Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src As discussed in tech-kern:
details: https://anonhg.NetBSD.org/src/rev/02f019df7155
branches: trunk
changeset: 446443:02f019df7155
user: christos <christos%NetBSD.org@localhost>
date: Wed Dec 05 18:16:51 2018 +0000
description:
As discussed in tech-kern:
- make sysctl kern.expose_address tri-state:
0: no access
1: access to processes with open /dev/kmem
2: access to everyone
defaults:
0: KASLR kernels
1: non-KASLR kernels
- improve efficiency by calling get_expose_address() per sysctl, not per
process.
- don't expose addresses for linux procfs
- welcome to 8.99.27, changes to fill_*proc ABI
diffstat:
share/man/man7/sysctl.7 | 27 ++++++++++-
sys/dev/mm.c | 23 +++++++---
sys/kern/init_sysctl.c | 49 +--------------------
sys/kern/kern_proc.c | 90 +++++++++++++++++++++++++++++++++------
sys/miscfs/procfs/procfs_linux.c | 8 +-
sys/sys/param.h | 4 +-
sys/sys/proc.h | 3 +-
sys/sys/sysctl.h | 6 +-
8 files changed, 127 insertions(+), 83 deletions(-)
diffs (truncated from 487 to 300 lines):
diff -r 9f2b3fdc0aa0 -r 02f019df7155 share/man/man7/sysctl.7
--- a/share/man/man7/sysctl.7 Wed Dec 05 14:45:59 2018 +0000
+++ b/share/man/man7/sysctl.7 Wed Dec 05 18:16:51 2018 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: sysctl.7,v 1.135 2018/11/04 16:30:28 christos Exp $
+.\" $NetBSD: sysctl.7,v 1.136 2018/12/05 18:16:51 christos Exp $
.\"
.\" Copyright (c) 1993
.\" The Regents of the University of California. All rights reserved.
@@ -29,7 +29,7 @@
.\"
.\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95
.\"
-.Dd November 3, 2018
+.Dd December 5, 2018
.Dt SYSCTL 7
.Os
.Sh NAME
@@ -524,9 +524,28 @@
.Xr fstat 1
and
.Xr sockstat 1 .
+If it is set to
+.Dv 0
+access is not allowed.
+If it is set to
+.Dv 1
+then only processes that have opened
+.Pa /dev/kmem
+can have access.
+If it is set to
+.Dv 2
+every process is allowed.
Defaults to
-.Dv 0 .
-Turning it on renders KASLR ineffective.
+.Dv 0
+for
+.Dv KASLR
+kernels
+and
+.Dv 1
+otherwise.
+Allowing general access renders KASLR ineffective; allowing only kmem
+accessing programs, weakens KASLR if those programs can be subverted
+to leak the addresses.
.It Li kern.dump_on_panic ( Dv KERN_DUMP_ON_PANIC )
Perform a crash dump on system
.Xr panic 9 .
diff -r 9f2b3fdc0aa0 -r 02f019df7155 sys/dev/mm.c
--- a/sys/dev/mm.c Wed Dec 05 14:45:59 2018 +0000
+++ b/sys/dev/mm.c Wed Dec 05 18:16:51 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: mm.c,v 1.22 2016/10/13 08:56:31 ryo Exp $ */
+/* $NetBSD: mm.c,v 1.23 2018/12/05 18:16:51 christos Exp $ */
/*-
* Copyright (c) 2002, 2008, 2010 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: mm.c,v 1.22 2016/10/13 08:56:31 ryo Exp $");
+__KERNEL_RCSID(0, "$NetBSD: mm.c,v 1.23 2018/12/05 18:16:51 christos Exp $");
#include "opt_compat_netbsd.h"
@@ -53,17 +53,14 @@
static kmutex_t dev_mem_lock __cacheline_aligned;
static vaddr_t dev_mem_addr __read_mostly;
+static dev_type_open(mm_open);
static dev_type_read(mm_readwrite);
static dev_type_ioctl(mm_ioctl);
static dev_type_mmap(mm_mmap);
static dev_type_ioctl(mm_ioctl);
const struct cdevsw mem_cdevsw = {
-#ifdef __HAVE_MM_MD_OPEN
- .d_open = mm_md_open,
-#else
- .d_open = nullopen,
-#endif
+ .d_open = mm_open,
.d_close = nullclose,
.d_read = mm_readwrite,
.d_write = mm_readwrite,
@@ -94,6 +91,18 @@
};
#endif
+static int
+mm_open(dev_t dev, int flag, int mode, struct lwp *l)
+{
+#ifdef __HAVE_MM_MD_OPEN
+ int error;
+ if ((error = mm_md_open(dev, flag, mode, l)) != 0)
+ return error;
+#endif
+ l->l_proc->p_flag |= PK_KMEM;
+ return 0;
+}
+
/*
* mm_init: initialize memory device driver.
*/
diff -r 9f2b3fdc0aa0 -r 02f019df7155 sys/kern/init_sysctl.c
--- a/sys/kern/init_sysctl.c Wed Dec 05 14:45:59 2018 +0000
+++ b/sys/kern/init_sysctl.c Wed Dec 05 18:16:51 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: init_sysctl.c,v 1.220 2018/12/03 00:11:02 christos Exp $ */
+/* $NetBSD: init_sysctl.c,v 1.221 2018/12/05 18:16:51 christos Exp $ */
/*-
* Copyright (c) 2003, 2007, 2008, 2009 The NetBSD Foundation, Inc.
@@ -30,13 +30,12 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: init_sysctl.c,v 1.220 2018/12/03 00:11:02 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: init_sysctl.c,v 1.221 2018/12/05 18:16:51 christos Exp $");
#include "opt_sysv.h"
#include "opt_compat_netbsd.h"
#include "opt_modular.h"
#include "opt_gprof.h"
-#include "opt_kaslr.h"
#include "pty.h"
#include <sys/types.h>
@@ -86,12 +85,6 @@
int kern_has_sysvshm = 0;
int kern_has_sysvsem = 0;
-#ifdef KASLR
-int kern_expose_address = 0;
-#else
-int kern_expose_address = 1;
-#endif
-
static const u_int sysctl_lwpprflagmap[] = {
LPR_DETACHED, L_DETACHED,
0
@@ -134,7 +127,6 @@
static int sysctl_kern_drivers(SYSCTLFN_PROTO);
static int sysctl_security_setidcore(SYSCTLFN_PROTO);
static int sysctl_security_setidcorename(SYSCTLFN_PROTO);
-static int sysctl_security_expose_address(SYSCTLFN_PROTO);
static int sysctl_kern_cpid(SYSCTLFN_PROTO);
static int sysctl_hw_usermem(SYSCTLFN_PROTO);
static int sysctl_hw_cnmagic(SYSCTLFN_PROTO);
@@ -607,12 +599,6 @@
SYSCTL_DESCR("Kernel message verbosity"),
sysctl_kern_messages, 0, NULL, 0,
CTL_KERN, CTL_CREATE, CTL_EOL);
- sysctl_createv(clog, 0, NULL, NULL,
- CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
- CTLTYPE_INT, "expose_address",
- SYSCTL_DESCR("Expose kernel addresses to userland"),
- sysctl_security_expose_address, 0, &kern_expose_address,
- 0, CTL_KERN, CTL_CREATE, CTL_EOL);
}
SYSCTL_SETUP(sysctl_hw_misc_setup, "sysctl hw subtree misc setup")
@@ -1354,37 +1340,6 @@
}
static int
-sysctl_security_expose_address(SYSCTLFN_ARGS)
-{
- int expose_address, error;
- struct sysctlnode node;
-
- node = *rnode;
- node.sysctl_data = &expose_address;
- expose_address = *(int *)rnode->sysctl_data;
- error = sysctl_lookup(SYSCTLFN_CALL(&node));
- if (error || newp == NULL)
- return error;
-
- if (kauth_authorize_system(l->l_cred, KAUTH_SYSTEM_KERNADDR,
- 0, NULL, NULL, NULL))
- return (EPERM);
-
- *(int *)rnode->sysctl_data = expose_address;
-
- return 0;
-}
-
-bool
-get_expose_address(struct proc *p)
-{
- /* allow only if sysctl variable is set or privileged */
- return kern_expose_address || kauth_authorize_process(kauth_cred_get(),
- KAUTH_PROCESS_CANSEE, p,
- KAUTH_ARG(KAUTH_REQ_PROCESS_CANSEE_KPTR), NULL, NULL) == 0;
-}
-
-static int
sysctl_security_setidcorename(SYSCTLFN_ARGS)
{
int error;
diff -r 9f2b3fdc0aa0 -r 02f019df7155 sys/kern/kern_proc.c
--- a/sys/kern/kern_proc.c Wed Dec 05 14:45:59 2018 +0000
+++ b/sys/kern/kern_proc.c Wed Dec 05 18:16:51 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: kern_proc.c,v 1.221 2018/11/24 19:22:17 christos Exp $ */
+/* $NetBSD: kern_proc.c,v 1.222 2018/12/05 18:16:51 christos Exp $ */
/*-
* Copyright (c) 1999, 2006, 2007, 2008 The NetBSD Foundation, Inc.
@@ -62,13 +62,14 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_proc.c,v 1.221 2018/11/24 19:22:17 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_proc.c,v 1.222 2018/12/05 18:16:51 christos Exp $");
#ifdef _KERNEL_OPT
#include "opt_kstack.h"
#include "opt_maxuprc.h"
#include "opt_dtrace.h"
#include "opt_compat_netbsd32.h"
+#include "opt_kaslr.h"
#endif
#if defined(__HAVE_COMPAT_NETBSD32) && !defined(COMPAT_NETBSD32) \
@@ -219,7 +220,13 @@
static int sysctl_doeproc(SYSCTLFN_PROTO);
static int sysctl_kern_proc_args(SYSCTLFN_PROTO);
+static int sysctl_security_expose_address(SYSCTLFN_PROTO);
+#ifdef KASLR
+static int kern_expose_address_= 0;
+#else
+static int kern_expose_address = 1;
+#endif
/*
* The process list descriptors, used during pid allocation and
* by sysctl. No locking on this data structure is needed since
@@ -241,7 +248,7 @@
static kauth_listener_t proc_listener;
-static void fill_proc(const struct proc *, struct proc *);
+static void fill_proc(const struct proc *, struct proc *, bool);
static int fill_pathname(struct lwp *, pid_t, void *, size_t *);
static int
@@ -280,6 +287,16 @@
break;
case KAUTH_REQ_PROCESS_CANSEE_KPTR:
+ if (!kern_expose_address)
+ break;
+
+ if (kern_expose_address == 1 && !(p->p_flag & PK_KMEM))
+ break;
+
+ result = KAUTH_RESULT_ALLOW;
+
+ break;
+
default:
break;
}
@@ -375,6 +392,12 @@
static struct sysctllog *clog;
sysctl_createv(&clog, 0, NULL, NULL,
+ CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+ CTLTYPE_INT, "expose_address",
+ SYSCTL_DESCR("Enable exposing kernel addresses"),
+ sysctl_security_expose_address, 0,
+ &kern_expose_address, 0, CTL_KERN, CTL_CREATE, CTL_EOL);
+ sysctl_createv(&clog, 0, NULL, NULL,
CTLFLAG_PERMANENT,
CTLTYPE_NODE, "proc",
SYSCTL_DESCR("System-wide process information"),
@@ -1639,6 +1662,7 @@
u_int elem_size, kelem_size, elem_count;
size_t buflen, needed;
bool match, zombie, mmmbrains;
+ const bool allowaddr = get_expose_address(curproc);
if (namelen == 1 && name[0] == CTL_QUERY)
return (sysctl_query(SYSCTLFN_CALL(rnode)));
@@ -1799,10 +1823,12 @@
if (buflen >= elem_size &&
(type == KERN_PROC || elem_count > 0)) {
if (type == KERN_PROC) {
- fill_proc(p, &kbuf->kproc.kp_proc);
- fill_eproc(p, &kbuf->kproc.kp_eproc, zombie);
+ fill_proc(p, &kbuf->kproc.kp_proc, allowaddr);
+ fill_eproc(p, &kbuf->kproc.kp_eproc, zombie,
+ allowaddr);
} else {
- fill_kproc2(p, &kbuf->kproc2, zombie);
+ fill_kproc2(p, &kbuf->kproc2, zombie,
Home |
Main Index |
Thread Index |
Old Index