tech-security archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

re: CVS commit: src/sys/kern



On Dec 4, 10:20am, mrg%eterna.com.au@localhost (matthew green) wrote:
-- Subject: re: CVS commit: src/sys/kern

| i just had an idea about a relatively simple hack to allow
| kvm tools to work sanely in kaslr space, even if they're not
| fully converted yet.
| 
| a secmodel overlay that has a way to allow a uid/gid combo
| to retrieve the addresses, not just root, and then have that
| combo set to */kvm.  then, kvm tools don't drop gid kvm until
| after doing sysctl.
| 
| this would restrict the sysctls to gid kvm.
| 
| we still would have to audit the tools to ensure they do not
| expose these addresses directly (ie, printf), but only use
| them internally, but until functional parity is achieved it
| would allow both security and usability today.
| 
| just an idea..

We already have the hooks for that: In proc_listener_cb() one can
add to KAUTH_REQ_PROCESS_CANSEE_KPTR a credentials check based on
two new sysctl's (kern.expose_address.uid, kern.expose_address.gid).
These can work as:

If kern.expose_address.enabled == 0, then nothing is allowed
If kern.expose_address.enabled == 1, then kern.expose_address.{uid,gid} are
consulted: if -1, all are allowed, else the euid/egid needs to match.

The changes to do this are trivial :-)

christos


Home | Main Index | Thread Index | Old Index