oss-sec mailing list archives

Re: CVE request: kernel: /sys/kernel/debug/acpi/custom_method can bypass module restrictions

From: Vasiliy Kulikov <segoon () openwall com>
Date: Fri, 25 Feb 2011 15:10:10 +0300

Kees,

On Thu, Feb 24, 2011 at 16:32 -0800, Kees Cook wrote:

Having a system with acpi and debugfs built into the kernel allows
a uid=0 user (without capabilities, e.g. in containers)


Does it fit into any current security model?  I mean that containers of
vanilla kernel are not fully restricted, neither sysfs or procfs differ
much in different namespaces.  If one may locate one sysfs file it may
locate all of them (chrooting into /sys is rather pointless :-D); with
sysfs one may change many hardware setting, they are driver-dependend,
but still very sensitive.  With /proc/sys/ one (inside of namespace
constainer) may change sysctl settings.  I suppose that it is not hard
to gain full root in such situation even without any bugs in sysfs file
read/write implementations (I didn't tried it, though).

UID 0 without capabilities has not been made really unprivileged yet.
It makes sense only within namespace container without any virtual
filesystem which handles permissions with uid/gid checks (not CAP_*).
But this is rather strange.


Thanks,

-- 
Vasiliy

Current thread:

CVE request: kernel: /sys/kernel/debug/acpi/custom_method can bypass module restrictions Kees Cook (Feb 24)
- Re: CVE request: kernel: /sys/kernel/debug/acpi/custom_method can bypass module restrictions Eugene Teo (Feb 24)
- Re: CVE request: kernel: /sys/kernel/debug/acpi/custom_method can bypass module restrictions Vasiliy Kulikov (Feb 25)
  - Re: CVE request: kernel: /sys/kernel/debug/acpi/custom_method can bypass module restrictions Kees Cook (Feb 25)