Re: [PATCH v6 5/6] binfmt_*: scope path resolution of interpreters
From: Andy Lutomirski <luto@kernel.org>
Date: 2019-05-10 21:20:45
Also in:
linux-arch, linux-fsdevel, lkml
On Fri, May 10, 2019 at 1:41 PM Jann Horn [off-list ref] wrote:
> On Tue, May 07, 2019 at 05:17:35AM +1000, Aleksa Sarai wrote:
> > On 2019-05-06, Jann Horn [off-list ref] wrote:
> > > In my opinion, CVE-2019-5736 points out two different problems:
> > >
> > > The big problem: The __ptrace_may_access() logic has a special-case
> > > short-circuit for "introspection" that you can't opt out of; this
> > > makes it possible to open things in procfs that are related to the
> > > current process even if the credentials of the process wouldn't
> > > permit accessing another process like it. I think the proper fix to
> > > deal with this would be to add a prctl() flag for "set whether
> > > introspection is allowed for this process", and if userspace has
> > > manually un-set that flag, any introspection special-case logic
> > > would be skipped.
> >
> > We could do PR_SET_DUMPABLE=3 for this, I guess?
>
> Hmm... I'd make it a new prctl() command, since introspection is
> somewhat orthogonal to dumpability. Also, dumpability is per-mm, and I
> think the introspection flag should be per-thread.
I've lost track of the context here, but it seems to me that mitigating attacks involving accidental following of /proc links shouldn't depend on dumpability. What's the actual problem this is trying to solve again?
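The point Jann raises above (that the ptrace_may_access() "introspection" short-circuit lets a process reach its own procfs entries regardless of the dumpable flag) can be observed from userspace. The following is an added illustration written for this thread, not code from the patch series or from any of the participants: it clears the dumpable flag with the existing PR_SET_DUMPABLE prctl and then checks whether the process can still resolve and open its own /proc/self/exe. The helper name and the return-code convention are this example's own choices; it assumes a Linux system with procfs mounted.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <unistd.h>

/*
 * Clear the dumpable flag, then try to introspect our own executable
 * through procfs.
 *
 * Returns:
 *   1  -> prctl(PR_SET_DUMPABLE, 0) took effect and /proc/self/exe is
 *         still resolvable and openable by this process (the
 *         self-introspection short-circuit described in the thread)
 *   0  -> the flag took effect and self-introspection was refused
 *  -1  -> prctl() failed or the flag did not take
 *
 * Hypothetical helper name; not part of the kernel or of the patch set.
 */
int self_introspection_survives_nondumpable(void)
{
    /* 0 == SUID_DUMP_DISABLE: make the process non-dumpable. */
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1; /* flag did not stick; nothing to demonstrate */

    /* readlink() of /proc/<pid>/exe goes through ptrace_may_access(). */
    char target[4096];
    ssize_t n = readlink("/proc/self/exe", target, sizeof target - 1);
    if (n < 0)
        return 0;
    target[n] = '\0';

    /* Following the magic link to open the binary takes the same path. */
    int fd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

int main(void)
{
    int rc = self_introspection_survives_nondumpable();
    if (rc < 0) {
        perror("prctl(PR_SET_DUMPABLE)");
        return 1;
    }
    printf("dumpable=%d, /proc/self/exe still accessible: %s\n",
           (int)prctl(PR_GET_DUMPABLE, 0, 0, 0, 0), rc ? "yes" : "no");
    return 0;
}
```

On a current kernel the helper returns 1: dumpability governs what *other* processes may do to this one, while the same_thread_group() short-circuit in ptrace_may_access() still grants the process access to its own entries, which is exactly why a separate, opt-out introspection flag is being discussed rather than another PR_SET_DUMPABLE value.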