Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1757135AbaFYOXm (ORCPT ); Wed, 25 Jun 2014 10:23:42 -0400 Received: from mx1.redhat.com ([209.132.183.28]:56958 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755444AbaFYOXk (ORCPT ); Wed, 25 Jun 2014 10:23:40 -0400 Date: Wed, 25 Jun 2014 16:21:21 +0200 From: Oleg Nesterov To: Kees Cook Cc: linux-kernel@vger.kernel.org, Andy Lutomirski , "Michael Kerrisk (man-pages)" , Alexei Starovoitov , Andrew Morton , Daniel Borkmann , Will Drewry , Julien Tinnes , David Drysdale , linux-api@vger.kernel.org, x86@kernel.org, linux-arm-kernel@lists.infradead.org, linux-mips@linux-mips.org, linux-arch@vger.kernel.org, linux-security-module@vger.kernel.org Subject: Re: [PATCH v8 9/9] seccomp: implement SECCOMP_FILTER_FLAG_TSYNC Message-ID: <20140625142121.GD7892@redhat.com> References: <1403642893-23107-1-git-send-email-keescook@chromium.org> <1403642893-23107-10-git-send-email-keescook@chromium.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1403642893-23107-10-git-send-email-keescook@chromium.org> User-Agent: Mutt/1.5.18 (2008-05-17) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 06/24, Kees Cook wrote: > > +static void seccomp_sync_threads(void) > +{ > + struct task_struct *thread, *caller; > + > + BUG_ON(!spin_is_locked(¤t->sighand->siglock)); > + > + /* Synchronize all threads. */ > + caller = current; > + for_each_thread(caller, thread) { > + /* Get a task reference for the new leaf node. */ > + get_seccomp_filter(caller); > + /* > + * Drop the task reference to the shared ancestor since > + * current's path will hold a reference. (This also > + * allows a put before the assignment.) > + */ > + put_seccomp_filter(thread); > + thread->seccomp.filter = caller->seccomp.filter; > + /* Opt the other thread into seccomp if needed. > + * As threads are considered to be trust-realm > + * equivalent (see ptrace_may_access), it is safe to > + * allow one thread to transition the other. > + */ > + if (thread->seccomp.mode == SECCOMP_MODE_DISABLED) { > + /* > + * Don't let an unprivileged task work around > + * the no_new_privs restriction by creating > + * a thread that sets it up, enters seccomp, > + * then dies. > + */ > + if (task_no_new_privs(caller)) > + task_set_no_new_privs(thread); > + > + seccomp_assign_mode(thread, SECCOMP_MODE_FILTER); > + } > + } > +} OK, personally I think this all make sense. I even think that perhaps SECCOMP_FILTER_FLAG_TSYNC should allow filter == NULL, a thread might want to "sync" without adding the new filter, but this is minor/offtopic. But. Doesn't this change add the new security hole? Obviously, we should not allow to install a filter and then (say) exec a suid binary, that is why we have no_new_privs/LSM_UNSAFE_NO_NEW_PRIVS. But what if "thread->seccomp.filter = caller->seccomp.filter" races with any user of task_no_new_privs() ? Say, suppose this thread has already passed check_unsafe_exec/etc and it is going to exec the suid binary? Oleg. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/