From: "Serge E. Hallyn" <serge@hallyn.com>
To: Andrey Vagin <avagin@openvz.org>
Cc: linux-kernel@vger.kernel.org, criu@openvz.org,
Andrew Morton <akpm@linux-foundation.org>,
Oleg Nesterov <oleg@redhat.com>,
Al Viro <viro@zeniv.linux.org.uk>,
Kees Cook <keescook@chromium.org>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Stephen Rothwell <sfr@canb.auug.org.au>,
Pavel Emelyanov <xemul@parallels.com>,
Aditya Kali <adityakali@google.com>
Subject: Re: [PATCH 2/3] capabilities: add a secure bit to allow changing a task exe link
Date: Tue, 18 Feb 2014 05:53:39 +0100 [thread overview]
Message-ID: <20140218045339.GA1175@mail.hallyn.com> (raw)
In-Reply-To: <1392387209-330-3-git-send-email-avagin@openvz.org>
Quoting Andrey Vagin (avagin@openvz.org):
> When we restore a task we need to restore its exe link from userspace to
> the values the task had at checkpoint time.
>
> Currently this operations required the global CAP_SYS_RESOURCE, which is
> always absent in a non-root user namespace.
>
> So this patch introduces a new security bit which:
> * can be set only if a task has the global CAP_SYS_RESOURCE
> * inherited by child processes
> * is saved when a task moves in another userns
> * allows to change a task exe link even if a task doesn't have CAP_SYS_RESOURCE
I'm late to this party anyway, but fwiw I don't like this use
of securebits. It also seems to prevent c/r in a nested
container anyway so wouldn't seem to suffice.
But I assume I don't really need to argue it as it appears Pavel
and Eric are looking into a better all-around design.
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: Oleg Nesterov <oleg@redhat.com>
> Cc: Al Viro <viro@zeniv.linux.org.uk>
> Cc: Kees Cook <keescook@chromium.org>
> Cc: "Eric W. Biederman" <ebiederm@xmission.com>
> Cc: Stephen Rothwell <sfr@canb.auug.org.au>
> Cc: Pavel Emelyanov <xemul@parallels.com>
> Cc: Aditya Kali <adityakali@google.com>
> Signed-off-by: Andrey Vagin <avagin@openvz.org>
> ---
> include/uapi/linux/securebits.h | 12 +++++++++++-
> kernel/sys.c | 5 +++++
> kernel/user_namespace.c | 3 ++-
> security/commoncap.c | 7 +++++++
> 4 files changed, 25 insertions(+), 2 deletions(-)
>
> diff --git a/include/uapi/linux/securebits.h b/include/uapi/linux/securebits.h
> index 985aac9..c99803b 100644
> --- a/include/uapi/linux/securebits.h
> +++ b/include/uapi/linux/securebits.h
> @@ -43,9 +43,19 @@
> #define SECBIT_KEEP_CAPS (issecure_mask(SECURE_KEEP_CAPS))
> #define SECBIT_KEEP_CAPS_LOCKED (issecure_mask(SECURE_KEEP_CAPS_LOCKED))
>
> +/* When set, a process can do PR_SET_MM_EXE_FILE even if it doesn't
> + * have CAP_SYS_RESOURCE. Setting of this bit requires CAP_SYS_RESOURCE.
