Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751845AbdH3ALQ (ORCPT <rfc822;w@1wt.eu>);
        Tue, 29 Aug 2017 20:11:16 -0400
Received: from out01.mta.xmission.com ([166.70.13.231]:39839 "EHLO
        out01.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751314AbdH3ALO (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 29 Aug 2017 20:11:14 -0400
From: ebiederm@xmission.com (Eric W. Biederman)
To: "prakash.sangappa" <prakash.sangappa@oracle.com>
Cc: David Miller <davem@davemloft.net>, linux-kernel@vger.kernel.org,
        netdev@vger.kernel.org, drepper@redhat.com
References: <1503965540-30393-1-git-send-email-prakash.sangappa@oracle.com>
        <20170829.160232.1901318933754673000.davem@davemloft.net>
        <c9ea9bec-6b0e-70d6-3f74-9b483358edd2@oracle.com>
Date: Tue, 29 Aug 2017 19:10:50 -0500
In-Reply-To: <c9ea9bec-6b0e-70d6-3f74-9b483358edd2@oracle.com> (prakash
        sangappa's message of "Tue, 29 Aug 2017 16:59:18 -0700")
Message-ID: <87ziahzzhx.fsf@xmission.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-XM-SPF: eid=1dmqb5-0006Au-Gd;;;mid=<87ziahzzhx.fsf@xmission.com>;;;hst=in02.mta.xmission.com;;;ip=67.3.200.44;;;frm=ebiederm@xmission.com;;;spf=neutral
X-XM-AID: U2FsdGVkX18aUwd3bb8xiI8+iiPv66F5ClAc3T0m/t0=
X-SA-Exim-Connect-IP: 67.3.200.44
X-SA-Exim-Mail-From: ebiederm@xmission.com
X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
        *  0.7 XMSubLong Long Subject
        *  0.0 TVD_RCVD_IP Message was received from an IP address
        *  0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available.
        * -0.0 BAYES_20 BODY: Bayes spam probability is 5 to 20%
        *      [score: 0.1497]
        * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC
        *      [sa03 1397; Body=1 Fuz1=1 Fuz2=1]
        *  0.1 XMSolicitRefs_0 Weightloss drug
X-Spam-DCC: XMission; sa03 1397; Body=1 Fuz1=1 Fuz2=1 
X-Spam-Combo: ;"prakash.sangappa" <prakash.sangappa@oracle.com>
X-Spam-Relay-Country: 
X-Spam-Timing: total 5337 ms - load_scoreonly_sql: 0.21 (0.0%),
        signal_user_changed: 5 (0.1%), b_tie_ro: 3.3 (0.1%), parse: 1.95 (0.0%),
        extract_message_metadata: 30 (0.6%), get_uri_detail_list: 3.2 (0.1%),
        tests_pri_-1000: 10 (0.2%), tests_pri_-950: 2.5 (0.0%), tests_pri_-900: 2.0
        (0.0%), tests_pri_-400: 32 (0.6%), check_bayes: 30 (0.6%), b_tokenize: 12
        (0.2%), b_tok_get_all: 7 (0.1%), b_comp_prob: 4.6 (0.1%), b_tok_touch_all:
        2.3 (0.0%), b_finish: 0.90 (0.0%), tests_pri_0: 525 (9.8%),
        check_dkim_signature: 1.19 (0.0%), check_dkim_adsp: 7 (0.1%), tests_pri_500:
        4719 (88.4%), poll_dns_idle: 4702 (88.1%), rewrite_mail: 0.00 (0.0%)
Subject: Re: [RESEND PATCH] Allow passing tid or pid in SCM_CREDENTIALS without CAP_SYS_ADMIN
X-Spam-Flag: No
X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600)
X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 2155
Lines: 49

"prakash.sangappa" <prakash.sangappa@oracle.com> writes:

> On 08/29/2017 04:02 PM, David Miller wrote:
>> From: Prakash Sangappa <prakash.sangappa@oracle.com>
>> Date: Mon, 28 Aug 2017 17:12:20 -0700
>>
>>> Currently passing tid(gettid(2)) of a thread in struct ucred in
>>> SCM_CREDENTIALS message requires CAP_SYS_ADMIN capability otherwise
>>> it fails with EPERM error. Some applications deal with thread id
>>> of a thread(tid) and so it would help to allow tid in SCM_CREDENTIALS
>>> message. Basically, either tgid(pid of the process) or the tid of
>>> the thread should be allowed without the need for CAP_SYS_ADMIN capability.
>>>
>>> SCM_CREDENTIALS will be used to determine the global id of a process or
>>> a thread running inside a pid namespace.
>>>
>>> This patch adds necessary check to accept tid in SCM_CREDENTIALS
>>> struct ucred.
>>>
>>> Signed-off-by: Prakash Sangappa <prakash.sangappa@oracle.com>
>> I'm pretty sure that by the descriptions in previous changes to this
>> function, what you are proposing is basically a minor form of PID
>> spoofing which we only want someone with CAP_SYS_ADMIN over the
>> PID namespace to be able to do.
>
> The fix is to allow passing tid of the calling thread itself not of any
> other thread or process. Curious why would this be considered
> as pid spoofing?
>
> This change would enable a thread in a multi threaded process, running
> inside a pid namespace to be identified by the recipient of the
> message easily.

I think a more practical problem is that change, changes what is being
passed in the SCM_CREDENTIALS from a pid of a process to a tid of a
thread.  That could be confusing and that confusion could be exploited.

It is definitely confusing because in some instances a value can be both
a tgid and a tid.

I definitely think this needs to be talked about in terms of changing
what is passed in that field and what the consequences could be.

I suspect you are ok.  As nothing allows passing a tid today.  But I
don't see any analysis on why passing a tid instead of a tgid will not
confuse the receiving application, and in such confusion introduce a
security hole.

Eric