Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753071AbbLZV1h (ORCPT ); Sat, 26 Dec 2015 16:27:37 -0500 Received: from thejh.net ([37.221.195.125]:34395 "EHLO thejh.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752341AbbLZV1g (ORCPT ); Sat, 26 Dec 2015 16:27:36 -0500 Date: Sat, 26 Dec 2015 22:27:33 +0100 From: Jann Horn To: "Serge E. Hallyn" Cc: Roland McGrath , Oleg Nesterov , linux-kernel@vger.kernel.org, security@kernel.org, Serge Hallyn , Andy Lutomirski , "Eric W. Biederman" Subject: Re: [PATCH] ptrace: being capable wrt a process requires mapped uids/gids Message-ID: <20151226212733.GA13821@pc.thejh.net> References: <20151226011038.GA25455@pc.thejh.net> <1451098351-8917-1-git-send-email-jann@thejh.net> <20151226211729.GC19815@mail.hallyn.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="3MwIy2ne0vdjdPXF" Content-Disposition: inline In-Reply-To: <20151226211729.GC19815@mail.hallyn.com> User-Agent: Mutt/1.5.23 (2014-03-12) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 6341 Lines: 163 --3MwIy2ne0vdjdPXF Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sat, Dec 26, 2015 at 03:17:29PM -0600, Serge E. Hallyn wrote: > On Sat, Dec 26, 2015 at 03:52:31AM +0100, Jann Horn wrote: > > ptrace_has_cap() checks whether the current process should be > > treated as having a certain capability for ptrace checks > > against another process. Until now, this was equivalent to > > has_ns_capability(current, target_ns, CAP_SYS_PTRACE). > >=20 > > However, if a root-owned process wants to enter a user > > namespace for some reason without knowing who owns it and > > therefore can't change to the namespace owner's uid and gid > > before entering, as soon as it has entered the namespace, > > the namespace owner can attach to it via ptrace and thereby > > gain access to its uid and gid. > >=20 > > While it is possible for the entering process to switch to > > the uid of a claimed namespace owner before entering, > > causing the attempt to enter to fail if the claimed uid is > > wrong, this doesn't solve the problem of determining an > > appropriate gid. > >=20 > > With this change, the entering process can first enter the > > namespace and then safely inspect the namespace's > > properties, e.g. through /proc/self/{uid_map,gid_map}, > > assuming that the namespace owner doesn't have access to > > uid 0. > >=20 > > Changed in v2: The caller needs to be capable in the > > namespace into which tcred's uids/gids can be mapped. > >=20 > > Signed-off-by: Jann Horn > > --- > > kernel/ptrace.c | 33 ++++++++++++++++++++++++++++----- > > 1 file changed, 28 insertions(+), 5 deletions(-) > >=20 > > diff --git a/kernel/ptrace.c b/kernel/ptrace.c > > index b760bae..260a08d 100644 > > --- a/kernel/ptrace.c > > +++ b/kernel/ptrace.c > > @@ -20,6 +20,7 @@ > > #include > > #include > > #include > > +#include > > #include > > #include > > #include > > @@ -207,12 +208,34 @@ static int ptrace_check_attach(struct task_struct= *child, bool ignore_state) > > return ret; > > } > > =20 > > -static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode) > > +static bool ptrace_has_cap(const struct cred *tcred, unsigned int mode) > > { > > + struct user_namespace *tns =3D tcred->user_ns; > > + > > + /* When a root-owned process enters a user namespace created by a > > + * malicious user, the user shouldn't be able to execute