oss-sec mailing list archives
Re: CVE request: kernel: /sys/kernel/debug/acpi/custom_method can bypass module restrictions
From: Vasiliy Kulikov <segoon () openwall com>
Date: Fri, 25 Feb 2011 15:10:10 +0300
Kees,

On Thu, Feb 24, 2011 at 16:32 -0800, Kees Cook wrote:
> Having a system with acpi and debugfs built into the kernel allows a uid=0 user (without capabilities, e.g. in containers)

Does it fit into any current security model? I mean that containers of the vanilla kernel are not fully restricted; neither sysfs nor procfs differs much in different namespaces. If one may locate one sysfs file, one may locate all of them (chrooting into /sys is rather pointless :-D); with sysfs one may change many hardware settings, which are driver-dependent, but still very sensitive. With /proc/sys/ one (inside a namespace container) may change sysctl settings. I suppose that it is not hard to gain full root in such a situation even without any bugs in sysfs file read/write implementations (I didn't try it, though).

UID 0 without capabilities has not been made really unprivileged yet. It makes sense only within a namespace container without any virtual filesystem which handles permissions with uid/gid checks (not CAP_*). But this is rather strange.

Thanks,

-- 
Vasiliy
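The point made in the reply above is that a uid/gid-based (DAC) permission check on a root-owned sysfs or debugfs node is satisfied by uid 0 alone, so dropping capabilities does not close it, whereas a check gated on a CAP_* bit would. The following is an added illustration, not code from the thread, the kernel or any project mentioned on this page. It reads the effective capability set from /proc/self/status, applies a deliberately simplified owner/group/other write check of the kind a uid/gid-based virtual filesystem performs (real kernel permission checks also consult CAP_DAC_OVERRIDE, ACLs and LSM hooks, which are omitted here), and contrasts it with a hypothetical check that requires CAP_SYS_RAWIO. The CAP_SYS_RAWIO bit index is defined locally so the file builds without kernel headers; the file owner, group and mode of the modelled node are constructed values.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Bit index of CAP_SYS_RAWIO, matching the value in linux/capability.h
 * (defined locally so this builds without kernel headers). */
#define CAP_SYS_RAWIO_BIT 17

/* Parse the "CapEff:" line out of the text of /proc/self/status.
 * Returns the effective capability bitmask, or 0 if the line is absent. */
uint64_t parse_cap_eff(const char *status_text)
{
    const char *p = strstr(status_text, "CapEff:");
    if (p == NULL)
        return 0;
    return (uint64_t)strtoull(p + strlen("CapEff:"), NULL, 16);
}

/* True if capability number `bit` is present in the bitmask. */
int cap_is_set(uint64_t caps, int bit)
{
    return (int)((caps >> bit) & 1ULL);
}

/* Simplified discretionary (uid/gid/mode) write check: choose the owner,
 * group or other triplet by identity and look at its write bit.
 * Capabilities play no part, so a uid-0 caller passes on any root-owned
 * node that is writable by its owner, capabilities or not. */
int dac_write_allowed(uid_t uid, gid_t gid, uid_t f_uid, gid_t f_gid, mode_t mode)
{
    if (uid == f_uid)
        return (mode & S_IWUSR) != 0;
    if (gid == f_gid)
        return (mode & S_IWGRP) != 0;
    return (mode & S_IWOTH) != 0;
}

/* Hypothetical capability-gated write check: permit only if the caller
 * holds CAP_SYS_RAWIO in its effective set, regardless of uid. */
int cap_gated_write_allowed(uint64_t caps)
{
    return cap_is_set(caps, CAP_SYS_RAWIO_BIT);
}

/* Read /proc/self/status into buf; returns bytes read, or -1 on failure. */
static long read_self_status(char *buf, size_t len)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, len - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (long)n;
}

int main(void)
{
    char status[8192];
    uint64_t caps = 0;

    if (read_self_status(status, sizeof status) > 0)
        caps = parse_cap_eff(status);

    /* Constructed model of a root-owned, owner-writable debugfs node (mode 0200). */
    uid_t f_uid = 0;
    gid_t f_gid = 0;
    mode_t mode = S_IWUSR;

    printf("uid=%u CapEff=%016llx\n", (unsigned)getuid(), (unsigned long long)caps);
    printf("uid/gid (DAC) check on root-owned 0200 node: %s\n",
           dac_write_allowed(getuid(), getgid(), f_uid, f_gid, mode) ? "allowed" : "denied");
    printf("CAP_SYS_RAWIO-gated check: %s\n",
           cap_gated_write_allowed(caps) ? "allowed" : "denied");
    return 0;
}
```

Run it once as plain root and once as uid 0 with an empty capability bounding set (for example under a container runtime that drops all capabilities): the DAC line stays "allowed" in both runs, while the capability-gated line flips to "denied" in the second, which is exactly the asymmetry the reply describes.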
Current thread:
- CVE request: kernel: /sys/kernel/debug/acpi/custom_method can bypass module restrictions Kees Cook (Feb 24)
- Re: CVE request: kernel: /sys/kernel/debug/acpi/custom_method can bypass module restrictions Eugene Teo (Feb 24)
- Re: CVE request: kernel: /sys/kernel/debug/acpi/custom_method can bypass module restrictions Vasiliy Kulikov (Feb 25)