[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20200609212818.GM134822@grain>
Date: Wed, 10 Jun 2020 00:28:18 +0300
From: Cyrill Gorcunov <gorcunov@...il.com>
To: Nicolas Viennot <Nicolas.Viennot@...sigma.com>
Cc: Adrian Reber <areber@...hat.com>,
Andy Lutomirski <luto@...nel.org>,
Christian Brauner <christian.brauner@...ntu.com>,
Eric Biederman <ebiederm@...ssion.com>,
Pavel Emelyanov <ovzxemul@...il.com>,
Oleg Nesterov <oleg@...hat.com>,
Dmitry Safonov <0x7f454c46@...il.com>,
Andrei Vagin <avagin@...il.com>,
Michał Cłapiński <mclapinski@...gle.com>,
Kamil Yurtsever <kyurtsever@...gle.com>,
Dirk Petersen <dipeit@...il.com>,
Christine Flood <chf@...hat.com>,
Casey Schaufler <casey@...aufler-ca.com>,
Mike Rapoport <rppt@...ux.ibm.com>,
Radostin Stoyanov <rstoyanov1@...il.com>,
Serge Hallyn <serge@...lyn.com>,
Stephen Smalley <stephen.smalley.work@...il.com>,
Sargun Dhillon <sargun@...gun.me>,
Arnd Bergmann <arnd@...db.de>,
"linux-security-module@...r.kernel.org"
<linux-security-module@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"selinux@...r.kernel.org" <selinux@...r.kernel.org>,
Eric Paris <eparis@...isplace.org>,
Jann Horn <jannh@...gle.com>,
"linux-fsdevel@...r.kernel.org" <linux-fsdevel@...r.kernel.org>
Subject: Re: [PATCH v2 1/3] capabilities: Introduce CAP_CHECKPOINT_RESTORE
On Tue, Jun 09, 2020 at 08:09:49PM +0000, Nicolas Viennot wrote:
> >> proc_map_files_get_link(struct dentry *dentry,
> >> struct inode *inode,
> >> struct delayed_call *done)
> >> {
> >> - if (!capable(CAP_SYS_ADMIN))
> >> + if (!(capable(CAP_SYS_ADMIN) || capable(CAP_CHECKPOINT_RESTORE)))
> >> return ERR_PTR(-EPERM);
>
> > First of all -- sorry for late reply. You know, looking into this code more I think
> this CAP_SYS_ADMIN is simply wrong: for example I can't even fetch links for /proc/self/map_files.
> Still /proc/$pid/maps (which as well points to the files opened) test for ptrace-read permission.
> I think we need ptrace-may-attach test here instead of these capabilities (if I can attach to
> a process I can read any data needed, including the content of the mapped files, if only
> I'm not missing something obvious).
>
Nikolas, could you please split the text lines next time, I've had to add newlines into reply manually :)
> Currently /proc/pid/map_files/* have exactly the same permission checks as /proc/pid/fd/*, with the exception
> of the extra CAP_SYS_ADMIN check. The check originated from the following discussions where 3 security issues are discussed:
> http://lkml.iu.edu/hypermail/linux/kernel/1505.2/02524.html
> http://lkml.iu.edu/hypermail/linux/kernel/1505.2/04030.html
>
> From what I understand, the extra CAP_SYS_ADMIN comes from the following issues:
> 1. Being able to open dma-buf / kdbus region (referred in the referenced email as problem #1).
> I don't fully understand what the dangers are, but perhaps we could do CAP_SYS_ADMIN check
> only for such dangerous files, as opposed to all files.
As far as I remember we only need to read the content of mmap'ed files and if I've ptrace-attach
permission we aready can inject own code into a process and read anything we wish. That said we probably
should fixup this interface like -- test for open mode and if it is read only then ptrace-attach
should be enough, if it is write mode -- then we require being node's admin instead of just adding
a new capability here. And thanks a huge for mail reference, I'll take a look once time permit.
Powered by blists - more mailing lists