[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] [PATCH v3 1/1] x86: allow to enable/disable modify_ldt at run time
For distros who prefer not to take the risk of completely disabling the modify_ldt syscall using CONFIG_MODIFY_LDT_SYSCALL, this patch adds a sysctl to enable or disable it at runtime, and proposes to disable it by default. This can be a safe alternative. A message is logged if an attempt was stopped so that it's easy to spot if/when it is needed. Future improvements regarding permanent disabling will have to be done in consideration for other syscalls, ABIs and general use cases. Cc: Andy Lutomirski <luto@xxxxxxxxxx> Cc: Kees Cook <keescook@xxxxxxxxxxxx> Signed-off-by: Willy Tarreau <w@xxxxxx> --- So this is the third version which only allows to temporarily enable or disable the modify_ldt syscall. Permanent changes will have to be thought about later. It applies on top of Andy's series. Documentation/sysctl/kernel.txt | 15 +++++++++++++++ arch/x86/Kconfig | 17 +++++++++++++++++ arch/x86/kernel/ldt.c | 15 +++++++++++++++ kernel/sysctl.c | 14 ++++++++++++++ 4 files changed, 61 insertions(+) diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt index 6fccb69..60c7c7a 100644 --- a/Documentation/sysctl/kernel.txt +++ b/Documentation/sysctl/kernel.txt @@ -41,6 +41,7 @@ show up in /proc/sys/kernel: - kptr_restrict - kstack_depth_to_print [ X86 only ] - l2cr [ PPC only ] +- modify_ldt [ X86 only ] - modprobe ==> Documentation/debugging-modules.txt - modules_disabled - msg_next_id [ sysv ipc ] @@ -391,6 +392,20 @@ This flag controls the L2 cache of G3 processor boards. If ============================================================== +modify_ldt: (X86 only) + +Enables (1) or disables (0) the modify_ldt syscall. Modifying the LDT +(Local Descriptor Table) may be needed to run a 16-bit or segmented code +such as Dosemu or Wine. This is done via a system call which is not needed +to run portable applications, and which can sometimes be abused to exploit +some weaknesses of the architecture, opening new vulnerabilities. + +This sysctl allows one to increase the system's security by disabling the +system call, or to restore compatibility with specific applications when it +was already disabled. + +============================================================== + modules_disabled: A toggle value indicating if modules are allowed to be loaded diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index beabf30..88d10a0 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -2069,6 +2069,23 @@ config MODIFY_LDT_SYSCALL surface. Disabling it removes the modify_ldt(2) system call. Saying 'N' here may make sense for embedded or server kernels. + If really unsure, say 'Y', you'll be able to disable it at runtime. + +config DEFAULT_MODIFY_LDT_SYSCALL + bool "Allow userspace to modify the LDT by default" + depends on MODIFY_LDT_SYSCALL + default y + ---help--- + Modifying the LDT (Local Descriptor Table) may be needed to run a + 16-bit or segmented code such as Dosemu or Wine. This is done via + a system call which is not needed to run portable applications, + and which can sometimes be abused to exploit some weaknesses of + the architecture, opening new vulnerabilities. + + For this reason this option allows one to enable or disable the + feature at runtime. It is recommended to say 'N' here to leave + the system protected, and to enable it at runtime only if needed + by setting the sys.kernel.modify_ldt sysctl. source "kernel/livepatch/Kconfig" diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c index 2bcc052..cb64b85 100644 --- a/arch/x86/kernel/ldt.c +++ b/arch/x86/kernel/ldt.c @@ -11,6 +11,7 @@ #include <linux/sched.h> #include <linux/string.h> #include <linux/mm.h> +#include <linux/ratelimit.h> #include <linux/smp.h> #include <linux/slab.h> #include <linux/vmalloc.h> @@ -21,6 +22,11 @@ #include <asm/mmu_context.h> #include <asm/syscalls.h> +#ifdef CONFIG_MODIFY_LDT_SYSCALL +int sysctl_modify_ldt __read_mostly = + IS_ENABLED(CONFIG_DEFAULT_MODIFY_LDT_SYSCALL); +#endif + /* context.lock is held for us, so we don't need any locking. */ static void flush_ldt(void *current_mm) { @@ -276,6 +282,15 @@ asmlinkage int sys_modify_ldt(int func, void __user *ptr, { int ret = -ENOSYS; + if (!sysctl_modify_ldt) { + printk_ratelimited(KERN_INFO + "Denied a call to modify_ldt() from %s[%d] (uid: %d)." + " Adjust sysctl if this was not an exploit attempt.\n", + current->comm, task_pid_nr(current), + from_kuid_munged(current_user_ns(), current_uid())); + return ret; + } + switch (func) { case 0: ret = read_ldt(ptr, bytecount); diff --git a/kernel/sysctl.c b/kernel/sysctl.c index 19b62b5..492aeba 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -111,6 +111,9 @@ extern int sysctl_nr_open_min, sysctl_nr_open_max; #ifndef CONFIG_MMU extern int sysctl_nr_trim_pages; #endif +#ifdef CONFIG_MODIFY_LDT_SYSCALL +extern int sysctl_modify_ldt; +#endif /* Constants used for minimum and maximum */ #ifdef CONFIG_LOCKUP_DETECTOR @@ -960,6 +963,17 @@ static struct ctl_table kern_table[] = { .mode = 0644, .proc_handler = proc_dointvec, }, +#ifdef CONFIG_MODIFY_LDT_SYSCALL + { + .procname = "modify_ldt", + .data = &sysctl_modify_ldt, + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec_minmax, + .extra1 = &zero, + .extra2 = &one, + }, +#endif #endif #if defined(CONFIG_MMU) { -- 1.7.12.1 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |