From: Oleg Nesterov <oleg@redhat.com>
To: Kees Cook <keescook@chromium.org>
Cc: linux-kernel@vger.kernel.org,
Andy Lutomirski <luto@amacapital.net>,
"Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>,
Alexei Starovoitov <ast@plumgrid.com>,
Andrew Morton <akpm@linux-foundation.org>,
Daniel Borkmann <dborkman@redhat.com>,
Will Drewry <wad@chromium.org>, Julien Tinnes <jln@chromium.org>,
David Drysdale <drysdale@google.com>,
linux-api@vger.kernel.org, x86@kernel.org,
linux-arm-kernel@lists.infradead.org, linux-mips@linux-mips.org,
linux-arch@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH v8 9/9] seccomp: implement SECCOMP_FILTER_FLAG_TSYNC
Date: Wed, 25 Jun 2014 16:21:21 +0200 [thread overview]
Message-ID: <20140625142121.GD7892@redhat.com> (raw)
In-Reply-To: <1403642893-23107-10-git-send-email-keescook@chromium.org>
On 06/24, Kees Cook wrote:
>
> +static void seccomp_sync_threads(void)
> +{
> + struct task_struct *thread, *caller;
> +
> + BUG_ON(!spin_is_locked(¤t->sighand->siglock));
> +
> + /* Synchronize all threads. */
> + caller = current;
> + for_each_thread(caller, thread) {
> + /* Get a task reference for the new leaf node. */
> + get_seccomp_filter(caller);
> + /*
> + * Drop the task reference to the shared ancestor since
> + * current's path will hold a reference. (This also
> + * allows a put before the assignment.)
> + */
> + put_seccomp_filter(thread);
> + thread->seccomp.filter = caller->seccomp.filter;
> + /* Opt the other thread into seccomp if needed.
> + * As threads are considered to be trust-realm
> + * equivalent (see ptrace_may_access), it is safe to
> + * allow one thread to transition the other.
> + */
> + if (thread->seccomp.mode == SECCOMP_MODE_DISABLED) {
> + /*
> + * Don't let an unprivileged task work around
> + * the no_new_privs restriction by creating
> + * a thread that sets it up, enters seccomp,
> + * then dies.
> + */
> + if (task_no_new_privs(caller))
> + task_set_no_new_privs(thread);
> +
> + seccomp_assign_mode(thread, SECCOMP_MODE_FILTER);
> + }
> + }
> +}
OK, personally I think this all make sense. I even think that perhaps
SECCOMP_FILTER_FLAG_TSYNC should allow filter == NULL, a thread might
want to "sync" without adding the new filter, but this is minor/offtopic.
But. Doesn't this change add the new security hole?
Obviously, we should not allow to install a filter and then (say) exec
a suid binary, that is why we have no_new_privs/LSM_UNSAFE_NO_NEW_PRIVS.
But what if "thread->seccomp.filter = caller->seccomp.filter" races with
any user of task_no_new_privs() ? Say, suppose this thread has already
passed check_unsafe_exec/etc and it is going to exec the suid binary?
Oleg.
WARNING: multiple messages have this Message-ID (diff)
From: oleg@redhat.com (Oleg Nesterov)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH v8 9/9] seccomp: implement SECCOMP_FILTER_FLAG_TSYNC
Date: Wed, 25 Jun 2014 16:21:21 +0200 [thread overview]
Message-ID: <20140625142121.GD7892@redhat.com> (raw)
In-Reply-To: <1403642893-23107-10-git-send-email-keescook@chromium.org>
On 06/24, Kees Cook wrote:
>
> +static void seccomp_sync_threads(void)
> +{
> + struct task_struct *thread, *caller;
> +
> + BUG_ON(!spin_is_locked(¤t->sighand->siglock));
> +
> + /* Synchronize all threads. */
> + caller = current;
> + for_each_thread(caller, thread) {
> + /* Get a task reference for the new leaf node. */
> + get_seccomp_filter(caller);
> + /*
> + * Drop the task reference to the shared ancestor since
> + * current's path will hold a reference. (This also
> + * allows a put before the assignment.)
> + */
> + put_seccomp_filter(thread);
> + thread->seccomp.filter = caller->seccomp.filter;
> + /* Opt the other thread into seccomp if needed.
> + * As threads are considered to be trust-realm
> + * equivalent (see ptrace_may_access), it is safe to
> + * allow one thread to transition the other.