> + * This bit is not dropped when a task moves in another userns. */
> +#define SECURE_SET_EXE_FILE 6
> +#define SECURE_SET_EXE_FILE_LOCKED 7 /* make bit-6 immutable */
> +
> +#define SECBIT_SET_EXE_FILE (issecure_mask(SECURE_SET_EXE_FILE))
> +#define SECBIT_SET_EXE_FILE_LOCKED (issecure_mask(SECURE_SET_EXE_FILE_LOCKED))
> +
> #define SECURE_ALL_BITS (issecure_mask(SECURE_NOROOT) | \
> issecure_mask(SECURE_NO_SETUID_FIXUP) | \
> - issecure_mask(SECURE_KEEP_CAPS))
> + issecure_mask(SECURE_KEEP_CAPS) | \
> + issecure_mask(SECURE_SET_EXE_FILE))
> #define SECURE_ALL_LOCKS (SECURE_ALL_BITS << 1)
>
> #endif /* _UAPI_LINUX_SECUREBITS_H */
> diff --git a/kernel/sys.c b/kernel/sys.c
> index 939370c..2f0925d 100644
> --- a/kernel/sys.c
> +++ b/kernel/sys.c
> @@ -18,6 +18,7 @@
> #include <linux/kernel.h>
> #include <linux/workqueue.h>
> #include <linux/capability.h>
> +#include <linux/securebits.h>
> #include <linux/device.h>
> #include <linux/key.h>
> #include <linux/times.h>
> @@ -1714,6 +1715,10 @@ static int prctl_set_mm(int opt, unsigned long addr,
> if (rlimit(RLIMIT_STACK) < RLIM_INFINITY)
> return -EPERM;
> break;
> + case PR_SET_MM_EXE_FILE:
> + if (!issecure(SECURE_SET_EXE_FILE))
> + return -EPERM;
> + break;
> default:
> return -EPERM;
> }
> diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
> index 240fb62..59584fe 100644
> --- a/kernel/user_namespace.c
> +++ b/kernel/user_namespace.c
> @@ -34,7 +34,8 @@ static void set_cred_user_ns(struct cred *cred, struct user_namespace *user_ns)
> /* Start with the same capabilities as init but useless for doing
> * anything as the capabilities are bound to the new user namespace.
> */
> - cred->securebits = SECUREBITS_DEFAULT;
> + cred->securebits = SECUREBITS_DEFAULT |
> + (cred->securebits & SECBIT_SET_EXE_FILE);
> cred->cap_inheritable = CAP_EMPTY_SET;
> cred->cap_permitted = CAP_FULL_SET;
> cred->cap_effective = CAP_FULL_SET;
> diff --git a/security/commoncap.c b/security/commoncap.c
> index b9d613e..eda1eb8 100644
> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -907,6 +907,13 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
> )
> /* cannot change a locked bit */
> goto error;
> +
> + /* Setting SECURE_SET_EXE_FILE requires CAP_SYS_RESOURCE */
> + if ((arg2 & SECBIT_SET_EXE_FILE) &&
> + !(new->securebits & SECBIT_SET_EXE_FILE) &&
> + !capable(CAP_SYS_RESOURCE))
> + goto error;
> +
> new->securebits = arg2;
> goto changed;
>
> --
> 1.8.5.3
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
next prev parent reply other threads:[~2014-02-18 4:53 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-02-14 14:13 [PATCH RFC 0/3] c/r: add ability to restore mm attributes in a non-root userns Andrey Vagin
2014-02-14 14:13 ` [PATCH 1/3] prctl: reduce permissions to change boundaries of data, brk and stack Andrey Vagin
2014-02-14 16:05 ` Eric W. Biederman
2014-02-14 17:43 ` Andrew Vagin
2014-02-14 18:01 ` [CRIU] " Cyrill Gorcunov
2014-02-14 19:16 ` Eric W. Biederman
2014-02-14 19:47 ` Pavel Emelyanov
2014-02-14 20:06 ` Cyrill Gorcunov
2014-02-14 20:18 ` Eric W. Biederman
2014-02-15 6:29 ` Cyrill Gorcunov
2014-02-15 23:01 ` Eric W. Biederman
2014-02-14 20:09 ` Eric W. Biederman
2014-02-17 8:34 ` Pavel Emelyanov
2014-02-17 8:52 ` Cyrill Gorcunov
2014-02-17 16:57 ` Pavel Emelyanov
2014-03-07 13:51 ` Pavel Emelyanov
2014-02-14 20:44 ` Andrey Wagin
2014-02-15 23:05 ` Eric W. Biederman
2014-02-14 14:13 ` [PATCH 2/3] capabilities: add a secure bit to allow changing a task exe link Andrey Vagin
2014-02-18 4:53 ` Serge E. Hallyn [this message]
2014-02-14 14:13 ` [PATCH 3/3] prctl: allow to use PR_MM_SET_* which affect only a current task Andrey Vagin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140218045339.GA1175@mail.hallyn.com \
--to=serge@hallyn.com \
--cc=adityakali@google.com \
--cc=akpm@linux-foundation.org \
--cc=avagin@openvz.org \
--cc=criu@openvz.org \
--cc=ebiederm@xmission.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=oleg@redhat.com \
--cc=sfr@canb.auug.org.au \
--cc=viro@zeniv.linux.org.uk \
--cc=xemul@parallels.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox