Hi,
There's a bug report: https://bugzilla.kernel.org/show_bug.cgi?id=210655
[[
Under "Ptrace access mode checking", the documentation states:
"1. If the calling thread and the target thread are in the same thread
group, access is always allowed."
This is incorrect. A thread may never attach to another in the same group.
Reference, ptrace_attach()
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/kernel/ptrace.c?h=v5.9.14#n380
]]
I just wanted to make sure that it is a bug in the manual page, and not
in the implementation.
Thanks,
Alex
--
Alejandro Colomar
Linux man-pages comaintainer; https://www.kernel.org/doc/man-pages/
http://www.alejandro-colomar.es
Per my research on the topic, the error is in the manual page. The
behavior of ptrace(2) was intentionally changed to prohibit attaching to
a thread in the same group. Apparently, there were a number of
ill-behaved edge cases.
I found this email thread on the subject:
https://lkml.org/lkml/2006/8/31/241
Thank you.
--Ted Estes
On 12/15/2020 11:01 AM, Alejandro Colomar (man-pages) wrote:
> Hi,
>
> There's a bug report: https://bugzilla.kernel.org/show_bug.cgi?id=210655
>
> [[
> Under "Ptrace access mode checking", the documentation states:
> "1. If the calling thread and the target thread are in the same thread
> group, access is always allowed."
>
> This is incorrect. A thread may never attach to another in the same group.
>
> Reference, ptrace_attach()
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/kernel/ptrace.c?h=v5.9.14#n380
> ]]
>
> I just wanted to make sure that it is a bug in the manual page, and not
> in the implementation.
>
>
> Thanks,
>
> Alex
>
Hi Ted,
On 12/15/20 7:31 PM, Ted Estes wrote:
> Per my research on the topic, the error is in the manual page. The
> behavior of ptrace(2) was intentionally changed to prohibit attaching to
> a thread in the same group. Apparently, there were a number of
> ill-behaved edge cases.
>
> I found this email thread on the subject:
> https://lkml.org/lkml/2006/8/31/241
Thank you for all the details and links!
I'll fix the page.
Thanks,
Alex
>
> Thank you.
> --Ted Estes
>
> On 12/15/2020 11:01 AM, Alejandro Colomar (man-pages) wrote:
>> Hi,
>>
>> There's a bug report: https://bugzilla.kernel.org/show_bug.cgi?id=210655
>>
>> [[
>> Under "Ptrace access mode checking", the documentation states:
>> "1. If the calling thread and the target thread are in the same thread
>> group, access is always allowed."
>>
>> This is incorrect. A thread may never attach to another in the same
>> group.
>>
>> Reference, ptrace_attach()
>> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/kernel/ptrace.c?h=v5.9.14#n380
>>
>> ]]
>>
>> I just wanted to make sure that it is a bug in the manual page, and not
>> in the implementation.
>>
>>
>> Thanks,
>>
>> Alex
>>
>
--
Alejandro Colomar
Linux man-pages comaintainer; https://www.kernel.org/doc/man-pages/
http://www.alejandro-colomar.es
[CC += Andreas, Linus, Roland, Markus; fixed Oleg]
On 12/15/20 7:34 PM, Alejandro Colomar (man-pages) wrote:
> Hi Ted,
>
> On 12/15/20 7:31 PM, Ted Estes wrote:
>> Per my research on the topic, the error is in the manual page. The
>> behavior of ptrace(2) was intentionally changed to prohibit attaching to
>> a thread in the same group. Apparently, there were a number of
>> ill-behaved edge cases.
>>
>> I found this email thread on the subject:
>> https://lkml.org/lkml/2006/8/31/241
Okay, after reading the LKML thread,
the old behavior was removed because it was very buggy.
We have two options now:
1) Remove that paragraph, as if that behavior had never existed.
If we do this, not much is lost:
Only _very_ old kernels had that behavior,
and it's not even advisable to make use of it on those, AFAICS.
2) Add a note to that paragraph, saying that since kernel 2.X.Y?
the calling thread and the target thread can't be in the same group.
Cons: That info is unlikely to be useful, and will only add
a few more lines to a page that is already very long.
3) Suggestions?
I prefer option 1.
I'll add a larger screenshot of the manual page below,
so that readers don't need to read 'man 2 ptrace':
[[
...
The algorithm employed for ptrace access mode checking deter‐
mines whether the calling process is allowed to perform the
corresponding action on the target process. (In the case of
opening /proc/[pid] files, the "calling process" is the one
opening the file, and the process with the corresponding PID is
the "target process".) The algorithm is as follows:
1. If the calling thread and the target thread are in the same
thread group, access is always allowed.
