From: "Serge E. Hallyn" <serge@hallyn.com>
To: "Serge E. Hallyn" <serge@hallyn.com>
Cc: LSM <linux-security-module@vger.kernel.org>,
James Morris <jmorris@namei.org>,
Kees Cook <kees.cook@canonical.com>,
containers@lists.linux-foundation.org,
kernel list <linux-kernel@vger.kernel.org>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Alexey Dobriyan <adobriyan@gmail.com>,
Michael Kerrisk <michael.kerrisk@gmail.com>
Subject: [RFC 5/5] user namespaces: Allow ptrace from non-init user namespaces
Date: Fri, 17 Dec 2010 15:27:37 +0000 [thread overview]
Message-ID: <20101217152737.GE11162@mail.hallyn.com> (raw)
In-Reply-To: <20101217152659.GD11162@mail.hallyn.com>
ptrace is allowed to tasks in the same user namespace according to
the usual rules (i.e. the same rules as for two tasks in the init
user namespace). ptrace is also allowed to a user namespace to
which the current task the has CAP_SYS_PTRACE capability.
Signed-off-by: Serge E. Hallyn <serge.hallyn@canonical.com>
---
include/linux/capability.h | 2 ++
kernel/ptrace.c | 40 ++++++++++++++++++++++++++++------------
security/commoncap.c | 26 +++++++++++++++++++++-----
3 files changed, 51 insertions(+), 17 deletions(-)
diff --git a/include/linux/capability.h b/include/linux/capability.h
index cc3e976..777a166 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -543,6 +543,8 @@ extern const kernel_cap_t __cap_init_eff_set;
*/
#define has_capability(t, cap) (security_real_capable((t), &init_user_ns, (cap)) == 0)
+#define has_ns_capability(t, ns, cap) (security_real_capable((t), (ns), (cap)) == 0)
+
/**
* has_capability_noaudit - Determine if a task has a superior capability available (unaudited)
* @t: The task in question
diff --git a/kernel/ptrace.c b/kernel/ptrace.c
index 99bbaa3..aed24eb 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -116,6 +116,19 @@ int ptrace_check_attach(struct task_struct *child, int kill)
return ret;
}
+static inline int may_ptrace_ns(struct task_struct *t)
+{
+ struct user_namespace *ns;
+ int ret;
+
+ rcu_read_lock();
+ ns = task_cred_xxx(t, user)->user_ns;
+ ret = ns_capable(ns, CAP_SYS_PTRACE);
+ rcu_read_unlock();
+
+ return ret;
+}
+
int __ptrace_may_access(struct task_struct *task, unsigned int mode)
{
const struct cred *cred = current_cred(), *tcred;
@@ -134,21 +147,24 @@ int __ptrace_may_access(struct task_struct *task, unsigned int mode)
return 0;
rcu_read_lock();
tcred = __task_cred(task);
- if ((cred->uid != tcred->euid ||
- cred->uid != tcred->suid ||
- cred->uid != tcred->uid ||
- cred->gid != tcred->egid ||
- cred->gid != tcred->sgid ||
- cred->gid != tcred->gid) &&
- !capable(CAP_SYS_PTRACE)) {
- rcu_read_unlock();
- return -EPERM;
- }
+ if (cred->user->user_ns == tcred->user->user_ns &&
+ (cred->uid == tcred->euid ||
+ cred->uid == tcred->suid ||
+ cred->uid == tcred->uid ||
+ cred->gid == tcred->egid ||
+ cred->gid == tcred->sgid ||
+ cred->gid == tcred->gid))
+ goto ok;
+ if (ns_capable(tcred->user->user_ns, CAP_SYS_PTRACE))
+ goto ok;
+ rcu_read_unlock();
+ return -EPERM;
+ok:
rcu_read_unlock();
smp_rmb();
if (task->mm)
dumpable = get_dumpable(task->mm);
- if (!dumpable && !capable(CAP_SYS_PTRACE))
+ if (!dumpable && !may_ptrace_ns(task))
return -EPERM;
return security_ptrace_access_check(task, mode);
@@ -198,7 +214,7 @@ int ptrace_attach(struct task_struct *task)
goto unlock_tasklist;
task->ptrace = PT_PTRACED;
- if (capable(CAP_SYS_PTRACE))
+ if (may_ptrace_ns(task))
task->ptrace |= PT_PTRACE_CAP;
__ptrace_link(task, current);
diff --git a/security/commoncap.c b/security/commoncap.c
