| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAG48ez3DzxGMWN9GDhSqpHrDJnZDg2k=VEMD_DFiET5yDr07rw@mail.gmail.com> Date: Mon, 29 Jul 2024 15:49:29 +0200 From: Jann Horn <jannh@...gle.com> To: Mickaël Salaün <mic@...ikod.net> Cc: David Howells <dhowells@...hat.com>, Jarkko Sakkinen <jarkko@...nel.org>, Günther Noack <gnoack@...gle.com>, James Morris <jmorris@...ei.org>, Kees Cook <kees@...nel.org>, Paul Moore <paul@...l-moore.com>, keyrings@...r.kernel.org, linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org Subject: Re: [PATCH v1] keys: Restrict KEYCTL_SESSION_TO_PARENT according to ptrace_may_access() On Mon, Jul 29, 2024 at 2:59 PM Mickaël Salaün <mic@...ikod.net> wrote: > A process can modify its parent's credentials with > KEYCTL_SESSION_TO_PARENT when their EUID and EGID are the same. This > doesn't take into account all possible access controls. > > Enforce the same access checks as for impersonating a process. > > The current credentials checks are untouch because they check against > EUID and EGID, whereas ptrace_may_access() checks against UID and GID. FWIW, my understanding is that the intended usecase of KEYCTL_SESSION_TO_PARENT is that command-line tools (like "keyctl new_session" and "e4crypt new_session") want to be able to change the keyring of the parent process that spawned them (which I think is usually a shell?); and Yama LSM, which I think is fairly widely used at this point, by default prevents a child process from using PTRACE_MODE_ATTACH on its parent. I think KEYCTL_SESSION_TO_PARENT is not a great design, but I'm not sure if we can improve it much without risking some breakage.
Powered by blists - more mailing lists