From: ebiederm@xmission.com (Eric W. Biederman)
To: "Serge E. Hallyn" <serge@hallyn.com>
Cc: LSM <linux-security-module@vger.kernel.org>,
James Morris <jmorris@namei.org>,
Kees Cook <kees.cook@canonical.com>,
containers@lists.linux-foundation.org,
kernel list <linux-kernel@vger.kernel.org>,
Alexey Dobriyan <adobriyan@gmail.com>,
Michael Kerrisk <michael.kerrisk@gmail.com>
Subject: Re: [RFC 5/5] user namespaces: Allow ptrace from non-init user namespaces
Date: Fri, 17 Dec 2010 11:45:49 -0800 [thread overview]
Message-ID: <m1hbecqj2q.fsf@fess.ebiederm.org> (raw)
In-Reply-To: <20101217152737.GE11162@mail.hallyn.com> (Serge E. Hallyn's message of "Fri, 17 Dec 2010 15:27:37 +0000")
"Serge E. Hallyn" <serge@hallyn.com> writes:
> ptrace is allowed to tasks in the same user namespace according to
> the usual rules (i.e. the same rules as for two tasks in the init
> user namespace). ptrace is also allowed to a user namespace to
> which the current task the has CAP_SYS_PTRACE capability.
The uid equality check below is broken.
Eric
> Signed-off-by: Serge E. Hallyn <serge.hallyn@canonical.com>
> ---
> include/linux/capability.h | 2 ++
> kernel/ptrace.c | 40 ++++++++++++++++++++++++++++------------
> security/commoncap.c | 26 +++++++++++++++++++++-----
> 3 files changed, 51 insertions(+), 17 deletions(-)
>
> diff --git a/include/linux/capability.h b/include/linux/capability.h
> index cc3e976..777a166 100644
> --- a/include/linux/capability.h
> +++ b/include/linux/capability.h
> @@ -543,6 +543,8 @@ extern const kernel_cap_t __cap_init_eff_set;
> */
> #define has_capability(t, cap) (security_real_capable((t), &init_user_ns, (cap)) == 0)
>
> +#define has_ns_capability(t, ns, cap) (security_real_capable((t), (ns), (cap)) == 0)
> +
> /**
> * has_capability_noaudit - Determine if a task has a superior capability available (unaudited)
> * @t: The task in question
> diff --git a/kernel/ptrace.c b/kernel/ptrace.c
> index 99bbaa3..aed24eb 100644
> --- a/kernel/ptrace.c
> +++ b/kernel/ptrace.c
> @@ -116,6 +116,19 @@ int ptrace_check_attach(struct task_struct *child, int kill)
> return ret;
> }
>
> +static inline int may_ptrace_ns(struct task_struct *t)
Can we name this ptrace_capable? Since you are only
wrapping the capability check? With a name like may_ptrace_ns
I imagine very different semantics.
> +{
> + struct user_namespace *ns;
> + int ret;
> +
> + rcu_read_lock();
> + ns = task_cred_xxx(t, user)->user_ns;
> + ret = ns_capable(ns, CAP_SYS_PTRACE);
> + rcu_read_unlock();
> +
> + return ret;
> +}
> +
> int __ptrace_may_access(struct task_struct *task, unsigned int mode)
> {
> const struct cred *cred = current_cred(), *tcred;
> @@ -134,21 +147,24 @@ int __ptrace_may_access(struct task_struct *task, unsigned int mode)
> return 0;
> rcu_read_lock();
> tcred = __task_cred(task);
> - if ((cred->uid != tcred->euid ||
> - cred->uid != tcred->suid ||
> - cred->uid != tcred->uid ||
> - cred->gid != tcred->egid ||
> - cred->gid != tcred->sgid ||
> - cred->gid != tcred->gid) &&
> - !capable(CAP_SYS_PTRACE)) {
> - rcu_read_unlock();
> - return -EPERM;
> - }
> + if (cred->user->user_ns == tcred->user->user_ns &&
> + (cred->uid == tcred->euid ||
> + cred->uid == tcred->suid ||
> + cred->uid == tcred->uid ||
> + cred->gid == tcred->egid ||
> + cred->gid == tcred->sgid ||
> + cred->gid == tcred->gid))
> + goto ok;
This needs to be:
> + if (cred->user->user_ns == tcred->user->user_ns &&
> + (cred->uid == tcred->euid &&
> + cred->uid == tcred->suid &&
> + cred->uid == tcred->uid &&
> + cred->gid == tcred->egid &&
> + cred->gid == tcred->sgid &&
> + cred->gid == tcred->gid))
> + goto ok;
> + if (ns_capable(tcred->user->user_ns, CAP_SYS_PTRACE))
> + goto ok;
> + rcu_read_unlock();
