From: Jann Horn <jannh@google.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Aleksa Sarai <cyphar@cyphar.com>,
Andy Lutomirski <luto@kernel.org>,
Al Viro <viro@zeniv.linux.org.uk>,
Jeff Layton <jlayton@kernel.org>,
"J. Bruce Fields" <bfields@fieldses.org>,
Arnd Bergmann <arnd@arndb.de>,
David Howells <dhowells@redhat.com>,
Andrew Morton <akpm@linux-foundation.org>,
Alexei Starovoitov <ast@kernel.org>,
Kees Cook <keescook@chromium.org>,
Christian Brauner <christian@brauner.io>,
Tycho Andersen <tycho@tycho.ws>,
David Drysdale <drysdale@google.com>,
Chanho Min <chanho.min@lge.com>, Oleg Nesterov <oleg@redhat.com>,
Aleksa Sarai <asarai@suse.de>,
Linus Torvalds <torvalds@linux-foundation.org>,
containers@lists.linux-foundation.org,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
Linux API <linux-api@vger.kernel.org>
Subject: Re: [PATCH v6 5/6] binfmt_*: scope path resolution of interpreters
Date: Fri, 10 May 2019 22:10:32 +0200 [thread overview]
Message-ID: <20190510201032.GA253532@google.com> (raw)
In-Reply-To: <87o94d6aql.fsf@xmission.com>
On Tue, May 07, 2019 at 07:38:58PM -0500, Eric W. Biederman wrote:
> Jann Horn <jannh@google.com> writes:
> > In my opinion, CVE-2019-5736 points out two different problems:
> >
> > The big problem: The __ptrace_may_access() logic has a special-case
> > short-circuit for "introspection" that you can't opt out of;
>
> Once upon a time in a galaxy far far away I fixed a bug where we missing
> ptrace_may_access checks on various proc files and systems using selinux
> stopped working. At the time selinux did not allow ptrace like access
> to yourself. The "introspection" special case was the quick and simple
> work-around.
>
> There is nothing fundamental in having the "introspection" special case
> except that various lsms have probably grown to depend upon it being
> there. I expect without difficulty we could move the check down
> into the various lsms. Which would get that check out of the core
> kernel code.
Oh, if that's an option, that would be great, I think.
But this means, for example, that a non-root, non-dumpable process can't
open /proc/self/maps anymore, or open /proc/self/fd/*, and things like
that, without making itself dumpable. I would be surprised if there is
no code out there that relies on that.
>From what I can tell, without the introspection special case,
introspection would fail in the following cases (assuming that the
process is not capable and isn't using sys_setfs[ug]id()):
- ruid/euid/suid are not all the same
- rgid/egid/sgid are not all the same
- process is not dumpable
I think that there probably should be some way for a non-dumpable
process to look at its own procfs entries? If we could start from a
clean slate, I'd propose an opt-in flag to openat() for that, but
since we don't have a clean slate, I'd be afraid of breaking things
with that. But maybe I'm just being overly careful here?
WARNING: multiple messages have this Message-ID (diff)
From: Jann Horn <jannh@google.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Aleksa Sarai <cyphar@cyphar.com>,
Andy Lutomirski <luto@kernel.org>,
Al Viro <viro@zeniv.linux.org.uk>,
Jeff Layton <jlayton@kernel.org>,
"J. Bruce Fields" <bfields@fieldses.org>,
Arnd Bergmann <arnd@arndb.de>,
David Howells <dhowells@redhat.com>,
Andrew Morton <akpm@linux-foundation.org>,
Alexei Starovoitov <ast@kernel.org>,
Kees Cook <keescook@chromium.org>,
Christian Brauner <christian@brauner.io>,
Tycho Andersen <tycho@tycho.ws>,
David Drysdale <drysdale@google.com>,
Chanho Min <chanho.min@lge.com>, Oleg Nesterov <oleg@redhat.com>,
Aleksa Sarai <asarai@suse.de>,
Linus Torvalds <torvalds@linux-foundation.org>,
containers@lists.linux-foundation.org,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
Linux API <linux-api@vger.kernel.org>
Subject: Re: [PATCH v6 5/6] binfmt_*: scope path resolution of interpreters
Date: Fri, 10 May 2019 22:10:32 +0200 [thread overview]
Message-ID: <20190510201032.GA253532@google.com> (raw)
In-Reply-To: <87o94d6aql.fsf@xmission.com>
On Tue, May 07, 2019 at 07:38:58PM -0500, Eric W. Biederman wrote:
> Jann Horn <jannh@google.com> writes:
> > In my opinion, CVE-2019-5736 points out two different problems:
> >
> > The big problem: The __ptrace_may_access() logic has a special-case
> > short-circuit for "introspection" that you can't opt out of;
>
> Once upon a time in a galaxy far far away I fixed a bug where we missing
> ptrace_may_access checks on various proc files and systems using selinux
> stopped working. At the time selinux did not allow ptrace like access
> to yourself. The "introspection" special case was the quick and simple
> work-around.
