Re: [kernel-hardening] [PATCH] move RLIMIT_NPROC check from set_user() to do_execve_common()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Tue, 26 Jul 2011 03:40:13 +0400 Solar Designer <solar@xxxxxxxxxxxx> wrote:

> Vasiliy,
> 
> On Mon, Jul 25, 2011 at 09:14:23PM +0400, Vasiliy Kulikov wrote:
> > @@ -1433,6 +1433,19 @@ static int do_execve_common(const char *filename,
> >  	struct files_struct *displaced;
> >  	bool clear_in_exec;
> >  	int retval;
> > +	const struct cred *cred = current_cred();
> > +
> > +	/*
> > +	 * We move the actual failure in case of RLIMIT_NPROC excess from
> > +	 * set*uid() to execve() because too many poorly written programs
> > +	 * don't check setuid() return code.  Here we additionally recheck
> > +	 * whether NPROC limit is still exceeded.
> > +	 */
> > +	if ((current->flags & PF_NPROC_EXCEEDED) &&
> > +	    atomic_read(&cred->user->processes) > rlimit(RLIMIT_NPROC)) {
> > +		retval = -EAGAIN;
> > +		goto out_ret;
> > +	}
> 
> Do you possibly need:
> 
> 	current->flags &= ~PF_NPROC_EXCEEDED;
> 
> somewhere after this point?
> 
> I think it's weird to have past set_user() failure affect other than the
> very next execve().

So we are hoping that no program uses execvp() or similar...  Maybe that is
reasonable but "in for a penny, in for a pound" - I'd fail them all.

I think the flag should only be cleared once we notice that the limit is no
longer exceeded.  So clearing the flag can appear *after* the code you quote
above, but not in the middle of it.

> 
> Perhaps also reset the flag on fork() because we have an RLIMIT_NPROC
> check on fork() anyway.

I agree it should be cleared here too.

> 
> Thanks,
> 
> Alexander


But there is still the issue of 'zygot' like services....

Let me try another suggestion.  Instead of catching the error in
do_execve_common, how about we catch it in do_mmap_pgoff.
i.e. if the flag is set and an attempt it made to create an executable
mapping, we check the user->processes against the limit then - either failing
or clearing the flag and succeeding.

This will stop an execve, and an attempt to load a shared library and call it.

In the case of 'exec' the process will get a SIGKILL as well, which is
probably a good thing.

Thoughts?

NeilBrown

--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]
  Powered by Linux