From: "Mickaël Salaün" <mic@digikod.net>
To: Jann Horn <jannh@google.com>
Cc: "David Howells" <dhowells@redhat.com>,
"Jarkko Sakkinen" <jarkko@kernel.org>,
"Günther Noack" <gnoack@google.com>,
"James Morris" <jmorris@namei.org>, "Kees Cook" <kees@kernel.org>,
"Paul Moore" <paul@paul-moore.com>,
keyrings@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH v1] keys: Restrict KEYCTL_SESSION_TO_PARENT according to ptrace_may_access()
Date: Mon, 29 Jul 2024 17:02:41 +0200 [thread overview]
Message-ID: <20240729.rayi3Chi9aef@digikod.net> (raw)
In-Reply-To: <CAG48ez1=xbGd8az4+iNJ_v1z4McMN8dsvWff-PH=ozLYnbzPqg@mail.gmail.com>
On Mon, Jul 29, 2024 at 04:21:01PM +0200, Jann Horn wrote:
> On Mon, Jul 29, 2024 at 4:09 PM Mickaël Salaün <mic@digikod.net> wrote:
> > On Mon, Jul 29, 2024 at 03:49:29PM +0200, Jann Horn wrote:
> > > On Mon, Jul 29, 2024 at 2:59 PM Mickaël Salaün <mic@digikod.net> wrote:
> > > > A process can modify its parent's credentials with
> > > > KEYCTL_SESSION_TO_PARENT when their EUID and EGID are the same. This
> > > > doesn't take into account all possible access controls.
> > > >
> > > > Enforce the same access checks as for impersonating a process.
> > > >
> > > > The current credentials checks are untouch because they check against
> > > > EUID and EGID, whereas ptrace_may_access() checks against UID and GID.
> > >
> > > FWIW, my understanding is that the intended usecase of
> > > KEYCTL_SESSION_TO_PARENT is that command-line tools (like "keyctl
> > > new_session" and "e4crypt new_session") want to be able to change the
> > > keyring of the parent process that spawned them (which I think is
> > > usually a shell?); and Yama LSM, which I think is fairly widely used
> > > at this point, by default prevents a child process from using
> > > PTRACE_MODE_ATTACH on its parent.
> >
> > About Yama, the patched keyctl_session_to_parent() function already
> > check if the current's and the parent's credentials are the same before
> > this new ptrace_may_access() check.
>
> prepare_exec_creds() in execve() always creates new credentials which
> are stored in bprm->cred and then later committed in begin_new_exec().
> Also, fork() always copies the credentials in copy_creds().
> So the "mycred == pcred" condition in keyctl_session_to_parent()
> basically never applies, I think.
> Also: When that condition is true, the whole operation is a no-op,
> since if the credentials are the same, then the session keyring that
> the credentials point to must also be the same.
Correct, it's not a content comparison. We could compare the
credential's data for this specific KEYCTL_SESSION_TO_PARENT call, I
guess this should not be performance sensitive.
next prev parent reply other threads:[~2024-07-29 15:02 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-29 12:58 [PATCH v1] keys: Restrict KEYCTL_SESSION_TO_PARENT according to ptrace_may_access() Mickaël Salaün
2024-07-29 13:49 ` Jann Horn
2024-07-29 14:09 ` Mickaël Salaün
2024-07-29 14:21 ` Jann Horn
2024-07-29 15:02 ` Mickaël Salaün [this message]
2024-07-29 15:06 ` Jann Horn
2024-07-29 15:17 ` Mickaël Salaün
2024-07-31 20:29 ` Paul Moore
2024-07-31 20:53 ` Jann Horn
2024-07-31 21:27 ` Paul Moore
2024-07-31 21:33 ` Jann Horn
2024-08-01 15:34 ` Mickaël Salaün
2024-08-02 13:12 ` Jann Horn
2024-07-29 14:06 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240729.rayi3Chi9aef@digikod.net \
--to=mic@digikod.net \
--cc=dhowells@redhat.com \
--cc=gnoack@google.com \
--cc=jannh@google.com \
--cc=jarkko@kernel.org \
--cc=jmorris@namei.org \
--cc=kees@kernel.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.