lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CA+5PVA577SSG42i+C6oGw2c+dRcTS2oNgfehJ0-aqdPK5XZsjg@mail.gmail.com>
Date:	Mon, 4 Jan 2016 10:03:45 -0500
From:	Josh Boyer <jwboyer@...oraproject.org>
To:	Andy Lutomirski <luto@...capital.net>
Cc:	"Serge E. Hallyn" <serge.hallyn@...ntu.com>,
	Jann Horn <jann@...jh.net>,
	Roland McGrath <roland@...k.frob.com>,
	Oleg Nesterov <oleg@...hat.com>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"security@...nel.org" <security@...nel.org>,
	Serge Hallyn <serge.hallyn@...onical.com>,
	"Eric W. Biederman" <ebiederm@...ssion.com>,
	Linus Torvalds <torvalds@...ux-foundation.org>
Subject: Re: [PATCH] ptrace: being capable wrt a process requires mapped uids/gids

On Sat, Dec 26, 2015 at 9:03 PM, Andy Lutomirski <luto@...capital.net> wrote:
> On Sat, Dec 26, 2015 at 1:51 PM, Serge E. Hallyn
> <serge.hallyn@...ntu.com> wrote:
>> On Sat, Dec 26, 2015 at 03:52:31AM +0100, Jann Horn wrote:
>>> ptrace_has_cap() checks whether the current process should be
>>> treated as having a certain capability for ptrace checks
>>> against another process. Until now, this was equivalent to
>>> has_ns_capability(current, target_ns, CAP_SYS_PTRACE).
>>>
>>> However, if a root-owned process wants to enter a user
>>> namespace for some reason without knowing who owns it and
>>> therefore can't change to the namespace owner's uid and gid
>>> before entering, as soon as it has entered the namespace,
>>> the namespace owner can attach to it via ptrace and thereby
>>> gain access to its uid and gid.
>>>
>>> While it is possible for the entering process to switch to
>>> the uid of a claimed namespace owner before entering,
>>> causing the attempt to enter to fail if the claimed uid is
>>> wrong, this doesn't solve the problem of determining an
>>> appropriate gid.
>>>
>>> With this change, the entering process can first enter the
>>> namespace and then safely inspect the namespace's
>>> properties, e.g. through /proc/self/{uid_map,gid_map},
>>> assuming that the namespace owner doesn't have access to
>>> uid 0.
>>>
>>> Changed in v2: The caller needs to be capable in the
>>> namespace into which tcred's uids/gids can be mapped.
>>>
>>> Signed-off-by: Jann Horn <jann@...jh.net>
>>
>> Acked-by: Serge Hallyn <serge.hallyn@...ntu.com>
>
> Acked-by: Andy Lutomirski <luto@...nel.org>
>
> Who's going to apply this?  Linus?  Eric?

An Ack from Oleg would be nice too.  I'm guessing this got lost in the
holidays but it has an assigned CVE now.  Would be good to get it in
4.4 final.

josh
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