Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932189AbaFYPIP (ORCPT ); Wed, 25 Jun 2014 11:08:15 -0400 Received: from mail-oa0-f48.google.com ([209.85.219.48]:52270 "EHLO mail-oa0-f48.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756769AbaFYPIM (ORCPT ); Wed, 25 Jun 2014 11:08:12 -0400 MIME-Version: 1.0 In-Reply-To: <20140625142121.GD7892@redhat.com> References: <1403642893-23107-1-git-send-email-keescook@chromium.org> <1403642893-23107-10-git-send-email-keescook@chromium.org> <20140625142121.GD7892@redhat.com> Date: Wed, 25 Jun 2014 08:08:11 -0700 X-Google-Sender-Auth: r_1Qo0KhVxpzl5aIumz0oJDUf2o Message-ID: Subject: Re: [PATCH v8 9/9] seccomp: implement SECCOMP_FILTER_FLAG_TSYNC From: Kees Cook To: Oleg Nesterov Cc: LKML , Andy Lutomirski , "Michael Kerrisk (man-pages)" , Alexei Starovoitov , Andrew Morton , Daniel Borkmann , Will Drewry , Julien Tinnes , David Drysdale , Linux API , "x86@kernel.org" , "linux-arm-kernel@lists.infradead.org" , linux-mips@linux-mips.org, linux-arch , linux-security-module Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Jun 25, 2014 at 7:21 AM, Oleg Nesterov wrote: > On 06/24, Kees Cook wrote: >> >> +static void seccomp_sync_threads(void) >> +{ >> + struct task_struct *thread, *caller; >> + >> + BUG_ON(!spin_is_locked(¤t->sighand->siglock)); >> + >> + /* Synchronize all threads. */ >> + caller = current; >> + for_each_thread(caller, thread) { >> + /* Get a task reference for the new leaf node. */ >> + get_seccomp_filter(caller); >> + /* >> + * Drop the task reference to the shared ancestor since >> + * current's path will hold a reference. (This also >> + * allows a put before the assignment.) >> + */ >> + put_seccomp_filter(thread); >> + thread->seccomp.filter = caller->seccomp.filter; >> + /* Opt the other thread into seccomp if needed. >> + * As threads are considered to be trust-realm >> + * equivalent (see ptrace_may_access), it is safe to >> + * allow one thread to transition the other. >> + */ >> + if (thread->seccomp.mode == SECCOMP_MODE_DISABLED) { >> + /* >> + * Don't let an unprivileged task work around >> + * the no_new_privs restriction by creating >> + * a thread that sets it up, enters seccomp, >> + * then dies. >> + */ >> + if (task_no_new_privs(caller)) >> + task_set_no_new_privs(thread); >> + >> + seccomp_assign_mode(thread, SECCOMP_MODE_FILTER); >> + } >> + } >> +} > > OK, personally I think this all make sense. I even think that perhaps > SECCOMP_FILTER_FLAG_TSYNC should allow filter == NULL, a thread might > want to "sync" without adding the new filter, but this is minor/offtopic. > > But. Doesn't this change add a new security hole? > > Obviously, we should not allow to install a filter and then (say) exec > a suid binary, that is why we have no_new_privs/LSM_UNSAFE_NO_NEW_PRIVS. > > But what if "thread->seccomp.filter = caller->seccomp.filter" races with > any user of task_no_new_privs() ? Say, suppose this thread has already > passed check_unsafe_exec/etc and it is going to exec the suid binary? Oh, ew. Yeah. It looks like there's a cred lock to be held to combat this? I wonder if changes to nnp need to "flushed" during syscall entry instead of getting updated externally/asynchronously? That way it won't be out of sync with the seccomp mode/filters. Perhaps secure computing needs to check some (maybe seccomp-only) atomic flags and flip on the "real" nnp if found? -Kees -- Kees Cook Chrome OS Security -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/