> + return -EPERM;
> +ok:
> rcu_read_unlock();
> smp_rmb();
> if (task->mm)
> dumpable = get_dumpable(task->mm);
> - if (!dumpable && !capable(CAP_SYS_PTRACE))
> + if (!dumpable && !may_ptrace_ns(task))
> return -EPERM;
>
> return security_ptrace_access_check(task, mode);
> @@ -198,7 +214,7 @@ int ptrace_attach(struct task_struct *task)
> goto unlock_tasklist;
>
> task->ptrace = PT_PTRACED;
> - if (capable(CAP_SYS_PTRACE))
> + if (may_ptrace_ns(task))
> task->ptrace |= PT_PTRACE_CAP;
>
> __ptrace_link(task, current);
> diff --git a/security/commoncap.c b/security/commoncap.c
> index 9d910e6..bd0bcc6 100644
> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -136,12 +136,20 @@ int cap_settime(struct timespec *ts, struct timezone *tz)
> int cap_ptrace_access_check(struct task_struct *child, unsigned int mode)
> {
> int ret = 0;
> + struct cred *cred, *tcred;
>
> rcu_read_lock();
> - if (!cap_issubset(__task_cred(child)->cap_permitted,
> - current_cred()->cap_permitted) &&
> + cred = current_cred();
> + tcred = __task_cred(child);
> + if (cred->user->user_ns != tcred->user->user_ns) {
This probably deserves a comment about why cap_issubset isn't
needed here. Aka we implicitly have all caps in child user namespaces
so if we have CAP_SYS_PTRACE we know we have them all.
> + if (!ns_capable(tcred->user->user_ns, CAP_SYS_PTRACE))
> + ret = -EPERM;
> + goto out;
> + }
> + if (!cap_issubset(tcred->cap_permitted, cred->cap_permitted) &&
> !capable(CAP_SYS_PTRACE))
> ret = -EPERM;
> +out:
> rcu_read_unlock();
> return ret;
> }
> @@ -156,12 +164,20 @@ int cap_ptrace_access_check(struct task_struct *child, unsigned int mode)
> int cap_ptrace_traceme(struct task_struct *parent)
> {
> int ret = 0;
> + struct cred *cred, *tcred;
>
> rcu_read_lock();
> - if (!cap_issubset(current_cred()->cap_permitted,
> - __task_cred(parent)->cap_permitted) &&
> - !has_capability(parent, CAP_SYS_PTRACE))
> + cred = __task_cred(parent);
> + tcred = current_cred();
> + if (cred->user->user_ns != tcred->user->user_ns) {
> + if (!has_ns_capability(parent, tcred->user->user_ns, CAP_SYS_PTRACE))
> + ret = -EPERM;
> + goto out;
> + }
> + if (!cap_issubset(tcred->cap_permitted, cred->cap_permitted) &&
> + !has_ns_capability(parent, tcred->user->user_ns, CAP_SYS_PTRACE))
> ret = -EPERM;
> +out:
> rcu_read_unlock();
> return ret;
> }
next prev parent reply other threads:[~2010-12-17 19:45 UTC|newest]
Thread overview: 57+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-12-17 15:22 [RFC 0/5] user namespaces: start clamping down Serge E. Hallyn
[not found] ` <20101217152246.GA8221-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2010-12-17 15:24 ` [RFC 1/5] user namespaces: Add a user_namespace as creator/owner of uts_namespace Serge E. Hallyn
2010-12-17 15:24 ` Serge E. Hallyn
2010-12-17 15:25 ` [RFC 2/5] user namespaces: make capabilities relative to the user namespace Serge E. Hallyn
2010-12-17 15:26 ` [RFC 3/5] user namespaces: allow sethostname in a container Serge E. Hallyn
2010-12-17 15:26 ` [RFC 4/5] user namespaces: allow killing tasks in your own or child userns Serge E. Hallyn
2010-12-17 15:27 ` [RFC 5/5] user namespaces: Allow ptrace from non-init user namespaces Serge E. Hallyn
2010-12-17 19:45 ` Eric W. Biederman [this message]
2010-12-17 20:04 ` Serge Hallyn
[not found] ` <m1hbecqj2q.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-12-17 20:04 ` Serge Hallyn
2011-01-01 4:47 ` Serge E. Hallyn
2011-01-01 4:47 ` Serge E. Hallyn
[not found] ` <20101217152737.GE11162-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2010-12-17 19:45 ` Eric W. Biederman
2010-12-17 19:31 ` [RFC 4/5] user namespaces: allow killing tasks in your own or child userns Eric W. Biederman
