|
|
281364 |
From d178865d3d9940423f4d99360e3dc2fcaf0b2c96 Mon Sep 17 00:00:00 2001
|
|
|
281364 |
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
|
|
|
281364 |
Date: Mon, 28 Nov 2022 12:12:55 +0100
|
|
|
281364 |
Subject: [PATCH] coredump: do not allow user to access coredumps with changed
|
|
|
281364 |
uid/gid/capabilities
|
|
|
281364 |
|
|
|
281364 |
When the user starts a program which elevates its permissions via setuid,
|
|
|
281364 |
setgid, or capabilities set on the file, it may access additional information
|
|
|
281364 |
which would then be visible in the coredump. We shouldn't make the the coredump
|
|
|
281364 |
visible to the user in such cases.
|
|
|
281364 |
|
|
|
281364 |
Reported-by: Matthias Gerstner <mgerstner@suse.de>
|
|
|
281364 |
|
|
|
281364 |
This reads the /proc/<pid>/auxv file and attaches it to the process metadata as
|
|
|
281364 |
PROC_AUXV. Before the coredump is submitted, it is parsed and if either
|
|
|
281364 |
at_secure was set (which the kernel will do for processes that are setuid,
|
|
|
281364 |
setgid, or setcap), or if the effective uid/gid don't match uid/gid, the file
|
|
|
281364 |
is not made accessible to the user. If we can't access this data, we assume the
|
|
|
281364 |
file should not be made accessible either. In principle we could also access
|
|
|
281364 |
the auxv data from a note in the core file, but that is much more complex and
|
|
|
281364 |
it seems better to use the stand-alone file that is provided by the kernel.
|
|
|
281364 |
|
|
|
281364 |
Attaching auxv is both convient for this patch (because this way it's passed
|
|
|
281364 |
between the stages along with other fields), but I think it makes sense to save
|
|
|
281364 |
it in general.
|
|
|
281364 |
|
|
|
281364 |
We use the information early in the core file to figure out if the program was
|
|
|
281364 |
32-bit or 64-bit and its endianness. This way we don't need heuristics to guess
|
|
|
281364 |
whether the format of the auxv structure. This test might reject some cases on
|
|
|
281364 |
fringe architecutes. But the impact would be limited: we just won't grant the
|
|
|
281364 |
user permissions to view the coredump file. If people report that we're missing
|
|
|
281364 |
some cases, we can always enhance this to support more architectures.
|
|
|
281364 |
|
|
|
281364 |
I tested auxv parsing on amd64, 32-bit program on amd64, arm64, arm32, and
|
|
|
281364 |
ppc64el, but not the whole coredump handling.
|
|
|
281364 |
|
|
|
281364 |
(cherry picked from commit 3e4d0f6cf99f8677edd6a237382a65bfe758de03)
|
|
|
281364 |
|
|
|
281364 |
Resolves: #2155520
|
|
|
281364 |
---
|
|
|
281364 |
src/coredump/coredump.c | 190 ++++++++++++++++++++++++++++++++++++++--
|
|
|
281364 |
1 file changed, 182 insertions(+), 8 deletions(-)
|
|
|
281364 |
|
|
|
281364 |
diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c
|
|
|
281364 |
index ebc56d8342..d8acd2d3a7 100644
|
|
|
281364 |
--- a/src/coredump/coredump.c
|
|
|
281364 |
+++ b/src/coredump/coredump.c
|
|
|
281364 |
@@ -4,6 +4,7 @@
|
|
|
281364 |
#include <stdio.h>
|
|
|
281364 |
#include <stdio_ext.h>
|
|
|
281364 |
#include <sys/prctl.h>
|
|
|
281364 |
+#include <sys/auxv.h>
|
|
|
281364 |
#include <sys/xattr.h>
|
|
|
281364 |
#include <unistd.h>
|
|
|
281364 |
|
|
|
281364 |
@@ -88,11 +89,13 @@ enum {
|
|
|
281364 |
CONTEXT_COMM,
|
|
|
281364 |
CONTEXT_EXE,
|
|
|
281364 |
CONTEXT_UNIT,
|
|
|
281364 |
+ CONTEXT_PROC_AUXV,
|
|
|
281364 |
_CONTEXT_MAX
|
|
|
281364 |
};
|
|
|
281364 |
|
|
|
281364 |
typedef struct Context {
|
|
|
281364 |
const char *meta[_CONTEXT_MAX];
|
|
|
281364 |
+ size_t meta_size[_CONTEXT_MAX];
|
|
|
281364 |
} Context;
|
|
|
281364 |
|
|
|
281364 |
typedef enum CoredumpStorage {
|
|
|
281364 |
@@ -148,8 +151,7 @@ static inline uint64_t storage_size_max(void) {
|
|
|
281364 |
return 0;
|
|
|
281364 |
}
|
|
|
281364 |
|
|
|
281364 |
-static int fix_acl(int fd, uid_t uid) {
|
|
|
281364 |
-
|
|
|
281364 |
+static int fix_acl(int fd, uid_t uid, bool allow_user) {
|
|
|
281364 |
#if HAVE_ACL
|
|
|
281364 |
_cleanup_(acl_freep) acl_t acl = NULL;
|
|
|
281364 |
acl_entry_t entry;
|
|
|
281364 |
@@ -157,6 +159,11 @@ static int fix_acl(int fd, uid_t uid) {
|
|
|
281364 |
int r;
|
|
|
281364 |
|
|
|
281364 |
assert(fd >= 0);
|
|
|
281364 |
+ assert(uid_is_valid(uid));
|
|
|
281364 |
+
|
|
|
281364 |
+ /* We don't allow users to read coredumps if the uid or capabilities were changed. */
|
|
|
281364 |
+ if (!allow_user)
|
|
|
281364 |
+ return 0;
|
|
|
281364 |
|
|
|
281364 |
if (uid_is_system(uid) || uid_is_dynamic(uid) || uid == UID_NOBODY)
|
|
|
281364 |
return 0;
|
|
|
281364 |
@@ -235,7 +242,8 @@ static int fix_permissions(
|
|
|
281364 |
const char *filename,
|
|
|
281364 |
const char *target,
|
|
|
281364 |
const Context *context,
|
|
|
281364 |
- uid_t uid) {
|
|
|
281364 |
+ uid_t uid,
|
|
|
281364 |
+ bool allow_user) {
|
|
|
281364 |
|
|
|
281364 |
int r;
|
|
|
281364 |
|
|
|
281364 |
@@ -245,7 +253,7 @@ static int fix_permissions(
|
|
|
281364 |
|
|
|
281364 |
/* Ignore errors on these */
|
|
|
281364 |
(void) fchmod(fd, 0640);
|
|
|
281364 |
- (void) fix_acl(fd, uid);
|
|
|
281364 |
+ (void) fix_acl(fd, uid, allow_user);
|
|
|
281364 |
(void) fix_xattr(fd, context);
|
|
|
281364 |
|
|
|
281364 |
if (fsync(fd) < 0)
|
|
|
281364 |
@@ -316,6 +324,154 @@ static int make_filename(const Context *context, char **ret) {
|
|
|
281364 |
return 0;
|
|
|
281364 |
}
|
|
|
281364 |
|
|
|
281364 |
+static int parse_auxv64(
|
|
|
281364 |
+ const uint64_t *auxv,
|
|
|
281364 |
+ size_t size_bytes,
|
|
|
281364 |
+ int *at_secure,
|
|
|
281364 |