> + */
> + if (thread->seccomp.mode == SECCOMP_MODE_DISABLED) {
> + /*
> + * Don't let an unprivileged task work around
> + * the no_new_privs restriction by creating
> + * a thread that sets it up, enters seccomp,
> + * then dies.
> + */
> + if (task_no_new_privs(caller))
> + task_set_no_new_privs(thread);
> +
> + seccomp_assign_mode(thread, SECCOMP_MODE_FILTER);
> + }
> + }
> +}
OK, personally I think this all make sense. I even think that perhaps
SECCOMP_FILTER_FLAG_TSYNC should allow filter == NULL, a thread might
want to "sync" without adding the new filter, but this is minor/offtopic.
But. Doesn't this change add the new security hole?
Obviously, we should not allow to install a filter and then (say) exec
a suid binary, that is why we have no_new_privs/LSM_UNSAFE_NO_NEW_PRIVS.
But what if "thread->seccomp.filter = caller->seccomp.filter" races with
any user of task_no_new_privs() ? Say, suppose this thread has already
passed check_unsafe_exec/etc and it is going to exec the suid binary?
Oleg.
next prev parent reply other threads:[~2014-06-25 14:21 UTC|newest]
Thread overview: 118+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-06-24 20:48 [PATCH v8 0/9] seccomp: add thread sync ability Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-24 20:48 ` [PATCH v8 1/9] seccomp: create internal mode-setting function Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-24 20:48 ` [PATCH v8 2/9] seccomp: split filter prep from check and apply Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-24 20:48 ` [PATCH v8 3/9] seccomp: introduce writer locking Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-25 14:03 ` Oleg Nesterov
2014-06-25 14:03 ` Oleg Nesterov
2014-06-25 18:07 ` Oleg Nesterov
2014-06-25 18:07 ` Oleg Nesterov
2014-06-25 18:29 ` Oleg Nesterov
2014-06-25 18:29 ` Oleg Nesterov
2014-06-27 17:27 ` Kees Cook
2014-06-27 17:27 ` Kees Cook
2014-06-24 20:48 ` [PATCH v8 4/9] sched: move no_new_privs into new atomic flags Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-25 13:43 ` Oleg Nesterov
2014-06-25 13:43 ` Oleg Nesterov
2014-06-25 14:44 ` Kees Cook
2014-06-25 14:44 ` Kees Cook
2014-06-24 20:48 ` [PATCH v8 5/9] seccomp: split mode set routines Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-25 13:51 ` Oleg Nesterov
2014-06-25 13:51 ` Oleg Nesterov
2014-06-25 14:51 ` Kees Cook
2014-06-25 14:51 ` Kees Cook
2014-06-25 16:10 ` Andy Lutomirski
2014-06-25 16:10 ` Andy Lutomirski
2014-06-25 16:54 ` Kees Cook
2014-06-25 16:54 ` Kees Cook
[not found] ` <CAGXu5j+J11zJnuFR8bYKAXizAHhCx4R+uJE_QH6zC3q2udkpaQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-06-25 17:03 ` Andy Lutomirski
2014-06-25 17:03 ` Andy Lutomirski
2014-06-25 17:03 ` Andy Lutomirski
2014-06-25 17:32 ` Oleg Nesterov
2014-06-25 17:32 ` Oleg Nesterov
[not found] ` <20140625173245.GA17695-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-06-25 17:38 ` Andy Lutomirski
2014-06-25 17:38 ` Andy Lutomirski
2014-06-25 17:38 ` Andy Lutomirski
2014-06-25 17:51 ` Oleg Nesterov
2014-06-25 17:51 ` Oleg Nesterov
2014-06-25 18:00 ` Kees Cook
2014-06-25 18:00 ` Kees Cook
[not found] ` <CAGXu5jL17k6=GXju6x+eLU20FMwBHhnuRiHoQD1Bzj_EmpiKjg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-06-25 18:07 ` Andy Lutomirski
2014-06-25 18:07 ` Andy Lutomirski
2014-06-25 18:07 ` Andy Lutomirski
2014-06-27 18:33 ` Kees Cook
2014-06-27 18:33 ` Kees Cook
2014-06-27 18:39 ` Andy Lutomirski
2014-06-27 18:39 ` Andy Lutomirski
[not found] ` <CALCETrUPxTxseJ=sOhD9CyJPtOqCR5sL8yx7KezLmLZcFSFNMA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-06-27 18:52 ` Kees Cook
2014-06-27 18:52 ` Kees Cook
2014-06-27 18:52 ` Kees Cook
2014-06-27 18:56 ` Andy Lutomirski
2014-06-27 18:56 ` Andy Lutomirski
2014-06-27 19:04 ` Kees Cook
2014-06-27 19:04 ` Kees Cook
[not found] ` <CAGXu5jL5rN6=2-SwHiiEVuGVain-T7Ucg2PsN7u08vQ5Rxz6Mg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-06-27 19:11 ` Andy Lutomirski
2014-06-27 19:11 ` Andy Lutomirski
2014-06-27 19:11 ` Andy Lutomirski
2014-06-27 19:27 ` Oleg Nesterov
2014-06-27 19:27 ` Oleg Nesterov
[not found] ` <20140627192753.GA30752-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-06-27 19:31 ` Andy Lutomirski
2014-06-27 19:31 ` Andy Lutomirski
2014-06-27 19:31 ` Andy Lutomirski
2014-06-27 19:55 ` Oleg Nesterov
2014-06-27 19:55 ` Oleg Nesterov
[not found] ` <20140627195559.GA31661-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-06-27 20:08 ` Andy Lutomirski
2014-06-27 20:08 ` Andy Lutomirski
2014-06-27 20:08 ` Andy Lutomirski
2014-06-27 20:56 ` Kees Cook
2014-06-27 20:56 ` Kees Cook
2014-06-27 20:56 ` Kees Cook
2014-06-25 17:00 ` Oleg Nesterov
2014-06-25 17:00 ` Oleg Nesterov
2014-06-24 20:48 ` [PATCH v8 6/9] seccomp: add "seccomp" syscall Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-24 20:48 ` [PATCH v8 7/9] ARM: add seccomp syscall Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-24 20:48 ` [PATCH v8 8/9] MIPS: " Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-24 20:48 ` [PATCH v8 9/9] seccomp: implement SECCOMP_FILTER_FLAG_TSYNC Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-25 14:21 ` Oleg Nesterov [this message]
2014-06-25 14:21 ` Oleg Nesterov
2014-06-25 15:08 ` Kees Cook
2014-06-25 15:08 ` Kees Cook
2014-06-25 16:52 ` Oleg Nesterov
2014-06-25 16:52 ` Oleg Nesterov
[not found] ` <20140625165209.GA14720-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-06-25 17:09 ` Kees Cook
2014-06-25 17:09 ` Kees Cook
2014-06-25 17:09 ` Kees Cook
2014-06-25 17:24 ` Oleg Nesterov
2014-06-25 17:24 ` Oleg Nesterov
2014-06-25 17:40 ` Andy Lutomirski
2014-06-25 17:40 ` Andy Lutomirski
2014-06-25 17:57 ` Kees Cook
2014-06-25 17:57 ` Kees Cook
2014-06-25 18:09 ` Andy Lutomirski
2014-06-25 18:09 ` Andy Lutomirski
2014-06-25 18:25 ` Kees Cook
2014-06-25 18:25 ` Kees Cook
2014-06-25 18:20 ` Oleg Nesterov
2014-06-25 18:20 ` Oleg Nesterov
[not found] ` <20140625182012.GA19437-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-06-25 18:31 ` Kees Cook
2014-06-25 18:31 ` Kees Cook
2014-06-25 18:31 ` Kees Cook
2014-06-24 20:56 ` [PATCH v8 1/1] man-pages: seccomp.2: document syscall Kees Cook
2014-06-24 20:56 ` Kees Cook
2014-06-25 13:04 ` One Thousand Gnomes
2014-06-25 13:04 ` One Thousand Gnomes
2014-06-25 15:10 ` Kees Cook
2014-06-25 15:10 ` Kees Cook
2014-06-25 17:54 ` Michael Kerrisk (man-pages)
2014-06-25 17:54 ` Michael Kerrisk (man-pages)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140625142121.GD7892@redhat.com \
--to=oleg@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=ast@plumgrid.com \
--cc=dborkman@redhat.com \
--cc=drysdale@google.com \
--cc=jln@chromium.org \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mips@linux-mips.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mtk.manpages@gmail.com \
--cc=wad@chromium.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.