Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <99FC4B6EFCEFD44486C35F4C281DC6732146256E@ORSMSX107.amr.corp.intel.com>
Date: Wed, 26 Sep 2018 22:24:34 +0000
From: "Schaufler, Casey" <casey.schaufler@...el.com>
To: Jann Horn <jannh@...gle.com>
CC: Kernel Hardening <kernel-hardening@...ts.openwall.com>, kernel list
	<linux-kernel@...r.kernel.org>, linux-security-module
	<linux-security-module@...r.kernel.org>, "selinux@...ho.nsa.gov"
	<selinux@...ho.nsa.gov>, "Hansen, Dave" <dave.hansen@...el.com>, "Dock,
 Deneen T" <deneen.t.dock@...el.com>, "kristen@...ux.intel.com"
	<kristen@...ux.intel.com>, Arjan van de Ven <arjan@...ux.intel.com>
Subject: RE: [PATCH v5 4/5] Capability: Complete PTRACE_MODE_SCHED

> -----Original Message-----
> From: Jann Horn [mailto:jannh@...gle.com]
> Sent: Wednesday, September 26, 2018 2:26 PM
> To: Schaufler, Casey <casey.schaufler@...el.com>
> Cc: Kernel Hardening <kernel-hardening@...ts.openwall.com>; kernel list
> <linux-kernel@...r.kernel.org>; linux-security-module <linux-security-
> module@...r.kernel.org>; selinux@...ho.nsa.gov; Hansen, Dave
> <dave.hansen@...el.com>; Dock, Deneen T <deneen.t.dock@...el.com>;
> kristen@...ux.intel.com; Arjan van de Ven <arjan@...ux.intel.com>
> Subject: Re: [PATCH v5 4/5] Capability: Complete PTRACE_MODE_SCHED
> 
> On Wed, Sep 26, 2018 at 10:35 PM Casey Schaufler
> <casey.schaufler@...el.com> wrote:
> > Allow a complete ptrace access check with mode PTRACE_MODE_SCHED.
> > Disable the inappropriate privilege check in the capability code
> > that does incompatible locking.
> 
> What's that locking you're talking about?

ns_capable() eventually gets you to an audit call. The audit code
is going to do the locking. Fortunately, the preceding cap_issubset()
is the check that we really need here.

> 
> > Signed-off-by: Casey Schaufler <casey.schaufler@...el.com>
> > ---
> >  kernel/ptrace.c      | 2 --
> >  security/commoncap.c | 2 ++
> >  2 files changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/kernel/ptrace.c b/kernel/ptrace.c
> > index 99cfddde6a55..0b6a9df51c3b 100644
> > --- a/kernel/ptrace.c
> > +++ b/kernel/ptrace.c
> > @@ -331,8 +331,6 @@ static int __ptrace_may_access(struct task_struct
> *task, unsigned int mode)
> >              !ptrace_has_cap(mm->user_ns, mode)))
> >             return -EPERM;
> >
> > -       if (mode & PTRACE_MODE_SCHED)
> > -               return 0;
> >         return security_ptrace_access_check(task, mode);
> >  }
> >
> > diff --git a/security/commoncap.c b/security/commoncap.c
> > index 2e489d6a3ac8..e77457110d05 100644
> > --- a/security/commoncap.c
> > +++ b/security/commoncap.c
> > @@ -152,6 +152,8 @@ int cap_ptrace_access_check(struct task_struct
> *child, unsigned int mode)
> >         if (cred->user_ns == child_cred->user_ns &&
> >             cap_issubset(child_cred->cap_permitted, *caller_caps))
> >                 goto out;
> > +       if (mode & PTRACE_MODE_SCHED)
> > +               goto out;
> 
> So for PTRACE_MODE_SCHED, this function always returns 0, right? 

That can't be right, can it? Determining that we have PTRACE_MODE_SCHED
at this point should result in -EPERM. I mucked up on the logic flow. The
next revision will fix this.

> If that's intentional, perhaps you should instead just put "if (mode &
> PTRACE_MODE_SCHED) return 0;" at the start of the function, to avoid
> taking the RCU read lock in this case.
> 
> >         if (ns_capable(child_cred->user_ns, CAP_SYS_PTRACE))
> >                 goto out;
> >         ret = -EPERM;

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.