| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <cehkmvl3y3u6qugobjo2h4yez6h5uw5pffqcr3mfjuki3sb32t@nr7nxkk3bdsg> Date: Fri, 18 Jul 2025 17:55:15 +0200 From: Nicolas Bouchinet <nicolas.bouchinet@....cyber.gouv.fr> To: Jann Horn <jannh@...gle.com> Cc: Kees Cook <kees@...nel.org>, Paul Moore <paul@...l-moore.com>, James Morris <jmorris@...ei.org>, "Serge E. Hallyn" <serge@...lyn.com>, linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org, Olivier Bal-Petre <olivier.bal-petre@....cyber.gouv.fr>, Nicolas Bouchinet <nicolas.bouchinet@....gouv.fr> Subject: Re: [PATCH] lsm: yama: Check for PTRACE_MODE_READ_FSCREDS access On Fri, Jul 18, 2025 at 04:52:51PM +0200, Jann Horn wrote: > On Fri, Jul 18, 2025 at 10:47 AM <nicolas.bouchinet@....cyber.gouv.fr> wrote: > > From: Nicolas Bouchinet <nicolas.bouchinet@....gouv.fr> > > > > Currently, yama only checks if the `PTRACE_MODE_ATTACH` mode is set > > during the `yama_ptrace_access_check()` LSM hook implementation. > > > > In cases of call with the `PTRACE_MODE_READ_FSCREDS` mode, nothing > > happens. Thus, yama does not interact properly with the > > "hidepid=ptraceable" option. > > > > hidepid's "ptraceable" option being documented as follow : > > > > - hidepid=ptraceable or hidepid=4 means that procfs should only contain > > `/proc/<pid>/` directories that the caller can ptrace. > > > > This patch simply add yama a `PTRACE_MODE_READ_FSCREDS` mode check to > > enable an interaction with "hidepid=ptraceable". > > Please note that PTRACE_MODE_READ_FSCREDS is actually a combination of > two flags, and the intention is that the PTRACE_MODE_REALCREDS / > PTRACE_MODE_FSCREDS part of the flags should basically only be used to > determine where to read the caller's credentials from: > > /* shorthands for READ/ATTACH and FSCREDS/REALCREDS combinations */ > #define PTRACE_MODE_READ_FSCREDS (PTRACE_MODE_READ | PTRACE_MODE_FSCREDS) > #define PTRACE_MODE_READ_REALCREDS (PTRACE_MODE_READ | PTRACE_MODE_REALCREDS) > #define PTRACE_MODE_ATTACH_FSCREDS (PTRACE_MODE_ATTACH | PTRACE_MODE_FSCREDS) > #define PTRACE_MODE_ATTACH_REALCREDS (PTRACE_MODE_ATTACH | > PTRACE_MODE_REALCREDS) > Yes my bad, I should have sent the hidepid [1] patch in the same batch. The idea here is to take "hidepid=ptraceable" into account. Which already calls yama with `PTRACE_MODE_READ_FSCREDS`. > > Combined with hidepid=ptraceable, the following behaviors will then > > happen while reading in `/proc/<pid>`: > > > > - "restricted": A process that has a predefined relationship with the > > inferior will see the inferior process in `/proc`. > > > > - "admin-only": A process that has the CAP_SYS_PTRACE will be able to > > see every processes in `/proc`. > > > > - "no attach": A process will not see anything but itself in > > `/proc/<pid>/`. > > > > It is important to note that the combination of "hidepid=ptraceable" and > > yama "no attach" also makes PIDs invisible to root. > > > > No access reports are logged in case of denied access with > > `PTRACE_MODE_READ_FSCREDS` to avoid flooding kernel logs. > > This seems like a major semantic change; I believe it essentially > means that commands like "ps" stop working entirely on systems that > enable hidepid. While that might be desirable in some scenarios, I > think changing the semantics like this without making it opt-in > through a new sysctl knob or such would be a bad idea. Yes, this patch doesn't work alone it needs to be coupled with [1]: https://lore.kernel.org/all/20250718-hidepid_fix-v1-1-3fd5566980bc@ssi.gouv.fr/.
Powered by blists - more mailing lists