Re: [PATCH] [RFC][WIP] namespace.c: Allow some unprivileged proc mounts when not fully visible

2018-04-13 Thread Djalal Harouni
On Wed, Apr 4, 2018 at 4:45 PM, Eric W. Biederman wrote: [...] > > The only option I have seen proposed that might qualify as something > general purpose and simple is a new filesystem that is just the process > directories of proc. As there would in essence be no files that would > need restrict

Re: module: add debugging alias parsing support

2017-12-04 Thread Djalal Harouni
On Mon, Dec 4, 2017 at 2:58 PM, Jessica Yu wrote: > +++ Djalal Harouni [04/12/17 10:01 +0100]: >> >> On Thu, Nov 30, 2017 at 7:39 PM, Luis R. Rodriguez >> wrote: >>> >>> On Thu, Nov 30, 2017 at 02:17:11PM +0100, Jessica Yu wrote: >>>> >>

Re: module: add debugging alias parsing support

2017-12-04 Thread Djalal Harouni
On Thu, Nov 30, 2017 at 7:39 PM, Luis R. Rodriguez wrote: > On Thu, Nov 30, 2017 at 02:17:11PM +0100, Jessica Yu wrote: >> Just some quick questions - are there any plans to use these in-kernel >> module aliases anywhere else? Or are you using them just for debugging? > > As-is for now just debugg

Re: [kernel-hardening] Re: [PATCH v5 next 5/5] net: modules: use request_module_cap() to load 'netdev-%s' modules

2017-11-30 Thread Djalal Harouni
On Thu, Nov 30, 2017 at 3:16 PM, Theodore Ts'o wrote: > On Thu, Nov 30, 2017 at 09:50:27AM +0100, Djalal Harouni wrote: >> In embedded systems we can't maintain a SELinux policy, distro man >> power hardly manage. We have abstracted seccomp etc, but the kernel >> in

Re: [PATCH v5 next 3/5] modules:capabilities: automatic module loading restriction

2017-11-30 Thread Djalal Harouni
On Thu, Nov 30, 2017 at 2:23 AM, Luis R. Rodriguez wrote: > On Mon, Nov 27, 2017 at 06:18:36PM +0100, Djalal Harouni wrote: >> diff --git a/include/linux/module.h b/include/linux/module.h >> index 5cbb239..c36aed8 100644 >> --- a/include/linux/module.h >> +++ b/include/

Re: [kernel-hardening] Re: [PATCH v5 next 5/5] net: modules: use request_module_cap() to load 'netdev-%s' modules

2017-11-30 Thread Djalal Harouni
On Thu, Nov 30, 2017 at 7:51 AM, Daniel Micay wrote: [...] > Lots of potential module attack surface also gets eliminated by default > via their SELinux whitelists for /dev, /sys, /proc, debugfs, ioctl > commands, etc. The global seccomp whitelist might be relevant in some > cases too. In embedde

Re: [kernel-hardening] Re: [PATCH v5 next 5/5] net: modules: use request_module_cap() to load 'netdev-%s' modules

2017-11-28 Thread Djalal Harouni
On Wed, Nov 29, 2017 at 12:23 AM, Theodore Ts'o wrote: > On Tue, Nov 28, 2017 at 01:33:40PM -0800, Kees Cook wrote: >> As I've said before, this isn't a theoretical attack surface. This >> year alone there have been three known-exploitable flaws exposed by >> autoloading: >> >> The exploit for CVE

Re: [PATCH v5 next 1/5] modules:capabilities: add request_module_cap()

2017-11-28 Thread Djalal Harouni
On Tue, Nov 28, 2017 at 11:18 PM, Luis R. Rodriguez wrote: > On Tue, Nov 28, 2017 at 10:33:27PM +0100, Djalal Harouni wrote: >> On Tue, Nov 28, 2017 at 10:16 PM, Luis R. Rodriguez >> wrote: >> > On Tue, Nov 28, 2017 at 12:11:34PM -0800, Kees Cook wrote: >> >&

Re: [PATCH v5 next 1/5] modules:capabilities: add request_module_cap()

2017-11-28 Thread Djalal Harouni
On Tue, Nov 28, 2017 at 10:16 PM, Luis R. Rodriguez wrote: > On Tue, Nov 28, 2017 at 12:11:34PM -0800, Kees Cook wrote: >> On Tue, Nov 28, 2017 at 11:14 AM, Luis R. Rodriguez >> wrote: >> > kmod is just a helper to poke userpsace to load a module, that's it. >> > >> > The old init_module() and n

Re: [kernel-hardening] Re: [PATCH v5 next 5/5] net: modules: use request_module_cap() to load 'netdev-%s' modules

2017-11-28 Thread Djalal Harouni
On Tue, Nov 28, 2017 at 9:33 PM, Linus Torvalds wrote: > On Tue, Nov 28, 2017 at 12:20 PM, Kees Cook wrote: >> >> So what's the right path forward for allowing a way to block >> autoloading? Separate existing request_module() calls into "must be >> privileged" and "can be unpriv" first, then rewo

Re: [PATCH v5 next 1/5] modules:capabilities: add request_module_cap()

2017-11-28 Thread Djalal Harouni
Hi Luis, On Tue, Nov 28, 2017 at 8:14 PM, Luis R. Rodriguez wrote: > On Mon, Nov 27, 2017 at 06:18:34PM +0100, Djalal Harouni wrote: > ... > >> After a discussion with Rusty Russell [1], the suggestion was to pass >> the capability from request_module() to security_kernel_mo

Re: [PATCH v5 next 5/5] net: modules: use request_module_cap() to load 'netdev-%s' modules

