From patchwork Tue Oct 11 16:29:11 2022
X-Patchwork-Submitter: Tim Gardner
X-Patchwork-Id: 1688731
From: Tim Gardner
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 1/2][Jammy linux] devtmpfs: mount with noexec and nosuid
Date: Tue, 11 Oct 2022 10:29:11 -0600
Message-Id: <20221011162912.47796-4-tim.gardner@canonical.com>
In-Reply-To: <20221011162912.47796-1-tim.gardner@canonical.com>
References: <20221011162912.47796-1-tim.gardner@canonical.com>

From: Kees Cook

BugLink: https://bugs.launchpad.net/bugs/1991975

devtmpfs is writable. Add noexec and nosuid as default mount flags to prevent code execution from /dev. The systems that don't use systemd and that rely on CONFIG_DEVTMPFS_MOUNT=y are the ones to be protected by this patch. Other systems are fine with the udev solution.

No sane program should be relying on executing from /dev. So this patch reduces the attack surface. It doesn't prevent any specific attack, but it reduces the possibility that someone can use /dev as a place to put executable code.

Chrome OS has been carrying this patch for several years. It seems a trivial and simple solution to improve the protection of /dev when CONFIG_DEVTMPFS_MOUNT=y.

Original patch: https://lore.kernel.org/lkml/20121120215059.GA1859@www.outflux.net/

Cc: ellyjones@chromium.org
Cc: Kay Sievers
Cc: Roland Eggner
Co-developed-by: Muhammad Usama Anjum
Signed-off-by: Kees Cook
Signed-off-by: Muhammad Usama Anjum
Link: https://lore.kernel.org/r/YcMfDOyrg647RCmd@debian-BULLSEYE-live-builder-AMD64
Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 28f0c335dd4a1a4b44b3e6c6402825a93132e1a4) Signed-off-by: Tim Gardner --- drivers/base/Kconfig | 11 +++++++++++ drivers/base/devtmpfs.c | 10 ++++++++-- 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/drivers/base/Kconfig b/drivers/base/Kconfig index ffcbe2bc460e..6f04b831a5c0 100644 --- a/drivers/base/Kconfig +++ b/drivers/base/Kconfig @@ -62,6 +62,17 @@ config DEVTMPFS_MOUNT rescue mode with init=/bin/sh, even when the /dev directory on the rootfs is completely empty. +config DEVTMPFS_SAFE + bool "Use nosuid,noexec mount options on devtmpfs" + depends on DEVTMPFS + help + This instructs the kernel to include the MS_NOEXEC and MS_NOSUID mount + flags when mounting devtmpfs. + + Notice: If enabled, things like /dev/mem cannot be mmapped + with the PROT_EXEC flag. This can break, for example, non-KMS + video drivers. + config STANDALONE bool "Select only drivers that don't need compile-time external firmware" default y diff --git a/drivers/base/devtmpfs.c b/drivers/base/devtmpfs.c index fa13ad49d211..f41063ac1aee 100644 --- a/drivers/base/devtmpfs.c +++ b/drivers/base/devtmpfs.c @@ -29,6 +29,12 @@ #include #include "base.h" +#ifdef CONFIG_DEVTMPFS_SAFE +#define DEVTMPFS_MFLAGS (MS_SILENT | MS_NOEXEC | MS_NOSUID) +#else +#define DEVTMPFS_MFLAGS (MS_SILENT) +#endif + static struct task_struct *thread; static int __initdata mount_dev = IS_ENABLED(CONFIG_DEVTMPFS_MOUNT); @@ -370,7 +376,7 @@ int __init devtmpfs_mount(void) if (!thread) return 0; - err = init_mount("devtmpfs", "dev", "devtmpfs", MS_SILENT, NULL); + err = init_mount("devtmpfs", "dev", "devtmpfs", DEVTMPFS_MFLAGS, NULL); if (err) printk(KERN_INFO "devtmpfs: error mounting %i\n", err); else 
@@ -419,7 +425,7 @@ static noinline int __init devtmpfs_setup(void *p) err = ksys_unshare(CLONE_NEWNS); if (err) goto out; - err = init_mount("devtmpfs", "/", "devtmpfs", MS_SILENT, NULL); + err = init_mount("devtmpfs", "/", "devtmpfs", DEVTMPFS_MFLAGS, NULL); if (err) goto out; init_chdir("/.."); /* will traverse into overmounted root */
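Review bot: in the Kconfig hunk, `config DEVTMPFS_SAFE` has no `default` line and only `depends on DEVTMPFS`, so as written it stays off in every config and nothing ties it to the CONFIG_DEVTMPFS_MOUNT=y case the commit message says it is meant for. Suggest the help text state plainly that the flags apply only to the mount the kernel itself performs, and that systems whose init mounts devtmpfs from userspace must pass nosuid,noexec themselves; a `default y if DEVTMPFS_MOUNT` would also make the intent explicit if the distro config is not going to flip it. The /dev/mem mmap caveat is useful; a one-line remark that `nodev` is deliberately absent, because the filesystem exists to hold device nodes, would pre-empt the obvious follow-up question.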
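Review bot: in the `@@ -29,6 +29,12 @@` hunk, the `#ifdef CONFIG_DEVTMPFS_SAFE` / `#define DEVTMPFS_MFLAGS` pair could be a single expression using `IS_ENABLED()`, matching the `mount_dev = IS_ENABLED(CONFIG_DEVTMPFS_MOUNT)` line a few lines below it, e.g. `#define DEVTMPFS_MFLAGS (MS_SILENT | (IS_ENABLED(CONFIG_DEVTMPFS_SAFE) ? (MS_NOEXEC | MS_NOSUID) : 0))`. That keeps both branches compiled and type-checked regardless of the config value and avoids a second preprocessor block at the top of the file.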
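Review bot: in the `@@ -370,7 +376,7 @@` hunk (devtmpfs_mount), this is the mount whose flags actually matter, the rootfs `dev` mount made when CONFIG_DEVTMPFS_MOUNT=y, yet on failure the unchanged code only logs `devtmpfs: error mounting %i` at KERN_INFO and continues. With a hardening option in play, a failed mount means /dev is left as whatever the rootfs provides, without noexec,nosuid, so consider raising that message to KERN_WARNING or KERN_ERR so the condition is noticed in the boot log.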
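Review bot: in the `@@ -419,7 +425,7 @@` hunk (devtmpfs_setup), the mount follows `ksys_unshare(CLONE_NEWNS)` and lives in the kthread's private namespace, used only to create device nodes, so passing nosuid,noexec there is harmless but not the security-relevant change. Using the same macro at both call sites is fine for consistency; a short comment at the macro definition saying that only the devtmpfs_mount() instance is visible to userspace would save the next reader from wondering whether this site also needs the option.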
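As an added defender-side check (not part of the patch or of the kernel code), the following POSIX shell functions parse /proc/self/mountinfo text and report whether a given mount point carries both nosuid and noexec, which is what this patch makes the kernel-performed devtmpfs mount use; the sample mountinfo lines are constructed for the example.

```shell
#!/bin/sh
# Added check, not part of the patch: parse /proc/self/mountinfo text and
# report whether a mount point carries both the nosuid and noexec options.
#
# mountinfo field layout (proc(5)):
#   id parent major:minor root mountpoint per-mount-opts [optional...] - fstype source super-opts
# MS_NOEXEC / MS_NOSUID show up as "noexec" / "nosuid" in the per-mount options (field 6).

# Print the per-mount options of mount point $1 from mountinfo text on stdin.
# If the path is overmounted, the last line wins, as that is the visible mount.
mount_opts_for() {
    awk -v mp="$1" '$5 == mp { o = $6 } END { if (o != "") print o }'
}

# Return 0 if every option in the comma-separated list $2 is present in the
# comma-separated option string $1, 1 otherwise.
has_all_opts() {
    haystack=",$1,"
    rest="$2"
    while [ -n "$rest" ]; do
        want=${rest%%,*}
        case "$rest" in *,*) rest=${rest#*,} ;; *) rest= ;; esac
        case "$haystack" in *",$want,"*) ;; *) return 1 ;; esac
    done
    return 0
}

# Check that mount point $2 in mountinfo text $1 is mounted nosuid,noexec.
# Returns 0 if hardened, 1 if a flag is missing, 2 if the mount point is absent.
dev_is_hardened() {
    opts=$(printf '%s\n' "$1" | mount_opts_for "$2")
    [ -n "$opts" ] || return 2
    has_all_opts "$opts" "nosuid,noexec"
}

# Constructed sample mountinfo lines: a devtmpfs without the flags (the
# pre-patch kernel mount) and one carrying them.
SAMPLE_UNHARDENED='22 1 0:5 / /dev rw,relatime shared:2 - devtmpfs devtmpfs rw,size=4096k,nr_inodes=1048576,mode=755
25 22 0:21 / /dev/shm rw,nosuid,nodev shared:4 - tmpfs tmpfs rw'
SAMPLE_HARDENED='22 1 0:5 / /dev rw,nosuid,noexec,relatime shared:2 - devtmpfs devtmpfs rw,size=4096k,nr_inodes=1048576,mode=755'

# On a live system: dev_is_hardened "$(cat /proc/self/mountinfo)" /dev
```

On a running system the same answer can be cross-checked against `findmnt -no OPTIONS /dev`.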