From: "Mickaël Salaün" <mic@digikod.net>
To: Jann Horn <jannh@google.com>
Cc: "David Howells" <dhowells@redhat.com>,
"Jarkko Sakkinen" <jarkko@kernel.org>,
"Günther Noack" <gnoack@google.com>,
"James Morris" <jmorris@namei.org>, "Kees Cook" <kees@kernel.org>,
"Paul Moore" <paul@paul-moore.com>,
keyrings@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH v1] keys: Restrict KEYCTL_SESSION_TO_PARENT according to ptrace_may_access()
Date: Mon, 29 Jul 2024 17:17:40 +0200 [thread overview]
Message-ID: <20240729.roSo6soogho8@digikod.net> (raw)
In-Reply-To: <CAG48ez2HdeKXwwiCck9cvcoS1ZhbGD8Qs2DzV7F6W_6=fSgK5Q@mail.gmail.com>
On Mon, Jul 29, 2024 at 05:06:10PM +0200, Jann Horn wrote:
> On Mon, Jul 29, 2024 at 5:02 PM Mickaël Salaün <mic@digikod.net> wrote:
> > On Mon, Jul 29, 2024 at 04:21:01PM +0200, Jann Horn wrote:
> > > On Mon, Jul 29, 2024 at 4:09 PM Mickaël Salaün <mic@digikod.net> wrote:
> > > > On Mon, Jul 29, 2024 at 03:49:29PM +0200, Jann Horn wrote:
> > > > > On Mon, Jul 29, 2024 at 2:59 PM Mickaël Salaün <mic@digikod.net> wrote:
> > > > > > A process can modify its parent's credentials with
> > > > > > KEYCTL_SESSION_TO_PARENT when their EUID and EGID are the same. This
> > > > > > doesn't take into account all possible access controls.
> > > > > >
> > > > > > Enforce the same access checks as for impersonating a process.
> > > > > >
> > > > > > The current credentials checks are untouch because they check against
> > > > > > EUID and EGID, whereas ptrace_may_access() checks against UID and GID.
> > > > >
> > > > > FWIW, my understanding is that the intended usecase of
> > > > > KEYCTL_SESSION_TO_PARENT is that command-line tools (like "keyctl
> > > > > new_session" and "e4crypt new_session") want to be able to change the
> > > > > keyring of the parent process that spawned them (which I think is
> > > > > usually a shell?); and Yama LSM, which I think is fairly widely used
> > > > > at this point, by default prevents a child process from using
> > > > > PTRACE_MODE_ATTACH on its parent.
> > > >
> > > > About Yama, the patched keyctl_session_to_parent() function already
> > > > check if the current's and the parent's credentials are the same before
> > > > this new ptrace_may_access() check.
> > >
> > > prepare_exec_creds() in execve() always creates new credentials which
> > > are stored in bprm->cred and then later committed in begin_new_exec().
> > > Also, fork() always copies the credentials in copy_creds().
> > > So the "mycred == pcred" condition in keyctl_session_to_parent()
> > > basically never applies, I think.
> > > Also: When that condition is true, the whole operation is a no-op,
> > > since if the credentials are the same, then the session keyring that
> > > the credentials point to must also be the same.
> >
> > Correct, it's not a content comparison. We could compare the
> > credential's data for this specific KEYCTL_SESSION_TO_PARENT call, I
> > guess this should not be performance sensitive.
>
> Yeah, though I guess keyctl_session_to_parent() is already kind of
> doing that for the UID information; and for LSMs that would mean
> adding an extra LSM hook?
I'm wondering why security_key_session_to_parent() was never used: see
commit 3011a344cdcd ("security: remove dead hook key_session_to_parent")
next prev parent reply other threads:[~2024-07-29 15:17 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-29 12:58 [PATCH v1] keys: Restrict KEYCTL_SESSION_TO_PARENT according to ptrace_may_access() Mickaël Salaün
2024-07-29 13:49 ` Jann Horn
2024-07-29 14:09 ` Mickaël Salaün
2024-07-29 14:21 ` Jann Horn
2024-07-29 15:02 ` Mickaël Salaün
2024-07-29 15:06 ` Jann Horn
2024-07-29 15:17 ` Mickaël Salaün [this message]
2024-07-31 20:29 ` Paul Moore
2024-07-31 20:53 ` Jann Horn
2024-07-31 21:27 ` Paul Moore
2024-07-31 21:33 ` Jann Horn
2024-08-01 15:34 ` Mickaël Salaün
2024-08-02 13:12 ` Jann Horn
2024-07-29 14:06 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240729.roSo6soogho8@digikod.net \
--to=mic@digikod.net \
--cc=dhowells@redhat.com \
--cc=gnoack@google.com \
--cc=jannh@google.com \
--cc=jarkko@kernel.org \
--cc=jmorris@namei.org \
--cc=kees@kernel.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox