From: ebiederm@xmission.com (Eric W. Biederman)
To: "Serge E. Hallyn" <serge@hallyn.com>
Cc: LSM <linux-security-module@vger.kernel.org>,
Andrew Morton <akpm@osdl.org>, James Morris <jmorris@namei.org>,
Kees Cook <kees.cook@canonical.com>,
containers@lists.linux-foundation.org,
kernel list <linux-kernel@vger.kernel.org>,
Alexey Dobriyan <adobriyan@gmail.com>,
Michael Kerrisk <mtk.manpages@gmail.com>,
xemul@parallels.com, dhowells@redhat.com
Subject: Re: [PATCH 5/9] Allow ptrace from non-init user namespaces
Date: Thu, 17 Feb 2011 18:59:57 -0800 [thread overview]
Message-ID: <m1aahu9hea.fsf@fess.ebiederm.org> (raw)
In-Reply-To: <20110217150333.GE26395@mail.hallyn.com> (Serge E. Hallyn's message of "Thu, 17 Feb 2011 15:03:33 +0000")
"Serge E. Hallyn" <serge@hallyn.com> writes:
> ptrace is allowed to tasks in the same user namespace according to
> the usual rules (i.e. the same rules as for two tasks in the init
> user namespace). ptrace is also allowed to a user namespace to
> which the current task the has CAP_SYS_PTRACE capability.
I don't see how it can go wrong at the moment but
same_or_ancestore_user_ns is too permissive and potentially inefficient.
Can you please replace it with a simple user namespace equality check.
Eric
> Changelog:
> Dec 31: Address feedback by Eric:
> . Correct ptrace uid check
> . Rename may_ptrace_ns to ptrace_capable
> . Also fix the cap_ptrace checks.
> Jan 1: Use const cred struct
> Jan 11: use task_ns_capable() in place of ptrace_capable().
>
> Signed-off-by: Serge E. Hallyn <serge.hallyn@canonical.com>
> ---
> include/linux/capability.h | 2 +
> include/linux/user_namespace.h | 9 +++++++
> kernel/ptrace.c | 27 ++++++++++++----------
> kernel/user_namespace.c | 16 +++++++++++++
> security/commoncap.c | 48 +++++++++++++++++++++++++++++++++------
> 5 files changed, 82 insertions(+), 20 deletions(-)
>
> diff --git a/include/linux/capability.h b/include/linux/capability.h
> index cb3d2d9..bc0f262 100644
> --- a/include/linux/capability.h
> +++ b/include/linux/capability.h
> @@ -546,6 +546,8 @@ extern const kernel_cap_t __cap_init_eff_set;
> */
> #define has_capability(t, cap) (security_real_capable((t), &init_user_ns, (cap)) == 0)
>
> +#define has_ns_capability(t, ns, cap) (security_real_capable((t), (ns), (cap)) == 0)
> +
> /**
> * has_capability_noaudit - Determine if a task has a superior capability available (unaudited)
> * @t: The task in question
> diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
> index faf4679..862fc59 100644
> --- a/include/linux/user_namespace.h
> +++ b/include/linux/user_namespace.h
> @@ -39,6 +39,9 @@ static inline void put_user_ns(struct user_namespace *ns)
> uid_t user_ns_map_uid(struct user_namespace *to, const struct cred *cred, uid_t uid);
> gid_t user_ns_map_gid(struct user_namespace *to, const struct cred *cred, gid_t gid);
>
> +int same_or_ancestor_user_ns(struct task_struct *task,
> + struct task_struct *victim);
> +
> #else
>
> static inline struct user_namespace *get_user_ns(struct user_namespace *ns)
> @@ -66,6 +69,12 @@ static inline gid_t user_ns_map_gid(struct user_namespace *to,
> return gid;
> }
>
> +static inline int same_or_ancestor_user_ns(struct task_struct *task,
> + struct task_struct *victim)
> +{
> + return 1;
> +}
> +
> #endif
>
> #endif /* _LINUX_USER_H */
> diff --git a/kernel/ptrace.c b/kernel/ptrace.c
> index 1708b1e..cde4655 100644
> --- a/kernel/ptrace.c
> +++ b/kernel/ptrace.c
> @@ -134,21 +134,24 @@ int __ptrace_may_access(struct task_struct *task, unsigned int mode)
> return 0;
> rcu_read_lock();
> tcred = __task_cred(task);
> - if ((cred->uid != tcred->euid ||
> - cred->uid != tcred->suid ||
> - cred->uid != tcred->uid ||
> - cred->gid != tcred->egid ||
> - cred->gid != tcred->sgid ||
> - cred->gid != tcred->gid) &&
> - !capable(CAP_SYS_PTRACE)) {
> - rcu_read_unlock();
> - return -EPERM;
> - }
> + if (cred->user->user_ns == tcred->user->user_ns &&
> + (cred->uid == tcred->euid &&
> + cred->uid == tcred->suid &&
> + cred->uid == tcred->uid &&
> + cred->gid == tcred->egid &&
> + cred->gid == tcred->sgid &&
> + cred->gid == tcred->gid))
> + goto ok;
> + if (ns_capable(tcred->user->user_ns, CAP_SYS_PTRACE))
> + goto ok;
> + rcu_read_unlock();
> + return -EPERM;
> +ok:
> rcu_read_unlock();
> smp_rmb();
> if (task->mm)
> dumpable = get_dumpable(task->mm);
> - if (!dumpable && !capable(CAP_SYS_PTRACE))
> + if (!dumpable && !task_ns_capable(task, CAP_SYS_PTRACE))
> return -EPERM;
>
> return security_ptrace_access_check(task, mode);
> @@ -198,7 +201,7 @@ int ptrace_attach(struct task_struct *task)
> goto unlock_tasklist;
>
> task->ptrace = PT_PTRACED;
> - if (capable(CAP_SYS_PTRACE))
> + if (task_ns_capable(task, CAP_SYS_PTRACE))
> task->ptrace |= PT_PTRACE_CAP;
>
> __ptrace_link(task, current);
> diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
> index 9da289c..0ef2258 100644
> --- a/kernel/user_namespace.c
> +++ b/kernel/user_namespace.c
> @@ -129,6 +129,22 @@ gid_t user_ns_map_gid(struct user_namespace *to, const struct cred *cred, gid_t
> return overflowgid;
> }
>
> +int same_or_ancestor_user_ns(struct task_struct *task,
> + struct task_struct *victim)
> +{
> + struct user_namespace *u1 = task_cred_xxx(task, user)->user_ns;
> + struct user_namespace *u2 = task_cred_xxx(victim, user)->user_ns;
> + for (;;) {
> + if (u1 == u2)
> + return 1;
> + if (u1 == &init_user_ns)
> + return 0;
> + u1 = u1->creator->user_ns;
> + }
> + /* We never get here */
> + return 0;
> +}
> +
> static __init int user_namespaces_init(void)
> {
> user_ns_cachep = KMEM_CACHE(user_namespace, SLAB_PANIC);
> diff --git a/security/commoncap.c b/security/commoncap.c
> index 51fa9ec..12ff65c 100644
> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -130,18 +130,34 @@ int cap_settime(struct timespec *ts, struct timezone *tz)
> * @child: The process to be accessed
> * @mode: The mode of attachment.
> *
> + * If we are in the same or an ancestor user_ns and have all the target
> + * task's capabilities, then ptrace access is allowed.
> + * If we have the ptrace capability to the target user_ns, then ptrace
> + * access is allowed.
> + * Else denied.
> + *
> * Determine whether a process may access another, returning 0 if permission
> * granted, -ve if denied.
> */
> int cap_ptrace_access_check(struct task_struct *child, unsigned int mode)
> {
> int ret = 0;
> + const struct cred *cred, *tcred;
>
> rcu_read_lock();
> - if (!cap_issubset(__task_cred(child)->cap_permitted,
> - current_cred()->cap_permitted) &&
> - !capable(CAP_SYS_PTRACE))
> - ret = -EPERM;
> + cred = current_cred();
> + tcred = __task_cred(child);
> + /*
> + * The ancestor user_ns check may be gratuitous, as I think
> + * we've already guaranteed that in kernel/ptrace.c.
> + */
> + if (same_or_ancestor_user_ns(current, child) &&
> + cap_issubset(tcred->cap_permitted, cred->cap_permitted))
> + goto out;
I have commented on this before but I took a good hard look this time,
and can comment more intelligently.
The cap_issubset check is for the case where we don't use the
CAP_SYS_PTRACE capability, as such is only valid in the same user
namespace. Furthermore capabilities really are not comparable between
different user namespaces. So can you please replace the
same_or_ancestor_user_ns with a simple namespace equality check.
Having the wrong logic in here will just be confusing in the future.
Also could you name tcred child_cread I think that would be clearer in
the test below.
> + if (ns_capable(tcred->user->user_ns, CAP_SYS_PTRACE))
> + goto out;
> + ret = -EPERM;
> +out:
> rcu_read_unlock();
> return ret;
I also find it strange that we allow CAP_SYS_PTRACE to allow us to
ptrace processes with more capabilities than ourselves. But that is an
entirely different issue.
> }
> @@ -150,18 +166,34 @@ int cap_ptrace_access_check(struct task_struct *child, unsigned int mode)
> * cap_ptrace_traceme - Determine whether another process may trace the current
> * @parent: The task proposed to be the tracer
> *
> + * If parent is in the same or an ancestor user_ns and has all current's
> + * capabilities, then ptrace access is allowed.
> + * If parent has the ptrace capability to current's user_ns, then ptrace
> + * access is allowed.
> + * Else denied.
> + *
> * Determine whether the nominated task is permitted to trace the current
> * process, returning 0 if permission is granted, -ve if denied.
> */
> int cap_ptrace_traceme(struct task_struct *parent)
> {
> int ret = 0;
> + const struct cred *cred, *tcred;
>
> rcu_read_lock();
> - if (!cap_issubset(current_cred()->cap_permitted,
> - __task_cred(parent)->cap_permitted) &&
> - !has_capability(parent, CAP_SYS_PTRACE))
> - ret = -EPERM;
> + cred = __task_cred(parent);
> + tcred = current_cred();
> + /*
> + * The ancestor user_ns check may be gratuitous, as I think
> + * we've already guaranteed that in kernel/ptrace.c.
> + */
> + if (same_or_ancestor_user_ns(parent, current) &&
> + cap_issubset(tcred->cap_permitted, cred->cap_permitted))
> + goto out;
> + if (has_ns_capability(parent, tcred->user->user_ns, CAP_SYS_PTRACE))
> + goto out;
> + ret = -EPERM;
> +out:
> rcu_read_unlock();
> return ret;
> }
next prev parent reply other threads:[~2011-02-18 3:00 UTC|newest]
Thread overview: 68+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-02-17 15:02 userns: targeted capabilities v5 Serge E. Hallyn
2011-02-17 15:02 ` [PATCH 1/9] Add a user_namespace as creator/owner of uts_namespace Serge E. Hallyn
2011-02-18 3:31 ` Eric W. Biederman
2011-02-18 16:57 ` Daniel Lezcano
2011-02-18 23:59 ` Andrew Morton
