lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Wed, 19 Oct 2022 15:22:01 +0200
From:   Christian Brauner <brauner@...nel.org>
To:     Daniel Xu <dxu@...uu.xyz>
Cc:     viro@...iv.linux.org.uk, linux-fsdevel@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: Odd interaction with file capabilities and procfs files

On Tue, Oct 18, 2022 at 06:42:04PM -0600, Daniel Xu wrote:
> Hi,
> 
> (Going off get_maintainers.pl for fs/namei.c here)
> 
> I'm seeing some weird interactions with file capabilities and S_IRUSR
> procfs files. Best I can tell it doesn't occur with real files on my btrfs
> home partition.
> 
> Test program:
> 
>         #include <fcntl.h>
>         #include <stdio.h>
>         
>         int main()
>         {
>                 int fd = open("/proc/self/auxv", O_RDONLY);
>                 if (fd < 0) {
>                         perror("open");
>                         return 1;
>                 }
>        
>                 printf("ok\n");
>                 return 0;
>         }
> 
> Steps to reproduce:
> 
>         $ gcc main.c
>         $ ./a.out
>         ok
>         $ sudo setcap "cap_net_admin,cap_sys_admin+p" a.out
>         $ ./a.out
>         open: Permission denied
> 
> It's not obvious why this happens, even after spending a few hours
> going through the standard documentation and kernel code. It's
> intuitively odd b/c you'd think adding capabilities to the permitted
> set wouldn't affect functionality.
> 
> Best I could tell the -EACCES error occurs in the fallthrough codepath
> inside generic_permission().
> 
> Sorry if this is something dumb or obvious.

Hey Daniel,

No, this is neither dumb nor obvious. :)

Basically, if you set fscaps then /proc/self/auxv will be owned by
root:root. You can verify this:

#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <stdio.h>
#include <errno.h>
#include <unistd.h>

int main()
{
        struct stat st;
        printf("%d | %d\n", getuid(), geteuid());

        if (stat("/proc/self/auxv", &st)) {
                fprintf(stderr, "stat: %d - %m\n", errno);
                return 1;
        }
        printf("stat: %d | %d\n", st.st_uid, st.st_gid);

        int fd = open("/proc/self/auxv", O_RDONLY);
        if (fd < 0) {
                fprintf(stderr, "open: %d - %m\n", errno);
                return 1;
        }

        printf("ok\n");
        return 0;
}

$ ./a.out
1000 | 1000
stat: 1000 | 1000
ok
$ sudo setcap "cap_net_admin,cap_sys_admin+p" a.out
$ ./a.out
1000 | 1000
stat: 0 | 0
open: 13 - Permission denied

So acl_permission_check() fails and returns -EACCESS which will cause
generic_permission() to rely on capable_wrt_inode_uidgid() which checks
for CAP_DAC_READ_SEARCH which you don't have as an unprivileged user.

Powered by blists - more mailing lists