re: CVS commit: src/sys/kern

To: matthew green <mrg%eterna.com.au@localhost>, maxv%netbsd.org@localhost
Subject: re: CVS commit: src/sys/kern
From: christos%zoulas.com@localhost (Christos Zoulas)
Date: Mon, 3 Dec 2018 18:53:39 -0500

On Dec 4, 10:20am, mrg%eterna.com.au@localhost (matthew green) wrote:
-- Subject: re: CVS commit: src/sys/kern

| i just had an idea about a relatively simple hack to allow
| kvm tools to work sanely in kaslr space, even if they're not
| fully converted yet.
| 
| a secmodel overlay that has a way to allow a uid/gid combo
| to retrieve the addresses, not just root, and then have that
| combo set to */kvm.  then, kvm tools don't drop gid kvm until
| after doing sysctl.
| 
| this would restrict the sysctls to gid kvm.
| 
| we still would have to audit the tools to ensure they do not
| expose these addresses directly (ie, printf), but only use
| them internally, but until functional parity is achieved it
| would allow both security and usability today.
| 
| just an idea..

We already have the hooks for that: In proc_listener_cb() one can
add to KAUTH_REQ_PROCESS_CANSEE_KPTR a credentials check based on
two new sysctl's (kern.expose_address.uid, kern.expose_address.gid).
These can work as:

If kern.expose_address.enabled == 0, then nothing is allowed
If kern.expose_address.enabled == 1, then kern.expose_address.{uid,gid} are
consulted: if -1, all are allowed, else the euid/egid needs to match.

The changes to do this are trivial :-)

christos

References:
- re: CVS commit: src/sys/kern
  - From: matthew green

Prev by Date: re: CVS commit: src/sys/kern
Next by Date: Re: bozo .htpasswd exposure
Previous by Thread: re: CVS commit: src/sys/kern
Next by Thread: Re: nfs optimization and veriexec
Indexes:

Home | Main Index | Thread Index | Old Index