lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <5855A8EB.8000005@digikod.net>
Date:   Sat, 17 Dec 2016 22:06:51 +0100
From:   Mickaël Salaün <mic@...ikod.net>
To:     John Stultz <john.stultz@...aro.org>,
        lkml <linux-kernel@...r.kernel.org>
Cc:     Tejun Heo <tj@...nel.org>, Li Zefan <lizefan@...wei.com>,
        Jonathan Corbet <corbet@....net>, cgroups@...r.kernel.org,
        Android Kernel Team <kernel-team@...roid.com>,
        Rom Lemarchand <romlem@...roid.com>,
        Colin Cross <ccross@...roid.com>,
        Dmitry Shmidt <dimitrysh@...gle.com>,
        Todd Kjos <tkjos@...gle.com>,
        Christian Poetzsch <christian.potzsch@...tec.com>,
        Amit Pundir <amit.pundir@...aro.org>,
        Dmitry Torokhov <dmitry.torokhov@...il.com>,
        Kees Cook <keescook@...omium.org>,
        "Serge E . Hallyn" <serge@...lyn.com>,
        Andy Lutomirski <luto@...capital.net>,
        linux-api@...r.kernel.org, Paul Moore <paul@...l-moore.com>,
        Stephen Smalley <sds@...ho.nsa.gov>,
        Eric Paris <eparis@...isplace.org>,
        James Morris <james.l.morris@...cle.com>,
        Jeff Vander Stoep <jeffv@...gle.com>,
        linux-security-module@...r.kernel.org, selinux@...ho.nsa.gov,
        Michael Kerrisk <mtk.manpages@...il.com>,
        Daniel Mack <daniel@...que.org>
Subject: Re: [PATCH] cgroup: Add new capability to allow a process to migrate
 other tasks between cgroups

Hi,

If I understand correctly, this patch is intended to add a delegation
feature to cgroup v1, which does not really make sense for the v2
because of the clean cgroup-v2 delegation design. However, this new
capability impact both versions.

As Michael said, capabilities are a limited numbers of silos and we
should try to use existing ones as much as possible but without falling
into the trap of using the same capability for everything (e.g.
CAP_SYS_ADMIN) [1]. The CAP_CGROUP looks a lot like another
CAP_SYS_ADMIN. It is not tied to any particular privilege.

Cgroups are not about resource limitation or any particular access
control, they are just about managing a set of processes, which may then
be subject to resource limitation or access control. This possible
limitations only depend on cgroup controllers or netfilter rules or BPF
programs.

To avoid the current capability issue [1], I think it should be a good
idea to reuse an existing capability (if one make sense) for each class
of constraints a controller/eBPF program/netfilter rule can enforce.
This may looks like CAP_NET_ADMIN (with network namespace handling) for
netfilter and eBPF *socket* programs but CAP_SYS_RESOURCE for the CPU,
memory and IO controllers.
As Tejun said, it will be more complicated to handle such a case, but I
don't see any other solution to keep a meaningful use of capabilities.

However, even if a cgroup does not directly involve a limitation, it may
be used to identify a group of processes for a security critical purpose
(e.g. kill a group of process). It can then make sense to have a
dedicated capability CAP_CGROUP to allow a process *without the right to
write in cgroup.procs* to be allowed to move a process out of its
current cgroup. This is similar to CAP_DAC_OVERRIDE but only for
cgroup/controllers files (but not necessarily sufficient to modify all
cgroups). This does not means that CAP_CGROUP should allow to move any
process from any cgroup. The cgroup_procs_write_permission() should
compose the checks for CAP_CGROUP and/or CAP_SYS_RESOURCE and/or
CAP_SYS_ADMIN depending on the current use of the cgroup (i.e. cgroup
controller, BPF program type, netfilter).