2017-11-27 Thread Djalal Harouni
Hi Linus, On Mon, Nov 27, 2017 at 7:44 PM, Linus Torvalds wrote: > On Mon, Nov 27, 2017 at 9:18 AM, Djalal Harouni wrote: >> This uses the new request_module_cap() facility to directly propagate >> CAP_NET_ADMIN capability and the 'netdev' module prefix to the >>

Re: [PATCH v5 next 1/5] modules:capabilities: add request_module_cap()

2017-11-27 Thread Djalal Harouni
Hi Randy, On Mon, Nov 27, 2017 at 7:48 PM, Randy Dunlap wrote: > Hi, > > Mostly typos/spellos... > > > On 11/27/2017 09:18 AM, Djalal Harouni wrote: >> Cc: Serge Hallyn >> Cc: Andy Lutomirski >> Suggested-by: Rusty Russell >> Suggested-by: K

Re: [PATCH v5 next 0/5] Improve Module autoloading infrastructure

2017-11-27 Thread Djalal Harouni
Hi Linus, On Mon, Nov 27, 2017 at 8:12 PM, Linus Torvalds wrote: > On Mon, Nov 27, 2017 at 11:02 AM, Linus Torvalds > wrote: >> >> Now, the above will not necessarily work with a legacy /dev/ directory >> where al the nodes have been pre-populated, and opening the device >> node is supposed to l

[PATCH v5 next 3/5] modules:capabilities: automatic module loading restriction

2017-11-27 Thread Djalal Harouni
ading is disabled forever. [1] http://www.openwall.com/lists/oss-security/2017/02/22/3 [2] https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-6074 [3] http://www.openwall.com/lists/oss-security/2017/03/29/2 [4] http://www.openwall.com/lists/oss-security/2017/03/07/6 [5] https://a13xp0p0v.

[PATCH v5 next 4/5] modules:capabilities: add a per-task modules auto-load mode

2017-11-27 Thread Djalal Harouni
w.openwall.com/lists/oss-security/2017/02/22/3 [2] https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-6074 [3] http://www.openwall.com/lists/oss-security/2017/03/29/2 [4] http://www.openwall.com/lists/oss-security/2017/03/07/6 [5] https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html

[PATCH v5 next 1/5] modules:capabilities: add request_module_cap()

2017-11-27 Thread Djalal Harouni
ed on patch by Rusty Russell and discussion with Kees Cook: [1] https://lkml.org/lkml/2017/4/26/735 [2] https://lkml.org/lkml/2017/5/23/775 Cc: Serge Hallyn Cc: Andy Lutomirski Suggested-by: Rusty Russell Suggested-by: Kees Cook Signed-off-by: Djalal Harouni --- include/linux/kmod.h |

[PATCH v5 next 5/5] net: modules: use request_module_cap() to load 'netdev-%s' modules

2017-11-27 Thread Djalal Harouni
ns from Rusty Russel and Kees Cook [1] [1] https://lkml.org/lkml/2017/4/26/735 Cc: Ben Hutchings Cc: James Morris Cc: Serge Hallyn Cc: Solar Designer Cc: Andy Lutomirski Suggested-by: Rusty Russell Suggested-by: Kees Cook Signed-off-by: Djalal Harouni --- net/core/dev_ioctl.c | 4 +++

[PATCH v5 next 2/5] modules:capabilities: add cap_kernel_module_request() permission check

2017-11-27 Thread Djalal Harouni
patch. Cc: James Morris Cc: Serge Hallyn Cc: Andy Lutomirski Cc: Ben Hutchings Suggested-by: Rusty Russell Suggested-by: Kees Cook Signed-off-by: Djalal Harouni --- include/linux/module.h | 10 ++ include/linux/security.h | 4 +++- kernel/module.c | 23

[PATCH v5 next 0/5] Improve Module autoloading infrastructure

2017-11-27 Thread Djalal Harouni
by: Kees Cook *) Improved documentation. *) Removed unused code. # Changes since v1: *) Renamed module to ModAutoRestrict *) Improved documentation to explicity refer to module autoloading. *) Switched to use the new task_security_alloc() hook. *) Switched from rhash tables to use task->security since

Re: [PATCH RFC v3 2/7] proc: move /proc/{self|thread-self} dentries to proc_fs_info

2017-11-10 Thread Djalal Harouni
On Fri, Nov 10, 2017 at 11:31 AM, Alexey Dobriyan wrote: > On 11/9/17, Djalal Harouni wrote: > >> struct proc_fs_info { >> struct pid_namespace *pid_ns; >> + struct dentry *proc_self; /* For /proc/self/ */ >> + struct dentry *proc_thread_

Re: [PATCH RFC v3 3/7] proc: add helpers to set and get proc hidepid and gid mount options

2017-11-10 Thread Djalal Harouni
On Fri, Nov 10, 2017 at 11:36 AM, Alexey Dobriyan wrote: > On 11/9/17, Djalal Harouni wrote: >> --- a/fs/proc/base.c >> +++ b/fs/proc/base.c > >> -static bool has_pid_permissions(struct pid_namespace *pid, >> +static bool has_pid_permissions(struct proc_fs_

Re: [PATCH RFC v3 6/7] proc: support new 'pids=all|ptraceable' mount option

2017-11-10 Thread Djalal Harouni
On Fri, Nov 10, 2017 at 3:38 AM, Andy Lutomirski wrote: > On Thu, Nov 9, 2017 at 8:14 AM, Djalal Harouni wrote: >> This patch introduces the new 'pids' mount option, as it was discussed >> and suggested by Andy Lutomirski [1]. >> >> * If 'pids='

Re: [PATCH RFC v3 4/7] proc: support mounting private procfs instances inside same pid namespace

2017-11-10 Thread Djalal Harouni
On Fri, Nov 10, 2017 at 3:53 AM, James Morris wrote: > On Thu, 9 Nov 2017, Djalal Harouni wrote: > >> This should allow later after real testing to have a smooth transition >> to a procfs with default private instances. >> >> [1] >> https://lists.linuxfoun

Re: [PATCH RFC v3 1/7] proc: add proc_fs_info struct to store proc information

2017-11-10 Thread Djalal Harouni
On Fri, Nov 10, 2017 at 11:26 AM, Alexey Dobriyan wrote: > On 11/9/17, Djalal Harouni wrote: > >> +struct proc_fs_info { >> + struct pid_namespace *pid_ns; >> +}; > >> +static inline struct proc_fs_info *proc_sb(struct super_block *sb) >> +{ >>

[PATCH RFC v3 1/7] proc: add proc_fs_info struct to store proc information

2017-11-09 Thread Djalal Harouni
it-discuss/2017-January/004215.html [2] http://www.openwall.com/lists/kernel-hardening/2017/10/05/5 [3] http://lxr.free-electrons.com/source/Documentation/filesystems/devpts.txt?v=3.14 Cc: Kees Cook Cc: Greg Kroah-Hartman Suggested-by: Andy Lutomirski Signed-off-by: Alexey Gladkov Signed-off-

[PATCH RFC v3 2/7] proc: move /proc/{self|thread-self} dentries to proc_fs_info

2017-11-09 Thread Djalal Harouni
, and we want to make sure that unmounting a private procfs won't clash with other procfs mounts. Cc: Kees Cook Cc: Greg Kroah-Hartman Suggested-by: Andy Lutomirski Signed-off-by: Alexey Gladkov Signed-off-by: Djalal Harouni --- fs/proc/base.c| 4 ++-- fs/proc/r

[PATCH RFC v3 3/7] proc: add helpers to set and get proc hidepid and gid mount options

2017-11-09 Thread Djalal Harouni
truct. First lets fix the access. Cc: Kees Cook Cc: Greg Kroah-Hartman Suggested-by: Andy Lutomirski Signed-off-by: Alexey Gladkov Signed-off-by: Djalal Harouni --- fs/proc/base.c | 16 +--- fs/proc/inode.c | 5 +++-- fs/proc/internal.h | 2 +- fs/proc/r

[PATCH RFC v3 5/7] proc: move hidepid definitions to proc files

2017-11-09 Thread Djalal Harouni
lets move this last bit to where it really belongs. Cc: Kees Cook Cc: Greg Kroah-Hartman Cc: Andy Lutomirski Signed-off-by: Alexey Gladkov Signed-off-by: Djalal Harouni --- include/linux/pid_namespace.h | 6 -- include/linux/proc_fs.h | 6 ++ 2 files changed, 6 insertions(+),

[PATCH RFC v3 6/7] proc: support new 'pids=all|ptraceable' mount option

2017-11-09 Thread Djalal Harouni
[1] https://lkml.org/lkml/2017/4/26/646 Cc: Kees Cook Cc: Greg Kroah-Hartman Suggested-by: Andy Lutomirski Signed-off-by: Alexey Gladkov Signed-off-by: Djalal Harouni --- fs/proc/base.c | 36 +--- fs/proc/inode.c | 6 +- fs/proc/root.c

[PATCH RFC v3 4/7] proc: support mounting private procfs instances inside same pid namespace

2017-11-09 Thread Djalal Harouni
lxr.free-electrons.com/source/Documentation/filesystems/devpts.txt?v=3.14 [5] https://lkml.org/lkml/2017/5/2/407 [6] https://lkml.org/lkml/2017/5/3/357 Cc: Kees Cook Cc: Greg Kroah-Hartman Suggested-by: Andy Lutomirski Signed-off-by: Alexey Gladkov Signed-off-by: Djalal Harouni --- fs/proc/

[PATCH RFC v3 7/7] proc: flush dcache entries from all procfs instances

2017-11-09 Thread Djalal Harouni
Flush dcache entries of a task when it terminates. The task may have showed up in multiple procfs mounts per pid namespace, and we need to walk the mounts and invalidate any left entires. Cc: Kees Cook Cc: Greg Kroah-Hartman Cc: Andy Lutomirski Cc: Alexey Gladkov Signed-off-by: Djalal Harouni

[PATCH RFC v3 0/7] proc: modernize proc to support multiple private instances

2017-11-09 Thread Djalal Harouni
enamed mount options to 'newinstance' and 'pids=' Suggested-by: Andy Lutomirski *) Fixed order of commit, Suggested-by: Andy Lutomirski *) Many bug fixes. # Changes since RFC v1: *) Removed 'unshared' mount option and replaced it with 'limit_pids' wh

Re: [PATCH v2 2/2] pidmap(2)

2017-09-25 Thread Djalal Harouni
Hi Alexey, On Sun, Sep 24, 2017 at 9:08 PM, Alexey Dobriyan wrote: > From: Tatsiana Brouka > > Implement system call for bulk retrieveing of pids in binary form. > > Using /proc is slower than necessary: 3 syscalls + another 3 for each thread + > converting with atoi() + instantiating dentries a

Re: [PATCH 1/2] pidmap(2)

2017-09-06 Thread Djalal Harouni
Hi Alexey, On Thu, Sep 7, 2017 at 4:04 AM, Andy Lutomirski wrote: > On Wed, Sep 6, 2017 at 2:04 AM, Alexey Dobriyan wrote: >> On 9/6/17, Randy Dunlap wrote: >>> On 09/05/17 15:53, Andrew Morton wrote: [...] >>> >>> also, I expect that the tiny kernel people will want kconfig options for >>> the

Re: [PATCH v4 next 1/3] modules:capabilities: allow __request_module() to take a capability argument

2017-09-01 Thread Djalal Harouni
Hi Kees, On Thu, Jun 1, 2017 at 9:10 PM, Kees Cook wrote: > On Thu, Jun 1, 2017 at 7:56 AM, Djalal Harouni wrote: ... > >> BTW Kees, also in next version I won't remove the >> capable(CAP_NET_ADMIN) check from [1] >> even if there is the new request_module_cap(),

Re: [PATCH v4 next 1/3] modules:capabilities: allow __request_module() to take a capability argument

2017-06-01 Thread Djalal Harouni
On Tue, May 30, 2017 at 7:59 PM, Kees Cook wrote: [...] >>> I see a few options: >>> >>> 1) keep what you have for v4, and hope other places don't use >>> __request_module. (I'm not a fan of this.) >> >> Yes even if it is documented I wouldn't bet on it, though. :-) > > Okay, we seem to agree: we'

Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions

2017-05-24 Thread Djalal Harouni
On Tue, May 23, 2017 at 9:48 AM, Solar Designer wrote: >> >>> On Mon, May 22, 2017 at 2:08 PM, Solar Designer >> >>> wrote: >> >>> > On Mon, May 22, 2017 at 01:57:03PM +0200, Djalal Harouni wrote: >> >>> >> *) When module

Re: [PATCH v4 next 1/3] modules:capabilities: allow __request_module() to take a capability argument

2017-05-24 Thread Djalal Harouni
On Tue, May 23, 2017 at 9:19 PM, Kees Cook wrote: > On Tue, May 23, 2017 at 3:29 AM, Djalal Harouni wrote: [...] >> I think if there is an interface request_module_capable() , then code >> will use it. The DCCP code path did not check capabilities at all and >> called re

Re: [RFC][PATCH 0/9] Make containers kernel objects

2017-05-23 Thread Djalal Harouni
On Tue, May 23, 2017 at 2:54 PM, Eric W. Biederman wrote: > Jeff Layton writes: > >> On Mon, 2017-05-22 at 14:04 -0500, Eric W. Biederman wrote: >>> David Howells writes: >>> >>> > Here are a set of patches to define a container object for the kernel and >>> > to provide some methods to create a

Re: [RFC][PATCH 0/9] Make containers kernel objects

2017-05-23 Thread Djalal Harouni
On Tue, May 23, 2017 at 12:22 AM, Jeff Layton wrote: > On Mon, 2017-05-22 at 14:04 -0500, Eric W. Biederman wrote: >> David Howells writes: >> >> > Here are a set of patches to define a container object for the kernel and >> > to provide some methods to create and manipulate them. >> > >> > The r

Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions

2017-05-23 Thread Djalal Harouni
On Tue, May 23, 2017 at 1:38 AM, Andy Lutomirski wrote: > On Mon, May 22, 2017 at 4:07 PM, Kees Cook wrote: >> On Mon, May 22, 2017 at 12:55 PM, Djalal Harouni wrote: >>> On Mon, May 22, 2017 at 6:43 PM, Solar Designer wrote: >>>> On Mon, May 22, 2017 at 03:49:15

Re: [PATCH v4 next 1/3] modules:capabilities: allow __request_module() to take a capability argument

2017-05-23 Thread Djalal Harouni
On Tue, May 23, 2017 at 12:20 AM, Kees Cook wrote: > On Mon, May 22, 2017 at 4:57 AM, Djalal Harouni wrote: >> This is a preparation patch for the module auto-load restriction feature. >> >> In order to restrict module auto-load operations we need to check if the >>

Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions

2017-05-22 Thread Djalal Harouni
On Mon, May 22, 2017 at 6:43 PM, Solar Designer wrote: > On Mon, May 22, 2017 at 03:49:15PM +0200, Djalal Harouni wrote: >> On Mon, May 22, 2017 at 2:08 PM, Solar Designer wrote: >> > On Mon, May 22, 2017 at 01:57:03PM +0200, Djalal Harouni wrote: >> >> *) When modu

Re: [kernel-hardening] [PATCH v4 next 0/3] modules: automatic module loading restrictions

2017-05-22 Thread Djalal Harouni
Hi Alexander, On Mon, May 22, 2017 at 2:08 PM, Solar Designer wrote: > Hi Djalal, > > Thank you for your work on this! > > On Mon, May 22, 2017 at 01:57:03PM +0200, Djalal Harouni wrote: >> *) When modules_autoload_mode is set to (2), automatic module loading is >>

[PATCH v4 next 2/3] modules:capabilities: automatic module loading restriction

2017-05-22 Thread Djalal Harouni
[1] http://www.openwall.com/lists/oss-security/2017/02/22/3 [2] http://www.openwall.com/lists/oss-security/2017/03/29/2 [3] https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-6074 Cc: Ben Hutchings Cc: Rusty Russell Cc: James Morris Cc: Serge Hallyn Cc: Andy Lutomirski Suggested-

[PATCH v4 next 3/3] modules:capabilities: add a per-task modules auto-load mode

2017-05-22 Thread Djalal Harouni
sandboxed apps or containers will be restricted to trigger automatic module loading, other parts of the system can continue to use the system as it is which is the case of the desktop. [1] http://www.openwall.com/lists/oss-security/2017/02/22/3 [2] http://www.openwall.com/lists/oss-security

[PATCH v4 next 1/3] modules:capabilities: allow __request_module() to take a capability argument

2017-05-22 Thread Djalal Harouni
equest() hook. Based on patch by Rusty Russell: https://lkml.org/lkml/2017/4/26/735 Cc: Serge Hallyn Cc: Andy Lutomirski Suggested-by: Rusty Russell Suggested-by: Kees Cook Signed-off-by: Djalal Harouni [1] https://lkml.org/lkml/2017/4/24/7 --- include/linux/kmod.h | 15 --