>
> There is nothing fundamental in having the "introspection" special case
> except that various lsms have probably grown to depend upon it being
> there. I expect without difficulty we could move the check down
> into the various lsms. Which would get that check out of the core
> kernel code.
Oh, if that's an option, that would be great, I think.
But this means, for example, that a non-root, non-dumpable process can't
open /proc/self/maps anymore, or open /proc/self/fd/*, and things like
that, without making itself dumpable. I would be surprised if there is
no code out there that relies on that.
From what I can tell, without the introspection special case,
introspection would fail in the following cases (assuming that the
process is not capable and isn't using sys_setfs[ug]id()):
- ruid/euid/suid are not all the same
- rgid/egid/sgid are not all the same
- process is not dumpable
I think that there probably should be some way for a non-dumpable
process to look at its own procfs entries? If we could start from a
clean slate, I'd propose an opt-in flag to openat() for that, but
since we don't have a clean slate, I'd be afraid of breaking things
with that. But maybe I'm just being overly careful here?
WARNING: multiple messages have this Message-ID (diff)
From: Jann Horn <jannh@google.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Aleksa Sarai <cyphar@cyphar.com>,
Andy Lutomirski <luto@kernel.org>,
Al Viro <viro@zeniv.linux.org.uk>,
Jeff Layton <jlayton@kernel.org>,
"J. Bruce Fields" <bfields@fieldses.org>,
Arnd Bergmann <arnd@arndb.de>,
David Howells <dhowells@redhat.com>,
Andrew Morton <akpm@linux-foundation.org>,
Alexei Starovoitov <ast@kernel.org>,
Kees Cook <keescook@chromium.org>,
Christian Brauner <christian@brauner.io>,
Tycho Andersen <tycho@tycho.ws>,
David Drysdale <drysdale@google.com>,
Chanho Min <chanho.min@lge.com>, Oleg Nesterov <oleg@redhat.com>,
Aleksa Sarai <asarai@suse.de>,
Linus Torvalds <torvalds@linux-foundation.org>,
containers@lists.linux-foundation.org,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
Linux API <linux-api@vger.kernel.org>,
kernel list <linux-kernel@vger.kernel.org>,
linux-arch <linux-arch@vger.kernel.org>
Subject: Re: [PATCH v6 5/6] binfmt_*: scope path resolution of interpreters
Date: Fri, 10 May 2019 22:10:32 +0200 [thread overview]
Message-ID: <20190510201032.GA253532@google.com> (raw)
Message-ID: <20190510201032.TgL6UjlABqyKThw5TfgdWpUe0_Jo8d7b7zFzZpVLefE@z> (raw)
In-Reply-To: <87o94d6aql.fsf@xmission.com>
On Tue, May 07, 2019 at 07:38:58PM -0500, Eric W. Biederman wrote:
> Jann Horn <jannh@google.com> writes:
> > In my opinion, CVE-2019-5736 points out two different problems:
> >
> > The big problem: The __ptrace_may_access() logic has a special-case
> > short-circuit for "introspection" that you can't opt out of;
>
> Once upon a time in a galaxy far far away I fixed a bug where we missing
> ptrace_may_access checks on various proc files and systems using selinux
> stopped working. At the time selinux did not allow ptrace like access
> to yourself. The "introspection" special case was the quick and simple
> work-around.
