On Thu, Apr 25, 2024 at 05:04:47PM -0400, Kent Overstreet wrote: > On Thu, Apr 25, 2024 at 09:51:56PM +0100, Matthew Wilcox wrote: > > On Thu, Apr 25, 2024 at 04:45:51PM -0400, Kent Overstreet wrote: > > > On Thu, Apr 25, 2024 at 01:08:50PM -0700, Kees Cook wrote: > > > > The /proc/allocinfo file exposes a tremendous about of information about > > > > kernel build details, memory allocations (obviously), and potentially > > > > even image layout (due to ordering). As this is intended to be consumed > > > > by system owners (like /proc/slabinfo), use the same file permissions as > > > > there: 0400. > > > > > > Err... > > > > > > The side effect of locking down more and more reporting interfaces is > > > that programs that consume those interfaces now have to run as root. > > > > sudo cat /proc/allocinfo | analyse-that-fie > > Even that is still an annoyance, but I'm thinking more about a future > daemon to collect this every n seconds - that really shouldn't need to > be root. Open it once and rewind? But regardless, see the end about changing ownership/perms/etc. > And the "lock everything down" approach really feels like paranoia gone > too far - what's next, /proc/cpuinfo? Do we really want to go the > Windows approach of UAC pop ups for everything? I'd rather be going the > opposite direction, of making it as easy as possible for users to see > what's going on with their machine. Not unless there's something in /proc/cpuinfo that can't be extracted in other methods. :) Anyway, you're offering a slippery-slope argument, I just want to avoid new interfaces from having needlessly permissive default access permissions. I expect this to be enabled by default in distros, etc, so I'd like to make sure it's not giving attackers more information than they had before. Even reporting how much has been allocated at a specific location means an attacker ends up with extremely accurate information when attempting heap grooming, etc. Even the low granularity of slabinfo is sufficient to improve attacks. (Which is why it's 0400 by default too.) > Instead, why not a sysctl, like we already have for perf? perf is a whole other beast, including syscalls, etc. > The concern about leaking image layout could be addressed by sorting the > output before returning to userspace. It's trivial to change permissions from the default 0400 at boot time. It can even have groups and ownership changed, etc. This is why we have per-mount-namespace /proc instances: # chgrp sysmonitor /proc/allocinfo # chmod 0440 /proc/allocinfo Poof, instant role-based access control. :) I'm just trying to make the _default_ safe. -- Kees Cook
