fs/proc: add mask_secrets to prevent sensitive information leakage.

There are about 17000+ packages exists on centos. After investigation on 10000+ pacakges, About 200+ commands support passing plain(or encrypted) passwords through command line arguments. Those sensitive information are exposed through a global readable interface: /proc/$pid/cmdline. To prevent the leakcage, adding mask_secrets procfs entry will hook the get_mm_cmdline()'s output and mask sensitive fields in /proc/$pid/cmdline using repeating 'Z's. Signed-off-by: zhanglin <zhang.lin16@zte.com.cn>
intel-lab-lkp · May 9, 2022 · f8d1c42 · f8d1c42
1 parent c5eb0a6
commit f8d1c42
Show file tree

Hide file tree

Showing 4 changed files with 624 additions and 0 deletions.
diff --git a/fs/proc/Kconfig b/fs/proc/Kconfig
@@ -107,3 +107,23 @@ config PROC_PID_ARCH_STATUS
 config PROC_CPU_RESCTRL
 	def_bool n
 	depends on PROC_FS
+
+config PROC_MASK_SECRETS
+	bool "mask secret fields in process cmdline"
+	default n
+	help
+	  mask secret fields in process cmdline to prevent sensitive information
+	  leakage. Enable this feature, credentials including username, passwords
+	  will be masked with repeating 'Z'. "ZZZZZZ..." but no real sensitive
+	  information will appear in /proc/$pid/cmdline. for example: useradd -rp
+	  ZZZZZZ will appear in /proc/$pid/cmdline instead iif you run 'echo 1 >
+	  /proc/mask_secrets/enabled && echo "+/usr/sbin/useradd:-p:--password" >
+	  /proc/mask_secrets/cmdtab'.
+
+	  Say Y if you want to enable this feature.
+	  Enable/Disable: echo 1/0 > /proc/mask_secrets/enabled.
+	  Add masking rules: echo '+${command}:--${secret_opt1}:-${secret_opt2}:...
+	  ' > /proc/mask_secrets/cmdtab.
+	  Remove masking rules: echo '-${command}' > /proc/mask_secrets/cmdtab.
+	  Commands must be well written in absolute path form.
+
diff --git a/fs/proc/Makefile b/fs/proc/Makefile
@@ -34,3 +34,4 @@ proc-$(CONFIG_PROC_VMCORE)	+= vmcore.o
 proc-$(CONFIG_PRINTK)	+= kmsg.o
 proc-$(CONFIG_PROC_PAGE_MONITOR)	+= page.o
 proc-$(CONFIG_BOOT_CONFIG)	+= bootconfig.o
+proc-$(CONFIG_PROC_MASK_SECRETS)	+= mask_secrets.o
diff --git a/fs/proc/base.c b/fs/proc/base.c
@@ -102,6 +102,10 @@
 
 #include "../../lib/kstrtox.h"
 
+#ifdef CONFIG_PROC_MASK_SECRETS
+extern size_t mask_secrets(struct mm_struct *mm, char __user *buf, size_t count, loff_t pos);
+#endif
+
 /* NOTE:
  *	Implementing inode permission operations in /proc is almost
  *	certainly an error.  Permission checks need to happen during
@@ -311,6 +315,12 @@ static ssize_t get_mm_cmdline(struct mm_struct *mm, char __user *buf,
 	if (count > arg_end - pos)
 		count = arg_end - pos;
 
+#ifdef CONFIG_PROC_MASK_SECRETS
+	len = mask_secrets(mm, buf, count, pos);
+	if (len > 0)
+		return len;
+#endif
+
 	page = (char *)__get_free_page(GFP_KERNEL);
 	if (!page)
 		return -ENOMEM;