Leaking path for set_task_comm
TongZhang
ztong at vt.edu
Wed Sep 26 00:44:39 UTC 2018
Yes, this is exactly what I am saying.
A process can change its own name using prctl or /proc/self/comm.
prctl is protected by security_task_prctl, whereas /proc/self/comm is not protected by this LSM hook.
A system admin may expect to use security_task_prctl to block all attempt to change process name, however, it can still change name using /proc/self/comm.
> On Sep 25, 2018, at 2:39 PM, Cyrill Gorcunov <gorcunov at gmail.com> wrote:
>
> On Tue, Sep 25, 2018 at 01:27:08PM -0400, Tong Zhang wrote:
>> Kernel Version: 4.18.5
>>
>> Problem Description:
>>
>> When using prctl(PR_SET_NAME) to set the thread name, it is checked by security_task_prctl.
>>
>> We discovered a leaking path that can also use method implemented in
>> fs/proc/base.c:1526 comm_write(), to do similar thing without asking LSM’s decision.
>
> I don't understand how it is a problem. Could you please explain?
> procfs/comm is created with S_IRUGO|S_IWUSR permissions. So
> prctl and procfs are simply different interfaces.
More information about the Linux-security-module-archive
mailing list