Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1757888AbcJXXNY (ORCPT <rfc822;w@1wt.eu>);
        Mon, 24 Oct 2016 19:13:24 -0400
Received: from out02.mta.xmission.com ([166.70.13.232]:45934 "EHLO
        out02.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1757425AbcJXXNW (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 24 Oct 2016 19:13:22 -0400
From: ebiederm@xmission.com (Eric W. Biederman)
To: Kees Cook <keescook@chromium.org>
Cc: Cyrill Gorcunov <gorcunov@gmail.com>,
        Andrey Vagin <avagin@virtuozzo.com>,
        LKML <linux-kernel@vger.kernel.org>,
        Pavel Emelyanov <xemul@virtuozzo.com>,
        Linux Containers <containers@lists.linux-foundation.org>
References: <20161024105959.GQ1847@uranus.lan> <8760oh8tbp.fsf@xmission.com>
        <20161024202925.GS1847@uranus.lan>
        <CAGXu5jK4p4bbQU1Bu-p9aM1GJ+CAR-FAHZcXXRH0De_M4VQ3wA@mail.gmail.com>
Date: Mon, 24 Oct 2016 18:11:04 -0500
In-Reply-To: <CAGXu5jK4p4bbQU1Bu-p9aM1GJ+CAR-FAHZcXXRH0De_M4VQ3wA@mail.gmail.com>
        (Kees Cook's message of "Mon, 24 Oct 2016 14:32:06 -0700")
Message-ID: <8760oh737b.fsf@xmission.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-XM-SPF: eid=1byoQi-0007v8-Ol;;;mid=<8760oh737b.fsf@xmission.com>;;;hst=in01.mta.xmission.com;;;ip=75.170.125.99;;;frm=ebiederm@xmission.com;;;spf=neutral
X-XM-AID: U2FsdGVkX18GZNaGA/uCRgC26b6Re2oNSZlzuy6hx6c=
X-SA-Exim-Connect-IP: 75.170.125.99
X-SA-Exim-Mail-From: ebiederm@xmission.com
X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
        *  0.7 XMSubLong Long Subject
        *  0.0 TVD_RCVD_IP Message was received from an IP address
        *  0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available.
        *  0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
        *      [score: 0.4774]
        * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC
        *      [sa06 1397; Body=1 Fuz1=1 Fuz2=1]
X-Spam-DCC: XMission; sa06 1397; Body=1 Fuz1=1 Fuz2=1 
X-Spam-Combo: ;Kees Cook <keescook@chromium.org>
X-Spam-Relay-Country: 
X-Spam-Timing: total 221 ms - load_scoreonly_sql: 0.05 (0.0%),
        signal_user_changed: 3.6 (1.6%), b_tie_ro: 2.5 (1.2%), parse: 0.85 (0.4%),
        extract_message_metadata: 12 (5.2%), get_uri_detail_list: 1.56 (0.7%),
        tests_pri_-1000: 5 (2.3%), tests_pri_-950: 1.22 (0.6%), tests_pri_-900: 1.04
        (0.5%), tests_pri_-400: 23 (10.6%), check_bayes: 22 (10.1%), b_tokenize: 6
        (2.9%), b_tok_get_all: 9 (3.9%), b_comp_prob: 2.3 (1.0%), b_tok_touch_all:
        2.7 (1.2%), b_finish: 0.69 (0.3%), tests_pri_0: 166 (75.1%),
        check_dkim_signature: 0.57 (0.3%), check_dkim_adsp: 3.2 (1.5%),
        tests_pri_500: 5 (2.3%), rewrite_mail: 0.00 (0.0%)
Subject: Re: [ISSUE] mm: Add a user_ns owner to mm_struct and fix ptrace_may_access
X-Spam-Flag: No
X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600)
X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 2182
Lines: 55

Kees Cook <keescook@chromium.org> writes:

> On Mon, Oct 24, 2016 at 1:29 PM, Cyrill Gorcunov <gorcunov@gmail.com> wrote:
>> On Mon, Oct 24, 2016 at 02:01:30PM -0500, Eric W. Biederman wrote:
>>> So I am probably going to tweak the !mm case so that instead of failing
>>> we perform the old capable check in that case.  That seems the mot
>>> certain way to avoid regressions.  With that said, why is exit_code
>>> behind a ptrace_may_access permission check?
>>
>> Yes, this would be great! And as to @exit_code I think better ask
>> Kees, CC'ed.
>
> My concern was that this was an exposure in the sense that it is
> internal program state that isn't visible through other means (without
> being the parent, for example). Under the ptrace check, it has an
> equivalency that seemed correct at the time.
>
> As already covered, I'd agree: it looks like ce99dd5fd5f6 accidentally
> added a dependency on task->mm where it didn't before. That section of
> logic was entirely around dumpability, not an mm existing. It should
> be "EPERM if mm and dumpable != SUID_DUMP_USER".
>
> That said, I'd also agree that ptrace against no mm is crazy (though I
> suppose that should return EINVAL or ESRCH or something), so perhaps a
> better access control on @exit_code is needed here.

I traced down the original logic of why we had that dumpable
variable, and it was ancient conservative on my part when we started
using the ptrace permission checks for proc files.

That same conservatism has resulted in the regression under
discussion.

Given that we already have a very full set of permission checks
separate from dumpable in ptrace_may_access I think it makes sense
to simply ignore dumpable when there is no mm.
AKA:
	mm = task->mm;
	if (mm &&
	    ((get_dumpable(mm) != SUID_DUMP_USER) &&
	     !ptrace_has_cap(mm->user_ns, mode)))
	    return -EPERM;

Because while it has been used for other things dumpable is
fundamentally about do you have permission to read the mm.
So there is no real point in permission checks that protect
the mm if the mm has gone away.

It also looks like I may need to update the check that sets
PT_PTRACE_CAP to look at mm->user_ns as well.  

Eric