| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20200715152011.whdeysy3ztqrnocn@wittgenstein>
Date: Wed, 15 Jul 2020 17:20:11 +0200
From: Christian Brauner <christian.brauner@...ntu.com>
To: Adrian Reber <areber@...hat.com>
Cc: Eric Biederman <ebiederm@...ssion.com>,
Pavel Emelyanov <ovzxemul@...il.com>,
Oleg Nesterov <oleg@...hat.com>,
Dmitry Safonov <0x7f454c46@...il.com>,
Andrei Vagin <avagin@...il.com>,
Nicolas Viennot <Nicolas.Viennot@...sigma.com>,
Michał Cłapiński <mclapinski@...gle.com>,
Kamil Yurtsever <kyurtsever@...gle.com>,
Dirk Petersen <dipeit@...il.com>,
Christine Flood <chf@...hat.com>,
Casey Schaufler <casey@...aufler-ca.com>,
Mike Rapoport <rppt@...ux.ibm.com>,
Radostin Stoyanov <rstoyanov1@...il.com>,
Cyrill Gorcunov <gorcunov@...nvz.org>,
Serge Hallyn <serge@...lyn.com>,
Stephen Smalley <stephen.smalley.work@...il.com>,
Sargun Dhillon <sargun@...gun.me>,
Arnd Bergmann <arnd@...db.de>,
linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org, selinux@...r.kernel.org,
Eric Paris <eparis@...isplace.org>,
Jann Horn <jannh@...gle.com>, linux-fsdevel@...r.kernel.org
Subject: Re: [PATCH v5 5/6] prctl: Allow checkpoint/restore capable processes
to change exe link
On Wed, Jul 15, 2020 at 04:49:53PM +0200, Adrian Reber wrote:
> From: Nicolas Viennot <Nicolas.Viennot@...sigma.com>
>
> Allow CAP_CHECKPOINT_RESTORE capable users to change /proc/self/exe.
>
> This commit also changes the permission error code from -EINVAL to
> -EPERM for consistency with the rest of the prctl() syscall when
> checking capabilities.
I agree that EINVAL seems weird here but this is a potentially user
visible change. Might be nice to have the EINVAL->EPERM change be an
additional patch on top after this one so we can revert it in case it
breaks someone (unlikely though). I can split this out myself though so
no need to resend for that alone.
What I would also prefer is to have some history in the commit message
tbh. The reason is that when we started discussing that specific change
I had to hunt down the history of changing /proc/self/exe and had to
dig up and read through ancient threads on lore to come up with the
explanation why this is placed under a capability. The commit message
should then also mention that there are other ways to change the
/proc/self/exe link that don't require capabilities and that
/proc/self/exe itself is not something userspace should rely on for
security. Mainly so that in a few months/years we can read through that
commit message and go "Weird, but ok.". :)
But maybe I can just rewrite this myself so you don't have to go through
the trouble. This is really not pedantry it's just that it's a lot of
work digging up the reasons for a piece of code existing when it's
really not obvious. :)
Christian
>
> Signed-off-by: Nicolas Viennot <Nicolas.Viennot@...sigma.com>
> Signed-off-by: Adrian Reber <areber@...hat.com>
> ---
> kernel/sys.c | 12 +++++++-----
> 1 file changed, 7 insertions(+), 5 deletions(-)
>
> diff --git a/kernel/sys.c b/kernel/sys.c
> index 00a96746e28a..dd59b9142b1d 100644
> --- a/kernel/sys.c
> +++ b/kernel/sys.c
> @@ -2007,12 +2007,14 @@ static int prctl_set_mm_map(int opt, const void __user *addr, unsigned long data
>
> if (prctl_map.exe_fd != (u32)-1) {
> /*
> - * Make sure the caller has the rights to
> - * change /proc/pid/exe link: only local sys admin should
> - * be allowed to.
> + * Check if the current user is checkpoint/restore capable.
> + * At the time of this writing, it checks for CAP_SYS_ADMIN
> + * or CAP_CHECKPOINT_RESTORE.
> + * Note that a user with access to ptrace can masquerade an
> + * arbitrary program as any executable, even setuid ones.
> */
> - if (!ns_capable(current_user_ns(), CAP_SYS_ADMIN))
> - return -EINVAL;
> + if (!checkpoint_restore_ns_capable(current_user_ns()))
> + return -EPERM;
>
> error = prctl_set_mm_exe_file(mm, prctl_map.exe_fd);
> if (error)
> --
> 2.26.2
>
Powered by blists - more mailing lists