lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAG48ez1=xbGd8az4+iNJ_v1z4McMN8dsvWff-PH=ozLYnbzPqg@mail.gmail.com>
Date: Mon, 29 Jul 2024 16:21:01 +0200
From: Jann Horn <jannh@...gle.com>
To: Mickaël Salaün <mic@...ikod.net>
Cc: David Howells <dhowells@...hat.com>, Jarkko Sakkinen <jarkko@...nel.org>, 
	Günther Noack <gnoack@...gle.com>, 
	James Morris <jmorris@...ei.org>, Kees Cook <kees@...nel.org>, Paul Moore <paul@...l-moore.com>, 
	keyrings@...r.kernel.org, linux-kernel@...r.kernel.org, 
	linux-security-module@...r.kernel.org
Subject: Re: [PATCH v1] keys: Restrict KEYCTL_SESSION_TO_PARENT according to ptrace_may_access()

On Mon, Jul 29, 2024 at 4:09 PM Mickaël Salaün <mic@...ikod.net> wrote:
> On Mon, Jul 29, 2024 at 03:49:29PM +0200, Jann Horn wrote:
> > On Mon, Jul 29, 2024 at 2:59 PM Mickaël Salaün <mic@...ikod.net> wrote:
> > > A process can modify its parent's credentials with
> > > KEYCTL_SESSION_TO_PARENT when their EUID and EGID are the same.  This
> > > doesn't take into account all possible access controls.
> > >
> > > Enforce the same access checks as for impersonating a process.
> > >
> > > The current credentials checks are untouch because they check against
> > > EUID and EGID, whereas ptrace_may_access() checks against UID and GID.
> >
> > FWIW, my understanding is that the intended usecase of
> > KEYCTL_SESSION_TO_PARENT is that command-line tools (like "keyctl
> > new_session" and "e4crypt new_session") want to be able to change the
> > keyring of the parent process that spawned them (which I think is
> > usually a shell?); and Yama LSM, which I think is fairly widely used
> > at this point, by default prevents a child process from using
> > PTRACE_MODE_ATTACH on its parent.
>
> About Yama, the patched keyctl_session_to_parent() function already
> check if the current's and the parent's credentials are the same before
> this new ptrace_may_access() check.

prepare_exec_creds() in execve() always creates new credentials which
are stored in bprm->cred and then later committed in begin_new_exec().
Also, fork() always copies the credentials in copy_creds().
So the "mycred == pcred" condition in keyctl_session_to_parent()
basically never applies, I think.
Also: When that condition is true, the whole operation is a no-op,
since if the credentials are the same, then the session keyring that
the credentials point to must also be the same.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