From: David Rientjes <rientjes@google.com>
To: Vasiliy Kulikov <segoon@openwall.com>
Cc: kernel-hardening@lists.openwall.com,
Christoph Lameter <cl@linux-foundation.org>,
Pekka Enberg <penberg@kernel.org>, Matt Mackall <mpm@selenic.com>,
linux-mm@kvack.org, Kees Cook <kees@ubuntu.com>,
Dave Hansen <dave@linux.vnet.ibm.com>,
Valdis.Kletnieks@vt.edu,
Linus Torvalds <torvalds@linux-foundation.org>,
Alan Cox <alan@linux.intel.com>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/2] mm: restrict access to slab files under procfs and sysfs
Date: Tue, 27 Sep 2011 11:21:22 -0700 (PDT) [thread overview]
Message-ID: <alpine.DEB.2.00.1109271117200.17876@chino.kir.corp.google.com> (raw)
In-Reply-To: <20110927175453.GA3393@albatros>
On Tue, 27 Sep 2011, Vasiliy Kulikov wrote:
> Historically /proc/slabinfo and files under /sys/kernel/slab/* have
> world read permissions and are accessible to the world. slabinfo
> contains rather private information related both to the kernel and
> userspace tasks. Depending on the situation, it might reveal either
> private information per se or information useful to make another
> targeted attack. Some examples of what can be learned by
> reading/watching for /proc/slabinfo entries:
>
> 1) dentry (and different *inode*) number might reveal other processes fs
> activity. The number of dentry "active objects" doesn't strictly show
> file count opened/touched by a process, however, there is a good
> correlation between them. The patch "proc: force dcache drop on
> unauthorized access" relies on the privacy of dentry count.
>
> 2) different inode entries might reveal the same information as (1), but
> these are more fine granted counters. If a filesystem is mounted in a
> private mount point (or even a private namespace) and fs type differs from
> other mounted fs types, fs activity in this mount point/namespace is
> revealed. If there is a single ecryptfs mount point, the whole fs
> activity of a single user is revealed. Number of files in ecryptfs
> mount point is a private information per se.
>
> 3) fuse_* reveals number of files / fs activity of a user in a user
> private mount point. It is approx. the same severity as ecryptfs
> infoleak in (2).
>
> 4) sysfs_dir_cache similar to (2) reveals devices' addition/removal,
> which can be otherwise hidden by "chmod 0700 /sys/". With 0444 slabinfo
> the precise number of sysfs files is known to the world.
>
> 5) buffer_head might reveal some kernel activity. With other
> information leaks an attacker might identify what specific kernel
> routines generate buffer_head activity.
>
> 6) *kmalloc* infoleaks are very situational. Attacker should watch for
> the specific kmalloc size entry and filter the noise related to the unrelated
> kernel activity. If an attacker has relatively silent victim system, he
> might get rather precise counters.
>
> Additional information sources might significantly increase the slabinfo
> infoleak benefits. E.g. if an attacker knows that the processes
> activity on the system is very low (only core daemons like syslog and
> cron), he may run setxid binaries / trigger local daemon activity /
> trigger network services activity / await sporadic cron jobs activity
> / etc. and get rather precise counters for fs and network activity of
> these privileged tasks, which is unknown otherwise.
>
>
> Also hiding slabinfo and /sys/kernel/slab/* is a one step to complicate
> exploitation of kernel heap overflows (and possibly, other bugs). The
> related discussion:
>
> http://thread.gmane.org/gmane.linux.kernel/1108378
>
>
> To keep compatibility with old permission model where non-root
> monitoring daemon could watch for kernel memleaks though slabinfo one
> should do:
>
> groupadd slabinfo
> usermod -a -G slabinfo $MONITOR_USER
>
> And add the following commands to init scripts (to mountall.conf in
> Ubuntu's upstart case):
>
> chmod g+r /proc/slabinfo /sys/kernel/slab/*/*
> chgrp slabinfo /proc/slabinfo /sys/kernel/slab/*/*
>
> Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
> Reviewed-by: Kees Cook <kees@ubuntu.com>
> Reviewed-by: Dave Hansen <dave@linux.vnet.ibm.com>
> CC: Christoph Lameter <cl@gentwo.org>
> CC: Pekka Enberg <penberg@cs.helsinki.fi>
> CC: Valdis.Kletnieks@vt.edu
> CC: Linus Torvalds <torvalds@linux-foundation.org>
> CC: David Rientjes <rientjes@google.com>
> CC: Alan Cox <alan@linux.intel.com>
Acked-by: David Rientjes <rientjes@google.com>
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Fight unfair telecom internet charges in Canada: sign http://stopthemeter.ca/
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2011-09-27 18:21 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-09-27 17:54 Vasiliy Kulikov
2011-09-27 17:56 ` [PATCH 2/2] mm: restrict access to /proc/meminfo Vasiliy Kulikov
2011-09-27 18:27 ` David Rientjes
2011-09-27 19:14 ` Vasiliy Kulikov
2011-09-27 19:38 ` Vasiliy Kulikov
2011-09-27 20:03 ` Christoph Lameter
2011-09-27 20:33 ` David Rientjes
2011-09-27 20:47 ` Christoph Lameter
2011-09-28 20:31 ` Dave Hansen
2011-09-28 20:52 ` Alan Cox
2011-09-29 0:43 ` Valdis.Kletnieks
2011-09-29 14:11 ` Christoph Lameter
2011-09-29 16:18 ` Vasiliy Kulikov
2011-09-29 16:30 ` Dave Hansen
2011-09-29 16:43 ` [kernel-hardening] " Vasiliy Kulikov
2011-09-29 16:57 ` Valdis.Kletnieks
2011-09-29 17:25 ` [kernel-hardening] " Vasiliy Kulikov
2011-09-29 17:28 ` Vasiliy Kulikov
2011-09-28 21:46 ` Andrew Morton
2011-09-30 19:53 ` Vasiliy Kulikov
2011-09-30 20:03 ` Andrew Morton
2011-09-30 20:12 ` Vasiliy Kulikov
2011-09-30 20:15 ` Dave Hansen
2011-09-27 18:08 ` [PATCH 1/2] mm: restrict access to slab files under procfs and sysfs Christoph Lameter
2011-09-27 19:16 ` Vasiliy Kulikov
2011-09-27 19:35 ` Christoph Lameter
2011-09-27 18:21 ` David Rientjes [this message]
2011-09-27 20:00 ` Pekka Enberg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alpine.DEB.2.00.1109271117200.17876@chino.kir.corp.google.com \
--to=rientjes@google.com \
--cc=Valdis.Kletnieks@vt.edu \
--cc=alan@linux.intel.com \
--cc=cl@linux-foundation.org \
--cc=dave@linux.vnet.ibm.com \
--cc=kees@ubuntu.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mpm@selenic.com \
--cc=penberg@kernel.org \
--cc=segoon@openwall.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox