Thread: 25 messages, 7 authors, 2019-05-11

Re: [PATCH v6 5/6] binfmt_*: scope path resolution of interpreters

From: Andy Lutomirski <luto@kernel.org>
Date: 2019-05-10 21:20:45
Also in: linux-arch, linux-fsdevel, lkml

On Fri, May 10, 2019 at 1:41 PM Jann Horn [off-list ref] wrote:
> On Tue, May 07, 2019 at 05:17:35AM +1000, Aleksa Sarai wrote:
> > On 2019-05-06, Jann Horn [off-list ref] wrote:
> > > In my opinion, CVE-2019-5736 points out two different problems:
> > >
> > > The big problem: The __ptrace_may_access() logic has a special-case
> > > short-circuit for "introspection" that you can't opt out of; this
> > > makes it possible to open things in procfs that are related to the
> > > current process even if the credentials of the process wouldn't permit
> > > accessing another process like it. I think the proper fix to deal with
> > > this would be to add a prctl() flag for "set whether introspection is
> > > allowed for this process", and if userspace has manually un-set that
> > > flag, any introspection special-case logic would be skipped.
> >
> > We could do PR_SET_DUMPABLE=3 for this, I guess?
>
> Hmm... I'd make it a new prctl() command, since introspection is
> somewhat orthogonal to dumpability. Also, dumpability is per-mm, and I
> think the introspection flag should be per-thread.

I've lost track of the context here, but it seems to me that
mitigating attacks involving accidental following of /proc links
shouldn't depend on dumpability. What's the actual problem this is
trying to solve again?
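An added example, not part of the thread, that reproduces the kernel behaviour Jann describes: a Linux process that has cleared its own dumpable flag can still open /proc/self/exe, because __ptrace_may_access() short-circuits for the calling thread group, while a same-uid sibling without CAP_SYS_PTRACE is refused. It assumes Linux with /proc mounted; the function names are my own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added demo: clear our own dumpable flag, then open /proc/self/exe.
 * __ptrace_may_access() short-circuits for same_thread_group(), so this
 * is expected to succeed even though we are no longer dumpable.
 * Returns 1 on success, 0 if open() failed, -1 if prctl() failed. */
int self_exe_open_after_nondumpable(void)
{
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) return -1;
    int fd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC);
    if (fd < 0) return 0;
    close(fd);
    return 1;
}

/* Contrast: a forked child clears its dumpable flag, then the parent
 * (same uid) tries /proc/<child>/exe. Returns errno from the failed open
 * (EACCES expected without CAP_SYS_PTRACE), 0 if it succeeded (e.g. as
 * root), or -1 on a setup error. */
int other_exe_open_errno(void)
{
    int pfd[2];
    if (pipe(pfd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                      /* child */
        prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
        (void)!write(pfd[1], "r", 1);    /* tell parent we are ready */
        pause();                         /* wait for SIGKILL */
        _exit(0);
    }
    char c, path[64];
    if (read(pfd[0], &c, 1) != 1) return -1;
    snprintf(path, sizeof path, "/proc/%d/exe", (int)pid);
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    int result = fd < 0 ? errno : 0;
    if (fd >= 0) close(fd);
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    return result;
}
```

Run as an unprivileged user to see the contrast; a caller holding CAP_SYS_PTRACE is allowed through the second path as well, which is exactly why the thread argues the opt-out should not be tied to dumpability.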