• Kees Cook's avatar
    sysctl: allow for strict write position handling · f4aacea2
    Kees Cook authored
    When writing to a sysctl string, each write, regardless of VFS position,
    begins writing the string from the start.  This means the contents of
    the last write to the sysctl controls the string contents instead of the
      open("/proc/sys/kernel/modprobe", O_WRONLY)   = 1
      write(1, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., 4096) = 4096
      write(1, "/bin/true", 9)                = 9
      close(1)                                = 0
      $ cat /proc/sys/kernel/modprobe
    Expected behaviour would be to have the sysctl be "AAAA..." capped at
    maxlen (in this case KMOD_PATH_LEN: 256), instead of truncating to the
    contents of the second write.  Similarly, multiple short writes would
    not append to the sysctl.
    The old behavior is unlike regular POSIX files enough that doing audits
    of software that interact with sysctls can end up in unexpected or
    dangerous situations.  For example, "as long as the input starts with a
    trusted path" turns out to be an insufficient filter, as what must also
    happen is for the input to be entirely contained in a single write
    syscall -- not a common consideration, especially for high level tools.
    This provides kernel.sysctl_writes_strict as a way to make this behavior
    act in a less surprising manner for strings, and disallows non-zero file
    position when writing numeric sysctls (similar to what is already done
    when reading from non-zero file positions).  For now, the default (0) is
    to warn about non-zero file position use, but retain the legacy
    behavior.  Setting this to -1 disables the warning, and setting this to
    1 enables the file position respecting behavior.
    [akpm@linux-foundation.org: fix build]
    [akpm@linux-foundation.org: move misplaced hunk, per Randy]
    Signed-off-by: default avatarKees Cook <keescook@chromium.org>
    Cc: Randy Dunlap <rdunlap@infradead.org>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
kernel.txt 29.6 KB