mirror of
https://github.com/followmsi/android_kernel_google_msm.git
synced 2024-11-06 23:17:41 +00:00
kernel: Only expose su when daemon is running
Note: this is for the 3.4 kernel It has been claimed that the PG implementation of 'su' has security vulnerabilities even when disabled. Unfortunately, the people that find these vulnerabilities often like to keep them private so they can profit from exploits while leaving users exposed to malicious hackers. In order to reduce the attack surface for vulnerabilites, it is therefore necessary to make 'su' completely inaccessible when it is not in use (except by the root and system users). Change-Id: Ia7d50ba46c3d932c2b0ca5fc8e9ec69ec9045f85
This commit is contained in:
parent
5c6321cec0
commit
75ec7fa33f
8 changed files with 87 additions and 0 deletions
|
@ -1567,6 +1567,11 @@ static int do_execve_common(const char *filename,
|
||||||
if (retval < 0)
|
if (retval < 0)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
|
if (d_is_su(file->f_dentry) && capable(CAP_SYS_ADMIN)) {
|
||||||
|
current->flags |= PF_SU;
|
||||||
|
su_exec();
|
||||||
|
}
|
||||||
|
|
||||||
/* execve succeeded */
|
/* execve succeeded */
|
||||||
current->fs->in_exec = 0;
|
current->fs->in_exec = 0;
|
||||||
current->in_execve = 0;
|
current->in_execve = 0;
|
||||||
|
|
|
@ -1770,6 +1770,14 @@ static int path_lookupat(int dfd, const char *name,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!err) {
|
||||||
|
struct super_block *sb = nd->inode->i_sb;
|
||||||
|
if (sb->s_flags & MS_RDONLY) {
|
||||||
|
if (d_is_su(nd->path.dentry) && !su_visible())
|
||||||
|
err = -ENOENT;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (base)
|
if (base)
|
||||||
fput(base);
|
fput(base);
|
||||||
|
|
||||||
|
|
20
fs/readdir.c
20
fs/readdir.c
|
@ -47,6 +47,14 @@ out:
|
||||||
|
|
||||||
EXPORT_SYMBOL(vfs_readdir);
|
EXPORT_SYMBOL(vfs_readdir);
|
||||||
|
|
||||||
|
static bool hide_name(const char *name, int namlen)
|
||||||
|
{
|
||||||
|
if (namlen == 2 && !memcmp(name, "su", 2))
|
||||||
|
if (!su_visible())
|
||||||
|
return true;
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Traditional linux readdir() handling..
|
* Traditional linux readdir() handling..
|
||||||
*
|
*
|
||||||
|
@ -68,6 +76,7 @@ struct old_linux_dirent {
|
||||||
struct readdir_callback {
|
struct readdir_callback {
|
||||||
struct old_linux_dirent __user * dirent;
|
struct old_linux_dirent __user * dirent;
|
||||||
int result;
|
int result;
|
||||||
|
bool romnt;
|
||||||
};
|
};
|
||||||
|
|
||||||
static int fillonedir(void * __buf, const char * name, int namlen, loff_t offset,
|
static int fillonedir(void * __buf, const char * name, int namlen, loff_t offset,
|
||||||
|
@ -84,6 +93,8 @@ static int fillonedir(void * __buf, const char * name, int namlen, loff_t offset
|
||||||
buf->result = -EOVERFLOW;
|
buf->result = -EOVERFLOW;
|
||||||
return -EOVERFLOW;
|
return -EOVERFLOW;
|
||||||
}
|
}
|
||||||
|
if (hide_name(name, namlen) && buf->romnt)
|
||||||
|
return 0;
|
||||||
buf->result++;
|
buf->result++;
|
||||||
dirent = buf->dirent;
|
dirent = buf->dirent;
|
||||||
if (!access_ok(VERIFY_WRITE, dirent,
|
if (!access_ok(VERIFY_WRITE, dirent,
|
||||||
|
@ -116,6 +127,7 @@ SYSCALL_DEFINE3(old_readdir, unsigned int, fd,
|
||||||
|
|
||||||
buf.result = 0;
|
buf.result = 0;
|
||||||
buf.dirent = dirent;
|
buf.dirent = dirent;
|
||||||
|
buf.romnt = (file->f_path.dentry->d_sb->s_flags & MS_RDONLY);
|
||||||
|
|
||||||
error = vfs_readdir(file, fillonedir, &buf);