+ uid_t *uid,
|
|
|
281364 |
+ uid_t *euid,
|
|
|
281364 |
+ gid_t *gid,
|
|
|
281364 |
+ gid_t *egid) {
|
|
|
281364 |
+
|
|
|
281364 |
+ assert(auxv || size_bytes == 0);
|
|
|
281364 |
+
|
|
|
281364 |
+ if (size_bytes % (2 * sizeof(uint64_t)) != 0)
|
|
|
281364 |
+ return log_warning_errno(-EIO, "Incomplete auxv structure (%zu bytes).", size_bytes);
|
|
|
281364 |
+
|
|
|
281364 |
+ size_t words = size_bytes / sizeof(uint64_t);
|
|
|
281364 |
+
|
|
|
281364 |
+ /* Note that we set output variables even on error. */
|
|
|
281364 |
+
|
|
|
281364 |
+ for (size_t i = 0; i + 1 < words; i += 2)
|
|
|
281364 |
+ switch (auxv[i]) {
|
|
|
281364 |
+ case AT_SECURE:
|
|
|
281364 |
+ *at_secure = auxv[i + 1] != 0;
|
|
|
281364 |
+ break;
|
|
|
281364 |
+ case AT_UID:
|
|
|
281364 |
+ *uid = auxv[i + 1];
|
|
|
281364 |
+ break;
|
|
|
281364 |
+ case AT_EUID:
|
|
|
281364 |
+ *euid = auxv[i + 1];
|
|
|
281364 |
+ break;
|
|
|
281364 |
+ case AT_GID:
|
|
|
281364 |
+ *gid = auxv[i + 1];
|
|
|
281364 |
+ break;
|
|
|
281364 |
+ case AT_EGID:
|
|
|
281364 |
+ *egid = auxv[i + 1];
|
|
|
281364 |
+ break;
|
|
|
281364 |
+ case AT_NULL:
|
|
|
281364 |
+ if (auxv[i + 1] != 0)
|
|
|
281364 |
+ goto error;
|
|
|
281364 |
+ return 0;
|
|
|
281364 |
+ }
|
|
|
281364 |
+ error:
|
|
|
281364 |
+ return log_warning_errno(-ENODATA,
|
|
|
281364 |
+ "AT_NULL terminator not found, cannot parse auxv structure.");
|
|
|
281364 |
+}
|
|
|
281364 |
+
|
|
|
281364 |
+static int parse_auxv32(
|
|
|
281364 |
+ const uint32_t *auxv,
|
|
|
281364 |
+ size_t size_bytes,
|
|
|
281364 |
+ int *at_secure,
|
|
|
281364 |
+ uid_t *uid,
|
|
|
281364 |
+ uid_t *euid,
|
|
|
281364 |
+ gid_t *gid,
|
|
|
281364 |
+ gid_t *egid) {
|
|
|
281364 |
+
|
|
|
281364 |
+ assert(auxv || size_bytes == 0);
|
|
|
281364 |
+
|
|
|
281364 |
+ size_t words = size_bytes / sizeof(uint32_t);
|
|
|
281364 |
+
|
|
|
281364 |
+ if (size_bytes % (2 * sizeof(uint32_t)) != 0)
|
|
|
281364 |
+ return log_warning_errno(-EIO, "Incomplete auxv structure (%zu bytes).", size_bytes);
|
|
|
281364 |
+
|
|
|
281364 |
+ /* Note that we set output variables even on error. */
|
|
|
281364 |
+
|
|
|
281364 |
+ for (size_t i = 0; i + 1 < words; i += 2)
|
|
|
281364 |
+ switch (auxv[i]) {
|
|
|
281364 |
+ case AT_SECURE:
|
|
|
281364 |
+ *at_secure = auxv[i + 1] != 0;
|
|
|
281364 |
+ break;
|
|
|
281364 |
+ case AT_UID:
|
|
|
281364 |
+ *uid = auxv[i + 1];
|
|
|
281364 |
+ break;
|
|
|
281364 |
+ case AT_EUID:
|
|
|
281364 |
+ *euid = auxv[i + 1];
|
|
|
281364 |
+ break;
|
|
|
281364 |
+ case AT_GID:
|
|
|
281364 |
+ *gid = auxv[i + 1];
|
|
|
281364 |
+ break;
|
|
|
281364 |
+ case AT_EGID:
|
|
|
281364 |
+ *egid = auxv[i + 1];
|
|
|
281364 |
+ break;
|
|
|
281364 |
+ case AT_NULL:
|
|
|
281364 |
+ if (auxv[i + 1] != 0)
|
|
|
281364 |
+ goto error;
|
