待辦事項 #40877

Rules for allowing read from /proc/<pid of program>/

啟用日期: 2020-10-23 14:52 最後更新: 2020-10-24 02:35

回報者:
(匿名)
負責人:
(無)
類型:
狀態:
開啟
元件:
(無)
里程碑:
(無)
優先權:
5 - 中
嚴重程度:
5 - 中
處理結果:
檔案:

細節

Kernel: 5.8.10 amd64 CCSecurity: 1.8.7+ 2020/08/20

It appears to me that newer systemd versions are accessing /proc/<getpid()>/ directly instead of via the /proc/self symlink. Is there anyway for me to permit only for the /proc entry of the requesting process instead of a blanket file read proc:/\$/* rule?

Ticket History (3/7 Histories)

2020-10-23 14:52 Updated by: None
  • New Ticket "Rules for allowing read from /proc/<pid of program>/" created
2020-10-23 20:42 Updated by: kumaneko
評語

Can you provide more details? "systemd" is a name of a package which contains multiple programs.

Which executable program is using proc:/\$/ ?

Did you confirm that that executable program is using only proc:/\$/ (and not using proc:/self/ )?

/proc/self/ is once converted to /proc/$pid/ by the pathname resolution routine inside the kernel, and TOMOYO converts back from "$pid" to "self" if the $pid matches getpid() value (please see ccs_get_local_path() in security/ccsecurity/realpath.c ).

Therefore, if a $pid is used for checking permission, I think that that executable program started scanning other processes (e.g. parents or children).

2020-10-23 22:13 Updated by: None
評語

Sure, here are some examples from my audit log:

#2020/10/23 03:34:29# profile=3 mode=enforcing granted=no (global-pid=6534) task={ pid=6534 ppid=6530 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 type!=execute_handler } path1={ uid=0 gid=0 ino=39403 major=0 minor=22 perm=0444 type=file } path1.parent={ uid=0 gid=0 ino=39401 perm=0555 }
<kernel> /lib/systemd/systemd /lib/systemd/system-generators/systemd-bless-boot-generator
file read proc:/6534/status

#2020/10/23 03:34:29# profile=3 mode=enforcing granted=no (global-pid=6536) task={ pid=6536 ppid=6530 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 type!=execute_handler } path1={ uid=0 gid=0 ino=35063 major=0 minor=22 perm=0444 type=file } path1.parent={ uid=0 gid=0 ino=35062 perm=0555 }
<kernel> /lib/systemd/systemd /lib/systemd/system-generators/systemd-cryptsetup-generator
file read proc:/6536/stat

#2020/10/23 03:34:29# profile=3 mode=enforcing granted=no (global-pid=6536) task={ pid=6536 ppid=6530 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 type!=execute_handler } path1={ uid=0 gid=0 ino=35064 major=0 minor=22 perm=0444 type=file } path1.parent={ uid=0 gid=0 ino=35062 perm=0555 }
<kernel> /lib/systemd/systemd /lib/systemd/system-generators/systemd-cryptsetup-generator
file read proc:/6536/status

#2020/10/23 03:34:29# profile=3 mode=enforcing granted=no (global-pid=6539) task={ pid=6539 ppid=6530 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 type!=execute_handler } path1={ uid=0 gid=0 ino=37991 major=0 minor=22 perm=0444 type=file } path1.parent={ uid=0 gid=0 ino=37990 perm=0555 }
<kernel> /lib/systemd/systemd /lib/systemd/system-generators/systemd-getty-generator
file read proc:/6539/stat

#2020/10/23 03:34:29# profile=3 mode=enforcing granted=no (global-pid=6539) task={ pid=6539 ppid=6530 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 type!=execute_handler } path1={ uid=0 gid=0 ino=37992 major=0 minor=22 perm=0444 type=file } path1.parent={ uid=0 gid=0 ino=37990 perm=0555 }
<kernel> /lib/systemd/systemd /lib/systemd/system-generators/systemd-getty-generator
file read proc:/6539/status

#2020/10/23 03:34:29# profile=3 mode=enforcing granted=no (global-pid=6537) task={ pid=6537 ppid=6530 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 type!=execute_handler } path1={ uid=0 gid=0 ino=33057 major=0 minor=22 perm=0444 type=file } path1.parent={ uid=0 gid=0 ino=33056 perm=0555 }
<kernel> /lib/systemd/systemd /lib/systemd/system-generators/systemd-debug-generator
file read proc:/6537/stat

