|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [PATCH 2/2] x86/ldt: allow to disable modify_ldt at runtime
On Mon, Aug 3, 2015 at 11:23 AM, Willy Tarreau <w@xxxxxx> wrote:
> For distros who prefer not to take the risk of completely disabling the
> modify_ldt syscall using CONFIG_MODIFY_LDT_SYSCALL, this patch adds a
> sysctl to enable, temporarily disable, or permanently disable it at
> runtime, and proposes to temporarily disable it by default. This can be
> a safe alternative. A message is logged if an attempt was stopped so that
> it's easy to spot if/when it is needed.
>
> Cc: Andy Lutomirski <luto@xxxxxxxxxx>
> Cc: Kees Cook <keescook@xxxxxxxxxxxx>
> Signed-off-by: Willy Tarreau <w@xxxxxx>
> ---
> Documentation/sysctl/kernel.txt | 16 ++++++++++++++++
> arch/x86/Kconfig | 17 +++++++++++++++++
> arch/x86/kernel/ldt.c | 15 +++++++++++++++
> kernel/sysctl.c | 14 ++++++++++++++
> 4 files changed, 62 insertions(+)
>
> diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt
> index 6fccb69..55648b9 100644
> --- a/Documentation/sysctl/kernel.txt
> +++ b/Documentation/sysctl/kernel.txt
> @@ -41,6 +41,7 @@ show up in /proc/sys/kernel:
> - kptr_restrict
> - kstack_depth_to_print [ X86 only ]
> - l2cr [ PPC only ]
> +- modify_ldt [ X86 only ]
> - modprobe ==> Documentation/debugging-modules.txt
> - modules_disabled
> - msg_next_id [ sysv ipc ]
> @@ -391,6 +392,21 @@ This flag controls the L2 cache of G3 processor boards.
> If
>
> ==============================================================
>
> +modify_ldt: (X86 only)
> +
> +Enables (1), disables (0) or permanently disables (-1) the modify_ldt
> syscall.
> +Modifying the LDT (Local Descriptor Table) may be needed to run a 16-bit or
> +segmented code such as Dosemu or Wine. This is done via a system call which
> is
> +not needed to run portable applications, and which can sometimes be abused to
> +exploit some weaknesses of the architecture, opening new vulnerabilities.
> +
> +This sysctl allows one to increase the system's security by disabling the
> +system call, or to restore compatibility with specific applications when it
> +was already disabled. When permanently disabled, it is not possible to change
> +the value anymore until the next system reboot.
> +
> +==============================================================
> +
> modules_disabled:
>
> A toggle value indicating if modules are allowed to be loaded
> diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
> index beabf30..88d10a0 100644
> --- a/arch/x86/Kconfig
> +++ b/arch/x86/Kconfig
> @@ -2069,6 +2069,23 @@ config MODIFY_LDT_SYSCALL
> surface. Disabling it removes the modify_ldt(2) system call.
>
> Saying 'N' here may make sense for embedded or server kernels.
> + If really unsure, say 'Y', you'll be able to disable it at runtime.
> +
> +config DEFAULT_MODIFY_LDT_SYSCALL
> + bool "Allow userspace to modify the LDT by default"
> + depends on MODIFY_LDT_SYSCALL
> + default y
> + ---help---
> + Modifying the LDT (Local Descriptor Table) may be needed to run a
> + 16-bit or segmented code such as Dosemu or Wine. This is done via
> + a system call which is not needed to run portable applications,
> + and which can sometimes be abused to exploit some weaknesses of
> + the architecture, opening new vulnerabilities.
> +
> + For this reason this option allows one to enable or disable the
> + feature at runtime. It is recommended to say 'N' here to leave
> + the system protected, and to enable it at runtime only if needed
> + by setting the sys.kernel.modify_ldt sysctl.
>
> source "kernel/livepatch/Kconfig"
>
> diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c
> index 2bcc052..420fc8f 100644
> --- a/arch/x86/kernel/ldt.c
> +++ b/arch/x86/kernel/ldt.c
> @@ -11,6 +11,7 @@
> #include <linux/sched.h>
> #include <linux/string.h>
> #include <linux/mm.h>
> +#include <linux/ratelimit.h>
> #include <linux/smp.h>
> #include <linux/slab.h>
> #include <linux/vmalloc.h>
> @@ -21,6 +22,11 @@
> #include <asm/mmu_context.h>
> #include <asm/syscalls.h>
>
> +#ifdef CONFIG_MODIFY_LDT_SYSCALL
> +int sysctl_modify_ldt __read_mostly =
> + IS_ENABLED(CONFIG_DEFAULT_MODIFY_LDT_SYSCALL);
> +#endif
> +
> /* context.lock is held for us, so we don't need any locking. */
> static void flush_ldt(void *current_mm)
> {
> @@ -276,6 +282,15 @@ asmlinkage int sys_modify_ldt(int func, void __user *ptr,
> {
> int ret = -ENOSYS;
>
> + if (sysctl_modify_ldt <= 0) {
> + printk_ratelimited(KERN_INFO
pr_info_ratelimited? *shrug*
> + "Denied a call to modify_ldt() from %s[%d] (uid: %d)."
> + " Adjust sysctl if this was not an exploit
> attempt.\n",
> + current->comm, task_pid_nr(current),
> + from_kuid_munged(current_user_ns(), current_uid()));
> + return ret;
> + }
> +
> switch (func) {
> case 0:
> ret = read_ldt(ptr, bytecount);
> diff --git a/kernel/sysctl.c b/kernel/sysctl.c
> index 86c95a8..ec1170d 100644
> --- a/kernel/sysctl.c
> +++ b/kernel/sysctl.c
> @@ -111,6 +111,9 @@ extern int sysctl_nr_open_min, sysctl_nr_open_max;
> #ifndef CONFIG_MMU
> extern int sysctl_nr_trim_pages;
> #endif
> +#ifdef CONFIG_MODIFY_LDT_SYSCALL
> +extern int sysctl_modify_ldt;
> +#endif
>
> /* Constants used for minimum and maximum */
> #ifdef CONFIG_LOCKUP_DETECTOR
> @@ -963,6 +966,17 @@ static struct ctl_table kern_table[] = {
> .mode = 0644,
> .proc_handler = proc_dointvec,
> },
> +#ifdef CONFIG_MODIFY_LDT_SYSCALL
> + {
> + .procname = "modify_ldt",
> + .data = &sysctl_modify_ldt,
> + .maxlen = sizeof(int),
> + .mode = 0644,
> + .proc_handler = proc_dointvec_minmax_negperm,
> + .extra1 = &neg_one,
> + .extra2 = &one,
> + },
> +#endif
> #endif
> #if defined(CONFIG_MMU)
> {
> --
> 1.7.12.1
>
Yay for perm disable! Thank you! :)
Acked-by: Kees Cook <keescook@xxxxxxxxxxxx>
-Kees
--
Kees Cook
Chrome OS Security
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |