Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752232AbcKQVxv (ORCPT <rfc822;w@1wt.eu>);
        Thu, 17 Nov 2016 16:53:51 -0500
Received: from out01.mta.xmission.com ([166.70.13.231]:46295 "EHLO
        out01.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751716AbcKQVxs (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 17 Nov 2016 16:53:48 -0500
From: ebiederm@xmission.com (Eric W. Biederman)
To: Willy Tarreau <w@1wt.eu>
Cc: Kees Cook <keescook@chromium.org>,
        Linux Containers <containers@lists.linux-foundation.org>,
        Oleg Nesterov <oleg@redhat.com>,
        "linux-kernel\@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        "linux-mm\@kvack.org" <linux-mm@kvack.org>,
        Linux FS Devel <linux-fsdevel@vger.kernel.org>,
        Michal Hocko <mhocko@kernel.org>, Jann Horn <jann@thejh.net>,
        Andy Lutomirski <luto@amacapital.net>
References: <20161019172917.GE1210@laptop.thejh.net>
        <CALCETrWSY1SRse5oqSwZ=goQ+ZALd2XcTP3SZ8ry49C8rNd98Q@mail.gmail.com>
        <87pomwi5p2.fsf@xmission.com>
        <CALCETrUz2oU6OYwQ9K4M-SUg6FeDsd6Q1gf1w-cJRGg2PdmK8g@mail.gmail.com>
        <87pomwghda.fsf@xmission.com>
        <CALCETrXA2EnE8X3HzetLG6zS8YSVjJQJrsSumTfvEcGq=r5vsw@mail.gmail.com>
        <87twb6avk8.fsf_-_@xmission.com> <87inrmavax.fsf_-_@xmission.com>
        <20161117204707.GB10421@1wt.eu>
        <CAGXu5jJc6TmzdVp+4OMDAt5Kd68hHbNBXaRPD8X0+m558hx3qw@mail.gmail.com>
        <20161117213258.GA10839@1wt.eu>
Date: Thu, 17 Nov 2016 15:51:09 -0600
In-Reply-To: <20161117213258.GA10839@1wt.eu> (Willy Tarreau's message of "Thu,
        17 Nov 2016 22:32:59 +0100")
Message-ID: <874m3522sy.fsf@xmission.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-XM-SPF: eid=1c7Ucn-0007Al-0g;;;mid=<874m3522sy.fsf@xmission.com>;;;hst=in02.mta.xmission.com;;;ip=75.170.125.99;;;frm=ebiederm@xmission.com;;;spf=neutral
X-XM-AID: U2FsdGVkX18gOw6wvk1oORTW8wQmVBQ7kYkIt5bzpSM=
X-SA-Exim-Connect-IP: 75.170.125.99
X-SA-Exim-Mail-From: ebiederm@xmission.com
X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
        *  0.7 XMSubLong Long Subject
        *  1.5 TR_Symld_Words too many words that have symbols inside
        *  1.5 XMNoVowels Alpha-numberic number with no vowels
        *  0.0 TVD_RCVD_IP Message was received from an IP address
        *  0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available.
        *  0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
        *      [score: 0.4978]
        * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC
        *      [sa07 1397; Body=1 Fuz1=1 Fuz2=1]
        *  0.0 T_TooManySym_01 4+ unique symbols in subject
X-Spam-DCC: XMission; sa07 1397; Body=1 Fuz1=1 Fuz2=1 
X-Spam-Combo: ***;Willy Tarreau <w@1wt.eu>
X-Spam-Relay-Country: 
X-Spam-Timing: total 5541 ms - load_scoreonly_sql: 0.04 (0.0%),
        signal_user_changed: 3.7 (0.1%), b_tie_ro: 2.6 (0.0%), parse: 1.06 (0.0%),
        extract_message_metadata: 13 (0.2%), get_uri_detail_list: 1.31 (0.0%),
        tests_pri_-1000: 6 (0.1%), tests_pri_-950: 1.15 (0.0%), tests_pri_-900: 0.96
        (0.0%), tests_pri_-400: 23 (0.4%), check_bayes: 22 (0.4%), b_tokenize: 6
        (0.1%), b_tok_get_all: 7 (0.1%), b_comp_prob: 2.4 (0.0%), b_tok_touch_all:
        2.9 (0.1%), b_finish: 0.70 (0.0%), tests_pri_0: 141 (2.6%),
        check_dkim_signature: 0.44 (0.0%), check_dkim_adsp: 3.0 (0.1%),
        tests_pri_500: 5348 (96.5%), poll_dns_idle: 5343 (96.4%), rewrite_mail: 0.00
        (0.0%)
Subject: Re: [REVIEW][PATCH 2/3] exec: Don't allow ptracing an exec of an unreadable file
X-Spam-Flag: No
X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600)
X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1256
Lines: 27

Willy Tarreau <w@1wt.eu> writes:

> On Thu, Nov 17, 2016 at 01:07:33PM -0800, Kees Cook wrote:
>> I'm not opposed to a sysctl for this. Regardless, I think we need to
>> embrace this idea now, though, since we'll soon end up with
>> architectures that enforce executable-only memory, in which case
>> ptrace will again fail. Almost better to get started here and then not
>> have more surprises later.
>
> Also that makes me realize that by far the largest use case of ptrace
> is strace and that strace needs very little capabilities. I guess that
> most users would be fine with having only pointers and not contents
> for addresses or read/write of data, as they have on some other OSes,
> when the process is not readable. But in my opinion when a process
> is executable we should be able to trace its execution (even without
> memory read access).

Given all of this I will respin this series with a replacement patch
that adds a permission check ion the path where ptrace calls
access_process_vm.

I avoided it because the patch is a bit larger and with full ptrace control
is much better at leaking information.  Even if you can't read the
data.  But ptrace works even if it won't give you the memory based
arguments to system calls anymore.

Eric