Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S964912AbbDUVKn (ORCPT <rfc822;w@1wt.eu>);
	Tue, 21 Apr 2015 17:10:43 -0400
Received: from out01.mta.xmission.com ([166.70.13.231]:56142 "EHLO
	out01.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S964891AbbDUVKg (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Tue, 21 Apr 2015 17:10:36 -0400
From: ebiederm@xmission.com (Eric W. Biederman)
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
        Andrew Morton <akpm@linux-foundation.org>,
        Arnd Bergmann <arnd@arndb.de>, gnomes@lxorguk.ukuu.org.uk, teg@jklm.no,
        jkosina@suse.cz, luto@amacapital.net, linux-kernel@vger.kernel.org,
        daniel@zonque.org, dh.herrmann@gmail.com, tixxdz@opendz.org
References: <20150413190350.GA9485@kroah.com>
	<8738434yjk.fsf@x220.int.ebiederm.org>
	<87lhhv36je.fsf@x220.int.ebiederm.org>
	<20150414175534.GB3974@kroah.com>
Date: Tue, 21 Apr 2015 16:06:15 -0500
In-Reply-To: <20150414175534.GB3974@kroah.com> (Greg Kroah-Hartman's message
	of "Tue, 14 Apr 2015 19:55:34 +0200")
Message-ID: <87oamhmbso.fsf_-_@x220.int.ebiederm.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-XM-AID: U2FsdGVkX1/56DX9je05c28OT7ueCIicQm0QFC9d/oY=
X-SA-Exim-Connect-IP: 97.119.22.70
X-SA-Exim-Mail-From: ebiederm@xmission.com
X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
	*  0.0 TVD_RCVD_IP Message was received from an IP address
	*  0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
	*      [score: 0.4997]
	* -0.0 DCC_CHECK_NEGATIVE Not listed in DCC
	*      [sa06 1397; Body=1 Fuz1=1 Fuz2=1]
X-Spam-DCC: XMission; sa06 1397; Body=1 Fuz1=1 Fuz2=1 
X-Spam-Combo: ;Greg Kroah-Hartman <gregkh@linuxfoundation.org>
X-Spam-Relay-Country: 
X-Spam-Timing: total 308 ms - load_scoreonly_sql: 0.04 (0.0%),
	signal_user_changed: 3.4 (1.1%), b_tie_ro: 2.5 (0.8%), parse: 0.78 (0.3%),
	extract_message_metadata: 15 (4.8%), get_uri_detail_list: 1.98 (0.6%),
	tests_pri_-1000: 8 (2.7%), tests_pri_-950: 1.28 (0.4%), tests_pri_-900: 1.12
	(0.4%), tests_pri_-400: 24 (8.0%), check_bayes: 23 (7.6%), b_tokenize: 7
	(2.3%), b_tok_get_all: 9 (2.9%), b_comp_prob: 2.5 (0.8%), b_tok_touch_all:
	2.7 (0.9%), b_finish: 0.64 (0.2%), tests_pri_0: 247 (80.0%), tests_pri_500:
	4.3 (1.4%), rewrite_mail: 0.00 (0.0%)
Subject: Issues with capability bits and meta-data in kdbus
X-Spam-Flag: No
X-SA-Exim-Version: 4.2.1 (built Wed, 24 Sep 2014 11:00:52 -0600)
X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 2970
Lines: 72

Greg Kroah-Hartman <gregkh@linuxfoundation.org> writes:

> On Mon, Apr 13, 2015 at 07:19:49PM -0500, Eric W. Biederman wrote:
>> ebiederm@xmission.com (Eric W. Biederman) writes:
>> 
>> > And the code that transfers the meta-data is wrong.
>> 
>> In fact it is worse than I thought.
>
> Please see the email response I just wrote to Andy about this, it should
> address these misconceptions.

Nothing has changed my analysis of the kdbus code.

Hopefully now that I have made some semblance of getting some rest and
have a little bit of time I can explain the issues that I see.  I will
be focusing on user namespaces and capability bits as that is my area of
the kernel.

- The userspace interface for capability bits has a version number that
  determines the quantity and the meaning of the bits, kdbus does not
  pass that number to userspace.

- There is a well defined translation of capability bits between user
  namespaces kdbus does not perform that translation.

- Access to the capability bits is guarded with PTRACE_MAY_READ
  kdbus does not honor that and thus leaks information.

- Usage of the capability bits by userspace is a layering violation.

- The layering violation results in a privilege escalation (by
  definiton) whenever userspace uses the presence of the capability bits
  to allow anything.

- Another kind of privilege escalation happens when userspace makes a
  decision based on the abscense of in kernel capability bits.

The only safe way for userspace to use the kernel capability bits is to
decide which small handful of processes need the bits.  Let those
processes be what implements userspace policy and drop the capabilities
from everything else.

With bugs at every layer of the implementation stack from implementation
to design I concluded earlier that the code that transfers these
capabilities is not at all mature or ready to be merged.  Which is why I
asked for the code to be left for later until someone would pay
attention to it properly.


I will add that when playing with the unix security mechanism the design
has to be done very carefully, as the system is fragile and certain
kinds of changes modify existing tested designs into insecure code.  I
fail to see any of that kind of needed care being applied to the design
of the kdbus mechanisms.


My conclusion is that the design of the meta-data passing code is
fundamentally broken.  The issues I have observed with the kernel
capability bits apply to all of the other meta-data except that
meta-data that unix domain sockets already pass.  The privilege
escalation issues are fundamentally unfixable, and apply in general.

As this is fundamental to kdbus, kdbus is apparently fundmanetally
broken by design.

Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/