From patchwork Wed Apr 2 15:43:58 2014
X-Patchwork-Submitter: Daniel Thompson
X-Patchwork-Id: 27641
From: Daniel Thompson
To: kgdb-bugreport@lists.sourceforge.net, Jason Wessel
Cc: patches@linaro.org, linaro-kernel@lists.linaro.org, Anton Vorontsov, linux-kernel@vger.kernel.org, Greg Kroah-Hartman, Jiri Slaby, Steven Rostedt, Frederic Weisbecker, Ingo Molnar, John Stultz, Colin Cross, kernel-team@android.com, Daniel Thompson
Subject: [RFC v2 08/10] kdb: Add kiosk mode
Date: Wed, 2 Apr 2014 16:43:58 +0100
Message-Id: <1396453440-16445-9-git-send-email-daniel.thompson@linaro.org>
X-Mailer: git-send-email 1.9.0
In-Reply-To: <1396453440-16445-1-git-send-email-daniel.thompson@linaro.org>
References: <1396453440-16445-1-git-send-email-daniel.thompson@linaro.org>
From: Anton Vorontsov

By issuing 'echo 1 > /sys/module/kdb/parameters/kiosk' or booting with
kdb.kiosk=1 kernel command line option, one can still have a somewhat
usable debugging facility, but not fearing that the debugger can be
used to easily gain root access or dump sensitive data.

Without the kiosk mode, obtaining the root rights via KDB is a matter
of a few commands, and works everywhere. For example, log in as a
normal user:

cbou:~$ id
uid=1001(cbou) gid=1001(cbou) groups=1001(cbou)

Now enter KDB (for example via sysrq):

Entering kdb (current=0xffff8800065bc740, pid 920) due to Keyboard Entry
kdb> ps
23 sleeping system daemon (state M) processes suppressed,
use 'ps A' to see all.
Task Addr            Pid   Parent [*] cpu State Thread             Command
0xffff8800065bc740   920   919    1   0   R     0xffff8800065bca20 *bash
0xffff880007078000     1     0    0   0   S     0xffff8800070782e0  init
[...snip...]
0xffff8800065be3c0   918     1    0   0   S     0xffff8800065be6a0  getty
0xffff8800065b9c80   919     1    0   0   S     0xffff8800065b9f60  login
0xffff8800065bc740   920   919    1   0   R     0xffff8800065bca20 *bash

All we need is the offset of cred pointers. We can look up the offset
in the distro's kernel source, but it is unnecessary. We can just start
dumping init's task_struct, until we see the process name:

kdb> md 0xffff880007078000
0xffff880007078000 0000000000000001 ffff88000703c000   ................
0xffff880007078010 0040210000000002 0000000000000000   .....!@.........
[...snip...]
0xffff8800070782b0 ffff8800073e0580 ffff8800073e0580   ..>.......>.....
0xffff8800070782c0 0000000074696e69 0000000000000000   init............
                                                        ^ Here, 'init'.

Creds are just above it, so the offset is 0x02b0. Now we set up init's
creds for our non-privileged shell:

kdb> mm 0xffff8800065bc740+0x02b0 0xffff8800073e0580
0xffff8800065bc9f0 = 0xffff8800073e0580
kdb> mm 0xffff8800065bc740+0x02b8 0xffff8800073e0580
0xffff8800065bc9f8 = 0xffff8800073e0580

And thus gaining the root:

kdb> go
cbou:~$ id
uid=0(root) gid=0(root) groups=0(root)
cbou:~$ bash
root:~#

p.s.
No distro enables kdb by default (although, with a nice KDB-over-KMS feature availability, I would expect at least some would enable it), so it's not actually some kind of a major issue. Signed-off-by: Anton Vorontsov Signed-off-by: John Stultz Signed-off-by: Daniel Thompson --- include/linux/kdb.h | 1 + kernel/debug/kdb/kdb_main.c | 31 ++++++++++++++++++++++++++++++- 2 files changed, 31 insertions(+), 1 deletion(-) diff --git a/include/linux/kdb.h b/include/linux/kdb.h index 784b22f..cc5ece9 100644 --- a/include/linux/kdb.h +++ b/include/linux/kdb.h @@ -63,6 +63,7 @@ extern atomic_t kdb_event; #define KDB_BADLENGTH (-19) #define KDB_NOBP (-20) #define KDB_BADADDR (-21) +#define KDB_NOPERM (-22) /* * kdb_diemsg diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c index 0205e4a..808bf55 100644 --- a/kernel/debug/kdb/kdb_main.c +++ b/kernel/debug/kdb/kdb_main.c @@ -12,6 +12,7 @@ */ #include +#include #include #include #include @@ -23,6 +24,7 @@ #include #include #include +#include #include #include #include @@ -42,6 +44,12 @@ #include #include "kdb_private.h" +#undef MODULE_PARAM_PREFIX +#define MODULE_PARAM_PREFIX "kdb." + +static bool kdb_kiosk; +module_param_named(kiosk, kdb_kiosk, bool, 0600); + #define GREP_LEN 256 char kdb_grep_string[GREP_LEN]; int kdb_grepping_flag; @@ -121,6 +129,7 @@ static kdbmsg_t kdbmsgs[] = { KDBMSG(BADLENGTH, "Invalid length field"), KDBMSG(NOBP, "No Breakpoint exists"), KDBMSG(BADADDR, "Invalid address"), + KDBMSG(NOPERM, "Permission denied"), }; #undef KDBMSG @@ -476,6 +485,14 @@ int kdbgetaddrarg(int argc, const char **argv, int *nextarg, kdb_symtab_t symtab; /* + * In kiosk mode there's no arbitrary memory access (only + * pre-canned status commands) thus no reasonable need for + * symbol lookup. + */ + if (kdb_kiosk) + return KDB_NOPERM; + + /* * Process arguments which follow the following syntax: * * symbol | numeric-address [+/- numeric-offset] 
@@ -1007,6 +1024,14 @@ int kdb_parse(const char *cmdstr) if (i < kdb_max_commands) { int result; + + if (kdb_kiosk) { + if (!(tp->cmd_flags & (KDB_SAFE | KDB_SAFE_NO_ARGS))) + return KDB_NOPERM; + if (tp->cmd_flags & KDB_SAFE_NO_ARGS && argc > 1) + return KDB_NOPERM; + } + KDB_STATE_SET(CMD); result = (*tp->cmd_func)(argc-1, (const char **)argv); if (result && ignore_errors && result > KDB_CMD_GO) @@ -1915,13 +1940,17 @@ static int kdb_rm(int argc, const char **argv) * kdb_sr - This function implements the 'sr' (SYSRQ key) command * which interfaces to the soi-disant MAGIC SYSRQ functionality. * sr + * + * Normally this command bypasses the SYSRQ enables tests, however + * when kiosk mode is engaged certain SYSRQ commands can be masked + * out. */ static int kdb_sr(int argc, const char **argv) { if (argc != 1) return KDB_ARGCOUNT; kdb_trap_printk++; - __handle_sysrq_nolock(*argv[1], false); + __handle_sysrq_nolock(*argv[1], kdb_kiosk); kdb_trap_printk--; return 0;
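Review bot: in the kdb_main.c hunk that adds 'module_param_named(kiosk, kdb_kiosk, bool, 0600)', the parameter is writable at runtime in both directions and neither it nor the 'MODULE_PARAM_PREFIX "kdb."' override is documented anywhere in the patch. Add a kdb.kiosk entry to Documentation/kernel-parameters.txt (the commit message already describes the boot-time form) and decide whether the mode should latch on once enabled rather than being clearable again from /sys/module/kdb/parameters/kiosk; if two-way toggling is intentional, say so in a comment above the declaration so the next reader does not treat it as an oversight.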
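Review bot: the early 'return KDB_NOPERM' added to kdbgetaddrarg() makes address parsing itself the backstop, so a command that kdb_parse() lets through as KDB_SAFE but which accepts an optional address argument will still fail in kiosk mode as soon as it tries to parse that argument; if that is the intended layering it deserves a sentence in the comment. The comment's phrase 'only pre-canned status commands' should also name the flags that define that set (KDB_SAFE / KDB_SAFE_NO_ARGS, checked in kdb_parse()) so the two gates are visibly tied together.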
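Review bot: the kdb_parse() gate relies on KDB_SAFE and KDB_SAFE_NO_ARGS, which this patch neither defines (the kdb.h hunk only adds KDB_NOPERM) nor sets on any command, so as posted every command is refused in kiosk mode until those flags arrive from another patch in the series; the commit message should point at that patch. Two smaller points: 'tp->cmd_flags & KDB_SAFE_NO_ARGS && argc > 1' is correct because '&' binds tighter than '&&', but kernel style is to parenthesise the bit test, i.e. 'if ((tp->cmd_flags & KDB_SAFE_NO_ARGS) && argc > 1)'; and because the check lives only in kdb_parse(), kiosk mode protects the kdb command front end and nothing that reaches the same debugger core without passing through this function, which is worth stating in the commit message so the scope of the protection is clear to anyone enabling it.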
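Review bot: in the kdb_sr() hunk, changing the second argument of __handle_sysrq_nolock() from 'false' to 'kdb_kiosk' does not mask anything on its own; going by the comment it only turns on the existing sysrq enable-mask test, so with a fully permissive sysrq setting kiosk mode still exposes every sysrq action through 'sr'. The new comment ('certain SYSRQ commands can be masked out') should say that the mask is the administrator's normal sysrq enable mask and that it must be restricted for this to have any effect, and 'bypasses the SYSRQ enables tests' should read 'bypasses the sysrq enable-mask test'. Note also that this path is only reachable in kiosk mode if 'sr' carries one of the KDB_SAFE flags, which nothing in this patch sets.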