[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 4/3] x86/ldt: allow to disable modify_ldt at runtime

To: Willy Tarreau <w@xxxxxx>
From: Kees Cook <keescook@xxxxxxxxxxxx>
Date: Mon, 27 Jul 2015 12:04:54 -0700
Cc: "security@xxxxxxxxxx" <security@xxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Peter Zijlstra <peterz@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, X86 ML <x86@xxxxxxxxxx>, "linux-kernel@xxxxxxxxxxxxxxx" <linux-kernel@xxxxxxxxxxxxxxx>, Steven Rostedt <rostedt@xxxxxxxxxxx>, Andy Lutomirski <luto@xxxxxxxxxxxxxx>, Borislav Petkov <bp@xxxxxxxxx>, Andy Lutomirski <luto@xxxxxxxxxx>, Sasha Levin <sasha.levin@xxxxxxxxxx>, Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxx>
Delivery-date: Mon, 27 Jul 2015 19:05:07 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

On Sat, Jul 25, 2015 at 6:03 AM, Willy Tarreau <w@xxxxxx> wrote:
> On Sat, Jul 25, 2015 at 09:50:52AM +0200, Willy Tarreau wrote:
>> On Fri, Jul 24, 2015 at 11:44:52PM -0700, Andy Lutomirski wrote:
>> > I'm all for it, but I think it should be hard-disablable in config,
>> > too, for the -tiny people.
>>
>> I totally agree.
>>
>> > If we add a runtime disable, let's do a
>> > separate patch, and you and Kees can fight over how general it should
>> > be.
>>
>> Initially I was thinking about changing it for a 3-state option but
>> that would prevent X86_16BIT from being hard-disablable, so I'll do
>> something completely separate.
>
> So here comes the proposed patch. It adds a default setting for the
> sysctl when the option is not hard-disabled (eg: distros not wanting
> to take risks with legacy apps). It suggests to leave the option off.
> In case a syscall is blocked, a printk_ratelimited() is called with
> relevant info (program name, pid, uid) so that the admin can decide
> whether it's a legitimate call or not. Eg:
>
>   Denied a call to modify_ldt() from a.out[1736] (uid: 100). Adjust sysctl if 
> this was not an exploit attempt.
>
> I personally think it completes well your series, hence the 4/3 numbering.
> Feel free to adopt it if you cycle another round and if you're OK with it
> of course.
>
> CCing Kees as well.

This patch looks reasonable, but I'd prefer a tri-state (enable,
disable, hard-disable). I do something like this for Yama's ptrace
zero to max_scope range (which "pins" to max_scope if set):

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/security/yama/yama_lsm.c#n361

-Kees

-- 
Kees Cook
Chrome OS Security

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH 4/3] x86/ldt: allow to disable modify_ldt at runtime
  - From: Willy Tarreau

References:
- [Xen-devel] [PATCH v4 0/3] x86: modify_ldt improvement, test, and config option
  - From: Andy Lutomirski
- [Xen-devel] [PATCH v4 2/3] x86/ldt: Make modify_ldt optional
  - From: Andy Lutomirski
- Re: [Xen-devel] [PATCH v4 2/3] x86/ldt: Make modify_ldt optional
  - From: Willy Tarreau
- Re: [Xen-devel] [PATCH v4 2/3] x86/ldt: Make modify_ldt optional
  - From: Andy Lutomirski
- Re: [Xen-devel] [PATCH v4 2/3] x86/ldt: Make modify_ldt optional
  - From: Willy Tarreau
- [Xen-devel] [PATCH 4/3] x86/ldt: allow to disable modify_ldt at runtime
  - From: Willy Tarreau

Prev by Date: Re: [Xen-devel] design philosophy of blktap
Next by Date: Re: [Xen-devel] [PATCHv2 00/10] mm, xen/balloon: memory hotplug improvements
Previous by thread: Re: [Xen-devel] [PATCH 4/3] x86/ldt: allow to disable modify_ldt at runtime
Next by thread: Re: [Xen-devel] [PATCH 4/3] x86/ldt: allow to disable modify_ldt at runtime
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.