On Tue, 26 Jul 2011 18:48:48 +0400 Vasiliy Kulikov <segoon@xxxxxxxxxxxx> wrote: > Neil, Solar, > > On Tue, Jul 26, 2011 at 14:11 +1000, NeilBrown wrote: > > I don't really see that failing mmap is any more hackish than failing execve. > > > > Both are certainly hacks. It is setuid that should fail, but that is > > problematic. > > > > We seem to agree that it is acceptable to delay the failure until the process > > actually tries to run some code for the user. I just think that > > mapping-a-file-for-exec is a more direct measure of "trying to run some code > > for the user" than "execve" is. > > > > So they are both hacks, but one it more thorough than the other. In the > > world of security I would hope that "thorough" would win. > > Well, I don't mind against something more generic than the check in > execve(), however, the usefulness of the check in mmap() is unclear to > me. You want to make more programs fail after setuid(), but does mmap > stops really many programs? Do you know any program doing mmap/dlopen > after setuid() call? What if the program will not do any mmap/dlopen > and e.g. start to handle network connections or do some computations? > I suppose the latter case is much more often than mmap/dlopen. I think I didn't make myself clear. I don't mean we should intercept the mmap system call. I mean we could intercept the internal kernel function do_mmap_pgoff. This is used by the mmap system call but also (and more importantly) by the execve system call and the uselib system call. So any attempt to map a file and execute the code in that file - whether via exec or via mapping a shared object - will go through do_mmap_pgoff. So if we disable do_mmap_pgoff() requests which ask for execute permission when a setuid has caused RLIMIT_NPROC to be exceeded, then we catch every attempt to run the user's code as the user. I won't catch a situation where an interpreter is already loaded into the root-owned process and the setuid is followed by loading a script and running that, it is isn't perfect. But I think it is more general than just trapping in execve. NeilBrown -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
