From patchwork Tue Oct 11 16:29:09 2022
X-Patchwork-Submitter: Tim Gardner
X-Patchwork-Id: 1688728
From: Tim Gardner
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 1/2][Focal linux] devtmpfs: mount with noexec and nosuid
Date: Tue, 11 Oct 2022 10:29:09 -0600
Message-Id: <20221011162912.47796-2-tim.gardner@canonical.com>
In-Reply-To: <20221011162912.47796-1-tim.gardner@canonical.com>
References: <20221011162912.47796-1-tim.gardner@canonical.com>
List-Id: Kernel team discussions

From: Kees Cook

BugLink: https://bugs.launchpad.net/bugs/1991975

devtmpfs is writable. Add the noexec and nosuid as default mount flags to
prevent code execution from /dev. The systems that don't use systemd and that
rely on CONFIG_DEVTMPFS_MOUNT=y are the ones to be protected by this patch.
Other systems are fine with the udev solution.

No sane program should be relying on executing from /dev. So this patch
reduces the attack surface. It doesn't prevent any specific attack, but it
reduces the possibility that someone can use /dev as a place to put
executable code.

Chrome OS has been carrying this patch for several years. It seems a trivial
and simple solution to improve the protection of /dev when
CONFIG_DEVTMPFS_MOUNT=y.

Original patch: https://lore.kernel.org/lkml/20121120215059.GA1859@www.outflux.net/

Cc: ellyjones@chromium.org
Cc: Kay Sievers
Cc: Roland Eggner
Co-developed-by: Muhammad Usama Anjum
Signed-off-by: Kees Cook
Signed-off-by: Muhammad Usama Anjum
Link: https://lore.kernel.org/r/YcMfDOyrg647RCmd@debian-BULLSEYE-live-builder-AMD64
Signed-off-by: Greg Kroah-Hartman (backported from commit 28f0c335dd4a1a4b44b3e6c6402825a93132e1a4) [rtg - Use ksys_mount() because init_mount() does not yet exist. ] Signed-off-by: Tim Gardner --- drivers/base/Kconfig | 11 +++++++++++ drivers/base/devtmpfs.c | 10 ++++++++-- 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/drivers/base/Kconfig b/drivers/base/Kconfig index 28b92e3cc570..94077975cbd9 100644 --- a/drivers/base/Kconfig +++ b/drivers/base/Kconfig @@ -59,6 +59,17 @@ config DEVTMPFS_MOUNT rescue mode with init=/bin/sh, even when the /dev directory on the rootfs is completely empty. +config DEVTMPFS_SAFE + bool "Use nosuid,noexec mount options on devtmpfs" + depends on DEVTMPFS + help + This instructs the kernel to include the MS_NOEXEC and MS_NOSUID mount + flags when mounting devtmpfs. + + Notice: If enabled, things like /dev/mem cannot be mmapped + with the PROT_EXEC flag. This can break, for example, non-KMS + video drivers. + config STANDALONE bool "Select only drivers that don't need compile-time external firmware" default y diff --git a/drivers/base/devtmpfs.c b/drivers/base/devtmpfs.c index 5e9b00711357..82fc8ea81c4b 100644 --- a/drivers/base/devtmpfs.c +++ b/drivers/base/devtmpfs.c @@ -29,6 +29,12 @@ #include #include "base.h" +#ifdef CONFIG_DEVTMPFS_SAFE +#define DEVTMPFS_MFLAGS (MS_SILENT | MS_NOEXEC | MS_NOSUID) +#else +#define DEVTMPFS_MFLAGS (MS_SILENT) +#endif + static struct task_struct *thread; #if defined CONFIG_DEVTMPFS_MOUNT @@ -377,7 +383,7 @@ int devtmpfs_mount(const char *mntdir) if (!thread) return 0; - err = ksys_mount("devtmpfs", mntdir, "devtmpfs", MS_SILENT, NULL); + err = ksys_mount("devtmpfs", mntdir, "devtmpfs", DEVTMPFS_MFLAGS, NULL); if (err) printk(KERN_INFO "devtmpfs: error mounting %i\n", err); else 
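Review bot: the new DEVTMPFS_SAFE entry in the Kconfig hunk has no `default` line, so it stays off unless the distro config selects it (patch 2/2 does that), and it depends only on DEVTMPFS even though the commit message says the systems it protects are the ones relying on CONFIG_DEVTMPFS_MOUNT=y without systemd; the help text should say that the option only matters when the kernel itself mounts /dev, so that systems that already remount /dev from userspace know they can leave it off. The /dev/mem and non-KMS video driver caveat is the right one to keep; naming the symptom (mmap() with PROT_EXEC on a noexec mount fails with EPERM) would let an administrator recognize that breakage in the field.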
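Review bot: in the devtmpfs_mount() hunk the failure path still logs only `devtmpfs: error mounting %i`; now that the flags vary with the config, logging the flags actually used (or one KERN_INFO line on success saying /dev was mounted nosuid,noexec) would let an admin confirm from dmesg which mode the kernel booted in instead of having to inspect /proc/self/mounts. The DEVTMPFS_MFLAGS macro from the first devtmpfs.c hunk is used both here and for the devtmpfsd private mount of "/" in the following hunk, which is the intended behaviour, and keeping ksys_mount() matches the existing Focal call as the backport note says, so there is no functional change beyond the two added flags.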
@@ -402,7 +408,7 @@ static int devtmpfsd(void *p) *err = ksys_unshare(CLONE_NEWNS); if (*err) goto out; - *err = ksys_mount("devtmpfs", "/", "devtmpfs", MS_SILENT, NULL); + *err = ksys_mount("devtmpfs", "/", "devtmpfs", DEVTMPFS_MFLAGS, NULL); if (*err) goto out; ksys_chdir("/.."); /* will traverse into overmounted root */ From patchwork Tue Oct 11 16:29:10 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tim Gardner X-Patchwork-Id: 1688729 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=canonical.com header.i=@canonical.com header.a=rsa-sha256 header.s=20210705 header.b=Ujxu1WFE; dkim-atps=neutral Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4Mn1Tt5L5kz23jy for ; Wed, 12 Oct 2022 03:30:10 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1oiI8l-0007nJ-RS; Tue, 11 Oct 2022 16:29:59 +0000 Received: from smtp-relay-internal-0.internal ([10.131.114.225] helo=smtp-relay-internal-0.canonical.com) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1oiI8j-0007mS-Qu for kernel-team@lists.ubuntu.com; Tue, 11 Oct 2022 16:29:57 +0000 Received: from mail-pj1-f69.google.com (mail-pj1-f69.google.com [209.85.216.69]) (using TLSv1.3 with 
09:29:55 -0700 (PDT) X-Google-Smtp-Source: AMsMyM5D7cjfM+3OAAIkMH25rP4/6SGddpdo6L8w+Nm/C+xHAxoHxVM+kYgnM/xqIJREPNt9QIS8rQ== X-Received: by 2002:a65:6e0d:0:b0:42d:707c:94ee with SMTP id bd13-20020a656e0d000000b0042d707c94eemr21295573pgb.260.1665505795472; Tue, 11 Oct 2022 09:29:55 -0700 (PDT) Received: from localhost.localdomain ([69.163.84.166]) by smtp.gmail.com with ESMTPSA id u7-20020a170902e5c700b00178ac4e70dcsm8337400plf.185.2022.10.11.09.29.54 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 11 Oct 2022 09:29:54 -0700 (PDT) From: Tim Gardner To: kernel-team@lists.ubuntu.com Subject: [PATCH 2/2][Focal linux] UBUNTU: [Config] CONFIG_DEVTMPFS_SAFE=y Date: Tue, 11 Oct 2022 10:29:10 -0600 Message-Id: <20221011162912.47796-3-tim.gardner@canonical.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20221011162912.47796-1-tim.gardner@canonical.com> References: <20221011162912.47796-1-tim.gardner@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" BugLink: https://bugs.launchpad.net/bugs/1991975 Signed-off-by: Tim Gardner --- debian.master/config/annotations | 3 +++ debian.master/config/config.common.ubuntu | 1 + 2 files changed, 4 insertions(+) diff --git a/debian.master/config/annotations b/debian.master/config/annotations index c4170bf2c547..d52f72a792d6 100644 --- a/debian.master/config/annotations +++ b/debian.master/config/annotations @@ -2,6 +2,9 @@ # FORMAT: 2 # ARCH: x86 arm arm64 s390 powerpc +CONFIG_DEVTMPFS_SAFE policy<{'amd64': 'y', 'i386': 'y', 'i386-lowlatency': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 'riscv64': 'y', 's390x': 'y'}> +CONFIG_DEVTMPFS_SAFE note + # Mark debugging symbols. # exceptions CONFIG_DEBUG_FS note 
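Review bot: the annotations hunk puts the two CONFIG_DEVTMPFS_SAFE lines at the very top of the file, right after the `# ARCH:` header and before the `# Mark debugging symbols.` section; if the file already carries policy lines for CONFIG_DEVTMPFS and CONFIG_DEVTMPFS_MOUNT, the new policy and note belong next to them so the devtmpfs options are reviewed together. As rendered here the `+CONFIG_DEVTMPFS_SAFE note` line shows no text after `note`; the note should record why the option is forced to `y` on every architecture (the LP: #1991975 bug from the BugLink and the /dev/mem PROT_EXEC caveat from the 1/2 Kconfig help text) so a later config review can tell whether it is still wanted.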
diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu index 966bf3c4df54..925838b40fd6 100644 --- a/debian.master/config/config.common.ubuntu +++ b/debian.master/config/config.common.ubuntu @@ -2415,6 +2415,7 @@ CONFIG_DEVMEM=y CONFIG_DEVPORT=y CONFIG_DEVTMPFS=y CONFIG_DEVTMPFS_MOUNT=y +CONFIG_DEVTMPFS_SAFE=y CONFIG_DEV_APPLETALK=m CONFIG_DEV_COREDUMP=y CONFIG_DEV_DAX=m
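Review bot: the config.common.ubuntu hunk itself is fine (the new line sits in sorted position directly after CONFIG_DEVTMPFS_MOUNT=y), but the 2/2 commit message carries only the BugLink and a sign-off; since the Kconfig help text added in 1/2 warns that this setting stops /dev/mem from being mmapped with PROT_EXEC and can break non-KMS video drivers, the message should state that user-visible change and what was tested (at minimum a boot with CONFIG_DEVTMPFS_MOUNT=y confirming that /dev appears with nosuid,noexec in /proc/self/mounts), so the SRU reviewers can weigh the regression risk against the hardening.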
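The 1/2 commit message describes the hardening only in terms of the flags the kernel passes to the mount; what an administrator or an SRU tester actually wants is a way to confirm the effective flags on a running system, whether they came from CONFIG_DEVTMPFS_SAFE or from a userspace remount of /dev. The POSIX shell check below is an added example and is not code from either patch or from the kernel tree. It parses lines in /proc/self/mounts format (source, mountpoint, fstype, options), reports whether the devtmpfs mount at a given mountpoint carries both nosuid and noexec, and names the missing flags when it does not. The function names (`check_devtmpfs`, `devtmpfs_flags`, `has_opt`), the `CHECK_LIVE` environment variable and the two sample mount tables are my own constructions; the sample option strings are made up and only mimic the /proc/self/mounts layout.

```shell
#!/bin/sh
# Added example (not part of the patch series): verify that devtmpfs is mounted
# with the nosuid and noexec flags that CONFIG_DEVTMPFS_SAFE is meant to add.
# Input lines follow /proc/self/mounts: "<source> <mountpoint> <fstype> <options> 0 0".

# Constructed sample mount tables (not captured from a real system):
# one with a hardened /dev, one with the plain MS_SILENT-only mount.
SAMPLE_MOUNTS_SAFE='devtmpfs /dev devtmpfs rw,nosuid,noexec,relatime,size=8000000k,nr_inodes=2000000,mode=755 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime,size=1600000k,mode=755 0 0'
SAMPLE_MOUNTS_UNSAFE='devtmpfs /dev devtmpfs rw,relatime,size=8000000k,nr_inodes=2000000,mode=755 0 0'

# devtmpfs_flags <mounts-text> <mountpoint>
# Print the option field of the devtmpfs mount at <mountpoint>; print nothing
# if there is no devtmpfs mounted there (a tmpfs or bind mount does not count).
devtmpfs_flags() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp && $3 == "devtmpfs" { print $4; exit }'
}

# has_opt <options> <opt>
# Succeed only when <opt> is a whole comma-separated word, so "noexec" does not
# match inside "size=..." or a hypothetical "noexec_foo" option.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_devtmpfs <mounts-text> [<mountpoint>]
# Exit status: 0 = nosuid and noexec both present, 1 = at least one missing,
# 2 = no devtmpfs mounted at the mountpoint. A one-line verdict is printed.
check_devtmpfs() {
    mp="${2:-/dev}"
    opts=$(devtmpfs_flags "$1" "$mp")
    if [ -z "$opts" ]; then
        echo "no devtmpfs mounted at $mp"
        return 2
    fi
    missing=""
    for want in nosuid noexec; do
        has_opt "$opts" "$want" || missing="$missing $want"
    done
    if [ -z "$missing" ]; then
        echo "safe: $mp mounted with nosuid,noexec"
        return 0
    fi
    echo "missing flags on $mp:$missing"
    return 1
}

# Only touch the live system when explicitly asked (CHECK_LIVE=1), so the
# functions above can also be exercised with the constructed samples.
if [ "${CHECK_LIVE:-0}" = 1 ] && [ -r /proc/self/mounts ]; then
    check_devtmpfs "$(cat /proc/self/mounts)" /dev
fi
```

Run it as `CHECK_LIVE=1 sh check_devtmpfs.sh` on the booted kernel; a status of 1 on a system that relies on CONFIG_DEVTMPFS_MOUNT=y without a userspace remount is the condition the 1/2 patch is meant to close, while status 0 on a systemd host simply shows the udev-side remount already provides the same flags. The check deliberately looks at the effective option string rather than the kernel config, because that is what governs whether an execve() or PROT_EXEC mmap() from /dev is refused.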