>
> There is nothing fundamental in having the "introspection" special case
> except that various lsms have probably grown to depend upon it being
> there. I expect without difficulty we could move the check down
> into the various lsms. Which would get that check out of the core
> kernel code.
Oh, if that's an option, that would be great, I think.
But this means, for example, that a non-root, non-dumpable process can't
open /proc/self/maps anymore, or open /proc/self/fd/*, and things like
that, without making itself dumpable. I would be surprised if there is
no code out there that relies on that.
WARNING: multiple messages have this Message-ID (diff)
From: Jann Horn <jannh@google.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Aleksa Sarai <cyphar@cyphar.com>,
Andy Lutomirski <luto@kernel.org>,
Al Viro <viro@zeniv.linux.org.uk>,
Jeff Layton <jlayton@kernel.org>,
"J. Bruce Fields" <bfields@fieldses.org>,
Arnd Bergmann <arnd@arndb.de>,
David Howells <dhowells@redhat.com>,
Andrew Morton <akpm@linux-foundation.org>,
Alexei Starovoitov <ast@kernel.org>,
Kees Cook <keescook@chromium.org>,
Christian Brauner <christian@brauner.io>,
Tycho Andersen <tycho@tycho.ws>,
David Drysdale <drysdale@google.com>,
Chanho Min <chanho.min@lge.com>, Oleg Nesterov <oleg@redhat.com>,
Aleksa Sarai <asarai@suse.de>,
Linus Torvalds <torvalds@linux-foundation.org>,
containers@lists.linux-foundation.org,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
Linux API <linux-api@vger.kernel.org>,
kernel list <linux-kernel@vger.kernel.org>,
linux-arch <linux-arch@vger.kernel.org>
Subject: Re: [PATCH v6 5/6] binfmt_*: scope path resolution of interpreters
Date: Fri, 10 May 2019 22:10:32 +0200 [thread overview]
Message-ID: <20190510201032.GA253532@google.com> (raw)
In-Reply-To: <87o94d6aql.fsf@xmission.com>
On Tue, May 07, 2019 at 07:38:58PM -0500, Eric W. Biederman wrote:
> Jann Horn <jannh@google.com> writes:
> > In my opinion, CVE-2019-5736 points out two different problems:
> >
> > The big problem: The __ptrace_may_access() logic has a special-case
> > short-circuit for "introspection" that you can't opt out of;
>
> Once upon a time in a galaxy far far away I fixed a bug where we missing
> ptrace_may_access checks on various proc files and systems using selinux
> stopped working. At the time selinux did not allow ptrace like access
> to yourself. The "introspection" special case was the quick and simple
> work-around.
>
> There is nothing fundamental in having the "introspection" special case
> except that various lsms have probably grown to depend upon it being
> there. I expect without difficulty we could move the check down
> into the various lsms. Which would get that check out of the core
> kernel code.
Oh, if that's an option, that would be great, I think.
But this means, for example, that a non-root, non-dumpable process can't
open /proc/self/maps anymore, or open /proc/self/fd/*, and things like
that, without making itself dumpable. I would be surprised if there is
no code out there that relies on that.
From what I can tell, without the introspection special case,
introspection would fail in the following cases (assuming that the
process is not capable and isn't using sys_setfs[ug]id()):
- ruid/euid/suid are not all the same
- rgid/egid/sgid are not all the same
- process is not dumpable
I think that there probably should be some way for a non-dumpable
process to look at its own procfs entries? If we could start from a
clean slate, I'd propose an opt-in flag to openat() for that, but
since we don't have a clean slate, I'd be afraid of breaking things
with that. But maybe I'm just being overly careful here?