[PATCH v4 next 0/3] modules: automatic module loading restrictions

2017-05-22 Thread Djalal Harouni
Suggested-by: Kees Cook *) Improved documentation. *) Removed unused code. # Changes since v1: *) Renamed module to ModAutoRestrict *) Improved documentation to explicity refer to module autoloading. *) Switched to use the new task_security_alloc() hook. *) Switched from rhash tables to u

Re: [RFC][PATCH 0/9] VFS: Introduce mount context

2017-05-08 Thread Djalal Harouni
On Wed, May 3, 2017 at 6:04 PM, David Howells wrote: > > Here are a set of patches to create a mount context prior to setting up a > new mount, populating it with the parsed options/binary data and then > effecting the mount. > > This allows namespaces and other information to be conveyed through

Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction

2017-05-05 Thread Djalal Harouni
Hi Serge, On Thu, May 4, 2017 at 4:58 PM, Serge E. Hallyn wrote: > On Thu, May 04, 2017 at 03:07:49PM +0200, Djalal Harouni wrote: >> On Sat, Apr 22, 2017 at 2:17 PM, Djalal Harouni wrote: >> > On Sat, Apr 22, 2017 at 1:28 AM, Andy Lutomirski >> > wrote: >> [

Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction

2017-05-04 Thread Djalal Harouni
On Sat, Apr 22, 2017 at 2:17 PM, Djalal Harouni wrote: > On Sat, Apr 22, 2017 at 1:28 AM, Andy Lutomirski wrote: [...] >> >> My point is that all of these need some way to handle configuration >> and inheritance, and I don't think that a bunch of per-task prctls is >

Re: [PATCH RFC v2 4/6] proc: support mounting private procfs instances inside same pid namespace

2017-05-03 Thread Djalal Harouni
On Tue, May 2, 2017 at 6:33 PM, Andy Lutomirski wrote: > On Tue, May 2, 2017 at 7:29 AM, Djalal Harouni wrote: >> On Thu, Apr 27, 2017 at 12:13 AM, Andy Lutomirski wrote: >>> On Tue, Apr 25, 2017 at 5:23 AM, Djalal Harouni wrote: >> [...] >>>> We have to ali

Re: [PATCH RFC v2 4/6] proc: support mounting private procfs instances inside same pid namespace

2017-05-02 Thread Djalal Harouni
On Thu, Apr 27, 2017 at 12:13 AM, Andy Lutomirski wrote: > On Tue, Apr 25, 2017 at 5:23 AM, Djalal Harouni wrote: [...] >> We have to align procfs and modernize it to have a per mount context >> where at least the mount option do not propagate to all other mounts, >> then

Re: [PATCH RFC v2 5/6] proc: instantiate only pids that we can ptrace on 'limit_pids=1' mount option

2017-05-02 Thread Djalal Harouni
Hello Andy, (Sorry for my late response) On Thu, Apr 27, 2017 at 12:09 AM, Andy Lutomirski wrote: > On Tue, Apr 25, 2017 at 5:23 AM, Djalal Harouni wrote: >> If "limit_pids=1" mount option is set then do not instantiate pids that >> we can not ptrace. "limit_pi

Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction

2017-04-27 Thread Djalal Harouni
On Thu, Apr 27, 2017 at 4:07 AM, Rusty Russell wrote: > Djalal Harouni writes: >> Hi Rusty, >> >> On Mon, Apr 24, 2017 at 6:29 AM, Rusty Russell wrote: >>> Djalal Harouni writes: >>>> When value is (1), task must have CAP_SYS_MODULE to be able to tri

Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction

2017-04-26 Thread Djalal Harouni
Hi Rusty, On Mon, Apr 24, 2017 at 6:29 AM, Rusty Russell wrote: > Djalal Harouni writes: >> When value is (1), task must have CAP_SYS_MODULE to be able to trigger a >> module auto-load operation, or CAP_NET_ADMIN for modules with a >> 'netdev-%s' alias. > >

[PATCH RFC v2 6/6] proc: flush task dcache entries from all procfs instances

2017-04-25 Thread Djalal Harouni
This allows to flush dcache entries of a task on multiple procfs mounts per pid namespace. Cc: Kees Cook Cc: Andy Lutomirski Signed-off-by: Djalal Harouni --- fs/proc/base.c| 27 ++- fs/proc/inode.c | 9 - fs/proc/root.c

[PATCH RFC v2 5/6] proc: instantiate only pids that we can ptrace on 'limit_pids=1' mount option

2017-04-25 Thread Djalal Harouni
If "limit_pids=1" mount option is set then do not instantiate pids that we can not ptrace. "limit_pids=1" means that procfs should only contain pids that the caller can ptrace. Cc: Kees Cook Cc: Andy Lutomirski Signed-off-by: Djalal Harouni --- fs/proc/base.c | 9

[PATCH RFC v2 4/6] proc: support mounting private procfs instances inside same pid namespace

2017-04-25 Thread Djalal Harouni
rough procfs on pids with the other syscalls that can be blocked by seccomp filters. Later Yama LSM can be updated to check that processes are able only able to see their children inside /proc/. [1] https://lkml.org/lkml/2017/3/31/324 Cc: Kees Cook Suggested-by: Andy Lutomirski Signed-off-

[PATCH RFC v2 3/6] proc: add helpers to set and get proc hidepid and gid mount options

2017-04-25 Thread Djalal Harouni
This is a cleaning patch to add helpers to set and get proc mount options instead of directly using them. This make it easy to track what's happening and easy to update in future. Cc: Kees Cook Cc: Andy Lutomirski Signed-off-by: Djalal Harouni --- fs/proc/base.c

[PATCH RFC v2 1/6] proc: add proc_fs_info struct to store proc information

2017-04-25 Thread Djalal Harouni
: Kees Cook Suggested-by: Andy Lutomirski Signed-off-by: Djalal Harouni --- fs/locks.c | 6 +++-- fs/proc/base.c | 31 +-- fs/proc/inode.c | 8 +++--- fs/proc/root.c | 65 ++--- fs/proc

[PATCH RFC v2 2/6] proc: move /proc/{self|thread-self} dentries to proc_fs_info

2017-04-25 Thread Djalal Harouni
, unmounting a private procfs won't clash with other procfs mounts. Cc: Kees Cook Cc: Andy Lutomirski Signed-off-by: Djalal Harouni --- fs/proc/base.c| 4 ++-- fs/proc/root.c| 8 fs/proc/self.c| 3 +-- fs/proc/thread_self.c

[PATCH RFC v2 0/6] proc: support private proc instances per pidnamespace

2017-04-25 Thread Djalal Harouni
ch is attached to the current procfs mount. Suggested-by Andy Lutomirski *) Do not fill dcache with pid entries that we can not ptrace. *) Many bug fixes. Djalal Harouni (6): [PATCH 1/6] proc: add proc_fs_info struct to store proc information [PATCH 2/6] proc: move /proc/{self|thread-self} dentrie

Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction

2017-04-24 Thread Djalal Harouni
On Mon, Apr 24, 2017 at 8:02 PM, Kees Cook wrote: > On Mon, Apr 24, 2017 at 7:25 AM, Djalal Harouni wrote: >> On Sat, Apr 22, 2017 at 9:29 PM, Kees Cook wrote: >>> On Fri, Apr 21, 2017 at 11:51 PM, Andy Lutomirski wrote: >>>> On Fri, Apr 21, 2017 at 5:12 PM, Djala

Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction

2017-04-24 Thread Djalal Harouni
On Sat, Apr 22, 2017 at 9:29 PM, Kees Cook wrote: > On Fri, Apr 21, 2017 at 11:51 PM, Andy Lutomirski wrote: >> On Fri, Apr 21, 2017 at 5:12 PM, Djalal Harouni wrote: >>> On Sat, Apr 22, 2017 at 1:51 AM, Andy Lutomirski wrote: >>> [...] >>> * DCCP use after

Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction

2017-04-22 Thread Djalal Harouni
dy Lutomirski wrote: >>>>> On Wed, Apr 19, 2017 at 3:20 PM, Djalal Harouni wrote: >>>>>> +/* Sets task's modules_autoload */ >>>>>> +static inline int task_set_modules_autoload(struct task_struct *task, >>>>>

Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction

2017-04-21 Thread Djalal Harouni
On Sat, Apr 22, 2017 at 2:12 AM, Djalal Harouni wrote: > On Sat, Apr 22, 2017 at 1:51 AM, Andy Lutomirski wrote: > [...] >>>> I personally like my implicit_rights idea, and it might be interesting >>>> to prototype it. >>> >>> I don't like b

Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction

2017-04-21 Thread Djalal Harouni
On Sat, Apr 22, 2017 at 1:51 AM, Andy Lutomirski wrote: [...] >>> I personally like my implicit_rights idea, and it might be interesting >>> to prototype it. >> >> I don't like blocking a needed feature behind a large super-feature >> that doesn't exist yet. We'd be able to refactor this code into

Re: [kernel-hardening] Re: [PATCH v3 1/2] modules:capabilities: automatic module loading restriction

2017-04-20 Thread Djalal Harouni
On Thu, Apr 20, 2017 at 5:02 PM, Ben Hutchings wrote: > On Thu, 2017-04-20 at 14:44 +0200, Djalal Harouni wrote: >> > On Thu, Apr 20, 2017 at 4:22 AM, Ben Hutchings >> > wrote: >> > On Thu, 2017-04-20 at 00:20 +0200, Djalal Harouni wrote: >> > [...] [...]

Re: [kernel-hardening] Re: [PATCH v3 1/2] modules:capabilities: automatic module loading restriction

2017-04-20 Thread Djalal Harouni
On Thu, Apr 20, 2017 at 4:22 AM, Ben Hutchings wrote: > On Thu, 2017-04-20 at 00:20 +0200, Djalal Harouni wrote: > [...] >> +modules_autoload: >> + >> +A sysctl to control if modules auto-load feature is allowed or not. >> +This sysctl complements "module

Re: [PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction

2017-04-19 Thread Djalal Harouni
On Thu, Apr 20, 2017 at 12:20 AM, Djalal Harouni wrote: [...] > +/* Returns task's modules_autoload */ > +static inline void task_copy_modules_autoload(struct task_struct *dest, > + struct task_struct *src) > +{ > + dest->

[PATCH v3 0/2] modules:capabilities: automatic module loading restrictions

2017-04-19 Thread Djalal Harouni
Hi List, This is an update of the previous two RFCs that implemented module auto-load restriction as a stackable LSM [1] [2]. The previous versions were presented as a stackable LSM, this new version is implemented as a core kernel feature inside the capability subsystem. This new version is cle

[PATCH v3 1/2] modules:capabilities: automatic module loading restriction

2017-04-19 Thread Djalal Harouni
r [ 416.040569] Automatic module loading of netdev-tunl0 by "ip"[1398] was denied [ 416.040578] Automatic module loading of tunl0 by "ip"[1398] was denied $ cat /proc/sys/kernel/modules_autoload 2 Cc: Serge Hallyn Cc: Andy Lutomirski Suggested-by: Kees Cook Signed-off-by:

[PATCH v3 2/2] modules:capabilities: add a per-task modules autoload restriction

2017-04-19 Thread Djalal Harouni
"ip"[1362] was denied Cc: Serge Hallyn Cc: Andy Lutomirski Suggested-by: Kees Cook Signed-off-by: Djalal Harouni --- Documentation/filesystems/proc.txt | 3 ++ Documentation/prctl/modules_autoload.txt | 49 +++ fs/proc/array.c

Re: [kernel-hardening] Re: [PATCH RFC v2 1/3] LSM: Allow per LSM module per "struct task_struct" blob.

2017-04-12 Thread Djalal Harouni
On Tue, Apr 11, 2017 at 6:43 AM, Kees Cook wrote: > On Mon, Apr 10, 2017 at 1:00 PM, Djalal Harouni wrote: >> On Mon, Apr 10, 2017 at 9:26 PM, Casey Schaufler >> wrote: >>> I think that would be the prudent approach. There is still >>> the possibility that b

Re: [kernel-hardening] Re: [PATCH RFC v2 1/3] LSM: Allow per LSM module per "struct task_struct" blob.

2017-04-12 Thread Djalal Harouni
On Tue, Apr 11, 2017 at 9:54 PM, Casey Schaufler wrote: > On 4/10/2017 9:43 PM, Kees Cook wrote: >> On Mon, Apr 10, 2017 at 1:00 PM, Djalal Harouni wrote: >>> On Mon, Apr 10, 2017 at 9:26 PM, Casey Schaufler >>> wrote: >>>> I think that would be the pr

Re: [PATCH RFC v2 0/3] security: Add ModAutoRestrict LSM

2017-04-12 Thread Djalal Harouni
On Tue, Apr 11, 2017 at 6:23 AM, Kees Cook wrote: > On Sun, Apr 9, 2017 at 3:42 AM, Djalal Harouni wrote: [...] >> A userspace request to use a kernel feature that is implemented by modules >> that are not loaded may trigger the module auto-load feature to load >> thes

Re: [PATCH RFC v2 1/3] LSM: Allow per LSM module per "struct task_struct" blob.

2017-04-10 Thread Djalal Harouni
On Mon, Apr 10, 2017 at 9:26 PM, Casey Schaufler wrote: > On 4/10/2017 11:30 AM, Djalal Harouni wrote: >> On Mon, Apr 10, 2017 at 5:50 PM, Casey Schaufler >> wrote: >>> On 4/9/2017 3:42 AM, Djalal Harouni wrote: >>>> From: Tetsuo Handa [...] >>>

Re: [PATCH RFC v2 2/3] security: add the ModAutoRestrict Linux Security Module

2017-04-10 Thread Djalal Harouni
On Mon, Apr 10, 2017 at 9:04 PM, Casey Schaufler wrote: > On 4/10/2017 11:27 AM, Djalal Harouni wrote: >> On Mon, Apr 10, 2017 at 5:42 PM, Casey Schaufler >> wrote: >>> On 4/9/2017 3:42 AM, Djalal Harouni wrote: [...] >>>> --- a/security/security.c >>

Re: [PATCH RFC v2 1/3] LSM: Allow per LSM module per "struct task_struct" blob.

2017-04-10 Thread Djalal Harouni
On Mon, Apr 10, 2017 at 5:50 PM, Casey Schaufler wrote: > On 4/9/2017 3:42 AM, Djalal Harouni wrote: >> From: Tetsuo Handa >> >> Since several modules are planning to use per "struct task_struct" blob, >> we need a layer for isolating it. Therefore, this p

Re: [PATCH RFC v2 2/3] security: add the ModAutoRestrict Linux Security Module

2017-04-10 Thread Djalal Harouni
On Mon, Apr 10, 2017 at 5:42 PM, Casey Schaufler wrote: > On 4/9/2017 3:42 AM, Djalal Harouni wrote: [...] >> + >> +static inline struct modautoload_task *init_modautoload_task(struct >> task_struct *tsk, >> +

Re: [kernel-hardening] [PATCH net-next v6 07/11] landlock: Add ptrace restrictions

2017-04-09 Thread Djalal Harouni
On Wed, Mar 29, 2017 at 1:46 AM, Mickaël Salaün wrote: > A landlocked process has less privileges than a non-landlocked process > and must then be subject to additional restrictions when manipulating > processes. To be allowed to use ptrace(2) and related syscalls on a > target process, a landlock

[PATCH RFC v2 1/3] LSM: Allow per LSM module per "struct task_struct" blob.

2017-04-09 Thread Djalal Harouni
te all modules which should be activated. Signed-off-by: Djalal Harouni Signed-off-by: Tetsuo Handa --- include/linux/lsm_hooks.h | 36 +++- security/security.c | 37 - 2 files changed, 71 insertions(+), 2 deletions(

[PATCH RFC v2 2/3] security: add the ModAutoRestrict Linux Security Module

2017-04-09 Thread Djalal Harouni
lue can not be changed. *) Access rules: First the prctl() settings are checked, if the access is not denied then the global sysctl settings are checked. Cc: Andy Lutomirski Cc: James Morris Cc: Tetsuo Handa Cc: Kees Cook Signed-off-by: Djalal Harouni --- MAINTAINERS

[PATCH RFC v2 3/3] Documentation: add ModAutoRestrict LSM documentation

2017-04-09 Thread Djalal Harouni
Cc: Andy Lutomirski Cc: James Morris Cc: Tetsuo Handa Cc: Kees Cook Signed-off-by: Djalal Harouni --- Documentation/security/00-INDEX| 2 + Documentation/security/ModAutoRestrict.txt | 77 ++ 2 files changed, 79 insertions(+) create mode 100644

