Opened 5 months ago

Last modified 7 weeks ago

#14961 assigned bug

Audit all syscalls for permissions and access checks

Reported by: waddlesplash
Owned by: waddlesplash
Priority: blocker
Milestone: R1/beta2
Component: System/Kernel
Version: R1/Development
Keywords: security
Cc:
Blocked By:
Blocking:
Has a Patch: no
Platform: All

Description (last modified by waddlesplash)

Here's a full list of source files containing syscall implementations:

  • OK src/system/kernel/arch/arm/arch_atomic32.cpp
  • OK src/system/kernel/arch/arm/arch_atomic64.cpp
  • OK src/system/kernel/arch/m68k/arch_atomic.cpp
  • OK src/system/kernel/arch/x86/arch_system_info.cpp
  • OK src/system/kernel/arch/x86/syscalls_compat.cpp
  • OK src/system/kernel/debug/debug.cpp
  • OK src/system/kernel/debug/frame_buffer_console.cpp
  • OK src/system/kernel/debug/safemode_settings.cpp
  • OK src/system/kernel/debug/system_profiler.cpp
  • OK src/system/kernel/debug/tracing.cpp
  • OK src/system/kernel/debug/user_debugger.cpp
  • NEEDSWORK src/system/kernel/disk_device_manager/ddm_userland_interface.cpp
  • OK src/system/kernel/UserTimer.cpp
  • OK src/system/kernel/cpu.cpp
  • src/system/kernel/elf.cpp
  • src/system/kernel/fs/fd.cpp
  • src/system/kernel/fs/node_monitor.cpp
  • src/system/kernel/fs/socket.cpp
  • src/system/kernel/fs/vfs.cpp
  • src/system/kernel/image.cpp
  • src/system/kernel/locks/user_mutex.cpp
  • src/system/kernel/messaging/MessagingService.cpp
  • src/system/kernel/port.cpp
  • src/system/kernel/posix/realtime_sem.cpp
  • src/system/kernel/posix/xsi_message_queue.cpp
  • src/system/kernel/posix/xsi_semaphore.cpp
  • src/system/kernel/real_time_clock.cpp
  • src/system/kernel/scheduler/scheduler.cpp
  • src/system/kernel/scheduler/scheduling_analysis.cpp
  • src/system/kernel/sem.cpp
  • src/system/kernel/shutdown.cpp
  • src/system/kernel/signal.cpp
  • src/system/kernel/syscalls.cpp
  • src/system/kernel/system_info.cpp
  • src/system/kernel/team.cpp
  • src/system/kernel/thread.cpp
  • src/system/kernel/usergroup.cpp
  • src/system/kernel/vm/vm.cpp
  • src/system/kernel/wait_for_objects.cpp

Each and every one of these needs to be audited, namely:

  • All passed pointers are checked against IS_USER_ADDRESS (thanks to SMAP, largely already done)
  • All objects (e.g. FDs, areas, semaphores) manipulated by syscalls are checked that the calling team has access to manipulate them
  • Whatever other things I think of adding here...
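As an added illustration (not Haiku code and not from this ticket), a toy C syscall handler that applies the two checks listed above: an IS_USER_ADDRESS-style range check on every user pointer, covering the whole object rather than just its first byte, and a team-ownership check on the kernel object before anything is read or changed. The simulated user address space, the semaphore table, the error codes and the team ids are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed illustration, not Haiku kernel source. The caller's address
 * space is simulated by a static buffer; anything outside it is "kernel". */
#define B_OK            0
#define B_BAD_ADDRESS  (-1)
#define B_BAD_SEM_ID   (-2)
#define B_NOT_ALLOWED  (-3)

typedef int32_t team_id;
typedef int32_t sem_id;

static int32_t user_mem[64];      /* stands in for the calling team's memory */
static int32_t kernel_scratch;    /* kernel-side storage a caller must not reach */

/* IS_USER_ADDRESS-style check extended to the whole object: the start must be
 * in user space and the object must not run off the end of it. */
static bool is_user_address_range(const void* addr, size_t size)
{
    uintptr_t a = (uintptr_t)addr, lo = (uintptr_t)user_mem;
    return a >= lo && a - lo <= sizeof(user_mem)
        && size <= sizeof(user_mem) - (a - lo);
}

struct sem_entry { sem_id id; team_id owner; int32_t count; bool in_use; };
static struct sem_entry sem_table[] = {
    { 1, 100, 3, true },          /* constructed: sem 1 belongs to team 100 */
    { 2, 200, 7, true },          /* constructed: sem 2 belongs to team 200 */
};

static struct sem_entry* lookup_sem(sem_id id)
{
    for (size_t i = 0; i < sizeof(sem_table) / sizeof(sem_table[0]); i++)
        if (sem_table[i].in_use && sem_table[i].id == id)
            return &sem_table[i];
    return NULL;
}

/* Toy syscall: copy a semaphore's count to a user buffer. Check order matters:
 * validate the pointer before any copy, then confirm the calling team owns
 * the object before revealing or modifying anything about it. */
int32_t toy_get_sem_count(team_id caller, sem_id id, int32_t* user_out)
{
    if (!is_user_address_range(user_out, sizeof(*user_out)))
        return B_BAD_ADDRESS;            /* kernel pointer passed as user buffer */
    struct sem_entry* sem = lookup_sem(id);
    if (sem == NULL)
        return B_BAD_SEM_ID;
    if (sem->owner != caller)
        return B_NOT_ALLOWED;            /* object belongs to another team */
    memcpy(user_out, &sem->count, sizeof(*user_out)); /* stands in for user_memcpy */
    return B_OK;
}
```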

Change History (3)

comment:1 Changed 5 months ago by waddlesplash

Description: modified (diff)

Did the first pass on the first few files.

safemode_settings does not do any access checks; any application is allowed to read (not write, that can't be done via syscall) safemode settings. I think that's OK? Otherwise the file is fine.

system_profiler also does not seem to do permissions checks. I think that we expose quite a lot of information in that, so it should probably only allow root to run the profiler?

comment:2 Changed 5 months ago by waddlesplash

Just for the record: I already added thread syscall permissions checks in hrev52825~1, and the first level of VM area access checks in hrev52546~2.

comment:3 Changed 7 weeks ago by waddlesplash

Description: modified (diff)

A bunch more files done in hrev53233.