|
error = vfs_readdir(file, fillonedir, &buf);
|
||||||
if (buf.result)
|
if (buf.result)
|
||||||
|
@ -144,6 +156,7 @@ struct getdents_callback {
|
||||||
struct linux_dirent __user * previous;
|
struct linux_dirent __user * previous;
|
||||||
int count;
|
int count;
|
||||||
int error;
|
int error;
|
||||||
|
bool romnt;
|
||||||
};
|
};
|
||||||
|
|
||||||
static int filldir(void * __buf, const char * name, int namlen, loff_t offset,
|
static int filldir(void * __buf, const char * name, int namlen, loff_t offset,
|
||||||
|
@ -163,6 +176,8 @@ static int filldir(void * __buf, const char * name, int namlen, loff_t offset,
|
||||||
buf->error = -EOVERFLOW;
|
buf->error = -EOVERFLOW;
|
||||||
return -EOVERFLOW;
|
return -EOVERFLOW;
|
||||||
}
|
}
|
||||||
|
if (hide_name(name, namlen) && buf->romnt)
|
||||||
|
return 0;
|
||||||
dirent = buf->previous;
|
dirent = buf->previous;
|
||||||
if (dirent) {
|
if (dirent) {
|
||||||
if (__put_user(offset, &dirent->d_off))
|
if (__put_user(offset, &dirent->d_off))
|
||||||
|
@ -210,6 +225,7 @@ SYSCALL_DEFINE3(getdents, unsigned int, fd,
|
||||||
buf.previous = NULL;
|
buf.previous = NULL;
|
||||||
buf.count = count;
|
buf.count = count;
|
||||||
buf.error = 0;
|
buf.error = 0;
|
||||||
|
buf.romnt = (file->f_path.dentry->d_sb->s_flags & MS_RDONLY);
|
||||||
|
|
||||||
error = vfs_readdir(file, filldir, &buf);
|
error = vfs_readdir(file, filldir, &buf);
|
||||||
if (error >= 0)
|
if (error >= 0)
|
||||||
|
@ -231,6 +247,7 @@ struct getdents_callback64 {
|
||||||
struct linux_dirent64 __user * previous;
|
struct linux_dirent64 __user * previous;
|
||||||
int count;
|
int count;
|
||||||
int error;
|
int error;
|
||||||
|
bool romnt;
|
||||||
};
|
};
|
||||||
|
|
||||||
static int filldir64(void * __buf, const char * name, int namlen, loff_t offset,
|
static int filldir64(void * __buf, const char * name, int namlen, loff_t offset,
|
||||||
|
@ -244,6 +261,8 @@ static int filldir64(void * __buf, const char * name, int namlen, loff_t offset,
|
||||||
buf->error = -EINVAL; /* only used if we fail.. */
|
buf->error = -EINVAL; /* only used if we fail.. */
|
||||||
if (reclen > buf->count)
|
if (reclen > buf->count)
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
|
if (hide_name(name, namlen) && buf->romnt)
|
||||||
|
return 0;
|
||||||
dirent = buf->previous;
|
dirent = buf->previous;
|
||||||
if (dirent) {
|
if (dirent) {
|
||||||
if (__put_user(offset, &dirent->d_off))
|
if (__put_user(offset, &dirent->d_off))
|
||||||
|
@ -293,6 +312,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int, fd,
|
||||||
buf.previous = NULL;
|
buf.previous = NULL;
|
||||||
buf.count = count;
|
buf.count = count;
|
||||||
buf.error = 0;
|
buf.error = 0;
|
||||||
|
buf.romnt = (file->f_path.dentry->d_sb->s_flags & MS_RDONLY);
|
||||||
|
|
||||||
error = vfs_readdir(file, filldir64, &buf);
|
error = vfs_readdir(file, filldir64, &buf);
|
||||||
if (error >= 0)
|
if (error >= 0)
|
||||||
|
|
|
@ -400,6 +400,13 @@ static inline bool d_need_lookup(struct dentry *dentry)
|
||||||
|
|
||||||
extern void d_clear_need_lookup(struct dentry *dentry);
|
extern void d_clear_need_lookup(struct dentry *dentry);
|
||||||
|
|
||||||
|
static inline bool d_is_su(const struct dentry *dentry)
|
||||||
|
{
|
||||||
|
return dentry &&
|
||||||
|
dentry->d_name.len == 2 &&
|
||||||
|
!memcmp(dentry->d_name.name, "su", 2);
|
||||||
|
}
|
||||||
|
|
||||||
extern int sysctl_vfs_cache_pressure;
|
extern int sysctl_vfs_cache_pressure;
|
||||||