2010-12-17 20:09 ` Serge E. Hallyn
[not found] ` <20101217200903.GA15528-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2010-12-17 20:17 ` Eric W. Biederman
2010-12-17 20:17 ` Eric W. Biederman
2010-12-17 20:22 ` Serge E. Hallyn
2011-01-01 4:45 ` Serge E. Hallyn
2011-01-01 23:10 ` Eric W. Biederman
[not found] ` <m1zkrkuso4.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2011-01-02 14:39 ` Serge E. Hallyn
2011-01-02 14:39 ` Serge E. Hallyn
[not found] ` <20110101044522.GA26476-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2011-01-01 23:10 ` Eric W. Biederman
[not found] ` <m1d3p0qhl5.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-12-17 20:22 ` Serge E. Hallyn
2011-01-01 4:45 ` Serge E. Hallyn
[not found] ` <m14oacryar.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-12-17 20:09 ` Serge E. Hallyn
[not found] ` <20101217152659.GD11162-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2010-12-17 15:27 ` [RFC 5/5] user namespaces: Allow ptrace from non-init user namespaces Serge E. Hallyn
2010-12-17 19:31 ` [RFC 4/5] user namespaces: allow killing tasks in your own or child userns Eric W. Biederman
[not found] ` <20101217152625.GC11162-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2010-12-17 15:26 ` Serge E. Hallyn
[not found] ` <20101217152547.GB11162-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2010-12-17 15:26 ` [RFC 3/5] user namespaces: allow sethostname in a container Serge E. Hallyn
2010-12-17 15:56 ` [RFC 1/5] user namespaces: Add a user_namespace as creator/owner of uts_namespace Alexey Dobriyan
2010-12-17 16:00 ` Alexey Dobriyan
2010-12-17 16:17 ` Serge Hallyn
[not found] ` <AANLkTik2ry7zbRMgiwhrXMYfQ4tr07BW0ODCNbKBMWmc-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2010-12-17 16:17 ` Serge Hallyn
2010-12-17 16:12 ` Serge Hallyn
[not found] ` <AANLkTinPBAPjeEdhn21JN6zVpAKDHR9=3gszj84CyyNx-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2010-12-17 16:00 ` Alexey Dobriyan
2010-12-17 16:12 ` Serge Hallyn
[not found] ` <20101217152458.GA11162-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2010-12-17 15:25 ` [RFC 2/5] user namespaces: make capabilities relative to the user namespace Serge E. Hallyn
2010-12-17 15:56 ` [RFC 1/5] user namespaces: Add a user_namespace as creator/owner of uts_namespace Alexey Dobriyan
2010-12-17 17:31 ` Greg KH
2010-12-17 17:31 ` Greg KH
2010-12-17 19:26 ` Eric W. Biederman
2010-12-17 19:58 ` Greg KH
[not found] ` <20101217195829.GB1410-U8xfFu+wG4EAvxtiuMwx3w@public.gmane.org>
2010-12-17 20:40 ` Eric W. Biederman
2010-12-17 20:40 ` Eric W. Biederman
2010-12-17 23:15 ` Greg KH
2010-12-18 6:32 ` Eric W. Biederman
[not found] ` <m1vd2rlhez.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-12-18 17:56 ` Greg KH
2010-12-18 17:56 ` Greg KH
[not found] ` <20101217231527.GA21227-U8xfFu+wG4EAvxtiuMwx3w@public.gmane.org>
2010-12-18 6:32 ` Eric W. Biederman
[not found] ` <m1ipysm8us.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-12-17 23:15 ` Greg KH
[not found] ` <m18vzoryit.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-12-17 19:58 ` Greg KH
[not found] ` <20101217173125.GA29982-U8xfFu+wG4EAvxtiuMwx3w@public.gmane.org>
2010-12-17 19:26 ` Eric W. Biederman
2010-12-17 19:46 ` Serge Hallyn
2010-12-17 19:46 ` Serge Hallyn
2010-12-17 19:57 ` Greg KH
2010-12-17 19:57 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m1hbecqj2q.fsf@fess.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=adobriyan@gmail.com \
--cc=containers@lists.linux-foundation.org \
--cc=jmorris@namei.org \
--cc=kees.cook@canonical.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=michael.kerrisk@gmail.com \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.