a280d6dc77
There is a permission discrepancy when consulting shm ipc object metadata between /proc/sysvipc/sem (0444) and the SEM_STAT semctl command. The latter does permission checks for the object vs S_IRUGO. As such there can be cases where EACCES is returned via syscall but the info is displayed anyway in the procfs files.

While this might have security implications via info leaking (albeit no writing to the sma metadata), this behavior goes way back and showing all the objects regardless of the permissions was most likely an oversight - so we are stuck with it. Furthermore, modifying either the syscall or the procfs file can cause userspace programs to break (i.e. ipcs). Some applications require getting the procfs info (without root privileges) and can be rather slow in comparison with a syscall -- up to 500x in some reported cases for shm.

This patch introduces a new SEM_STAT_ANY command such that the sem ipc object permissions are ignored, and only audited instead. In addition, I've left the lsm security hook checks in place, as if some policy can block the call, then the user has no other choice than just parsing the procfs file.

Link: http://lkml.kernel.org/r/20180215162458.10059-3-dave@stgolabs.net
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Reported-by: Robert Kettler <robert.kettler@outlook.com>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: Michal Hocko <mhocko@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
#ifndef _UAPI_LINUX_SEM_H
#define _UAPI_LINUX_SEM_H
#include <linux/ipc.h>
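/*
 * semop flags
 *
 * Presumably carried in sembuf.sem_flg ("operation flags") - confirm
 * against the semop() implementation.
 */
#define SEM_UNDO        0x1000  /* undo the operation on exit */

/*
 * semctl Command Definitions.
 *
 * This is a UAPI header, so these numbers are visible to userspace and
 * must not be renumbered.
 */
#define GETPID  11       /* get sempid */
#define GETVAL  12       /* get semval */
#define GETALL  13       /* get all semval's */
#define GETNCNT 14       /* get semncnt */
#define GETZCNT 15       /* get semzcnt */
#define SETVAL  16       /* set semval */
#define SETALL  17       /* set all semval's */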
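/*
 * ipcs ctl cmds
 *
 * SEM_STAT checks the caller's read permission on the object (vs S_IRUGO)
 * and can fail with EACCES.
 *
 * SEM_STAT_ANY ignores the sem ipc object permissions; the access is only
 * audited.  The LSM security hook checks are still performed, so a security
 * policy remains the way to block it.  The same metadata is already readable
 * by every user through /proc/sysvipc/sem (mode 0444), which is why the
 * permission bits on a semaphore set must not be relied on to hide its
 * metadata.
 */
#define SEM_STAT 18
#define SEM_INFO 19
#define SEM_STAT_ANY 20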
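/*
 * Obsolete, used only for backwards compatibility and libc5 compiles.
 *
 * NOTE(review): several members are pointers to kernel-internal types
 * (struct sem, struct sem_queue, struct sem_undo).  Confirm that every path
 * copying this structure out to userspace leaves them cleared rather than
 * filled with kernel addresses.
 */
struct semid_ds {
	struct ipc_perm	sem_perm;		/* permissions .. see ipc.h */
	__kernel_time_t	sem_otime;		/* last semop time */
	__kernel_time_t	sem_ctime;		/* create/last semctl() time */
	struct sem	*sem_base;		/* ptr to first semaphore in array */
	struct sem_queue *sem_pending;		/* pending operations to be processed */
	struct sem_queue **sem_pending_last;	/* last pending operation */
	struct sem_undo	*undo;			/* undo requests on this array */
	unsigned short	sem_nsems;		/* no. of semaphores in array */
};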
/* Include the definition of semid64_ds */
#include <asm/sembuf.h>
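/*
 * semop system calls takes an array of these.
 *
 * Every field is supplied by the caller.  sem_num in particular is an index
 * chosen by userspace, so the consumer has to range-check it against the
 * number of semaphores in the set before using it.
 */
struct sembuf {
	unsigned short	sem_num;	/* semaphore index in array */
	short		sem_op;		/* semaphore operation (signed) */
	short		sem_flg;	/* operation flags */
};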
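/*
 * arg for semctl system calls.
 *
 * Which member is meaningful depends on the semctl command; the per-member
 * comments name the commands.  The pointer members are annotated __user:
 * they hold addresses supplied by userspace and must only be accessed
 * through the user-copy helpers, never dereferenced directly.
 */
union semun {
	int val;			/* value for SETVAL */
	struct semid_ds __user *buf;	/* buffer for IPC_STAT & IPC_SET */
	unsigned short __user *array;	/* array for GETALL & SETALL */
	struct seminfo __user *__buf;	/* buffer for IPC_INFO */
	void __user *__pad;		/* presumably padding only - confirm */
};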
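/*
 * Buffer type used by union semun's __buf member ("buffer for IPC_INFO").
 *
 * The field names mirror the SEM* limit macros in this header (semmni vs
 * SEMMNI, semmsl vs SEMMSL, ...); presumably each field reports the
 * corresponding limit - confirm against the kernel's semctl handler.
 */
struct seminfo {
	int semmap;
	int semmni;
	int semmns;
	int semmnu;
	int semmsl;
	int semopm;
	int semume;
	int semusz;
	int semvmx;
	int semaem;
};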
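/*
 * SEMMNI, SEMMSL and SEMMNS are default values which can be
 * modified by sysctl.
 * The values have been chosen to be larger than necessary for any
 * known configuration.
 *
 * SEMOPM should not be increased beyond 1000, otherwise there is the
 * risk that semop()/semtimedop() fails due to kernel memory fragmentation when
 * allocating the sop array.
 */

#define SEMMNI  32000           /* <= IPCMNI  max # of semaphore identifiers */
#define SEMMSL  32000           /* <= INT_MAX max num of semaphores per id */
/* 32000 * 32000 = 1,024,000,000, so the int product stays below INT_MAX. */
#define SEMMNS  (SEMMNI*SEMMSL) /* <= INT_MAX max # of semaphores in system */
#define SEMOPM  500	        /* <= 1 000 max num of ops per semop call */
#define SEMVMX  32767           /* <= 32767 semaphore maximum value */
#define SEMAEM  SEMVMX          /* adjust on exit max value */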
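/*
 * unused
 *
 * Kept as exported names; SEMUME, SEMMNU and SEMMAP are aliases of the
 * limits defined above.
 */
#define SEMUME  SEMOPM          /* max num of undo entries per process */
#define SEMMNU  SEMMNS          /* num of undo structures system wide */
#define SEMMAP  SEMMNS          /* # of entries in semaphore map */
#define SEMUSZ  20		/* sizeof struct sem_undo */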
#endif /* _UAPI_LINUX_SEM_H */