|
|
281364 |
+ return 0;
|
|
|
281364 |
+ }
|
|
|
281364 |
+ error:
|
|
|
281364 |
+ return log_warning_errno(-ENODATA,
|
|
|
281364 |
+ "AT_NULL terminator not found, cannot parse auxv structure.");
|
|
|
281364 |
+}
|
|
|
281364 |
+
|
|
|
281364 |
+static int grant_user_access(int core_fd, const Context *context) {
|
|
|
281364 |
+ int at_secure = -1;
|
|
|
281364 |
+ uid_t uid = UID_INVALID, euid = UID_INVALID;
|
|
|
281364 |
+ uid_t gid = GID_INVALID, egid = GID_INVALID;
|
|
|
281364 |
+ int r;
|
|
|
281364 |
+
|
|
|
281364 |
+ assert(core_fd >= 0);
|
|
|
281364 |
+ assert(context);
|
|
|
281364 |
+
|
|
|
281364 |
+ if (!context->meta[CONTEXT_PROC_AUXV])
|
|
|
281364 |
+ return log_warning_errno(-ENODATA, "No auxv data, not adjusting permissions.");
|
|
|
281364 |
+
|
|
|
281364 |
+ uint8_t elf[EI_NIDENT];
|
|
|
281364 |
+ errno = 0;
|
|
|
281364 |
+ if (pread(core_fd, &elf, sizeof(elf), 0) != sizeof(elf))
|
|
|
281364 |
+ return log_warning_errno(errno > 0 ? -errno : -EIO,
|
|
|
281364 |
+ "Failed to pread from coredump fd: %s",
|
|
|
281364 |
+ errno > 0 ? STRERROR(errno) : "Unexpected EOF");
|
|
|
281364 |
+
|
|
|
281364 |
+ if (elf[EI_MAG0] != ELFMAG0 ||
|
|
|
281364 |
+ elf[EI_MAG1] != ELFMAG1 ||
|
|
|
281364 |
+ elf[EI_MAG2] != ELFMAG2 ||
|
|
|
281364 |
+ elf[EI_MAG3] != ELFMAG3 ||
|
|
|
281364 |
+ elf[EI_VERSION] != EV_CURRENT)
|
|
|
281364 |
+ return log_info_errno(-EUCLEAN,
|
|
|
281364 |
+ "Core file does not have ELF header, not adjusting permissions.");
|
|
|
281364 |
+ if (!IN_SET(elf[EI_CLASS], ELFCLASS32, ELFCLASS64) ||
|
|
|
281364 |
+ !IN_SET(elf[EI_DATA], ELFDATA2LSB, ELFDATA2MSB))
|
|
|
281364 |
+ return log_info_errno(-EUCLEAN,
|
|
|
281364 |
+ "Core file has strange ELF class, not adjusting permissions.");
|
|
|
281364 |
+
|
|
|
281364 |
+ if ((elf[EI_DATA] == ELFDATA2LSB) != (__BYTE_ORDER == __LITTLE_ENDIAN))
|
|
|
281364 |
+ return log_info_errno(-EUCLEAN,
|
|
|
281364 |
+ "Core file has non-native endianness, not adjusting permissions.");
|
|
|
281364 |
+
|
|
|
281364 |
+ if (elf[EI_CLASS] == ELFCLASS64)
|
|
|
281364 |
+ r = parse_auxv64((const uint64_t*) context->meta[CONTEXT_PROC_AUXV],
|
|
|
281364 |
+ context->meta_size[CONTEXT_PROC_AUXV],
|
|
|
281364 |
+ &at_secure, &uid, &euid, &gid, &egid);
|
|
|
281364 |
+ else
|
|
|
281364 |
+ r = parse_auxv32((const uint32_t*) context->meta[CONTEXT_PROC_AUXV],
|
|
|
281364 |
+ context->meta_size[CONTEXT_PROC_AUXV],
|
|
|
281364 |
+ &at_secure, &uid, &euid, &gid, &egid);
|
|
|
281364 |
+ if (r < 0)
|
|
|
281364 |
+ return r;
|
|
|
281364 |
+
|
|
|
281364 |
+ /* We allow access if we got all the data and at_secure is not set and
|
|
|
281364 |
+ * the uid/gid matches euid/egid. */
|
|
|
281364 |
+ bool ret =
|
|
|
281364 |
+ at_secure == 0 &&
|
|
|
281364 |
+ uid != UID_INVALID && euid != UID_INVALID && uid == euid &&