|
|
||||||
#endif /* __LINUX_DCACHE_H */
|
#endif /* __LINUX_DCACHE_H */
|
||||||
|
|
|
@ -93,6 +93,12 @@ struct sched_param {
|
||||||
|
|
||||||
#include <asm/processor.h>
|
#include <asm/processor.h>
|
||||||
|
|
||||||
|
int su_instances(void);
|
||||||
|
bool su_running(void);
|
||||||
|
bool su_visible(void);
|
||||||
|
void su_exec(void);
|
||||||
|
void su_exit(void);
|
||||||
|
|
||||||
struct exec_domain;
|
struct exec_domain;
|
||||||
struct futex_pi_state;
|
struct futex_pi_state;
|
||||||
struct robust_list_head;
|
struct robust_list_head;
|
||||||
|
@ -1842,6 +1848,8 @@ extern int task_free_unregister(struct notifier_block *n);
|
||||||
#define PF_MUTEX_TESTER 0x20000000 /* Thread belongs to the rt mutex tester */
|
#define PF_MUTEX_TESTER 0x20000000 /* Thread belongs to the rt mutex tester */
|
||||||
#define PF_FREEZER_SKIP 0x40000000 /* Freezer should not count it as freezable */
|
#define PF_FREEZER_SKIP 0x40000000 /* Freezer should not count it as freezable */
|
||||||
|
|
||||||
|
#define PF_SU 0x80000000 /* task is su */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Only the _current_ task can read/write to tsk->flags, but other
|
* Only the _current_ task can read/write to tsk->flags, but other
|
||||||
* tasks can access tsk->flags in readonly mode for example
|
* tasks can access tsk->flags in readonly mode for example
|
||||||
|
|
|
@ -953,6 +953,11 @@ void do_exit(long code)
|
||||||
}
|
}
|
||||||
|
|
||||||
exit_signals(tsk); /* sets PF_EXITING */
|
exit_signals(tsk); /* sets PF_EXITING */
|
||||||
|
|
||||||
|
if (tsk->flags & PF_SU) {
|
||||||
|
su_exit();
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* tsk->flags are checked in the futex code to protect against
|
* tsk->flags are checked in the futex code to protect against
|
||||||
* an exiting task cleaning up the robust pi futexes.
|
* an exiting task cleaning up the robust pi futexes.
|
||||||
|
|
|
@ -295,6 +295,8 @@ static struct task_struct *dup_task_struct(struct task_struct *orig)
|
||||||
if (err)
|
if (err)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
|
tsk->flags &= ~PF_SU;
|
||||||
|
|
||||||
tsk->stack = ti;
|
tsk->stack = ti;
|
||||||
#ifdef CONFIG_SECCOMP
|
#ifdef CONFIG_SECCOMP
|
||||||
/*
|
/*
|
||||||
|
|
|
@ -88,6 +88,38 @@
|
||||||
#define CREATE_TRACE_POINTS
|
#define CREATE_TRACE_POINTS
|
||||||
#include <trace/events/sched.h>
|
#include <trace/events/sched.h>
|
||||||
|
|
||||||
|
static atomic_t __su_instances;
|
||||||
|
|
||||||
|
int su_instances(void)
|
||||||
|
{
|
||||||
|
return atomic_read(&__su_instances);
|
||||||
|
}
|
||||||
|
|
||||||
|
bool su_running(void)
|
||||||
|
{
|
||||||
|
return su_instances() > 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
bool su_visible(void)
|
||||||
|
{
|
||||||
|
uid_t uid = current_uid();
|
||||||
|
if (su_running())
|
||||||
|
return true;
|
||||||
|
if (uid == 0 || uid == 1000)
|
||||||
|
return true;
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
void su_exec(void)
|
||||||
|
{
|
||||||
|
atomic_inc(&__su_instances);
|
||||||
|
}
|
||||||
|
|
||||||
|
void su_exit(void)
|
||||||
|
{
|
||||||
|
atomic_dec(&__su_instances);
|
||||||
|
}
|
||||||
|
|
||||||
ATOMIC_NOTIFIER_HEAD(migration_notifier_head);
|
ATOMIC_NOTIFIER_HEAD(migration_notifier_head);
|
||||||
|
|
||||||
void start_bandwidth_timer(struct hrtimer *period_timer, ktime_t period)
|
void start_bandwidth_timer(struct hrtimer *period_timer, ktime_t period)
|
||||||
|
|
Loading…
Reference in a new issue