|
Message-ID: <CAG48ez3eSJSODADpo=O-j9txJ=2R+EupunRvs5H9t5Wa8mvkRA@mail.gmail.com> Date: Mon, 27 Apr 2020 19:28:56 +0200 From: Jann Horn <jannh@...gle.com> To: Christian Brauner <christian.brauner@...ntu.com> Cc: kernel list <linux-kernel@...r.kernel.org>, Alexander Viro <viro@...iv.linux.org.uk>, Stéphane Graber <stgraber@...ntu.com>, Linux Containers <containers@...ts.linux-foundation.org>, "Eric W . Biederman" <ebiederm@...ssion.com>, Serge Hallyn <serge@...lyn.com>, Aleksa Sarai <cyphar@...har.com>, linux-security-module <linux-security-module@...r.kernel.org>, Kernel Hardening <kernel-hardening@...ts.openwall.com>, Linux API <linux-api@...r.kernel.org> Subject: Re: [PATCH] nsproxy: attach to namespaces via pidfds On Mon, Apr 27, 2020 at 4:47 PM Christian Brauner <christian.brauner@...ntu.com> wrote: > For quite a while we have been thinking about using pidfds to attach to > namespaces. This patchset has existed for about a year already but we've > wanted to wait to see how the general api would be received and adopted. > Now that more and more programs in userspace have started using pidfds > for process management it's time to send this one out. You can already reliably switch to a specific namespace of another process like this given a pidfd and the pid of the process (which, if you don't have it, you can get via fdinfo), right? int switch_ns_to(int pidfd, int pid, char *nstypename) { char ns_path[100]; snprintf(ns_path, sizeof(ns_path), "/proc/%d/ns/%s", pid, nstypename); int fd = open(ns_path, O_RDONLY|O_CLOEXEC); int errno_after_open = errno; if (pidfd_send_signal(pidfd, 0, NULL, 0)) return -1; if (fd == -1) { errno = errno_after_open; return -1; } int ret = setns(fd, 0); close(fd); return ret; } > This patch makes it possible to use pidfds to attach to the namespaces > of another process, i.e. they can be passed as the first argument to the > setns() syscall. When only a single namespace type is specified the > semantics are equivalent to passing an nsfd. This introduces a difference in terms of security: With the old API, you need PTRACE_MODE_READ_FSCREDS on the task whose namespace you're attaching to (to dereference the link /proc/*/ns/*) *AND* whatever access checks the namespace itself enforces (always includes a check for CAP_SYS_ADMIN on the namespace). The ptrace check has the advantage, among other things, that it allows an LSM to see the relationship between the task that's accessing the namespace (subject) and the task whose namespace is being accessed (object). I feel slightly twitchy about this relaxation, and I'm wondering whether we can add a ptrace access check analogous to what you'd have needed via procfs. > That means > setns(nsfd, CLONE_NEWNET) equals setns(pidfd, CLONE_NEWNET). However, > when a pidfd is passed, multiple namespace flags can be specified in the > second setns() argument and setns() will attach the caller to all the > specified namespaces all at once or to none of them. If 0 is specified > together with a pidfd then setns() will interpret it the same way 0 is > interpreted together with a nsfd argument, i.e. attach to any/all > namespaces. [...] > Apart from significiantly reducing the number of syscalls from double > digit to single digit which is a decent reason post-spectre/meltdown > this also allows to switch to a set of namespaces atomically, i.e. > either attaching to all the specified namespaces succeeds or we fail. Apart from the issues I've pointed out below, I think it's worth calling out explicitly that with the current design, the switch will not, in fact, be fully atomic - the process will temporarily be in intermediate stages where the switches to some namespaces have completed while the switches to other namespaces are still pending; and while there will be less of these intermediate stages than before, it also means that they will be less explicit to userspace. [...] > diff --git a/kernel/nsproxy.c b/kernel/nsproxy.c [...] > +/* > + * Ordering is equivalent to the standard ordering used everywhere > + * else during unshare and process creation. > + */ > +static int ns_install(struct nsproxy *nsproxy, struct pid *pid, int flags) > +{ > + int ret = 0; > + struct task_struct *tsk; > + struct nsproxy *nsp; > + > + tsk = get_pid_task(pid, PIDTYPE_PID); > + if (!tsk) > + return -ESRCH; > + > + get_nsproxy(tsk->nsproxy); > + nsp = tsk->nsproxy; How is this correct? Are you holding any locks that protect tsk->nsproxy? > +#ifdef CONFIG_USER_NS > + if (wants_ns(flags, CLONE_NEWUSER)) { > + struct user_namespace *user_ns; > + > + user_ns = get_user_ns(__task_cred(tsk)->user_ns); > + ret = __ns_install(nsproxy, &user_ns->ns); If ret == 0, then at this point you've already committed the user namespace change *to the calling process*. The ->install handler of user namespaces doesn't touch the nsproxy at all. > + put_user_ns(user_ns); > + } > +#else > + if (flags & CLONE_NEWUSER) > + ret = -EINVAL; > +#endif > + > + if (!ret && wants_ns(flags, CLONE_NEWNS)) > + ret = __ns_install(nsproxy, mnt_ns_to_common(nsp->mnt_ns)); And this one might be even worse, because the mount namespace change itself is only stored in the nsproxy at this point, but the cwd and root paths have already been overwritten on the task's fs_struct. To actually make sys_set_ns() atomic, I think you'd need some moderately complicated prep work, splitting the ->install handlers up into prep work and a commit phase that can't fail. [...] > +#ifdef CONFIG_PID_NS > + if (!ret && wants_ns(flags, CLONE_NEWPID)) { > + struct pid_namespace *pidns; > + > + pidns = task_active_pid_ns(tsk); > + if (pidns) { > + get_pid_ns(pidns); > + ret = __ns_install(nsproxy, &pidns->ns); > + put_pid_ns(pidns); > + } If you can't get the task's pidns, shouldn't that be an error? > + } [...]
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.