Re: Identified Redundant Capability Check in File Access under /proc/sys
From: Aleksa Sarai
Date: Mon Jan 29 2024 - 09:57:13 EST
On 2024-01-28, 孟敬姿 <mengjingzi@xxxxxxxxx> wrote:
> Hello developers,
>
> I hope this message finds you well. I wanted to bring to your
> attention an observation regarding file access under /proc/sys in the
> kernel source code.
>
> Upon review, it appears that certain files are protected by
> capabilities in the kernel source code; however, the capability check
> does not seem to be effectively enforced during file access.
>
> For example, I noticed this inconsistency in the access functions of some special files:
> 1. The access function mmap_min_addr_handler() in /proc/sys/vm/mmap_min_addr utilizes the CAP_SYS_RAWIO check.
> 2. The access function proc_dointvec_minmax_sysadmin() in /proc/sys/kernel/kptr_restrict requires the CAP_SYS_ADMIN check.
>
> Despite these capability checks in the source code, when accessing a
> file, it undergoes a UGO permission check before triggering these
> specialized file access functions. The UGO permissions for these files
> are configured as root:root rw- r-- r--, meaning only the root user
> can pass the UGO check.
>
> As a result, to access these files, one must be the root user, who
> inherently possesses all capabilities. Consequently, the capabilities
> check in the file access function seems redundant.
>
> Please consider reviewing and adjusting the capability checks in the
> mentioned access functions for better alignment with the UGO
> permissions.
These are not redundant -- opening a file and writing to a file
descriptor are different operations that can be done by:
1. The same process with the same credential set (what you're
describing);
2. The same process but with the write operation happening after a
setuid() or similar operation that changed its credentials; or
3. A different process that has been given access to the file
descriptor (passing it as an open file to a subprocess, SCM_RIGHTS,
etc.)
On Unix, access checks when opening a file for writing are different to
access checks when doing a write operation. For some sysctls, it is
prudent to restrict both the open and write operations to privileged
users.
> Thank you for your attention to this matter.
>
> Best regards,
> Jingzi Meng
--
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
<https://www.cyphar.com/>
Attachment:
signature.asc
Description: PGP signature