proc_rwmem check PRIV_PROC_MEM_WRITE when writing
ClosedPublic
Actions

Authored by sjg on Nov 8 2024, 5:09 AM.

Details

Reviewers

markj
stevek
olce

Commits

rGf239981ed58c: proc_rwmem check PRIV_PROC_MEM_WRITE when writing

Summary

This will fail when mac_veriexec is enforced.

Move the check from procfs_doprocmem to proc_rwmem to ensure all
cases are covered.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

sjg created this revision.Nov 8 2024, 5:09 AM

Herald added subscribers: olce, imp. · View Herald TranscriptNov 8 2024, 5:09 AM

sjg requested review of this revision.Nov 8 2024, 5:09 AM

Harbormaster completed remote builds in B60446: Diff 146166.Nov 8 2024, 5:09 AM

proc_rwmem() is also called by ptrace() and cuse(4). I can imagine you also want to prevent process tampering via ptrace(), but what about cuse(4), and more generally other potential uses where data transfers are performed by proc_rwmem()?

If this is a concern, an alternative would be to add a check of PRIV_PROC_MEM_WRITE directly in kern_ptrace().

sys/sys/priv.h
518

In D47484#1082949, @olce wrote:

proc_rwmem() is also called by ptrace() and cuse(4). I can imagine you also want to prevent process tampering via ptrace(), but what about cuse(4), and more generally other potential uses where data transfers are performed by proc_rwmem()?

If this is a concern, an alternative would be to add a check of PRIV_PROC_MEM_WRITE directly in kern_ptrace().

The point is to disallow arbitrary modifications of process memory. kern_ptrace() is not the only interface which permits this, proc_rwmem() can be reached via dtrace as well. veriexec has ways to exempt executables from this restriction, e.g., so that one can use gdb. I think executables which operate a cuse server would require similar handling, and that's probably acceptable.

This revision is now accepted and ready to land.Nov 8 2024, 1:57 PM

In D47484#1082989, @markj wrote:

The point is to disallow arbitrary modifications of process memory. kern_ptrace() is not the only interface which permits this, proc_rwmem() can be reached via dtrace as well. veriexec has ways to exempt executables from this restriction, e.g., so that one can use gdb.

Yes, I agree (and am already aware).

I think executables which operate a cuse server would require similar handling, and that's probably acceptable.

That I wasn't sure of, by lack of cuse knowledge, thanks for sharing this info. It seems to me that if proc_rwmem() is used to send data to another process that explicitly requested it and if cuse enforces that the data can only be sent to the requested addresses (out of the control of the sending server process), then that send should be accepted regardless of PRIV_PROC_MEM_WRITE. But I don't know if it's the case, and even if it is I agree it doesn't matter at first order.

Closed by commit rGf239981ed58c: proc_rwmem check PRIV_PROC_MEM_WRITE when writing (authored by sjg). · Explain WhyNov 9 2024, 12:13 AM

This revision was automatically updated to reflect the committed changes.

sjg added a commit: rGf239981ed58c: proc_rwmem check PRIV_PROC_MEM_WRITE when writing.