From patchwork Tue Oct 11 16:29:09 2022
X-Patchwork-Submitter: Tim Gardner
X-Patchwork-Id: 1688728
From: Tim Gardner
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 1/2][Focal linux] devtmpfs: mount with noexec and nosuid
Date: Tue, 11 Oct 2022 10:29:09 -0600
Message-Id: <20221011162912.47796-2-tim.gardner@canonical.com>
In-Reply-To: <20221011162912.47796-1-tim.gardner@canonical.com>
References: <20221011162912.47796-1-tim.gardner@canonical.com>
List-Id: Kernel team discussions

From: Kees Cook

BugLink: https://bugs.launchpad.net/bugs/1991975

devtmpfs is writable. Add the noexec and nosuid as default mount flags to prevent code execution from /dev. The systems that don't use systemd and that rely on CONFIG_DEVTMPFS_MOUNT=y are the ones to be protected by this patch. Other systems are fine with the udev solution.

No sane program should be relying on executing from /dev. So this patch reduces the attack surface. It doesn't prevent any specific attack, but it reduces the possibility that someone can use /dev as a place to put executable code.

Chrome OS has been carrying this patch for several years. It seems a trivial and simple solution to improve the protection of /dev when CONFIG_DEVTMPFS_MOUNT=y.

Original patch: https://lore.kernel.org/lkml/20121120215059.GA1859@www.outflux.net/

Cc: ellyjones@chromium.org
Cc: Kay Sievers
Cc: Roland Eggner
Co-developed-by: Muhammad Usama Anjum
Signed-off-by: Kees Cook
Signed-off-by: Muhammad Usama Anjum
Link: https://lore.kernel.org/r/YcMfDOyrg647RCmd@debian-BULLSEYE-live-builder-AMD64
Signed-off-by: Greg Kroah-Hartman (backported from commit 28f0c335dd4a1a4b44b3e6c6402825a93132e1a4) [rtg - Use ksys_mount() because init_mount() does not yet exist. ] Signed-off-by: Tim Gardner --- drivers/base/Kconfig | 11 +++++++++++ drivers/base/devtmpfs.c | 10 ++++++++-- 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/drivers/base/Kconfig b/drivers/base/Kconfig index 28b92e3cc570..94077975cbd9 100644 --- a/drivers/base/Kconfig +++ b/drivers/base/Kconfig @@ -59,6 +59,17 @@ config DEVTMPFS_MOUNT rescue mode with init=/bin/sh, even when the /dev directory on the rootfs is completely empty. +config DEVTMPFS_SAFE + bool "Use nosuid,noexec mount options on devtmpfs" + depends on DEVTMPFS + help + This instructs the kernel to include the MS_NOEXEC and MS_NOSUID mount + flags when mounting devtmpfs. + + Notice: If enabled, things like /dev/mem cannot be mmapped + with the PROT_EXEC flag. This can break, for example, non-KMS + video drivers. + config STANDALONE bool "Select only drivers that don't need compile-time external firmware" default y diff --git a/drivers/base/devtmpfs.c b/drivers/base/devtmpfs.c index 5e9b00711357..82fc8ea81c4b 100644 --- a/drivers/base/devtmpfs.c +++ b/drivers/base/devtmpfs.c @@ -29,6 +29,12 @@ #include #include "base.h" +#ifdef CONFIG_DEVTMPFS_SAFE +#define DEVTMPFS_MFLAGS (MS_SILENT | MS_NOEXEC | MS_NOSUID) +#else +#define DEVTMPFS_MFLAGS (MS_SILENT) +#endif + static struct task_struct *thread; #if defined CONFIG_DEVTMPFS_MOUNT @@ -377,7 +383,7 @@ int devtmpfs_mount(const char *mntdir) if (!thread) return 0; - err = ksys_mount("devtmpfs", mntdir, "devtmpfs", MS_SILENT, NULL); + err = ksys_mount("devtmpfs", mntdir, "devtmpfs", DEVTMPFS_MFLAGS, NULL); if (err) printk(KERN_INFO "devtmpfs: error mounting %i\n", err); else 
@@ -402,7 +408,7 @@ static int devtmpfsd(void *p) *err = ksys_unshare(CLONE_NEWNS); if (*err) goto out; - *err = ksys_mount("devtmpfs", "/", "devtmpfs", MS_SILENT, NULL); + *err = ksys_mount("devtmpfs", "/", "devtmpfs", DEVTMPFS_MFLAGS, NULL); if (*err) goto out; ksys_chdir("/.."); /* will traverse into overmounted root */
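Review bot: the new DEVTMPFS_SAFE option in the Kconfig hunk has no `default` line, so it is off unless the distro config sets CONFIG_DEVTMPFS_SAFE=y, while the commit message says noexec and nosuid are added "as default mount flags"; the backport note should state whether the Focal config enables the option (or the option should carry `default y` under DEVTMPFS_MOUNT), otherwise this patch alone changes nothing at runtime. The help text's notice that /dev/mem can no longer be mmapped with PROT_EXEC and that non-KMS video drivers can break is worth keeping verbatim, since it is the one documented regression a deployer has to weigh before turning the option on.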
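Review bot: the DEVTMPFS_MFLAGS macro in the first devtmpfs.c hunk keeps MS_SILENT in both branches and adds MS_NOEXEC | MS_NOSUID only under CONFIG_DEVTMPFS_SAFE, which is correct; a one-line comment above the `#ifdef` pointing at the /dev/mem PROT_EXEC caveat from the Kconfig help would save a reader of devtmpfs.c from having to look it up, since nothing in this file explains why the two flags are optional rather than unconditional.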
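Review bot: the error path in the devtmpfs_mount() hunk still logs only `printk(KERN_INFO "devtmpfs: error mounting %i\n", err)`, so once DEVTMPFS_SAFE is enabled a mount failure here cannot be told apart from a pre-existing one; printing DEVTMPFS_MFLAGS alongside err, or a KERN_INFO line on success naming the flags in effect, would let an operator confirm from dmesg that the hardened flags were actually applied. The switch from the literal MS_SILENT to the macro is otherwise the right change, and ksys_mount() is the correct call on this tree per the backport note.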
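Review bot: the devtmpfsd() hunk mounts devtmpfs on "/" inside the thread's own namespace (right after ksys_unshare(CLONE_NEWNS)) and now passes the same DEVTMPFS_MFLAGS as devtmpfs_mount(), so the kernel-internal mount and the one handed to userspace cannot end up with different flags; the `goto out` on failure stays silent, which matches the surrounding code, but because the result is only surfaced through *err the same flag-naming suggestion made for devtmpfs_mount() applies wherever that value is finally reported.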
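Added example (not part of this patch or of the kernel tree): a small Python check a deployer can run after enabling CONFIG_DEVTMPFS_SAFE to confirm that the effective /dev mount really carries nosuid and noexec. It parses the /proc/self/mountinfo layout described in proc(5) (mount point in field 5, per-mount options in field 6, filesystem type after the ` - ` separator, octal-escaped whitespace in paths) and takes the last entry for a path, so that an overmount is judged rather than the mount it hides. The mountinfo lines embedded below are constructed samples, not output from any real host, and the function and constant names are this example's own.

```python
"""Verify that the effective /dev mount is devtmpfs with nosuid,noexec.

Added example; parses the /proc/self/mountinfo format described in proc(5).
The SAMPLE_* strings below are constructed, not captured from a real host.
"""
import re
import sys
from typing import Iterator, List, Optional, Set, Tuple

# Constructed sample in mountinfo layout:
# id parent maj:min root mountpoint mntopts [optional fields...] - fstype source superopts
SAMPLE_HARDENED = """\
22 1 0:21 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
23 22 0:6 / /dev rw,nosuid,noexec,relatime shared:2 - devtmpfs devtmpfs rw,size=4017296k,nr_inodes=1004324,mode=755
24 23 0:23 / /dev/pts rw,nosuid,noexec,relatime shared:3 - devpts devpts rw,gid=5,mode=620,ptmxmode=000
"""

# Same layout, devtmpfs mounted with only MS_SILENT, i.e. CONFIG_DEVTMPFS_SAFE off.
SAMPLE_UNHARDENED = """\
22 1 0:21 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
23 22 0:6 / /dev rw,relatime shared:2 - devtmpfs devtmpfs rw,size=4017296k,nr_inodes=1004324,mode=755
"""

# A hardened mount later covered by a plain one on the same path; the later
# (topmost) entry is the one processes actually see.
SAMPLE_OVERMOUNTED = """\
23 22 0:6 / /dev rw,nosuid,noexec,relatime shared:2 - devtmpfs devtmpfs rw,mode=755
40 22 0:6 / /dev rw,relatime shared:9 - devtmpfs devtmpfs rw,mode=755
"""

REQUIRED_FLAGS = {"nosuid", "noexec"}

_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def _unescape(field: str) -> str:
    """Undo mountinfo's \\ooo octal escapes (space, tab, newline, backslash)."""
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text: str) -> Iterator[Tuple[str, str, Set[str]]]:
    """Yield (mountpoint, fstype, per-mount options) for each well-formed line, in file order."""
    for line in text.splitlines():
        pre, sep, post = line.partition(" - ")
        if not sep:
            continue  # blank or malformed line: skip rather than guess
        pre_fields = pre.split()
        post_fields = post.split()
        if len(pre_fields) < 6 or len(post_fields) < 2:
            continue
        mountpoint = _unescape(pre_fields[4])
        options = set(pre_fields[5].split(","))
        yield mountpoint, post_fields[0], options


def effective_mount(text: str, mountpoint: str) -> Optional[Tuple[str, Set[str]]]:
    """(fstype, options) of the topmost mount at mountpoint, or None if nothing is mounted there.

    mountinfo lists mounts in mount order, so the last entry for a path is the
    one that currently covers it.
    """
    found = None
    for mp, fstype, options in parse_mountinfo(text):
        if mp == mountpoint:
            found = (fstype, options)
    return found


def missing_flags(text: str, mountpoint: str = "/dev") -> List[str]:
    """Sorted list of required flags absent from the effective mount (all of them if none)."""
    entry = effective_mount(text, mountpoint)
    if entry is None:
        return sorted(REQUIRED_FLAGS)
    return sorted(REQUIRED_FLAGS - entry[1])


def dev_hardened(text: str, mountpoint: str = "/dev") -> bool:
    """True only if the effective mount is devtmpfs and carries both nosuid and noexec."""
    entry = effective_mount(text, mountpoint)
    return entry is not None and entry[0] == "devtmpfs" and not missing_flags(text, mountpoint)


if __name__ == "__main__":
    # Live check against this process's mount namespace; exit 1 if /dev is not hardened.
    try:
        with open("/proc/self/mountinfo") as f:
            live = f.read()
    except OSError as exc:
        print(f"cannot read /proc/self/mountinfo: {exc}", file=sys.stderr)
        sys.exit(2)
    missing = missing_flags(live)
    if missing:
        print("WARN: /dev is missing " + ",".join(missing))
        sys.exit(1)
    print("OK: /dev is mounted nosuid,noexec")
```

Run it as `python3 devcheck.py` on the host after boot; exit status 0 means the effective /dev mount has both flags, 1 names the missing ones, 2 means mountinfo could not be read. Reading /proc/self/mountinfo rather than /proc/mounts is deliberate: it carries the per-mount option field and preserves mount order, which is what makes the overmount case decidable.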