Re: [PATCH v1 0/7] Remove in-tree usage of MAP_DENYWRITE
From: Eric W. Biederman <hidden>
Date: 2021-08-12 16:18:29
Also in:
linux-api, linux-fsdevel, linux-unionfs, lkml
Possibly related (same subject, not in this thread)
- 2021-09-01 · Re: [PATCH v1 0/7] Remove in-tree usage of MAP_DENYWRITE · David Hildenbrand <hidden>
- 2021-08-27 · Re: [PATCH v1 0/7] Remove in-tree usage of MAP_DENYWRITE · Eric W. Biederman <hidden>
- 2021-08-27 · Re: [PATCH v1 0/7] Remove in-tree usage of MAP_DENYWRITE · Christian Brauner <hidden>
- 2021-08-27 · RE: [PATCH v1 0/7] Remove in-tree usage of MAP_DENYWRITE · David Laight <hidden>
- 2021-08-26 · Re: [PATCH v1 0/7] Remove in-tree usage of MAP_DENYWRITE · Eric W. Biederman <hidden>
Florian Weimer [off-list ref] writes:
* David Hildenbrand:quoted
There are some (minor) user-visible changes with this series: 1. We no longer deny write access to shared libaries loaded via legacy uselib(); this behavior matches modern user space e.g., via dlopen(). 2. We no longer deny write access to the elf interpreter after exec completed, treating it just like shared libraries (which it often is).We have a persistent issue with people using cp (or similar tools) to replace system libraries. Since the file is truncated first, all relocations and global data are replaced by file contents, result in difficult-to-diagnose crashes. It would be nice if we had a way to prevent this mistake. It doesn't have to be MAP_DENYWRITE or MAP_COPY. It could be something completely new, like an option that turns every future access beyond the truncation point into a signal (rather than getting bad data or bad code and crashing much later). I don't know how many invalid copy operations are currently thwarted by the current program interpreter restriction. I doubt that lifting the restriction matters.
I suspect that what should happen is that we should make shared libraries and executables read-only on disk. We could potentially take this a step farther and introduce a new sysctl that causes "mmap(adr, len, PROT_EXEC, MAP_SHARED, fd, off)" but not PROT_WRITE to fail if the file can be written by anyone. That sysctl could even deny chown adding write access to the file if there are mappings open. Given that there hasn't been enough pain for people to install shared libraries read-only yet I suspect just installing executables and shared libraries without write-permissions on disk is enough to prevent the hard to track down bugs you have been talking about.
quoted
3. We always deny write access to the file linked via /proc/pid/exe: sys_prctl(PR_SET_MM_EXE_FILE) will fail if write access to the file cannot be denied, and write access to the file will remain denied until the link is effectivel gone (exec, termination, PR_SET_MM_EXE_FILE) -- just as if exec'ing the file. I was wondering if we really care about permanently disabling write access to the executable, or if it would be good enough to just disable write access while loading the new executable during exec; but I don't know the history of that -- and it somewhat makes sense to deny write access at least to the main executable. With modern user space -- dlopen() -- we can effectively modify the content of shared libraries while being used.Is there a difference between ET_DYN and ET_EXEC executables?
What is being changed is how we track which files to denying write access on. Instead of denying write-access based on a per mapping (aka mmap) basis, the new code is only denying access to /proc/self/exe. Because the method of tracking is much coarser is why the interper stops being protected. The code doesn't care how the mappings happen, only if the file is /proc/self/exe or not. Eric