next prev parent reply other threads:[~2019-05-10 20:10 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-06 16:54 [PATCH v6 0/6] namei: resolveat(2) path resolution restriction API Aleksa Sarai
2019-05-06 16:54 ` [PATCH v6 1/6] namei: split out nd->dfd handling to dirfd_path_init Aleksa Sarai
2019-05-06 16:54 ` [PATCH v6 2/6] namei: O_BENEATH-style path resolution flags Aleksa Sarai
2019-05-06 16:54 ` [PATCH v6 3/6] namei: LOOKUP_IN_ROOT: chroot-like path resolution Aleksa Sarai
2019-05-06 16:54 ` [PATCH v6 4/6] namei: aggressively check for nd->root escape on ".." resolution Aleksa Sarai
2019-05-06 16:54 ` [PATCH v6 5/6] binfmt_*: scope path resolution of interpreters Aleksa Sarai
2019-05-06 18:37 ` Jann Horn
2019-05-06 18:37 ` Jann Horn
2019-05-06 19:17 ` Aleksa Sarai
2019-05-06 19:17 ` Aleksa Sarai
2019-05-06 23:41 ` Andy Lutomirski
2019-05-06 23:41 ` Andy Lutomirski
2019-05-08 0:54 ` Aleksa Sarai
2019-05-08 0:54 ` Aleksa Sarai
2019-05-10 20:41 ` Jann Horn
2019-05-10 20:41 ` Jann Horn
2019-05-10 21:20 ` Andy Lutomirski
2019-05-10 21:20 ` Andy Lutomirski
2019-05-10 22:55 ` Jann Horn
2019-05-10 22:55 ` Jann Horn
2019-05-10 23:36 ` Christian Brauner
2019-05-10 23:36 ` Christian Brauner
2019-05-11 15:49 ` Aleksa Sarai
2019-05-11 15:49 ` Aleksa Sarai
2019-05-11 17:00 ` Andy Lutomirski
2019-05-11 17:00 ` Andy Lutomirski
2019-05-11 17:21 ` Linus Torvalds
2019-05-11 17:21 ` Linus Torvalds
2019-05-11 17:26 ` Linus Torvalds
2019-05-11 17:26 ` Linus Torvalds
2019-05-11 17:31 ` Aleksa Sarai
2019-05-11 17:31 ` Aleksa Sarai
2019-05-11 17:43 ` Linus Torvalds
2019-05-11 17:43 ` Linus Torvalds
2019-05-11 17:48 ` Christian Brauner
2019-05-11 17:48 ` Christian Brauner
2019-05-11 18:00 ` Aleksa Sarai
2019-05-11 18:00 ` Aleksa Sarai
2019-05-11 22:39 ` Andy Lutomirski
2019-05-11 22:39 ` Andy Lutomirski
[not found] ` <CAHk-=wg3+3GfHsHdB4o78jNiPh_5ShrzxBuTN-Y8EZfiFMhCvw@mail.gmail.com>
2019-05-12 10:19 ` Christian Brauner
2019-05-12 10:19 ` Christian Brauner
[not found] ` <9CD2B97D-A6BD-43BE-9040-B410D996A195@amacapital.net>
2019-05-12 10:44 ` Linus Torvalds
2019-05-12 10:44 ` Linus Torvalds
2019-05-12 13:35 ` Aleksa Sarai
2019-05-12 13:35 ` Aleksa Sarai
2019-05-12 13:38 ` Aleksa Sarai
2019-05-12 13:38 ` Aleksa Sarai
2019-05-12 14:34 ` Andy Lutomirski
2019-05-12 14:34 ` Andy Lutomirski
2019-05-11 17:26 ` Aleksa Sarai
2019-05-11 17:26 ` Aleksa Sarai
2019-05-08 0:38 ` Eric W. Biederman
2019-05-08 0:38 ` Eric W. Biederman
2019-05-10 20:10 ` Jann Horn [this message]
2019-05-10 20:10 ` Jann Horn
2019-05-10 20:10 ` Jann Horn
2019-05-10 20:10 ` Jann Horn
2019-05-06 16:54 ` [PATCH v6 6/6] namei: resolveat(2) syscall Aleksa Sarai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190510201032.GA253532@google.com \
--to=jannh@google.com \
--cc=akpm@linux-foundation.org \
--cc=arnd@arndb.de \
--cc=asarai@suse.de \
--cc=ast@kernel.org \
--cc=bfields@fieldses.org \
--cc=chanho.min@lge.com \
--cc=christian@brauner.io \
--cc=containers@lists.linux-foundation.org \
--cc=cyphar@cyphar.com \
--cc=dhowells@redhat.com \
--cc=drysdale@google.com \
--cc=ebiederm@xmission.com \
--cc=jlayton@kernel.org \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=oleg@redhat.com \
--cc=torvalds@linux-foundation.org \
--cc=tycho@tycho.ws \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.