2. If the access mode specifies PTRACE_MODE_FSCREDS, then, for
the check in the next step, employ the caller's filesystem
UID and GID. (As noted in credentials(7), the filesystem
UID and GID almost always have the same values as the corre‐
sponding effective IDs.)
Otherwise, the access mode specifies PTRACE_MODE_REALCREDS,
so use the caller's real UID and GID for the checks in the
next step. (Most APIs that check the caller's UID and GID
use the effective IDs. For historical reasons, the
PTRACE_MODE_REALCREDS check uses the real IDs instead.)
...
]]
Any thoughts before I write the patch?
Thanks,
Alex
>
> Thank you for all the details and links!
> I'll fix the page.
>
> Thanks,
>
> Alex
>
>>
>> Thank you.
>> --Ted Estes
>>
>> On 12/15/2020 11:01 AM, Alejandro Colomar (man-pages) wrote:
>>> Hi,
>>>
>>> There's a bug report: https://bugzilla.kernel.org/show_bug.cgi?id=210655
>>>
>>> [[
>>> Under "Ptrace access mode checking", the documentation states:
>>> "1. If the calling thread and the target thread are in the same
thread
>>> group, access is always allowed."
>>>
>>> This is incorrect. A thread may never attach to another in the same
>>> group.
>>>
>>> Reference, ptrace_attach()
>>>
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/kernel/ptrace.c?h=v5.9.14#n380
>>>
>>> ]]
>>>
>>> I just wanted to make sure that it is a bug in the manual page, and not
>>> in the implementation.
>>>
>>>
>>> Thanks,
>>>
>>> Alex
>>>
>>
>
On Wed, Dec 16, 2020 at 12:25 AM Alejandro Colomar (man-pages)
<[email protected]> wrote:
> On 12/16/20 12:23 AM, Alejandro Colomar (man-pages) wrote:
> > On 12/16/20 12:07 AM, Jann Horn wrote:
> >> Am Tue, Dec 15, 2020 at 06:01:25PM +0100 schrieb Alejandro Colomar (man-pages):
> >>> There's a bug report: https://bugzilla.kernel.org/show_bug.cgi?id=210655
> >>>
> >>> [[
> >>> Under "Ptrace access mode checking", the documentation states:
> >>> "1. If the calling thread and the target thread are in the same thread
> >>> group, access is always allowed."
> >>>
> >>> This is incorrect. A thread may never attach to another in the same group.
> >>
> >> No, that is correct. ptrace-mode access checks do always short-circuit for
> >> tasks in the same thread group:
> >>
> >> /* Returns 0 on success, -errno on denial. */
> >> static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
> >> {
> >> [...]
> >> /* May we inspect the given task?
> >> * This check is used both for attaching with ptrace
> >> * and for allowing access to sensitive information in /proc.
> >> *
> >> * ptrace_attach denies several cases that /proc allows
> >> * because setting up the necessary parent/child relationship
> >> * or halting the specified task is impossible.
> >> */
> >>
> >> /* Don't let security modules deny introspection */
> >> if (same_thread_group(task, current))
> >> return 0;
> >> [...]
> >> }
> >
> > AFAICS, that code always returns non-zero,
>
> Sorry, I should have said "that code never returns 0".
>
> > at least when called from ptrace_attach().
Yes.
> > As you can see below,
> > __ptrace_may_access() is called some lines after
> > the code pointed to by the bug report.
> >
> >
> > static int ptrace_attach(struct task_struct *task, long request,
> > unsigned long addr,
> > unsigned long flags)
> > {
> > [...]
> > if (same_thread_group(task, current))
> > goto out;
> >
> > /*
> > * Protect exec's credential calculations against our interference;
> > * SUID, SGID and LSM creds get determined differently
> > * under ptrace.
> > */
> > retval = -ERESTARTNOINTR;
> > if (mutex_lock_interruptible(&task->signal->cred_guard_mutex))
> > goto out;
> >
> > task_lock(task);
> > retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS);
> > [...]
> > }
I said exactly that in my last mail:
> >> As the comment explains, you can't actually *attach*
> >> to another task in the same thread group; but that's
> >> not because of the ptrace-style access check rules,
> >> but because specifically *attaching* to another task
> >> in the same thread group doesn't work.
As I said, attaching indeed doesn't work. But that's not what "Ptrace
access mode checking" means. As the first sentence of that section
says:
| Various parts of the kernel-user-space API (not just ptrace()
| operations), require so-called "ptrace access mode" checks,
| whose outcome determines whether an operation is
| permitted (or, in a few cases, causes a "read" operation
| to return sanitized data).
You can find these places by grepping for \bptrace_may_access\b -
operations like e.g. the get_robust_list() syscall will always succeed
when inspecting other tasks in the caller's thread group thanks to
this rule.
On 12/16/20 12:23 AM, Alejandro Colomar (man-pages) wrote:
> Hi Jann,
>
> On 12/16/20 12:07 AM, Jann Horn wrote:
>> Am Tue, Dec 15, 2020 at 06:01:25PM +0100 schrieb Alejandro Colomar (man-pages):
>>> Hi,
>>>
>>> There's a bug report: https://bugzilla.kernel.org/show_bug.cgi?id=210655
>>>
>>> [[
>>> Under "Ptrace access mode checking", the documentation states:
>>> "1. If the calling thread and the target thread are in the same thread
>>> group, access is always allowed."
>>>
>>> This is incorrect. A thread may never attach to another in the same group.
>>
>> No, that is correct. ptrace-mode access checks do always short-circuit for
>> tasks in the same thread group:
>>
>> /* Returns 0 on success, -errno on denial. */
>> static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
>> {
>> [...]
>> /* May we inspect the given task?
>> * This check is used both for attaching with ptrace
>> * and for allowing access to sensitive information in /proc.
>> *
>> * ptrace_attach denies several cases that /proc allows
>> * because setting up the necessary parent/child relationship
>> * or halting the specified task is impossible.
>> */
>>
>> /* Don't let security modules deny introspection */
>> if (same_thread_group(task, current))
>> return 0;
>> [...]
>> }
>
> AFAICS, that code always returns non-zero,
Sorry, I should have said "that code never returns 0".
> at least when called from ptrace_attach().
>
> As you can see below,
> __ptrace_may_access() is called some lines after
> the code pointed to by the bug report.
>
>
> static int ptrace_attach(struct task_struct *task, long request,
> unsigned long addr,
> unsigned long flags)
> {
> [...]
> if (same_thread_group(task, current))
> goto out;
>
> /*
> * Protect exec's credential calculations against our interference;
> * SUID, SGID and LSM creds get determined differently
> * under ptrace.
> */
> retval = -ERESTARTNOINTR;
> if (mutex_lock_interruptible(&task->signal->cred_guard_mutex))
> goto out;
>
> task_lock(task);
> retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS);
> [...]
> }
>
>
> Thanks,
>
> Alex
>
>>
>> As the comment explains, you can't actually *attach*
>> to another task in the same thread group; but that's
>> not because of the ptrace-style access check rules,
>> but because specifically *attaching* to another task
>> in the same thread group doesn't work.
>>
Hi Jann,
On 12/16/20 12:07 AM, Jann Horn wrote:
> Am Tue, Dec 15, 2020 at 06:01:25PM +0100 schrieb Alejandro Colomar (man-pages):
>> Hi,
>>
>> There's a bug report: https://bugzilla.kernel.org/show_bug.cgi?id=210655
>>
>> [[
>> Under "Ptrace access mode checking", the documentation states:
>> "1. If the calling thread and the target thread are in the same thread
>> group, access is always allowed."
>>
>> This is incorrect. A thread may never attach to another in the same group.
>
> No, that is correct. ptrace-mode access checks do always short-circuit for
> tasks in the same thread group:
>
> /* Returns 0 on success, -errno on denial. */
> static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
> {
> [...]
> /* May we inspect the given task?
> * This check is used both for attaching with ptrace
> * and for allowing access to sensitive information in /proc.
> *
> * ptrace_attach denies several cases that /proc allows
> * because setting up the necessary parent/child relationship
> * or halting the specified task is impossible.
> */
>
> /* Don't let security modules deny introspection */
> if (same_thread_group(task, current))
> return 0;
> [...]
> }
AFAICS, that code always returns non-zero,
at least when called from ptrace_attach().
As you can see below,
__ptrace_may_access() is called some lines after
the code pointed to by the bug report.
static int ptrace_attach(struct task_struct *task, long request,
unsigned long addr,
unsigned long flags)
{
[...]
if (same_thread_group(task, current))
goto out;
/*
* Protect exec's credential calculations against our interference;
* SUID, SGID and LSM creds get determined differently
* under ptrace.
*/
retval = -ERESTARTNOINTR;
if (mutex_lock_interruptible(&task->signal->cred_guard_mutex))
goto out;
task_lock(task);
retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS);
[...]
}
Thanks,
Alex
>
> As the comment explains, you can't actually *attach*
> to another task in the same thread group; but that's
> not because of the ptrace-style access check rules,
> but because specifically *attaching* to another task
> in the same thread group doesn't work.
