm.buffer = kmalloc(pm.len * PM_ENTRY_BYTES, GFP_TEMPORARY);
NO! Dammit, no, no, no!
How many times must people do this major security faux-pas before we learn?
WE DO NOT CHECK CURRENT CAPABILITIES AT READ/WRITE TIME!
It's a bug. It's a security issue. It's not how Unix capabilities work!
Capabilities are checked at open time.:
> @@ -1335,9 +1346,6 @@ out:
>
> static int pagemap_open(struct inode *inode, struct file *file)
> {
> - /* do not disclose physical addresses: attack vector */
> - if (!capable(CAP_SYS_ADMIN))
> - return -EPERM;
THIS is where you are supposed to check for capabilities. The place
where you removed it!
The reason we check capabilities at open time, and open time ONLY is
because that is really very integral to the whole Unix security model.
Otherwise, you get into this situation:
- unprivileged process opens file
- unprivileged process tricks suid process to do the actual access for it
where the traditional model is to just force a "write()" by opening
the file as stderr, and then executing a suid process (traditionally
"sudo") that writes an error message to it.
So *don't* do permission checks using read/write time credentials.
They are wrong.
Now, if there is some reason that you really can't do it when opening
the file, and you actually need to use capability information at
read/write time, you use the "file->f_cred" field, which is the
open-time capabilities. So you _can_ do permission checks at
read/write time, but you have to use the credentials of the opener,
not "current".
So in this case, I guess you could use
pm.show_pfn = file_ns_capable(file, &init_user_ns, CAP_SYS_ADMIN);
if you really need to do this at read time, and cannot fill in that
"show_pfn" at open-time.
Linus
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2015-05-12 15:06 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-12 9:43 [PATCH RFC 0/3] pagemap: make useable for non-privilege users Konstantin Khlebnikov
2015-05-12 9:43 ` [PATCH v2 1/3] pagemap: add mmap-exclusive bit for marking pages mapped only here Konstantin Khlebnikov
2015-05-12 10:40 ` Kirill A. Shutemov
2015-05-13 10:59 ` Konstantin Khlebnikov
2015-05-12 12:05 ` Mark Williamson
2015-05-13 10:51 ` Konstantin Khlebnikov
2015-05-14 18:50 ` Mark Williamson
2015-05-15 9:39 ` Konstantin Khlebnikov
2015-05-12 9:43 ` [PATCH v2 2/3] pagemap: hide physical addresses from non-privileged users Konstantin Khlebnikov
2015-05-12 11:22 ` Mark Williamson
2015-05-12 15:06 ` Linus Torvalds [this message]
2015-05-12 15:41 ` Konstantin Khlebnikov
2015-05-12 9:43 ` [PATCH v2 3/3] pagemap: switch to the new format and do some cleanup Konstantin Khlebnikov
2015-05-12 10:54 ` Kirill A. Shutemov
2015-05-13 11:39 ` Konstantin Khlebnikov
2015-05-12 11:13 ` [PATCH RFC 0/3] pagemap: make useable for non-privilege users Mark Williamson
2015-05-14 18:40 ` Mark Williamson
2015-06-08 12:53 ` Mark Williamson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CA+55aFyKpWrt_Ajzh1rzp_GcwZ4=6Y=kOv8hBz172CFJp6L8Tg@mail.gmail.com' \
--to=torvalds@linux-foundation.org \
--cc=akpm@linux-foundation.org \
--cc=djames@undo-software.com \
--cc=fgrimwood@undo-software.com \
--cc=khlebnikov@yandex-team.ru \
--cc=kirill@shutemov.name \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@amacapital.net \
--cc=mseaborn@chromium.org \
--cc=mwilliamson@undo-software.com \
--cc=n-horiguchi@ah.jp.nec.com \
--cc=pavel@ucw.cz \
--cc=vbabka@suse.cz \
--cc=xemul@parallels.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox