• Davidlohr Bueso's avatar
    ipc/shm: introduce shmctl(SHM_STAT_ANY) · c21a6970
    Davidlohr Bueso authored
    Patch series "sysvipc: introduce STAT_ANY commands", v2.
    
    The following patches adds the discussed (see [1]) new command for shm
    as well as for sems and msq as they are subject to the same
    discrepancies for ipc object permission checks between the syscall and
    via procfs.  These new commands are justified in that (1) we are stuck
    with this semantics as changing syscall and procfs can break userland;
    and (2) some users can benefit from performance (for large amounts of
    shm segments, for example) from not having to parse the procfs
    interface.
    
    Once merged, I will submit the necesary manpage updates.  But I'm thinking
    something like:
    
    : diff --git a/man2/shmctl.2 b/man2/shmctl.2
    : index 7bb503999941..bb00bbe21a57 100644
    : --- a/man2/shmctl.2
    : +++ b/man2/shmctl.2
    : @@ -41,6 +41,7 @@
    :  .\" 2005-04-25, mtk -- noted aberrant Linux behavior w.r.t. new
    :  .\"	attaches to a segment that has already been marked for deletion.
    :  .\" 2005-08-02, mtk: Added IPC_INFO, SHM_INFO, SHM_STAT descriptions.
    : +.\" 2018-02-13, dbueso: Added SHM_STAT_ANY description.
    :  .\"
    :  .TH SHMCTL 2 2017-09-15 "Linux" "Linux Programmer's Manual"
    :  .SH NAME
    : @@ -242,6 +243,18 @@ However, the
    :  argument is not a segment identifier, but instead an index into
    :  the kernel's internal array that maintains information about
    :  all shared memory segments on the system.
    : +.TP
    : +.BR SHM_STAT_ANY " (Linux-specific)"
    : +Return a
    : +.I shmid_ds
    : +structure as for
    : +.BR SHM_STAT .
    : +However, the
    : +.I shm_perm.mode
    : +is not checked for read access for
    : +.IR shmid ,
    : +resembing the behaviour of
    : +/proc/sysvipc/shm.
    :  .PP
    :  The caller can prevent or allow swapping of a shared
    :  memory segment with the following \fIcmd\fP values:
    : @@ -287,7 +300,7 @@ operation returns the index of the highest used entry in the
    :  kernel's internal array recording information about all
    :  shared memory segments.
    :  (This information can be used with repeated
    : -.B SHM_STAT
    : +.B SHM_STAT/SHM_STAT_ANY
    :  operations to obtain information about all shared memory segments
    :  on the system.)
    :  A successful
    : @@ -328,7 +341,7 @@ isn't accessible.
    :  \fIshmid\fP is not a valid identifier, or \fIcmd\fP
    :  is not a valid command.
    :  Or: for a
    : -.B SHM_STAT
    : +.B SHM_STAT/SHM_STAT_ANY
    :  operation, the index value specified in
    :  .I shmid
    :  referred to an array slot that is currently unused.
    
    This patch (of 3):
    
    There is a permission discrepancy when consulting shm ipc object metadata
    between /proc/sysvipc/shm (0444) and the SHM_STAT shmctl command.  The
    later does permission checks for the object vs S_IRUGO.  As such there can
    be cases where EACCESS is returned via syscall but the info is displayed
    anyways in the procfs files.
    
    While this might have security implications via info leaking (albeit no
    writing to the shm metadata), this behavior goes way back and showing all
    the objects regardless of the permissions was most likely an overlook - so
    we are stuck with it.  Furthermore, modifying either the syscall or the
    procfs file can cause userspace programs to break (ie ipcs).  Some
    applications require getting the procfs info (without root privileges) and
    can be rather slow in comparison with a syscall -- up to 500x in some
    reported cases.
    
    This patch introduces a new SHM_STAT_ANY command such that the shm ipc
    object permissions are ignored, and only audited instead.  In addition,
    I've left the lsm security hook checks in place, as if some policy can
    block the call, then the user has no other choice than just parsing the
    procfs file.
    
    [1] https://lkml.org/lkml/2017/12/19/220
    
    Link: http://lkml.kernel.org/r/20180215162458.10059-2-dave@stgolabs.netSigned-off-by: default avatarDavidlohr Bueso <dbueso@suse.de>
    Acked-by: default avatarMichal Hocko <mhocko@suse.com>
    Cc: Michael Kerrisk <mtk.manpages@gmail.com>
    Cc: Manfred Spraul <manfred@colorfullife.com>
    Cc: Eric W. Biederman <ebiederm@xmission.com>
    Cc: Kees Cook <keescook@chromium.org>
    Cc: Robert Kettler <robert.kettler@outlook.com>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    c21a6970
smack_lsm.c 117 KB