>
Am Tue, Dec 15, 2020 at 06:01:25PM +0100 schrieb Alejandro Colomar (man-pages):
> Hi,
>
> There's a bug report: https://bugzilla.kernel.org/show_bug.cgi?id=210655
>
> [[
> Under "Ptrace access mode checking", the documentation states:
> "1. If the calling thread and the target thread are in the same thread
> group, access is always allowed."
>
> This is incorrect. A thread may never attach to another in the same group.
No, that is correct. ptrace-mode access checks do always short-circuit for
tasks in the same thread group:
/* Returns 0 on success, -errno on denial. */
static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
{
[...]
/* May we inspect the given task?
* This check is used both for attaching with ptrace
* and for allowing access to sensitive information in /proc.
*
* ptrace_attach denies several cases that /proc allows
* because setting up the necessary parent/child relationship
* or halting the specified task is impossible.
*/
/* Don't let security modules deny introspection */
if (same_thread_group(task, current))
return 0;
[...]
}
As the comment explains, you can't actually *attach*
to another task in the same thread group; but that's
not because of the ptrace-style access check rules,
but because specifically *attaching* to another task
in the same thread group doesn't work.
"Alejandro Colomar (man-pages)" <[email protected]> writes:
> [CC += Thomas, Ingo, Peter, Darren]
>
> Hi Oleg,
>
> On 12/16/20 3:33 AM, Jann Horn wrote:
>> On Wed, Dec 16, 2020 at 3:21 AM Ted Estes <[email protected]> wrote:
>>> On 12/15/2020 6:01 PM, Jann Horn wrote:
>>>> On Wed, Dec 16, 2020 at 12:25 AM Alejandro Colomar (man-pages)
>>>> <[email protected]> wrote:
>>>>> On 12/16/20 12:23 AM, Alejandro Colomar (man-pages) wrote:
>>>>>> On 12/16/20 12:07 AM, Jann Horn wrote:
>>>>>>> As the comment explains, you can't actually *attach*
>>>>>>> to another task in the same thread group; but that's
>>>>>>> not because of the ptrace-style access check rules,
>>>>>>> but because specifically *attaching* to another task
>>>>>>> in the same thread group doesn't work.
>>>> As I said, attaching indeed doesn't work. But that's not what "Ptrace
>>>> access mode checking" means. As the first sentence of that section
>>>> says:
>>>>
>>>> | Various parts of the kernel-user-space API (not just ptrace()
>>>> | operations), require so-called "ptrace access mode" checks,
>>>> | whose outcome determines whether an operation is
>>>> | permitted (or, in a few cases, causes a "read" operation
>>>> | to return sanitized data).
>>>>
>>>> You can find these places by grepping for \bptrace_may_access\b -
>>>> operations like e.g. the get_robust_list() syscall will always succeed
>>>> when inspecting other tasks in the caller's thread group thanks to
>>>> this rule.
>>>
>>> Ah, yes. I missed that back reference while trying to digest that
>>> rather meaty man page. A grep on the man page source tree does show a
>>> number of references to "ptrace access mode".
>>>
>>> That said, the ptrace(2) man page also directly references the ptrace
>>> access mode check under both PTRACE_ATTACH and PTACE_SEIZE:
>>>
>>> | Permission to perform a PTRACE_ATTACH is governed by a ptrace | access
>>> mode PTRACE_MODE_ATTACH_REALCREDS check; see below. As confirmed, the
>>> "same thread group" rule does not apply to either of those operations. A
>>> re-wording of rule 1 similar to this might help avoid confusion: 1. If
>>> the calling thread and the target thread are in the same thread group:
>>> a. For ptrace() called with PTRACE_ATTACH or PTRACE_SEIZE, access is
>>> NEVER allowed. b. For all other so-called "ptrace access mode checks",
>>> access is ALWAYS allowed. --Ted
>>
>> Yeah, maybe. OTOH I'm not sure whether it really makes sense to
>> explain this as being part of a security check, or whether it should
>> be explained separately as a restriction on PTRACE_ATTACH and
>> PTRACE_SEIZE (with a note like "(irrelevant for ptrace attachment)" on
>> rule 1). But I don't feel strongly about it either way.
>>
>
> As you are the maintainer for ptrace,
> could you confirm the above from Jan?
> And maybe suggest what you would do with the manual page.
>
> I'd like to get confirmation that there are still other functions that
> require "ptrace access mode" other than ptrace() itself, where it's
> valid that the calling thread and the target thread are in the same
> group.
Large swaths of proc are governed by those checks.
In general in the kernel whenever you are accessing another process to
perform an operation (especially reading) it will probably use
"ptrace access mode" checks.
You can see this by with "git grep ptrace_may_access" on the kernel source.
Eric