From: Ben Hutchings
To: Jann Horn
Cc: Alexander Viro, Roland McGrath, Oleg Nesterov, John Johansen, James Morris, "Serge E. Hallyn", Paul Moore, Stephen Smalley, Eric Paris, Casey Schaufler, Kees Cook, Andrew Morton, Janis Danisevskis, Seth Forshee, "Eric . Biederman", Thomas Gleixner, Benjamin LaHaise, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, security@kernel.org
Date: Sun, 18 Sep 2016 19:38:48 +0100
Message-ID: <20160918183848.GS10601@decadent.org.uk>
In-Reply-To: <1474211117-16674-8-git-send-email-jann@thejh.net>
Subject: Re: [PATCH 7/9] ptrace: forbid ptrace checks against current_cred() from VFS context

On Sun, Sep 18, 2016 at 05:05:15PM +0200, Jann Horn wrote:
> This ensures that VFS implementations don't call ptrace_may_access() from
> VFS read or write handlers. In order for file descriptor passing to have
> its intended security properties, VFS read/write handlers must not do any
> kind of privilege checking.
[...]
> --- a/kernel/ptrace.c
> +++ b/kernel/ptrace.c
> @@ -302,6 +302,13 @@ ok:
>  bool ptrace_may_access(struct task_struct *task, unsigned int mode)
>  {
>  	int err;
> +
> +	/* If you have to check for ptrace access from a VFS method, use
> +	 * ptrace_may_access_noncurrent() instead.
> +	 */
> +	if (WARN_ON(current->in_unprivileged_vfs != 0))

Shouldn't this be WARN_ON_ONCE(), so that any such bug can't be used to
spam the log?

Ben.

> +		return false;
> +
>  	task_lock(task);
>  	err = __ptrace_may_access(task, mode, current_cred(),
>  				  &current->self_privunit_id);

-- 
Ben Hutchings
Reality is just a crutch for people who can't handle science fiction.
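Review bot: the WARN_ON() added before task_lock() in this hunk fires on every call while current->in_unprivileged_vfs is set, and because that condition is by definition reachable from an unprivileged read() or write(), one misplaced ptrace_may_access() call in a VFS handler lets userspace flood the log and, on a system booted with panic_on_warn, take the machine down; WARN_ON_ONCE() (as the reply suggests) or a ratelimited warning would be the safer choice. Returning false on the violation is the right fail-closed default, since a wrongly placed check must deny rather than grant. The comment names ptrace_may_access_noncurrent() but nothing in this hunk defines it or says which credentials the VFS caller should pass (the opener's file->f_cred rather than current_cred()); a short pointer to that in the comment would spare the next reader a search through the series.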
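The quoted commit message states the property the series is defending: a read/write handler must not make a privilege decision from current_cred(), because the file descriptor may have been opened by one task and handed to another. The following userspace model, added here as an illustration and not code from the patch or the kernel, shows the resulting confused-deputy: an unprivileged opener passes a descriptor to a privileged reader, and a use-time check against the reader's credentials grants what an open-time check (or a check against the opener's credentials, which the kernel keeps in file->f_cred) would deny. All names (cred_t, task_t, procfile_t, ptrace_may_access_as, laundering_scenario) and the simplified uid/CAP_SYS_PTRACE rule are assumptions of this model, not kernel API.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified credential model (assumption: uid match or
 * CAP_SYS_PTRACE, plus the target being dumpable, is enough). */
typedef struct { uint32_t uid; bool cap_sys_ptrace; } cred_t;
typedef struct { const char *name; cred_t cred; bool dumpable; } task_t;

/* Model of a /proc/<pid>/mem-style file: remembers the target task and,
 * like the kernel's file->f_cred, the credentials of whoever opened it. */
typedef struct { const task_t *target; cred_t f_cred; } procfile_t;

/* Simplified stand-in for __ptrace_may_access(): the decision is made for
 * an explicit credential set, never implicitly for "the current task". */
static bool ptrace_may_access_as(const cred_t *who, const task_t *target)
{
	if (who->cap_sys_ptrace)
		return true;
	return who->uid == target->cred.uid && target->dumpable;
}

/* open(): record the opener's credentials in f_cred. With check_at_open
 * the access decision is made here, against the opener. */
static bool procfile_open(procfile_t *f, const task_t *opener,
			  const task_t *target, bool check_at_open)
{
	f->target = target;
	f->f_cred = opener->cred;
	if (check_at_open && !ptrace_may_access_as(&opener->cred, target))
		return false;
	return true;
}

/* BUGGY read handler: decides on current_cred(), i.e. the reader. This is
 * the pattern the patch forbids from VFS context. */
static bool procfile_read_check_current(const procfile_t *f,
					const task_t *current)
{
	return ptrace_may_access_as(&current->cred, f->target);
}

/* FIXED read handler: decides on the opener's credentials (f_cred). */
static bool procfile_read_check_f_cred(const procfile_t *f)
{
	return ptrace_may_access_as(&f->f_cred, f->target);
}

/* Scenario: uid 1000 opens a handle on a root-owned task and passes the
 * descriptor to a setuid-root helper that reads from it. Returns true if
 * the unprivileged opener ends up with access it should not have. */
static bool laundering_scenario(bool use_f_cred)
{
	const task_t victim   = { "victim",   { 0,    false }, true };
	const task_t attacker = { "attacker", { 1000, false }, true };
	const task_t helper   = { "setuid-helper", { 0, false }, true };
	procfile_t f;

	/* Bug case: no open-time check; rely on the read handler to decide. */
	if (!procfile_open(&f, &attacker, &victim, /*check_at_open=*/use_f_cred))
		return false;	/* open denied: attacker gets nothing */

	/* Descriptor is now passed (SCM_RIGHTS, inherited stdin, etc.) and the
	 * privileged helper performs the read(). */
	bool granted = use_f_cred ? procfile_read_check_f_cred(&f)
				  : procfile_read_check_current(&f, &helper);
	return granted;
}

/* Sanity check: the same rule still lets a task read its own memory. */
static bool self_access_scenario(void)
{
	const task_t self = { "self", { 1000, false }, true };
	procfile_t f;
	if (!procfile_open(&f, &self, &self, true))
		return false;
	return procfile_read_check_f_cred(&f);
}

int main(void)
{
	printf("check at use with current_cred(): attacker gains access = %d\n",
	       laundering_scenario(false));
	printf("check at open / against f_cred:   attacker gains access = %d\n",
	       laundering_scenario(true));
	printf("self access still allowed = %d\n", self_access_scenario());
	return 0;
}
```

The point the model isolates is that the decision must be bound to the credentials that were in force when the handle was created, which is exactly why the patch pushes VFS callers towards a variant that takes explicit credentials instead of reading current_cred().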