|
|
|
281364 |
+ gid != GID_INVALID && egid != GID_INVALID && gid == egid;
|
|
|
281364 |
+ log_debug("Will %s access (uid="UID_FMT " euid="UID_FMT " gid="GID_FMT " egid="GID_FMT " at_secure=%s)",
|
|
|
281364 |
+ ret ? "permit" : "restrict",
|
|
|
281364 |
+ uid, euid, gid, egid, yes_no(at_secure));
|
|
|
281364 |
+ return ret;
|
|
|
281364 |
+}
|
|
|
281364 |
+
|
|
|
281364 |
static int save_external_coredump(
|
|
|
281364 |
const Context *context,
|
|
|
281364 |
int input_fd,
|
|
|
281364 |
@@ -395,6 +551,8 @@ static int save_external_coredump(
|
|
|
281364 |
goto fail;
|
|
|
281364 |
}
|
|
|
281364 |
|
|
|
281364 |
+ bool allow_user = grant_user_access(fd, context) > 0;
|
|
|
281364 |
+
|
|
|
281364 |
#if HAVE_XZ || HAVE_LZ4
|
|
|
281364 |
/* If we will remove the coredump anyway, do not compress. */
|
|
|
281364 |
if (arg_compress && !maybe_remove_external_coredump(NULL, st.st_size)) {
|
|
|
281364 |
@@ -420,7 +578,7 @@ static int save_external_coredump(
|
|
|
281364 |
goto fail_compressed;
|
|
|
281364 |
}
|
|
|
281364 |
|
|
|
281364 |
- r = fix_permissions(fd_compressed, tmp_compressed, fn_compressed, context, uid);
|
|
|
281364 |
+ r = fix_permissions(fd_compressed, tmp_compressed, fn_compressed, context, uid, allow_user);
|
|
|
281364 |
if (r < 0)
|
|
|
281364 |
goto fail_compressed;
|
|
|
281364 |
|
|
|
281364 |
@@ -443,7 +601,7 @@ static int save_external_coredump(
|
|
|
281364 |
uncompressed:
|
|
|
281364 |
#endif
|
|
|
281364 |
|
|
|
281364 |
- r = fix_permissions(fd, tmp, fn, context, uid);
|
|
|
281364 |
+ r = fix_permissions(fd, tmp, fn, context, uid, allow_user);
|
|
|
281364 |
if (r < 0)
|
|
|
281364 |
goto fail;
|
|
|
281364 |
|
|
|
281364 |
@@ -842,6 +1000,7 @@ static void map_context_fields(const struct iovec *iovec, Context *context) {
|
|
|
281364 |
[CONTEXT_HOSTNAME] = "COREDUMP_HOSTNAME=",
|
|
|
281364 |
[CONTEXT_COMM] = "COREDUMP_COMM=",
|
|
|
281364 |
[CONTEXT_EXE] = "COREDUMP_EXE=",
|
|
|
281364 |
+ [CONTEXT_PROC_AUXV] = "COREDUMP_PROC_AUXV=",
|
|
|
281364 |
};
|
|
|
281364 |
|
|
|
281364 |
unsigned i;
|
|
|
281364 |
@@ -862,6 +1021,7 @@ static void map_context_fields(const struct iovec *iovec, Context *context) {
|
|
|
281364 |
/* Note that these strings are NUL terminated, because we made sure that a trailing NUL byte is in the
|
|
|
281364 |
* buffer, though not included in the iov_len count. (see below) */
|
|
|
281364 |
context->meta[i] = p;
|
|
|
281364 |
+ context->meta_size[i] = iovec->iov_len - strlen(context_field_names[i]);
|
|
|
281364 |
break;
|
|
|
281364 |
}
|
|
|
281364 |
}
|
|
|
281364 |
@@ -1070,7 +1230,7 @@ static int gather_pid_metadata(
|
|
|
281364 |
char **comm_fallback,
|
|
|
281364 |
struct iovec *iovec, size_t *n_iovec) {
|
|
|
281364 |
|
|
|
281364 |
- /* We need 27 empty slots in iovec!