code under > > + * uid 0 by attaching to the root-owned process via ptrace. > > + * Therefore, similar to the capable_wrt_inode_uidgid() check, > > + * verify that all the uids and gids of the target process are > > + * mapped into a namespace below the current one in which the caller > > + * is capable. > > + * No fsuid/fsgid check because __ptrace_may_access doesn't do it > > + * either. > > + */ > > + while ( > > + !kuid_has_mapping(tns, tcred->euid) || > > + !kuid_has_mapping(tns, tcred->suid) || > > + !kuid_has_mapping(tns, tcred->uid) || > > + !kgid_has_mapping(tns, tcred->egid) || > > + !kgid_has_mapping(tns, tcred->sgid) || > > + !kgid_has_mapping(tns, tcred->gid)) { > > + tns =3D tns->parent; >=20 > Sorry, i can't quite remember - is there a way for a task in init_user_ns= to have > INVALID_UID | INVALID_GID ? I.e. any point in breaking here if tns =3D= =3D &init_user_n? I assumed that there isn't because the comment above the definition of from= _kuid() says so. Checking... the syscalls for setting uid/gid seem to enforce that = uid/gid aren't -1, and setuid/setgid executables require the uid/gid to be mapped. = So it seems to be true. > > + } > > + > > if (mode & PTRACE_MODE_NOAUDIT) > > - return has_ns_capability_noaudit(current, ns, CAP_SYS_PTRACE); > > + return has_ns_capability_noaudit(current, tns, CAP_SYS_PTRACE); > > else > > - return has_ns_capability(current, ns, CAP_SYS_PTRACE); > > + return has_ns_capability(current, tns, CAP_SYS_PTRACE); > > } > > =20 > > /* Returns 0 on success, -errno on denial. */ > > @@ -241,7 +264,7 @@ static int __ptrace_may_access(struct task_struct *= task, unsigned int mode) > > gid_eq(cred->gid, tcred->sgid) && > > gid_eq(cred->gid, tcred->gid)) > > goto ok; > > - if (ptrace_has_cap(tcred->user_ns, mode)) > > + if (ptrace_has_cap(tcred, mode)) > > goto ok; > > rcu_read_unlock(); > > return -EPERM; > > @@ -252,7 +275,7 @@ ok: > > dumpable =3D get_dumpable(task->mm); > > rcu_read_lock(); > > if (dumpable !=3D SUID_DUMP_USER && > > - !ptrace_has_cap(__task_cred(task)->user_ns, mode)) { > > + !ptrace_has_cap(__task_cred(task), mode)) { > > rcu_read_unlock(); > > return -EPERM; > > } > > --=20 > > 2.1.4 > >=20 > > -- > > To unsubscribe from this list: send the line "unsubscribe linux-kernel"= in > > the body of a message to majordomo@vger.kernel.org > > More majordomo info at http://vger.kernel.org/majordomo-info.html > > Please read the FAQ at http://www.tux.org/lkml/ --3MwIy2ne0vdjdPXF Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJWfwZFAAoJED4KNFJOeCOoBlsQAMHEAfLE89W9WVv2kbqiEMqC DpbDq0T8vquYyMrQzQWVgx7HGaS7L7S0SwIyZXLOW4L7ewoguGRuLuS9yxcsZHTp Y5WU8vCp5QfsakRYxVrk2HfR9/sLrwbUTumQBrNd/j68YG3ANKZRtvYxUtNweEv1 HHwFZLxPT3LbMwpSltOYbCl20GAiBQDEMLFveAHi5o7TXh2ZCOkXlbtvPvkP/CeL FfMXVl7VfzUfbFC6GyfcuuQ6XJ0Djl8hTXpR3URhNcl9YG/ganmNQwqjr9AuVPXT J8vwm72NmSJY06j6RbwbF5UEt0VUgJiph/DNEsOZg61SztzRY7lGYsenCZ6qg4Hx VJGDRrwFxn4XitQqetDhOYywsivYUmuv844+uvEEAWPFb09xFg7mP6vyePUAMKHo DjCOPOqvOBO53ws6ndQ+hwJNjvc/fP/ingt7IgJrOEeio02IeQwzrhIlonSCKjny SfCANpNmiL9l+mfKBWM/Nf8p8v759WrgS7rrld0CAXPQfGQXdyxQL9a2y3dJlJja QC44b69MwG5ih2F1Mhv6hpocALsHpHtGiBAf8tIQoL8ipQHEKiClfAubTsHPzjrD itR/fx7QycCMKC8cS+UQhHC9P17tiY/s8SAaqsUVfU7+l5W1R1qIKV1BhuTZrVv+ YMSe4uxg4dclfKWqqoPP =/JYh -----END PGP SIGNATURE----- --3MwIy2ne0vdjdPXF-- -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/