2011-02-23 17:16 ` David Howells
2011-02-23 21:21 ` Eric W. Biederman
2011-02-23 23:19 ` David Howells
2011-02-23 23:54 ` Eric W. Biederman
2011-02-17 15:03 ` [PATCH 2/9] security: Make capabilities relative to the user namespace Serge E. Hallyn
2011-02-18 3:46 ` Eric W. Biederman
2011-02-18 23:44 ` Daniel Lezcano
2011-02-18 23:59 ` Andrew Morton
2011-02-23 11:40 ` David Howells
2011-02-23 12:01 ` David Howells
2011-02-23 13:43 ` Serge E. Hallyn
2011-02-23 16:59 ` David Howells
2011-02-17 15:03 ` [PATCH 3/9] allow sethostname in a container Serge E. Hallyn
2011-02-18 3:05 ` Eric W. Biederman
2011-02-18 23:46 ` Daniel Lezcano
2011-02-17 15:03 ` [PATCH 4/9] allow killing tasks in your own or child userns Serge E. Hallyn
2011-02-18 3:00 ` Eric W. Biederman
2011-02-18 23:59 ` Andrew Morton
2011-02-24 0:48 ` Serge E. Hallyn
2011-02-24 0:54 ` Andrew Morton
2011-02-19 10:55 ` Daniel Lezcano
2011-02-17 15:03 ` [PATCH 5/9] Allow ptrace from non-init user namespaces Serge E. Hallyn
2011-02-18 2:59 ` Eric W. Biederman [this message]
2011-02-18 4:36 ` Serge E. Hallyn
2011-02-24 0:49 ` [PATCH] userns: ptrace: incorporate feedback from Eric Serge E. Hallyn
2011-02-24 0:56 ` Andrew Morton
2011-02-24 3:15 ` Serge E. Hallyn
2011-02-18 23:59 ` [PATCH 5/9] Allow ptrace from non-init user namespaces Andrew Morton
2011-02-24 0:43 ` Serge E. Hallyn
2011-02-19 17:49 ` Daniel Lezcano
2011-02-23 17:05 ` David Howells
2011-02-23 17:11 ` David Howells
2011-02-17 15:03 ` [PATCH 6/9] user namespaces: convert all capable checks in kernel/sys.c Serge E. Hallyn
2011-02-18 1:57 ` Eric W. Biederman
2011-02-18 23:59 ` Andrew Morton
2011-02-19 0:01 ` Andrew Morton
2011-02-19 17:52 ` Daniel Lezcano
2011-02-17 15:03 ` [PATCH 7/9] add a user namespace owner of ipc ns Serge E. Hallyn
2011-02-18 3:19 ` Eric W. Biederman
2011-02-18 23:59 ` Andrew Morton
2011-02-19 17:57 ` Daniel Lezcano
2011-02-17 15:03 ` [PATCH 8/9] user namespaces: convert several capable() calls Serge E. Hallyn
2011-02-18 1:51 ` Eric W. Biederman
2011-02-19 19:07 ` Daniel Lezcano
2011-02-17 15:04 ` [PATCH 9/9] userns: check user namespace for task->file uid equivalence checks Serge E. Hallyn
2011-02-18 1:29 ` Eric W. Biederman
2011-02-18 23:59 ` Andrew Morton
2011-02-24 3:24 ` Serge E. Hallyn
2011-02-24 5:08 ` Andrew Morton
2011-02-19 19:22 ` Daniel Lezcano
2011-02-18 0:21 ` userns: targeted capabilities v5 Andrew Morton
2011-02-18 3:53 ` Eric W. Biederman
2011-02-18 4:28 ` Serge E. Hallyn
2011-02-23 12:05 ` User namespaces and keys David Howells
2011-02-23 13:58 ` Serge E. Hallyn
2011-02-23 14:46 ` Eric W. Biederman
2011-02-23 15:06 ` David Howells
2011-02-23 15:45 ` Eric W. Biederman
2011-02-23 15:53 ` Serge E. Hallyn
2011-02-23 19:24 ` Casey Schaufler
2011-02-23 20:55 ` Eric W. Biederman
2011-02-23 21:37 ` Casey Schaufler
2011-02-24 6:56 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m1aahu9hea.fsf@fess.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=adobriyan@gmail.com \
--cc=akpm@osdl.org \
--cc=containers@lists.linux-foundation.org \
--cc=dhowells@redhat.com \
--cc=jmorris@namei.org \
--cc=kees.cook@canonical.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mtk.manpages@gmail.com \
--cc=serge@hallyn.com \
--cc=xemul@parallels.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).