|
|
|
281364 |
+ /* We need 28 empty slots in iovec!
|
|
|
281364 |
*
|
|
|
281364 |
* Note that if we fail on oom later on, we do not roll-back changes to the iovec structure. (It remains valid,
|
|
|
281364 |
* with the first n_iovec fields initialized.) */
|
|
|
281364 |
@@ -1078,6 +1238,7 @@ static int gather_pid_metadata(
|
|
|
281364 |
uid_t owner_uid;
|
|
|
281364 |
pid_t pid;
|
|
|
281364 |
char *t;
|
|
|
281364 |
+ size_t size;
|
|
|
281364 |
const char *p;
|
|
|
281364 |
int r, signo;
|
|
|
281364 |
|
|
|
281364 |
@@ -1187,6 +1348,19 @@ static int gather_pid_metadata(
|
|
|
281364 |
if (read_full_file(p, &t, NULL) >=0)
|
|
|
281364 |
set_iovec_field_free(iovec, n_iovec, "COREDUMP_PROC_MOUNTINFO=", t);
|
|
|
281364 |
|
|
|
281364 |
+ /* We attach /proc/auxv here. ELF coredumps also contain a note for this (NT_AUXV), see elf(5). */
|
|
|
281364 |
+ p = procfs_file_alloca(pid, "auxv");
|
|
|
281364 |
+ if (read_full_file(p, &t, &size) >= 0) {
|
|
|
281364 |
+ char *buf = malloc(strlen("COREDUMP_PROC_AUXV=") + size + 1);
|
|
|
281364 |
+ if (buf) {
|
|
|
281364 |
+ /* Add a dummy terminator to make save_context() happy. */
|
|
|
281364 |
+ *((uint8_t*) mempcpy(stpcpy(buf, "COREDUMP_PROC_AUXV="), t, size)) = '\0';
|
|
|
281364 |
+ iovec[(*n_iovec)++] = IOVEC_MAKE(buf, size + strlen("COREDUMP_PROC_AUXV="));
|
|
|
281364 |
+ }
|
|
|
281364 |
+
|
|
|
281364 |
+ free(t);
|
|
|
281364 |
+ }
|
|
|
281364 |
+
|
|
|
281364 |
if (get_process_cwd(pid, &t) >= 0)
|
|
|
281364 |
set_iovec_field_free(iovec, n_iovec, "COREDUMP_CWD=", t);
|
|
|
281364 |
|
|
|
281364 |
@@ -1219,7 +1393,7 @@ static int gather_pid_metadata(
|
|
|
281364 |
static int process_kernel(int argc, char* argv[]) {
|
|
|
281364 |
|
|
|
281364 |
Context context = {};
|
|
|
281364 |
- struct iovec iovec[29 + SUBMIT_COREDUMP_FIELDS];
|
|
|
281364 |
+ struct iovec iovec[30 + SUBMIT_COREDUMP_FIELDS];
|
|
|
281364 |
size_t i, n_iovec, n_to_free = 0;
|
|
|
281364 |
int r;
|
|
|
281364 |
|