On Thu, Jul 24, 2014 at 05:48:28PM +0400, Andrew Vagin wrote: > On Tue, Jul 22, 2014 at 01:07:51PM -0700, Kees Cook wrote: > > > - @exe_fd is referred from /proc/$pid/exe and when generating > > > coredump. We uses prctl_set_mm_exe_file_locked helper to update > > > this member, so exe-file link modification remains one-shot > > > action. > > > > Controlling exe_fd without privileges may turn out to be dangerous. At > > least things like tomoyo examine it for making policy decisions (see > > tomoyo_manager()). > > > > We don't want to reduce security. How can we get a process with a > target exe link, which executes our code? > > We can execute the target file and attach to it with ptrace. ptrace > allows to inject and execute any code. > > So if we are sure that we are able to do a previous scenario, we can > safely change exe-link, can't we? > > prctl already has a check of permissions to execute the target file. > If we execute a file. What can prevent us to attach to the process with > ptrace? > > The file can have a suid bit, so after executing it we may lose ability > to attach to it. To check that we can check that uid and gid is zero > in a current userns (local root). > > What else do we need to check?
Good question. I suppose plain check for local root should be enough. Guys, I'm about to send a new series for review. Please take a look once time permit. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
