From: Kees Cook <keescook@chromium.org>
To: Christian Brauner <christian.brauner@ubuntu.com>
Cc: linux-kernel@vger.kernel.org, Jann Horn <jannh@google.com>,
Oleg Nesterov <oleg@redhat.com>,
stable@vger.kernel.org, Serge Hallyn <serge@hallyn.com>,
Eric Paris <eparis@redhat.com>
Subject: Re: [PATCH v3] ptrace: reintroduce usage of subjective credentials in ptrace_has_cap()
Date: Fri, 17 Jan 2020 13:15:04 -0800 [thread overview]
Message-ID: <202001171310.A74535C0@keescook> (raw)
In-Reply-To: <20200117105717.29803-1-christian.brauner@ubuntu.com>
On Fri, Jan 17, 2020 at 11:57:18AM +0100, Christian Brauner wrote:
> -static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode)
> +static int ptrace_has_cap(const struct cred *cred, struct user_namespace *ns,
> + unsigned int mode)
> {
> - if (mode & PTRACE_MODE_NOAUDIT)
> - return has_ns_capability_noaudit(current, ns, CAP_SYS_PTRACE);
> - else
> - return has_ns_capability(current, ns, CAP_SYS_PTRACE);
> + return security_capable(cred, ns, CAP_SYS_PTRACE,
> + (mode & PTRACE_MODE_NOAUDIT) ? CAP_OPT_NOAUDIT :
> + CAP_OPT_NONE);
> }
Eek, no. I think this inverts the check.
Before:
bool has_ns_capability(struct task_struct *t,
struct user_namespace *ns, int cap)
{
...
ret = security_capable(__task_cred(t), ns, cap, CAP_OPT_NONE);
...
return (ret == 0);
}
static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode)
{
...
return has_ns_capability(current, ns, CAP_SYS_PTRACE);
}
After:
static int ptrace_has_cap(const struct cred *cred, struct user_namespace *ns,
unsigned int mode)
{
return security_capable(cred, ns, CAP_SYS_PTRACE,
(mode & PTRACE_MODE_NOAUDIT) ? CAP_OPT_NOAUDIT :
CAP_OPT_NONE);
}
Note lack of "== 0" on the security_capable() return value, but it's
needed. To avoid confusion, I think ptrace_has_cap() should likely
return bool too.
-Kees
--
Kees Cook
next prev parent reply other threads:[~2020-01-17 21:15 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-17 10:57 [PATCH v3] ptrace: reintroduce usage of subjective credentials in ptrace_has_cap() Christian Brauner
2020-01-17 21:15 ` Kees Cook [this message]
2020-01-17 21:35 ` Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202001171310.A74535C0@keescook \
--to=keescook@chromium.org \
--cc=christian.brauner@ubuntu.com \
--cc=eparis@redhat.com \
--cc=jannh@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=oleg@redhat.com \
--cc=serge@hallyn.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox