Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1756505AbbDVKqm (ORCPT <rfc822;w@1wt.eu>);
	Wed, 22 Apr 2015 06:46:42 -0400
Received: from 251.110.2.81.in-addr.arpa ([81.2.110.251]:51973 "EHLO
	lxorguk.ukuu.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1756455AbbDVKqj (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Wed, 22 Apr 2015 06:46:39 -0400
Date: Wed, 22 Apr 2015 11:45:38 +0100
From: One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Andrew Morton <akpm@linux-foundation.org>,
        Arnd Bergmann <arnd@arndb.de>, Tom Gundersen <teg@jklm.no>,
        Jiri Kosina <jkosina@suse.cz>, Andy Lutomirski <luto@amacapital.net>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Daniel Mack <daniel@zonque.org>,
        David Herrmann <dh.herrmann@gmail.com>,
        Djalal Harouni <tixxdz@opendz.org>
Subject: Re: Issues with capability bits and meta-data in kdbus
Message-ID: <20150422114538.0f8b3d04@lxorguk.ukuu.org.uk>
In-Reply-To: <CA+55aFwqhbN=1Tm71AFHtXeOUut5gcLpqRmH=6R1H92grDsVrw@mail.gmail.com>
References: <20150413190350.GA9485@kroah.com>
	<8738434yjk.fsf@x220.int.ebiederm.org>
	<87lhhv36je.fsf@x220.int.ebiederm.org>
	<20150414175534.GB3974@kroah.com>
	<87oamhmbso.fsf_-_@x220.int.ebiederm.org>
	<CA+55aFwqhbN=1Tm71AFHtXeOUut5gcLpqRmH=6R1H92grDsVrw@mail.gmail.com>
Organization: Intel Corporation
X-Mailer: Claws Mail 3.11.1 (GTK+ 2.24.27; x86_64-redhat-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1798
Lines: 43

> > - Access to the capability bits is guarded with PTRACE_MAY_READ
> >   kdbus does not honor that and thus leaks information.
> 
> Now, this is likely not a real problem.
> 
> Yes, when you try to read other processes capabilities, you need
> PTRACE_MAY_READ to see them. HOWEVER, that's not really what a kdbus
> message would do - it doesn't "read somebody elses capabilities". When
> you do a kdbus write, you export your *own* capabilities. If you don't
> want others to know what privileges you have, then you shouldn't be
> using kdbus.

That's broken but fixable.

It should not share any capability information *unless* you pass a flag
which says "flash my security badges around".

That fails safe (descriptor passed to another process), and gives a
default behaviour which is non surprising, non leaky and useful for
general purposes. This is also mirroring AF_LOCAL/AF_UNIX where you have
to choose to wave your bits in public.

(again its showing that kdbus really should be done by adding multicast
reliable delivery to AF_LOCAL sockets)

> So I think that one is a real and serious bug. But the other
> complaints seem to be off the mark. It seems quite reasonable to me to
> say that a recipient should be able to distinguish between *root*
> sending it a dbus message to take down the system, and some random
> luser doing the same.

Agreed but there are better ways to do this including opening some
kind of capability object and passing it as proof.

Also do I need to be root when I send the message or root when you ask ...


Alan
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/