index 9d910e6..bd0bcc6 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -136,12 +136,20 @@ int cap_settime(struct timespec *ts, struct timezone *tz)
int cap_ptrace_access_check(struct task_struct *child, unsigned int mode)
{
int ret = 0;
+ struct cred *cred, *tcred;
rcu_read_lock();
- if (!cap_issubset(__task_cred(child)->cap_permitted,
- current_cred()->cap_permitted) &&
+ cred = current_cred();
+ tcred = __task_cred(child);
+ if (cred->user->user_ns != tcred->user->user_ns) {
+ if (!ns_capable(tcred->user->user_ns, CAP_SYS_PTRACE))
+ ret = -EPERM;
+ goto out;
+ }
+ if (!cap_issubset(tcred->cap_permitted, cred->cap_permitted) &&
!capable(CAP_SYS_PTRACE))
ret = -EPERM;
+out:
rcu_read_unlock();
return ret;
}
@@ -156,12 +164,20 @@ int cap_ptrace_access_check(struct task_struct *child, unsigned int mode)
int cap_ptrace_traceme(struct task_struct *parent)
{
int ret = 0;
+ struct cred *cred, *tcred;
rcu_read_lock();
- if (!cap_issubset(current_cred()->cap_permitted,
- __task_cred(parent)->cap_permitted) &&
- !has_capability(parent, CAP_SYS_PTRACE))
+ cred = __task_cred(parent);
+ tcred = current_cred();
+ if (cred->user->user_ns != tcred->user->user_ns) {
+ if (!has_ns_capability(parent, tcred->user->user_ns, CAP_SYS_PTRACE))
+ ret = -EPERM;
+ goto out;
+ }
+ if (!cap_issubset(tcred->cap_permitted, cred->cap_permitted) &&
+ !has_ns_capability(parent, tcred->user->user_ns, CAP_SYS_PTRACE))
ret = -EPERM;
+out:
rcu_read_unlock();
return ret;
}
--
1.7.0.4
next prev parent reply other threads:[~2010-12-17 15:27 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-12-17 15:22 [RFC 0/5] user namespaces: start clamping down Serge E. Hallyn
2010-12-17 15:24 ` [RFC 1/5] user namespaces: Add a user_namespace as creator/owner of uts_namespace Serge E. Hallyn
2010-12-17 15:25 ` [RFC 2/5] user namespaces: make capabilities relative to the user namespace Serge E. Hallyn
2010-12-17 15:26 ` [RFC 3/5] user namespaces: allow sethostname in a container Serge E. Hallyn
2010-12-17 15:26 ` [RFC 4/5] user namespaces: allow killing tasks in your own or child userns Serge E. Hallyn
2010-12-17 15:27 ` Serge E. Hallyn [this message]
2010-12-17 19:45 ` [RFC 5/5] user namespaces: Allow ptrace from non-init user namespaces Eric W. Biederman
2010-12-17 20:04 ` Serge Hallyn
2011-01-01 4:47 ` Serge E. Hallyn
2010-12-17 19:31 ` [RFC 4/5] user namespaces: allow killing tasks in your own or child userns Eric W. Biederman
2010-12-17 20:09 ` Serge E. Hallyn
2010-12-17 20:17 ` Eric W. Biederman
2010-12-17 20:22 ` Serge E. Hallyn
2011-01-01 4:45 ` Serge E. Hallyn
2011-01-01 23:10 ` Eric W. Biederman
2011-01-02 14:39 ` Serge E. Hallyn
2010-12-17 15:56 ` [RFC 1/5] user namespaces: Add a user_namespace as creator/owner of uts_namespace Alexey Dobriyan
2010-12-17 16:00 ` Alexey Dobriyan
2010-12-17 16:17 ` Serge Hallyn
2010-12-17 16:12 ` Serge Hallyn
2010-12-17 17:31 ` Greg KH
2010-12-17 19:26 ` Eric W. Biederman
2010-12-17 19:58 ` Greg KH
2010-12-17 20:40 ` Eric W. Biederman
2010-12-17 23:15 ` Greg KH
2010-12-18 6:32 ` Eric W. Biederman
2010-12-18 17:56 ` Greg KH
2010-12-17 19:46 ` Serge Hallyn
2010-12-17 19:57 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20101217152737.GE11162@mail.hallyn.com \
--to=serge@hallyn.com \
--cc=adobriyan@gmail.com \
--cc=containers@lists.linux-foundation.org \
--cc=ebiederm@xmission.com \
--cc=jmorris@namei.org \
--cc=kees.cook@canonical.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=michael.kerrisk@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox