Date: Sun, 18 Sep 2016 20:40:48 +0200
From: Jann Horn
To: Ben Hutchings
Cc: Alexander Viro, Roland McGrath, Oleg Nesterov, John Johansen, James Morris, "Serge E. Hallyn", Paul Moore, Stephen Smalley, Eric Paris, Casey Schaufler, Kees Cook, Andrew Morton, Janis Danisevskis, Seth Forshee, "Eric . Biederman", Thomas Gleixner, Benjamin LaHaise, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, security@kernel.org
Subject: Re: [PATCH 7/9] ptrace: forbid ptrace checks against current_cred() from VFS context
Message-ID: <20160918184048.GC17170@pc.thejh.net>
In-Reply-To: <20160918183848.GS10601@decadent.org.uk>
References: <1474211117-16674-1-git-send-email-jann@thejh.net> <1474211117-16674-8-git-send-email-jann@thejh.net> <20160918183848.GS10601@decadent.org.uk>

On Sun, Sep 18, 2016 at 07:38:48PM +0100, Ben Hutchings wrote:
> On Sun, Sep 18, 2016 at 05:05:15PM +0200, Jann Horn wrote:
> > This ensures that VFS implementations don't call ptrace_may_access() from
> > VFS read or write handlers. In order for file descriptor passing to have
> > its intended security properties, VFS read/write handlers must not do any
> > kind of privilege checking.
> [...]
> > --- a/kernel/ptrace.c
> > +++ b/kernel/ptrace.c
> > @@ -302,6 +302,13 @@ ok:
> >  bool ptrace_may_access(struct task_struct *task, unsigned int mode)
> >  {
> >  	int err;
> > +
> > +	/* If you have to check for ptrace access from a VFS method, use
> > +	 * ptrace_may_access_noncurrent() instead.
> > +	 */
> > +	if (WARN_ON(current->in_unprivileged_vfs != 0))
>
> Shouldn't this be WARN_ON_ONCE(), so that any such bug can't be used
> to spam the log?

Hm, makes sense. I'll change it in v2.
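Review bot: the block comment added above the `WARN_ON` check in the `ptrace_may_access()` hunk does not follow the kernel coding style for multi-line comments, which puts `/*` on a line of its own followed by ` * ...` lines and a closing ` */`; the text itself is fine, only the layout should change. Separately, the quote cuts off right after `if (WARN_ON(current->in_unprivileged_vfs != 0))`, so the body of that branch is not visible here: it should fail closed by denying the access (returning false) rather than only warning, since a VFS handler that reaches this point is exactly the case the patch sets out to forbid. Ben's `WARN_ON_ONCE()` suggestion stands as well, so that a reachable instance of the bug cannot be used to flood the log.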