Re: Leaking path for set_task_comm
From: TongZhang
Date: Tue Sep 25 2018 - 20:44:50 EST
Yes, this is exactly what I am saying.
A process can change its own name using prctl or /proc/self/comm.
prctl is protected by security_task_prctl, whereas /proc/self/comm is not protected by this LSM hook.
A system admin may expect to use security_task_prctl to block all attempt to change process name, however, it can still change name using /proc/self/comm.
> On Sep 25, 2018, at 2:39 PM, Cyrill Gorcunov <gorcunov@xxxxxxxxx> wrote:
>
> On Tue, Sep 25, 2018 at 01:27:08PM -0400, Tong Zhang wrote:
>> Kernel Version: 4.18.5
>>
>> Problem Description:
>>
>> When using prctl(PR_SET_NAME) to set the thread name, it is checked by security_task_prctl.
>>
>> We discovered a leaking path that can also use method implemented in
>> fs/proc/base.c:1526 comm_write(), to do similar thing without asking LSMâs decision.
>
> I don't understand how it is a problem. Could you please explain?
> procfs/comm is created with S_IRUGO|S_IWUSR permissions. So
> prctl and procfs are simply different interfaces.