Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S964912AbbDUVKn (ORCPT ); Tue, 21 Apr 2015 17:10:43 -0400 Received: from out01.mta.xmission.com ([166.70.13.231]:56142 "EHLO out01.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S964891AbbDUVKg (ORCPT ); Tue, 21 Apr 2015 17:10:36 -0400 From: ebiederm@xmission.com (Eric W. Biederman) To: Greg Kroah-Hartman Cc: Linus Torvalds , Andrew Morton , Arnd Bergmann , gnomes@lxorguk.ukuu.org.uk, teg@jklm.no, jkosina@suse.cz, luto@amacapital.net, linux-kernel@vger.kernel.org, daniel@zonque.org, dh.herrmann@gmail.com, tixxdz@opendz.org References: <20150413190350.GA9485@kroah.com> <8738434yjk.fsf@x220.int.ebiederm.org> <87lhhv36je.fsf@x220.int.ebiederm.org> <20150414175534.GB3974@kroah.com> Date: Tue, 21 Apr 2015 16:06:15 -0500 In-Reply-To: <20150414175534.GB3974@kroah.com> (Greg Kroah-Hartman's message of "Tue, 14 Apr 2015 19:55:34 +0200") Message-ID: <87oamhmbso.fsf_-_@x220.int.ebiederm.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-AID: U2FsdGVkX1/56DX9je05c28OT7ueCIicQm0QFC9d/oY= X-SA-Exim-Connect-IP: 97.119.22.70 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 0.0 TVD_RCVD_IP Message was received from an IP address * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.4997] * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa06 1397; Body=1 Fuz1=1 Fuz2=1] X-Spam-DCC: XMission; sa06 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: ;Greg Kroah-Hartman X-Spam-Relay-Country: X-Spam-Timing: total 308 ms - load_scoreonly_sql: 0.04 (0.0%), signal_user_changed: 3.4 (1.1%), b_tie_ro: 2.5 (0.8%), parse: 0.78 (0.3%), extract_message_metadata: 15 (4.8%), get_uri_detail_list: 1.98 (0.6%), tests_pri_-1000: 8 (2.7%), tests_pri_-950: 1.28 (0.4%), tests_pri_-900: 1.12 (0.4%), tests_pri_-400: 24 (8.0%), check_bayes: 23 (7.6%), b_tokenize: 7 (2.3%), b_tok_get_all: 9 (2.9%), b_comp_prob: 2.5 (0.8%), b_tok_touch_all: 2.7 (0.9%), b_finish: 0.64 (0.2%), tests_pri_0: 247 (80.0%), tests_pri_500: 4.3 (1.4%), rewrite_mail: 0.00 (0.0%) Subject: Issues with capability bits and meta-data in kdbus X-Spam-Flag: No X-SA-Exim-Version: 4.2.1 (built Wed, 24 Sep 2014 11:00:52 -0600) X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2970 Lines: 72 Greg Kroah-Hartman writes: > On Mon, Apr 13, 2015 at 07:19:49PM -0500, Eric W. Biederman wrote: >> ebiederm@xmission.com (Eric W. Biederman) writes: >> >> > And the code that transfers the meta-data is wrong. >> >> In fact it is worse than I thought. > > Please see the email response I just wrote to Andy about this, it should > address these misconceptions. Nothing has changed my analysis of the kdbus code. Hopefully now that I have made some semblance of getting some rest and have a little bit of time I can explain the issues that I see. I will be focusing on user namespaces and capability bits as that is my area of the kernel. - The userspace interface for capability bits has a version number that determines the quantity and the meaning of the bits, kdbus does not pass that number to userspace. - There is a well defined translation of capability bits between user namespaces kdbus does not perform that translation. - Access to the capability bits is guarded with PTRACE_MAY_READ kdbus does not honor that and thus leaks information. - Usage of the capability bits by userspace is a layering violation. - The layering violation results in a privilege escalation (by definiton) whenever userspace uses the presence of the capability bits to allow anything. - Another kind of privilege escalation happens when userspace makes a decision based on the abscense of in kernel capability bits. The only safe way for userspace to use the kernel capability bits is to decide which small handful of processes need the bits. Let those processes be what implements userspace policy and drop the capabilities from everything else. With bugs at every layer of the implementation stack from implementation to design I concluded earlier that the code that transfers these capabilities is not at all mature or ready to be merged. Which is why I asked for the code to be left for later until someone would pay attention to it properly. I will add that when playing with the unix security mechanism the design has to be done very carefully, as the system is fragile and certain kinds of changes modify existing tested designs into insecure code. I fail to see any of that kind of needed care being applied to the design of the kdbus mechanisms. My conclusion is that the design of the meta-data passing code is fundamentally broken. The issues I have observed with the kernel capability bits apply to all of the other meta-data except that meta-data that unix domain sockets already pass. The privilege escalation issues are fundamentally unfixable, and apply in general. As this is fundamental to kdbus, kdbus is apparently fundmanetally broken by design. Eric -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/