author | Benjamin Berg <benjamin.berg@intel.com> | 2025-06-02 16:00:52 +0300 |
---|---|---|
committer | Johannes Berg <johannes.berg@intel.com> | 2025-06-02 17:20:10 +0300 |
commit | e92e2552858142b60238b9828d802f128e4acccd (patch) | |
tree | 57e6a51acfc7397215131df99d1a67fc58d18349 /arch/um/include/shared | |
parent | beddc9fb1cb161e1bf779b180750b648ff9690c7 (diff) | |
download | linux-e92e2552858142b60238b9828d802f128e4acccd.tar.xz |
um: pass FD for memory operations when needed
Instead of always sharing the FDs with the userspace process, only hand
over the FDs needed for mmap when required. The idea is that userspace
might be able to force the stub into executing an mmap syscall, however,
it will not be able to manipulate the control flow sufficiently to have
access to an FD that would allow mapping arbitrary memory.
Security-wise, we need to be sure that only the expected syscalls are
executed after the kernel sends FDs through the socket. This is
currently not the case, as userspace can trivially jump to the
rt_sigreturn syscall instruction to execute any syscall that the stub is
permitted to do. With this, it can trick the kernel into sending the FD,
which in turn allows userspace to freely map any physical memory.
As such, this is currently *not* secure. However, in principle the
approach should be fine with a more strict SECCOMP filter and a careful
review of the stub control flow (as userspace can prepare a stack). With
some care, it is likely possible to extend the security model to SMP if
desired.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Link: https://patch.msgid.link/20250602130052.545733-8-benjamin@sipsolutions.net
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
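As an added illustration, not part of this patch or of UML's actual stub protocol: the program below was written for this page and uses a made-up request format (REQ_MMAP/REQ_NOOP, struct stub_req/stub_reply) and an unlinked temp file standing in for guest memory. It shows the pattern the commit message describes: the privileged side attaches a descriptor with SCM_RIGHTS only to the request that needs it, the stub is forked without inheriting that descriptor, and the stub closes the descriptor as soon as the one request is served, so nothing is left in its FD table for code that has hijacked the stub's control flow to reuse.

```c
#define _POSIX_C_SOURCE 200809L   /* mkstemp, pwrite, ftruncate under strict modes */
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <sys/wait.h>

/* Hypothetical request/reply format for this example; not UML's stub protocol. */
enum req_type { REQ_MMAP = 1, REQ_NOOP = 2 };
struct stub_req { int type; size_t len; };
struct stub_reply { int got_fd; int mapped_ok; };
#define MAGIC "hello"   /* constructed contents of the backing memory */

/* Privileged side: the FD rides along via SCM_RIGHTS only when the request needs it. */
static int send_req(int sock, const struct stub_req *req, int fd)
{
    struct iovec iov = { (void *)req, sizeof(*req) };
    char cbuf[CMSG_SPACE(sizeof(int))] = { 0 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1 };
    if (req->type == REQ_MMAP && fd >= 0) {
        msg.msg_control = cbuf; msg.msg_controllen = sizeof(cbuf);
        struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg);
        cmsg->cmsg_level = SOL_SOCKET; cmsg->cmsg_type = SCM_RIGHTS;
        cmsg->cmsg_len = CMSG_LEN(sizeof(int));
        memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
    }
    return sendmsg(sock, &msg, 0) == (ssize_t)sizeof(*req) ? 0 : -1;
}

/* Stub side: *fd becomes the passed descriptor, or -1 if none was attached. */
static int recv_req(int sock, struct stub_req *req, int *fd)
{
    struct iovec iov = { req, sizeof(*req) };
    char cbuf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof(cbuf) };
    *fd = -1;
    if (recvmsg(sock, &msg, 0) != (ssize_t)sizeof(*req))
        return -1;
    struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg);   /* NULL when no FD came along */
    if (cmsg && cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_RIGHTS &&
        cmsg->cmsg_len == CMSG_LEN(sizeof(int)))
        memcpy(fd, CMSG_DATA(cmsg), sizeof(int));
    return 0;
}

/* Stub process: a passed FD exists here only while its request is being served. */
static void stub_main(int sock)
{
    struct stub_req req; int fd;
    while (recv_req(sock, &req, &fd) == 0) {
        struct stub_reply rep = { fd >= 0, 0 };
        if (req.type == REQ_MMAP && fd >= 0) {
            char *p = mmap(NULL, req.len, PROT_READ, MAP_SHARED, fd, 0);
            if (p != MAP_FAILED) {
                rep.mapped_ok = memcmp(p, MAGIC, sizeof(MAGIC)) == 0;
                munmap(p, req.len);
            }
        }
        if (fd >= 0) close(fd);   /* drop the capability as soon as the request is done */
        if (send(sock, &rep, sizeof(rep), 0) != (ssize_t)sizeof(rep))
            break;
    }
    _exit(0);
}

/* Returns 0 when the mmap request arrived with a usable FD and the no-op request
 * arrived with none; -1 on any failure. */
int demo_fd_on_demand(void)
{
    char path[] = "/tmp/stub-demo-XXXXXX";      /* constructed backing file */
    const size_t len = 4096;
    struct stub_req req; struct stub_reply rm = { 0, 0 }, rn = { 1, 1 };
    int sv[2], fd, status, rc = -1;
    pid_t pid = -1;
    if ((fd = mkstemp(path)) < 0) return -1;
    unlink(path);
    if (ftruncate(fd, (off_t)len) < 0 || pwrite(fd, MAGIC, sizeof(MAGIC), 0) < 0 ||
        socketpair(AF_UNIX, SOCK_SEQPACKET, 0, sv) < 0 || (pid = fork()) < 0) {
        close(fd); return -1;
    }
    if (pid == 0) {               /* stub process: it never inherits the memory FD */
        close(sv[0]); close(fd);
        stub_main(sv[1]);         /* does not return */
    }
    close(sv[1]);
    req.type = REQ_MMAP; req.len = len;           /* needs memory: FD attached */
    if (send_req(sv[0], &req, fd) == 0) recv(sv[0], &rm, sizeof(rm), 0);
    req.type = REQ_NOOP; req.len = 0;             /* same fd argument, but not attached */
    if (send_req(sv[0], &req, fd) == 0) recv(sv[0], &rn, sizeof(rn), 0);
    if (rm.got_fd && rm.mapped_ok && !rn.got_fd && !rn.mapped_ok)
        rc = 0;
    close(sv[0]); waitpid(pid, &status, 0); close(fd);
    return rc;
}

int main(void) { return demo_fd_on_demand() != 0; }
```

The second request is sent with the same fd argument, but send_req() attaches nothing because the request type does not call for it, and the stub's reply records that no descriptor arrived. Note that this only demonstrates the "hand over when needed" half of the commit message; it does nothing about the other half, namely a seccomp filter and a control flow that prevent the stub from being steered into issuing the request itself.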
Diffstat (limited to 'arch/um/include/shared')
-rw-r--r-- | arch/um/include/shared/skas/mm_id.h | 7 | ||||
-rw-r--r-- | arch/um/include/shared/skas/stub-data.h | 1 |
2 files changed, 8 insertions, 0 deletions
diff --git a/arch/um/include/shared/skas/mm_id.h b/arch/um/include/shared/skas/mm_id.h index 0654c57bb28e..89df9a55fbea 100644 --- a/arch/um/include/shared/skas/mm_id.h +++ b/arch/um/include/shared/skas/mm_id.h @@ -6,10 +6,17 @@ #ifndef __MM_ID_H #define __MM_ID_H +#define STUB_MAX_FDS 4 + struct mm_id { int pid; unsigned long stack; int syscall_data_len; + + /* Only used with SECCOMP mode */ + int sock; + int syscall_fd_num; + int syscall_fd_map[STUB_MAX_FDS]; }; void __switch_mm(struct mm_id *mm_idp); diff --git a/arch/um/include/shared/skas/stub-data.h b/arch/um/include/shared/skas/stub-data.h index 675f1a0a1390..c261a77a32f6 100644 --- a/arch/um/include/shared/skas/stub-data.h +++ b/arch/um/include/shared/skas/stub-data.h @@ -12,6 +12,7 @@ #include <as-layout.h> #include <sysdep/tls.h> #include <sysdep/stub-data.h> +#include <mm_id.h> #define FUTEX_IN_CHILD 0 #define FUTEX_IN_KERN 1 |
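Review bot: in the `struct mm_id` hunk, the new `sock`, `syscall_fd_num` and `syscall_fd_map[STUB_MAX_FDS]` fields share the single comment `/* Only used with SECCOMP mode */`, which does not say what the map holds (whose descriptor numbers, and whether `syscall_fd_num` is the count of valid entries in `syscall_fd_map`) or what `sock` is set to when SECCOMP mode is not in use; a zero-initialised `int sock` is indistinguishable from a valid descriptor 0. A one-line comment per field, and an explicit invalid value such as -1 for `sock` in the non-SECCOMP case, would make the contract readable from the header alone.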
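Review bot: the `#include <mm_id.h>` added to stub-data.h pulls the kernel-side `struct mm_id` and the `__switch_mm()` prototype into every unit that includes the stub header, but nothing in the hunk shows what stub-data.h needs from it. If the stub only needs the `STUB_MAX_FDS` bound, defining that macro in stub-data.h (or a small shared header) and including it from mm_id.h would avoid the stub depending on the kernel-side structure; if more of mm_id.h is required, the commit message should say so.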