61 lines
2.3 KiB
Diff
61 lines
2.3 KiB
Diff
commit e75e70e736ea53078eaa9fd36a5f7186e3e2235c
|
|
Author: Josh Stone <jistone@redhat.com>
|
|
Date: Fri Jun 24 14:21:26 2011 -0700
|
|
|
|
rhbz716476: Don't allow path-based auth for uprobes
|
|
|
|
For users that are only members of stapusr, and not stapdev, we only
|
|
allow loading modules that are either signed with a trusted certificate
|
|
or located in controlled paths. For the script itself, that path is
|
|
/lib/modules/.../systemtap/, and for uprobes it is the runtime. When
|
|
this policy was first written, uprobes only ever came from the runtime
|
|
path, so the path check just returned 1 always.
|
|
|
|
Later, commit 474d17ad added an optional argument to staprun -u, to
|
|
allow the user to specify their own signed copy of uprobes to load.
|
|
Unfortunately, if presented with an unsigned module, that would still
|
|
fall back to the path check, which blissfully approved it anyway.
|
|
|
|
Our policy is now that stapusr can only load a signed uprobes.ko, so the
|
|
path check for uprobes now unconditionally returns 0.
|
|
|
|
diff --git a/runtime/staprun/staprun_funcs.c b/runtime/staprun/staprun_funcs.c
|
|
index 74eef9c..82754d4 100644
|
|
--- a/runtime/staprun/staprun_funcs.c
|
|
+++ b/runtime/staprun/staprun_funcs.c
|
|
@@ -387,8 +387,10 @@ check_stap_module_path(const char *module_path, int module_fd)
|
|
}
|
|
|
|
/*
|
|
- * Members of the 'stapusr' group can load the uprobes module freely,
|
|
- * since it is loaded from a fixed path in the installed runtime.
|
|
+ * Don't allow path-based authorization for the uprobes module at all.
|
|
+ * Members of the 'stapusr' group can load a signed uprobes module, but
|
|
+ * nothing else. Later we could consider allowing specific paths, like
|
|
+ * the installed runtime or /lib/modules/...
|
|
*
|
|
* Returns: -1 on errors, 0 on failure, 1 on success.
|
|
*/
|
|
@@ -398,7 +400,7 @@ check_uprobes_module_path (
|
|
int module_fd __attribute__ ((unused))
|
|
)
|
|
{
|
|
- return 1;
|
|
+ return 0;
|
|
}
|
|
|
|
/*
|
|
@@ -596,10 +598,8 @@ void assert_uprobes_module_permissions(
|
|
if (check_signature_rc == MODULE_ALTERED)
|
|
exit(-1);
|
|
#else
|
|
- /* If we don't have NSS, then the uprobes module is considered trusted.
|
|
- Otherwise a member of the group 'stapusr' will not be able to load it.
|
|
- */
|
|
- check_signature_rc = MODULE_OK;
|
|
+ /* If we don't have NSS, the uprobes module is considered untrusted. */
|
|
+ check_signature_rc = MODULE_UNTRUSTED;
|
|
#endif
|
|
|
|
/* root can still load this module. */
|