On Mon, Aug 04, 2014 at 08:42:11PM -0700, Eric W. Biederman wrote:
> "Kirill A. Shutemov" <kirill@xxxxxxxxxxxxx> writes:
>
> > From: "Kirill A. Shutemov" <kirill.shutemov@xxxxxxxxxxxxxxx>
> >
> > Testcase:
> >
> >   cat /proc/self/maps >/dev/null
> >   chmod +x /proc/self/net/packet
> >   exec /proc/self/net/packet
> >
> > It triggers lockdep warning:
>
> > I don't know why we allow "chmod +x" on some proc files, notably net-related.
> > Is it a bug?
>
> It looks like we simply did not remove the ability to make those files
> executable when we realized executable proc files could be a problem.
>
> I expect that part of proc could use an audit where someone figures out
> what makes sense. It does appear that chmod XXX /proc/generic_file
> is explicitly supported. So we would have to be delicate with any
> changes in that area to avoid creating userspace regressions.

I can't imagine a valid use-case, taking into account that changing access
rights for one PID changes it for every PID. It's a potential security hole
if the user is not aware of this (I wasn't until recently).

List of files under /proc/PID/ which don't fail chmod to their current
access rights -- chmod "$(stat --format="%a" "$file")" "$file":

	net/anycast6
	net/arp
	net/connector
	net/dev
	net/dev_mcast
	net/dev_snmp6/eth0
	net/dev_snmp6/lo
	net/fib_trie
	net/fib_triestat
	net/icmp
	net/icmp6
	net/if_inet6
	net/igmp
	net/igmp6
	net/ip6_flowlabel
	net/ip6_tables_matches
	net/ip6_tables_names
	net/ip6_tables_targets
	net/ip_mr_cache
	net/ip_mr_vif
	net/ip_tables_matches
	net/ip_tables_names
	net/ip_tables_targets
	net/ipv6_route
	net/mcfilter
	net/mcfilter6
	net/netfilter/nf_log
	net/netlink
	net/netstat
	net/nf_conntrack
	net/nf_conntrack_expect
	net/packet
	net/pnp
	net/protocols
	net/psched
	net/ptype
	net/raw
	net/raw6
	net/route
	net/rt6_stats
	net/rt_cache
	net/snmp
	net/snmp6
	net/sockstat
	net/sockstat6
	net/softnet_stat
	net/stat/arp_cache
	net/stat/ndisc_cache
	net/stat/nf_conntrack
	net/stat/rt_cache
	net/tcp
	net/tcp6
	net/udp
	net/udp6
	net/udplite
	net/udplite6
	net/unix

David, could you comment on this?

-- 
 Kirill A. Shutemov
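
The probe quoted in the message above, wrapped into an audit loop as an added example (it is not part of the original mail or of any kernel patch). It also flags files that already carry an execute bit, the state the testcase creates. The function name `audit_proc_modes` and the `chmod-ok` / `exec-bit` output labels are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original thread.
# audit_proc_modes ROOT
#   Walks a /proc/PID-style tree and prints, relative to ROOT:
#     chmod-ok <mode> <path>   chmod to the file's current mode succeeded
#     exec-bit <mode> <path>   the file has an execute bit set
# chmod only succeeds for the file's owner or a privileged user, so run it
# with the same privileges as the account you are auditing for.

audit_proc_modes() {
    root=$1
    # -type f skips directories and the symlinks under /proc/PID
    # (cwd, root, exe, fd/*), so find never leaves the tree.
    find "$root" -type f 2>/dev/null | while IFS= read -r file; do
        # Short-lived entries can vanish between find and stat.
        mode=$(stat --format='%a' "$file" 2>/dev/null) || continue
        rel=${file#"$root"/}

        # Re-applying the current mode is the probe from the mail: it tells
        # us whether the setattr path is open without changing permissions.
        if chmod "$mode" "$file" 2>/dev/null; then
            echo "chmod-ok $mode $rel"
        fi

        # 0111 masks the owner, group and other execute bits.
        if [ $(( 0$mode & 0111 )) -ne 0 ]; then
            echo "exec-bit $mode $rel"
        fi
    done
}

# Stand-alone use: sh audit_proc_modes.sh /proc/self
if [ "$#" -gt 0 ]; then
    audit_proc_modes "$1"
fi
```

Because the mail notes that a mode change made through one PID is visible through every PID, an `exec-bit` line under `net/` for any one process is enough to show the shared entry was modified.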