[PATCH RFC v2 0/3] security: Add ModAutoRestrict LSM

2017-04-09 Thread Djalal Harouni
xes and documentation improvements. All Kees Cook comments handled, except for the removing of security_kernel_read_file which I will do in next iteration when I make sure that I did not miss something. Thank you! Tetsuo Handa (1): LSM: Allow per LSM module per "struct task_struct&qu

Re: [PATCH RFC 0/4] proc: support multiple separate proc instances per pidnamespace

2017-03-31 Thread Djalal Harouni
On Thu, Mar 30, 2017 at 9:12 PM, Andy Lutomirski wrote: > On Thu, Mar 30, 2017 at 8:22 AM, Djalal Harouni wrote: >> Hi, >> >> This RFC can be applied on top of Linus' tree 89970a04d7 >> >> This RFC implements support for multiple separate proc instances

Re: [PATCH RFC 0/4] proc: support multiple separate proc instances per pidnamespace

2017-03-31 Thread Djalal Harouni
On Fri, Mar 31, 2017 at 12:16 AM, Alexey Gladkov wrote: > On Thu, Mar 30, 2017 at 05:22:55PM +0200, Djalal Harouni wrote: >> Hi, >> >> This RFC can be applied on top of Linus' tree 89970a04d7 >> >> This RFC implements support for multiple separate proc inst

Re: [PATCH RFC 1/4] proc: add proc_fs_info struct to store proc options

2017-03-31 Thread Djalal Harouni
On Thu, Mar 30, 2017 at 9:10 PM, Andy Lutomirski wrote: > On Thu, Mar 30, 2017 at 8:22 AM, Djalal Harouni wrote: >> This is a preparation patch that adds a proc_fs_info to be able to store >> different procfs options. Right now some mount options are stored inside >> the pid

[PATCH RFC 0/4] proc: support multiple separate proc instances per pidnamespace

2017-03-30 Thread Djalal Harouni
Hi, This RFC can be applied on top of Linus' tree 89970a04d7 This RFC implements support for multiple separate proc instances inside the same pid namespace. This allows to solve lot of problems that today's use case face. Historically procfs was tied to pid namespaces, and mount options were pro

[PATCH RFC 1/4] proc: add proc_fs_info struct to store proc options

2017-03-30 Thread Djalal Harouni
This is a preparation patch that adds a proc_fs_info to be able to store different procfs options. Right now some mount options are stored inside the pid namespace which make multiple proc share the same mount options. This patch will help also to fix this. Signed-off-by: Djalal Harouni --- fs

[PATCH RFC 4/4] proc: support flushing dcache entries of a task on multiple procfs mounts

2017-03-30 Thread Djalal Harouni
This allows to flush dcache entries of a task on multiple procfs mounts per pid namespace. Maybe this patch is nedded since this is just an optimization and maybe it contains bugs. Signed-off-by: Djalal Harouni --- fs/proc/base.c| 28 ++-- fs/proc

[PATCH RFC 2/4] proc: add helpers to set/get hidepid and gid mount options

2017-03-30 Thread Djalal Harouni
This is a preparation patch to allow to set and get hidepid and gid mount options correctly Signed-off-by: Djalal Harouni --- fs/proc/base.c | 15 +-- fs/proc/generic.c | 37 + fs/proc/inode.c | 5 +++-- fs/proc/internal.h

[PATCH RFC 3/4] proc: support mounting new procfs instances inside same pid namespace

2017-03-30 Thread Djalal Harouni
This patch adds support for 'unshare' mount option to have multiple separated procfs inside the same pid namespace. This allows to solve lot of problem for containers and their specific use cases. Signed-off-by: Djalal Harouni --- fs/proc/generic.c | 10 + fs/pr

Re: [kernel-hardening] [PATCH net-next v6 06/11] seccomp,landlock: Handle Landlock events per process hierarchy

2017-03-29 Thread Djalal Harouni
On Wed, Mar 29, 2017 at 1:46 AM, Mickaël Salaün wrote: > The seccomp(2) syscall can be used by a task to apply a Landlock rule to > itself. As a seccomp filter, a Landlock rule is enforced for the current > task and all its future children. A rule is immutable and a task can > only add new restric

Re: [RFC] Add option to mount only a pids subset

2017-03-26 Thread Djalal Harouni
(Cc'ed Kees and Jann for the procfs stacking issue) On Thu, Mar 23, 2017 at 11:07 PM, Alexey Gladkov wrote: > On Thu, Mar 23, 2017 at 05:06:28PM +0100, Djalal Harouni wrote: >> Hi Alexey, >> >> On Mon, Mar 20, 2017 at 1:58 PM, Alexey Gladkov >> wrote: >>

Re: [RFC] Add option to mount only a pids subset

2017-03-23 Thread Djalal Harouni
Hi Alexey, On Mon, Mar 20, 2017 at 1:58 PM, Alexey Gladkov wrote: > > > Al Viro, this patch looks better ? > > == Overview == > > Some of the container virtualization systems are mounted /proc inside > the container. This is done in most cases to operate with information > about the processes. Kn

[PATCH] proc: allow to change proc mount options per mount

2017-03-23 Thread Djalal Harouni
Signed-off-by: Djalal Harouni --- fs/locks.c | 6 +- fs/proc/base.c | 51 +- fs/proc/generic.c | 5 ++ fs/proc/inode.c | 10 +-- fs/proc/root.c | 181 ++-- fs/proc/self.c |

Re: [RFC] Add option to mount only a pids subset

2017-03-09 Thread Djalal Harouni
On Tue, Mar 7, 2017 at 5:24 PM, Andy Lutomirski wrote: > > On Mon, Mar 6, 2017 at 3:05 PM, Alexey Gladkov > wrote: > > > > After discussion with Oleg Nesterov I reimplement my patch as an additional > > option for /proc. This option affects the mountpoint. It means that in one > > pid namespace

  1   2   3   >