Re: Leaking path for set_task_comm

From: TongZhang
Date: Tue Sep 25 2018 - 20:44:50 EST

Next message: Martin K. Petersen: "Re: [RESEND PATCH v2] scsi: Use vmemdup_user to replace the open code"
Previous message: Bernd Petrovitsch: "Re: Code of Conduct: Let's revamp it."
In reply to: Cyrill Gorcunov: "Re: Leaking path for set_task_comm"
Next in thread: Theodore Y. Ts'o: "Re: Leaking path for set_task_comm"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Yes, this is exactly what I am saying.
A process can change its own name using prctl or /proc/self/comm.
prctl is protected by security_task_prctl, whereas /proc/self/comm is not protected by this LSM hook.

A system admin may expect to use security_task_prctl to block all attempt to change process name, however, it can still change name using /proc/self/comm.

> On Sep 25, 2018, at 2:39 PM, Cyrill Gorcunov <gorcunov@xxxxxxxxx> wrote:
>
> On Tue, Sep 25, 2018 at 01:27:08PM -0400, Tong Zhang wrote:
>> Kernel Version: 4.18.5
>>
>> Problem Description:
>>
>> When using prctl(PR_SET_NAME) to set the thread name, it is checked by security_task_prctl.
>>
>> We discovered a leaking path that can also use method implemented in
>> fs/proc/base.c:1526 comm_write(), to do similar thing without asking LSMâs decision.
>
> I don't understand how it is a problem. Could you please explain?
> procfs/comm is created with S_IRUGO|S_IWUSR permissions. So
> prctl and procfs are simply different interfaces.

Next message: Martin K. Petersen: "Re: [RESEND PATCH v2] scsi: Use vmemdup_user to replace the open code"
Previous message: Bernd Petrovitsch: "Re: Code of Conduct: Let's revamp it."
In reply to: Cyrill Gorcunov: "Re: Leaking path for set_task_comm"
Next in thread: Theodore Y. Ts'o: "Re: Leaking path for set_task_comm"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]