#2020/10/23 03:34:29# profile=3 mode=enforcing granted=no (global-pid=6540) task={ pid=6540 ppid=6530 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 type!=execute_handler } path1={ uid=0 gid=0 ino=32496 major=0 minor=22 perm=0444 type=file } path1.parent={ uid=0 gid=0 ino=32495 perm=0555 }
<kernel> /lib/systemd/systemd /lib/systemd/system-generators/systemd-gpt-auto-generator
file read proc:/6540/stat

#2020/10/23 03:34:29# profile=3 mode=enforcing granted=no (global-pid=6540) task={ pid=6540 ppid=6530 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 type!=execute_handler } path1={ uid=0 gid=0 ino=32497 major=0 minor=22 perm=0444 type=file } path1.parent={ uid=0 gid=0 ino=32495 perm=0555 }
<kernel> /lib/systemd/systemd /lib/systemd/system-generators/systemd-gpt-auto-generator
file read proc:/6540/status

#2020/10/23 03:34:29# profile=3 mode=enforcing granted=no (global-pid=6537) task={ pid=6537 ppid=6530 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 type!=execute_handler } path1={ uid=0 gid=0 ino=33058 major=0 minor=22 perm=0444 type=file } path1.parent={ uid=0 gid=0 ino=33056 perm=0555 }
<kernel> /lib/systemd/systemd /lib/systemd/system-generators/systemd-debug-generator
file read proc:/6537/status

#2020/10/23 03:34:29# profile=3 mode=enforcing granted=no (global-pid=6547) task={ pid=6547 ppid=6530 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 type!=execute_handler } path1={ uid=0 gid=0 ino=39405 major=0 minor=22 perm=0444 type=file } path1.parent={ uid=0 gid=0 ino=39404 perm=0555 }
<kernel> /lib/systemd/systemd /lib/systemd/system-generators/systemd-veritysetup-generator
file read proc:/6547/stat

#2020/10/23 04:12:30# profile=3 mode=enforcing granted=no (global-pid=35758) task={ pid=35758 ppid=1 uid=193 gid=193 euid=193 egid=193 suid=193 sgid=193 fsuid=193 fsgid=193 type!=execute_handler } path1={ uid=193 gid=193 ino=72364 major=0 minor=22 perm=0444 type=file } path1.parent={ uid=193 gid=193 ino=71154 perm=0555 }
<kernel> /lib/systemd/systemd /lib/systemd/systemd-resolved
file read proc:/35758/stat

#2020/10/23 04:12:30# profile=3 mode=enforcing granted=no (global-pid=35758) task={ pid=35758 ppid=1 uid=193 gid=193 euid=193 egid=193 suid=193 sgid=193 fsuid=193 fsgid=193 type!=execute_handler } path1={ uid=193 gid=193 ino=68468 major=0 minor=22 perm=0444 type=file } path1.parent={ uid=193 gid=193 ino=71154 perm=0555 }
<kernel> /lib/systemd/systemd /lib/systemd/systemd-resolved
file read proc:/35758/status

The issue seems to only hit systemd utilities afaict from the log.

2020-10-24 01:44 Updated by: kumaneko
評語

Well, in Linux 5.8, tomoyo_get_local_path() was updated to use proc_pid_ns(sb) instead of sb->s_fs_info.

Will you try below diff?

--- a/security/ccsecurity/realpath.c	(revision 6821)
+++ b/security/ccsecurity/realpath.c	(working copy)
@@ -12,6 +12,9 @@
 #include <linux/nsproxy.h>
 #include <linux/mnt_namespace.h>
 #endif
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 8, 0)
+#include <linux/proc_fs.h>
+#endif
 
 /***** SECTION1: Constants definition *****/
 
@@ -379,8 +382,16 @@
 	if (sb->s_magic == PROC_SUPER_MAGIC && *pos == '/') {
 		char *ep;
 		const pid_t pid = (pid_t) simple_strtoul(pos + 1, &ep, 10);
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 25)
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 8, 0)
 		if (*ep == '/' && pid && pid ==
+		    task_tgid_nr_ns(current, proc_pid_ns(sb))) {
+			pos = ep - 5;
+			if (pos < buffer)
+				goto out;
+			memmove(pos, "/self", 5);
+		}
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 25)
+		if (*ep == '/' && pid && pid ==
 		    task_tgid_nr_ns(current, sb->s_fs_info)) {
 			pos = ep - 5;
 			if (pos < buffer)
2020-10-24 02:34 Updated by: None
評語

That seems to work. Thanks!

2020-10-24 02:34 Updated by: None
評語

That seems to work. Thanks!

2020-10-24 02:35 Updated by: None
評語

That seems to work. Thanks!

Attachment File List

No attachments

編輯

You are not logged in. I you are not logged in, your comment will be treated as an anonymous post. » 登入