Regards,
 Mickaël


[1] https://forums.grsecurity.net/viewtopic.php?f=7&t=2522


On 17/12/2016 05:43, John Stultz wrote:
> This patch adds CAP_GROUP and logic to allows a process to
> migrate other tasks between cgroups.
> 
> In Android (where this feature originated), the ActivityManager
> tracks various application states (TOP_APP, FOREGROUND,
> BACKGROUND, SYSTEM, etc), and then as applications change
> states, the SchedPolicy logic will migrate the application tasks
> between different cgroups used to control the different
> application states (for example, there is a background cpuset
> cgroup which can limit background tasks to stay on one low-power
> cpu, and the bg_non_interactive cpuctrl cgroup can then further
> limit those background tasks to a small percentage of that one
> cpu's cpu time).
> 
> However, for security reasons, Android doesn't want to make the
> system_server (the process that runs the ActivityManager and
> SchedPolicy logic), run as root. So in the Android common.git
> kernel, they have some logic to allow cgroups to loosen their
> permissions so CAP_SYS_NICE tasks can migrate other tasks between
> cgroups.
> 
> I feel the approach taken there overloads CAP_SYS_NICE a bit much
> for non-android environments. Efforts to re-use CAP_SYS_RESOURCE
> for this purpose (which Android has since adopted) was also
> stymied by concerns about risks from future cgroups that could be
> considered "dangerous" by how they might change system semantics.
> 
> So to avoid overlapping usage, this patch adds a brand new
> process capability flag (CAP_CGROUP), and uses it when checking
> if a task can migrate other tasks between cgroups.
> 
> I've tested this with AOSP master (though its a bit hacked in as
> I still need to properly get the selinux userspace bits aware of
> the new capability bit) with selinux set to permissive and it
> seems to be working well.
> 
> Thoughts and feedback would be appreciated!
> 
> (Note, I'm going on holiday break after today, so I may not
> respond to feedback immediately, but I figured it would be
> better to give folks the chance to review this rather then sit
> it for two weeks. I'll resend after the new-year, addressing any
> feedback I do get.)
> 
> Cc: Tejun Heo <tj@...nel.org>
> Cc: Li Zefan <lizefan@...wei.com>
> Cc: Jonathan Corbet <corbet@....net>
> Cc: cgroups@...r.kernel.org
> Cc: Android Kernel Team <kernel-team@...roid.com>
> Cc: Rom Lemarchand <romlem@...roid.com>
> Cc: Colin Cross <ccross@...roid.com>
> Cc: Dmitry Shmidt <dimitrysh@...gle.com>
> Cc: Todd Kjos <tkjos@...gle.com>
> Cc: Christian Poetzsch <christian.potzsch@...tec.com>
> Cc: Amit Pundir <amit.pundir@...aro.org>
> Cc: Dmitry Torokhov <dmitry.torokhov@...il.com>
> Cc: Kees Cook <keescook@...omium.org>
> Cc: Serge E. Hallyn <serge@...lyn.com>
> Cc: Andy Lutomirski <luto@...capital.net>
> Cc: linux-api@...r.kernel.org
> Cc: Paul Moore <paul@...l-moore.com>
> Cc: Stephen Smalley <sds@...ho.nsa.gov>
> Cc: Eric Paris <eparis@...isplace.org>
> Cc: James Morris <james.l.morris@...cle.com>
> Cc: Jeff Vander Stoep <jeffv@...gle.com>
> Cc: linux-security-module@...r.kernel.org
> Cc: selinux@...ho.nsa.gov
> Signed-off-by: John Stultz <john.stultz@...aro.org>
> ---
> v2: Renamed to just CAP_CGROUP_MIGRATE as reccomended by Tejun
> v3: Switched to just using CAP_SYS_RESOURCE as suggested by Michael
> v4: Send out properly folded down version of the patch. :P
> v5: Switch back to CAP_CGROUP_MIGRATE due to concerns from Andy
> v6: Rename to CAP_CGROUP, as it might be used for other purposes
>     in the future. Also added selinux mappings for the new cap.
> ---
>  include/uapi/linux/capability.h     | 5 ++++-
>  kernel/cgroup.c                     | 3 ++-
>  security/selinux/include/classmap.h | 4 ++--
>  3 files changed, 8 insertions(+), 4 deletions(-)
> 
> diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h
> index 49bc062..726f767 100644
> --- a/include/uapi/linux/capability.h
> +++ b/include/uapi/linux/capability.h
> @@ -349,8 +349,11 @@ struct vfs_cap_data {
>  
>  #define CAP_AUDIT_READ		37
>  
> +/* Allow migration of other tasks between cgroups */
>  
> -#define CAP_LAST_CAP         CAP_AUDIT_READ
> +#define CAP_CGROUP		38
> +
> +#define CAP_LAST_CAP         CAP_CGROUP
>  
>  #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
>  
> diff --git a/kernel/cgroup.c b/kernel/cgroup.c
> index 2ee9ec3..8b42ae3 100644
> --- a/kernel/cgroup.c
> +++ b/kernel/cgroup.c
> @@ -2856,7 +2856,8 @@ static int cgroup_procs_write_permission(struct task_struct *task,
>  	 */
>  	if (!uid_eq(cred->euid, GLOBAL_ROOT_UID) &&
>  	    !uid_eq(cred->euid, tcred->uid) &&
> -	    !uid_eq(cred->euid, tcred->suid))
> +	    !uid_eq(cred->euid, tcred->suid) &&
> +	    !ns_capable(tcred->user_ns, CAP_CGROUP))
>  		ret = -EACCES;
>  
>  	if (!ret && cgroup_on_dfl(dst_cgrp)) {
> diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
> index e2d4ad3a..ee8c1ed 100644
> --- a/security/selinux/include/classmap.h
> +++ b/security/selinux/include/classmap.h
> @@ -22,9 +22,9 @@
>  	    "audit_control", "setfcap"
>  
>  #define COMMON_CAP2_PERMS  "mac_override", "mac_admin", "syslog", \
> -		"wake_alarm", "block_suspend", "audit_read"
> +		"wake_alarm", "block_suspend", "audit_read", "cgroup"
>  
> -#if CAP_LAST_CAP > CAP_AUDIT_READ
> +#if CAP_LAST_CAP > CAP_CGROUP
>  #error New capability defined, please update COMMON_CAP2_PERMS.
>  #endif
>  
> 




Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