Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S966610AbcLVSnU (ORCPT ); Thu, 22 Dec 2016 13:43:20 -0500 Received: from out03.mta.xmission.com ([166.70.13.233]:47010 "EHLO out03.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755923AbcLVSnS (ORCPT ); Thu, 22 Dec 2016 13:43:18 -0500 From: ebiederm@xmission.com (Eric W. Biederman) To: Aleksa Sarai Cc: oleg@redhat.com, viro@zeniv.linux.org.uk, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, cyphar@cyphar.com, dev@opencontainers.org References: <20161221052624.16270-1-asarai@suse.de> Date: Fri, 23 Dec 2016 07:39:57 +1300 In-Reply-To: <20161221052624.16270-1-asarai@suse.de> (Aleksa Sarai's message of "Wed, 21 Dec 2016 16:26:24 +1100") Message-ID: <87h95v3j0i.fsf@xmission.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-SPF: eid=1cK8Kc-0003jq-RH;;;mid=<87h95v3j0i.fsf@xmission.com>;;;hst=in02.mta.xmission.com;;;ip=101.100.131.98;;;frm=ebiederm@xmission.com;;;spf=neutral X-XM-AID: U2FsdGVkX1+8oS73SSuC8IgDq+Fo0DYaua3sSX5C8zM= X-SA-Exim-Connect-IP: 101.100.131.98 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 0.7 XMSubLong Long Subject * 0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available. * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.5000] * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa07 1397; Body=1 Fuz1=1 Fuz2=1] X-Spam-DCC: XMission; sa07 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: ;Aleksa Sarai X-Spam-Relay-Country: X-Spam-Timing: total 5548 ms - load_scoreonly_sql: 0.04 (0.0%), signal_user_changed: 4.6 (0.1%), b_tie_ro: 3.3 (0.1%), parse: 1.06 (0.0%), extract_message_metadata: 16 (0.3%), get_uri_detail_list: 2.6 (0.0%), tests_pri_-1000: 6 (0.1%), tests_pri_-950: 1.14 (0.0%), tests_pri_-900: 0.96 (0.0%), tests_pri_-400: 27 (0.5%), check_bayes: 26 (0.5%), b_tokenize: 8 (0.1%), b_tok_get_all: 9 (0.2%), b_comp_prob: 2.4 (0.0%), b_tok_touch_all: 3.8 (0.1%), b_finish: 0.73 (0.0%), tests_pri_0: 400 (7.2%), check_dkim_signature: 0.70 (0.0%), check_dkim_adsp: 4.2 (0.1%), tests_pri_500: 5088 (91.7%), poll_dns_idle: 5080 (91.6%), rewrite_mail: 0.00 (0.0%) Subject: Re: [PATCH v2] fs: exec: apply CLOEXEC before changing dumpable task flags X-Spam-Flag: No X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600) X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 3194 Lines: 83 Aleksa Sarai writes: > If you have a process that has set itself to be non-dumpable, and it > then undergoes exec(2), any CLOEXEC file descriptors it has open are > "exposed" during a race window between the dumpable flags of the process > being reset for exec(2) and CLOEXEC being applied to the file > descriptors. This can be exploited by a process by attempting to access > /proc//fd/... during this window, without requiring CAP_SYS_PTRACE. > > The race in question is after set_dumpable has been (for get_link, > though the trace is basically the same for readlink): > > [vfs] > -> proc_pid_link_inode_operations.get_link > -> proc_pid_get_link > -> proc_fd_access_allowed > -> ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS); > > Which will return 0, during the race window and CLOEXEC file descriptors > will still be open during this window because do_close_on_exec has not > been called yet. As a result, the ordering of these calls should be > reversed to avoid this race window. > > This is of particular concern to container runtimes, where joining a > PID namespace with file descriptors referring to the host filesystem > can result in security issues (since PRCTL_SET_DUMPABLE doesn't protect > against access of CLOEXEC file descriptors -- file descriptors which may > reference filesystem objects the container shouldn't have access to). That seems reasonable. I was thinking cred_guard_mutex should handle this case, but it obviously won't because only ptrace_attach takes that. Sigh with enough cleanups the code might even become comprehensible and correct in there. I have dropped this onto my for-testing branch for now (so I don't forget it) and after the chaos of the merge window ends I will forward this along. Eric > Cc: dev@opencontainers.org > Cc: # v3.2+ > Reported-by: Michael Crosby > Signed-off-by: Aleksa Sarai > --- > fs/exec.c | 10 ++++++++-- > 1 file changed, 8 insertions(+), 2 deletions(-) > > diff --git a/fs/exec.c b/fs/exec.c > index 4e497b9ee71e..b0a98ef03253 100644 > --- a/fs/exec.c > +++ b/fs/exec.c > @@ -19,7 +19,7 @@ > * current->executable is only used by the procfs. This allows a dispatch > * table to check for several different types of binary formats. We keep > * trying until we recognize the file or we run out of supported binary > - * formats. > + * formats. > */ > > #include > @@ -1266,6 +1266,13 @@ int flush_old_exec(struct linux_binprm * bprm) > flush_thread(); > current->personality &= ~bprm->per_clear; > > + /* > + * We have to apply CLOEXEC before we change whether the process is > + * dumpable (in setup_new_exec) to avoid a race with a process in userspace > + * trying to access the should-be-closed file descriptors of a process > + * undergoing exec(2). > + */ > + do_close_on_exec(current->files); > return 0; > > out: > @@ -1315,7 +1322,6 @@ void setup_new_exec(struct linux_binprm * bprm) > group */ > current->self_exec_id++; > flush_signal_handlers(current, 0); > - do_close_on_exec(current->files); > } > EXPORT_SYMBOL(setup_new_exec);