Re: [PATCH v2] devtmpfs: mount with noexec and nosuid

From: Kees Cook
Date: Tue Nov 20 2012 - 18:53:20 EST

Next message: Dave Chinner: "Re: [PATCH RFC 10/12] userns: Convert xfs to use kuid/kgid/kprojidwhere appropriate"
Previous message: Marcelo Tosatti: "Re: [PATCH 2/5] KVM: MMU: simplify mmu_set_spte"
In reply to: Alan Cox: "Re: [PATCH v2] devtmpfs: mount with noexec and nosuid"
Next in thread: Alan Cox: "Re: [PATCH v2] devtmpfs: mount with noexec and nosuid"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Nov 20, 2012 at 3:53 PM, Alan Cox <alan@xxxxxxxxxxxxxxxxxxx> wrote:
>> > 1. Why not just have your userspace mount -o remount the file system this
>> > way already in early boot. (and if you trojanned boot that early then any
>> > supposed security gain is already lost)
>>
>> That's certainly possible, but I am hoping to avoid adding any extra
>> boot time. The kernel is responsible for this mount, so its flags
>> should be configurable, resulting in no time penalty anywhere.
>
> You just broke my bullshitometer
>
> It's a single syscall from your init binary, its microseconds.

Whatever, I still see it as a needless inefficiency.

>> > 2. If you want to do this right then you need to work out what you are
>> > trying to prevent. Your devtmpfs can force file permissions on the
>> > underlying device nodes by having its own operation handling for chmod.
>> >
>> > At that point you can force permissions on anything that you want to
>> > avoid floating around that filesystem with other rights, while not
>> > touching it on device or directory nodes where the meaning is different.
>> >
>> > In its current form however it appears to be a kernel implementation of
>> > "mount is too hard".
>>
>> This change also stops mmap() with PROT_EXEC which a chmod handler
>> wouldn't be able to do.
>
> You don't want to stop mmap with PROT_EXEC on /dev/mem as that breaks a
> load of stuff, you want to stop people adding stuff to that file system
> and executing it.

Well, initially the latter, yes. But as it turns out, setting noexec
also stops PROT_EXEC on /dev/mem. Since the systems I'm building for
all use KMS, there's no need to execute regions of /dev/mem (e.g. VESA
BIOS init, etc).

-Kees

--
Kees Cook
Chrome OS Security
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Dave Chinner: "Re: [PATCH RFC 10/12] userns: Convert xfs to use kuid/kgid/kprojidwhere appropriate"
Previous message: Marcelo Tosatti: "Re: [PATCH 2/5] KVM: MMU: simplify mmu_set_spte"
In reply to: Alan Cox: "Re: [PATCH v2] devtmpfs: mount with noexec and nosuid"
Next in thread: Alan Cox: "Re: [PATCH v2] devtmpfs: mount with noexec and nosuid"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]