| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAG48ez1ocnFNSPdVDaVtB2-S+B4uBeLTLaekCYq=m1DuMyA-CA@mail.gmail.com>
Date: Thu, 18 Jun 2020 16:11:19 +0200
From: Jann Horn <jannh@...gle.com>
To: Adrian Reber <areber@...hat.com>
Cc: Christian Brauner <christian.brauner@...ntu.com>,
Eric Biederman <ebiederm@...ssion.com>,
Pavel Emelyanov <ovzxemul@...il.com>,
Oleg Nesterov <oleg@...hat.com>,
Dmitry Safonov <0x7f454c46@...il.com>,
Andrei Vagin <avagin@...il.com>,
Nicolas Viennot <Nicolas.Viennot@...sigma.com>,
Michał Cłapiński <mclapinski@...gle.com>,
Kamil Yurtsever <kyurtsever@...gle.com>,
Dirk Petersen <dipeit@...il.com>,
Christine Flood <chf@...hat.com>,
Casey Schaufler <casey@...aufler-ca.com>,
Mike Rapoport <rppt@...ux.ibm.com>,
Radostin Stoyanov <rstoyanov1@...il.com>,
Cyrill Gorcunov <gorcunov@...nvz.org>,
Serge Hallyn <serge@...lyn.com>,
Stephen Smalley <stephen.smalley.work@...il.com>,
Sargun Dhillon <sargun@...gun.me>,
Arnd Bergmann <arnd@...db.de>,
linux-security-module <linux-security-module@...r.kernel.org>,
kernel list <linux-kernel@...r.kernel.org>,
SElinux list <selinux@...r.kernel.org>,
Eric Paris <eparis@...isplace.org>,
linux-fsdevel <linux-fsdevel@...r.kernel.org>
Subject: Re: [PATCH v3 3/3] prctl: Allow ptrace capable processes to change exe_fd
On Thu, Jun 18, 2020 at 3:50 PM Adrian Reber <areber@...hat.com> wrote:
> The current process is authorized to change its /proc/self/exe link via
> two policies:
> 1) The current user can do checkpoint/restore In other words is
> CAP_SYS_ADMIN or CAP_CHECKPOINT_RESTORE capable.
> 2) The current user can use ptrace.
>
> With access to ptrace facilities, a process can do the following: fork a
> child, execve() the target executable, and have the child use ptrace()
> to replace the memory content of the current process. This technique
> makes it possible to masquerade an arbitrary program as any executable,
> even setuid ones.
>
> This commit also changes the permission error code from -EINVAL to
> -EPERM for consistency with the rest of the prctl() syscall when
> checking capabilities.
[...]
> diff --git a/kernel/sys.c b/kernel/sys.c
[...]
> @@ -2007,12 +2007,23 @@ static int prctl_set_mm_map(int opt, const void __user *addr, unsigned long data
>
> if (prctl_map.exe_fd != (u32)-1) {
> /*
> - * Make sure the caller has the rights to
> - * change /proc/pid/exe link: only local sys admin should
> - * be allowed to.
> + * The current process is authorized to change its
> + * /proc/self/exe link via two policies:
> + * 1) The current user can do checkpoint/restore
> + * In other words is CAP_SYS_ADMIN or
> + * CAP_CHECKPOINT_RESTORE capable.
> + * 2) The current user can use ptrace.
> + *
> + * With access to ptrace facilities, a process can do the
> + * following: fork a child, execve() the target executable,
> + * and have the child use ptrace() to replace the memory
> + * content of the current process. This technique makes it
> + * possible to masquerade an arbitrary program as the target
> + * executable, even if it is setuid.
(That is not necessarily true in the presence of LSMs like SELinux:
You'd have to be able to FILE__EXECUTE_NO_TRANS the target executable
according to the system's security policy.)
Powered by blists - more mailing lists