implement STATIC_USERMODEHELPER in newer kernels
Issue description

linux-4.14+ supports STATIC_USERMODEHELPER which allows us to filter every program that the kernel tries to run. this would allow us to lock it to a path like /sbin/usermode-helper, and then that custom program of ours would verify everything else (like /proc/sys/kernel/hotplug and /proc/sys/kernel/core_pattern). so even if someone managed to write a bad path to those, our usermode-helper would reject it out of hand. not sure how easy it is to backport this to older kernels, but we should take a look once it's deployed in 4.14+.
Dec 18
Jan 4
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/d376f60be8a0a1ddbfd858cb59524c4b82645702

commit d376f60be8a0a1ddbfd858cb59524c4b82645702
Author: Mike Frysinger <vapier@chromium.org>
Date: Fri Jan 04 10:09:06 2019

init: new usermode-helper

This filters all upcalls the kernel makes to userspace. This way we can catch & reject all attempts to subvert configs that spawn calls as the root user.

For now we trigger crash reports when the program is unknown but we don't block it. This way we can get feedback from the field before we start blocking it for real.

BUG=chromium:915974
TEST=unittests & precq pass
TEST=booting a system with everything (inc kernel) enabled works & no crashes in /var/spool/crash

Change-Id: I2563b3b992780a024d8a853b4e02b84993eabc0c
Reviewed-on: https://chromium-review.googlesource.com/1381653
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Allen Webb <allenwebb@google.com>

[modify] https://crrev.com/d376f60be8a0a1ddbfd858cb59524c4b82645702/init/BUILD.gn
[add] https://crrev.com/d376f60be8a0a1ddbfd858cb59524c4b82645702/init/usermode-helper.h
[add] https://crrev.com/d376f60be8a0a1ddbfd858cb59524c4b82645702/init/usermode-helper_test.cc
[add] https://crrev.com/d376f60be8a0a1ddbfd858cb59524c4b82645702/init/usermode-helper_lib.cc
[add] https://crrev.com/d376f60be8a0a1ddbfd858cb59524c4b82645702/init/usermode-helper.cc
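
Added example, not the ChromeOS usermode-helper source and not part of the original thread: a skeleton of the filter described in the issue and in the commit above, including the report-only rollout. With STATIC_USERMODEHELPER the kernel runs the one configured binary and passes the originally requested program as argv[0]; the allowlist entries, the `enforce` switch and the use of syslog in place of crash reports are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

enum verdict { V_ALLOW, V_REPORT_ONLY, V_DENY };

/* Hypothetical allowlist: a real one names exactly the helpers the image ships. */
static const char *const kAllowed[] = {
    "/sbin/modprobe",
    "/sbin/crash_reporter",
};

/* Exact match only: no prefixes, no relative paths, no ".." components. */
static int is_allowed(const char *path) {
    if (path == NULL || path[0] != '/' || strstr(path, "..") != NULL)
        return 0;
    for (size_t i = 0; i < sizeof(kAllowed) / sizeof(kAllowed[0]); i++)
        if (strcmp(path, kAllowed[i]) == 0)
            return 1;
    return 0;
}

/* enforce == 0 models the rollout phase: report unknown programs, do not block. */
enum verdict decide(const char *requested, int enforce) {
    if (is_allowed(requested))
        return V_ALLOW;
    return enforce ? V_DENY : V_REPORT_ONLY;
}

int main(int argc, char *argv[]) {
    const int enforce = 0;  /* assumed build-time switch, report-only here */
    const char *requested = argc > 0 ? argv[0] : NULL;
    enum verdict v = decide(requested, enforce);

    if (v != V_ALLOW) {
        openlog("usermode-helper", LOG_PID, LOG_AUTH);
        syslog(LOG_ERR, "unexpected kernel upcall: %s",
               requested ? requested : "(null)");
        closelog();
    }
    if (v == V_DENY || requested == NULL)
        return 1;
    execv(requested, argv);  /* hand off to the real helper */
    return 127;              /* only reached if execv failed */
}
```

Because the decision is made on the path the kernel hands over, a bad value written to /proc/sys/kernel/core_pattern or /proc/sys/kernel/hotplug shows up here as an unknown argv[0] and is logged (or refused once `enforce` is set).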
Jan 4
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/584c61226455daabb9153643df25bb5d478d08c5

commit 584c61226455daabb9153643df25bb5d478d08c5
Author: Mike Frysinger <vapier@chromium.org>
Date: Fri Jan 04 17:08:06 2019

chromeos-init: install new usermode-helper

BUG=chromium:915974
TEST=unittests pass
CQ-DEPEND=CL:1381653

Change-Id: I5b2538ccb478ad4e0dd537c680e47f4ef814027d
Reviewed-on: https://chromium-review.googlesource.com/1381674
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/584c61226455daabb9153643df25bb5d478d08c5/chromeos-base/chromeos-init/chromeos-init-9999.ebuild
Jan 14
Mike appears to be working on this already :-p
Comment 1 by vapier@chromium.org, Dec 18