[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAHC9VhRmZOMLwY4AvV+96WU3jyqMt6jX5sRKAos75OjWDo-NvA@mail.gmail.com>
Date: Wed, 31 Jul 2024 16:29:16 -0400
From: Paul Moore <paul@...l-moore.com>
To: Mickaël Salaün <mic@...ikod.net>
Cc: Jann Horn <jannh@...gle.com>, David Howells <dhowells@...hat.com>,
Jarkko Sakkinen <jarkko@...nel.org>, Günther Noack <gnoack@...gle.com>,
James Morris <jmorris@...ei.org>, Kees Cook <kees@...nel.org>, keyrings@...r.kernel.org,
linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org
Subject: Re: [PATCH v1] keys: Restrict KEYCTL_SESSION_TO_PARENT according to ptrace_may_access()
On Mon, Jul 29, 2024 at 11:17 AM Mickaël Salaün <mic@...ikod.net> wrote:
> On Mon, Jul 29, 2024 at 05:06:10PM +0200, Jann Horn wrote:
> > On Mon, Jul 29, 2024 at 5:02 PM Mickaël Salaün <mic@...ikod.net> wrote:
> > > On Mon, Jul 29, 2024 at 04:21:01PM +0200, Jann Horn wrote:
> > > > On Mon, Jul 29, 2024 at 4:09 PM Mickaël Salaün <mic@...ikod.net> wrote:
> > > > > On Mon, Jul 29, 2024 at 03:49:29PM +0200, Jann Horn wrote:
> > > > > > On Mon, Jul 29, 2024 at 2:59 PM Mickaël Salaün <mic@...ikod.net> wrote:
> > > > > > > A process can modify its parent's credentials with
> > > > > > > KEYCTL_SESSION_TO_PARENT when their EUID and EGID are the same. This
> > > > > > > doesn't take into account all possible access controls.
> > > > > > >
> > > > > > > Enforce the same access checks as for impersonating a process.
> > > > > > >
> > > > > > > The current credentials checks are untouch because they check against
> > > > > > > EUID and EGID, whereas ptrace_may_access() checks against UID and GID.
> > > > > >
> > > > > > FWIW, my understanding is that the intended usecase of
> > > > > > KEYCTL_SESSION_TO_PARENT is that command-line tools (like "keyctl
> > > > > > new_session" and "e4crypt new_session") want to be able to change the
> > > > > > keyring of the parent process that spawned them (which I think is
> > > > > > usually a shell?); and Yama LSM, which I think is fairly widely used
> > > > > > at this point, by default prevents a child process from using
> > > > > > PTRACE_MODE_ATTACH on its parent.
> > > > >
> > > > > About Yama, the patched keyctl_session_to_parent() function already
> > > > > check if the current's and the parent's credentials are the same before
> > > > > this new ptrace_may_access() check.
> > > >
> > > > prepare_exec_creds() in execve() always creates new credentials which
> > > > are stored in bprm->cred and then later committed in begin_new_exec().
> > > > Also, fork() always copies the credentials in copy_creds().
> > > > So the "mycred == pcred" condition in keyctl_session_to_parent()
> > > > basically never applies, I think.
> > > > Also: When that condition is true, the whole operation is a no-op,
> > > > since if the credentials are the same, then the session keyring that
> > > > the credentials point to must also be the same.
> > >
> > > Correct, it's not a content comparison. We could compare the
> > > credential's data for this specific KEYCTL_SESSION_TO_PARENT call, I
> > > guess this should not be performance sensitive.
> >
> > Yeah, though I guess keyctl_session_to_parent() is already kind of
> > doing that for the UID information; and for LSMs that would mean
> > adding an extra LSM hook?
>
> I'm wondering why security_key_session_to_parent() was never used: see
> commit 3011a344cdcd ("security: remove dead hook key_session_to_parent")
While I was looking at this in another off-list thread I think I came
around to the same conclusion: I think we want the
security_key_session_to_parent() hook back, and while I'm wearing my
SELinux hat, I think we want a SELinux implementation.
Mickaël, is this something you want to work on?
--
paul-moore.com
Powered by blists - more mailing lists