Subject: Re: [PATCH bpf-next v8 08/11] landlock: Add ptrace restrictions
From: Andy Lutomirski
Date: Mon, 26 Feb 2018 21:01:28 -0800
To: Mickaël Salaün
Cc: LKML, Alexei Starovoitov, Arnaldo Carvalho de Melo, Casey Schaufler, Daniel Borkmann, David Drysdale, David S. Miller, Eric W. Biederman, James Morris, Jann Horn, Jonathan Corbet, Michael Kerrisk, Kees Cook, Paul Moore, Sargun Dhillon, Serge E. Hallyn, Shuah Khan, Tejun Heo, Thomas Graf, Tycho Andersen, Will Drewry, Kernel Hardening, Linux API, LSM List, Network Development
References: <20180227004121.3633-1-mic@digikod.net> <20180227004121.3633-9-mic@digikod.net>
X-Mailing-List: linux-kernel@vger.kernel.org

> On Feb 26, 2018, at 8:17 PM, Andy Lutomirski wrote:
>
>> On Tue, Feb 27, 2018 at 12:41 AM, Mickaël Salaün wrote:
>> A landlocked process has less privileges than a non-landlocked process
>> and must then be subject to additional restrictions when manipulating
>> processes. To be allowed to use ptrace(2) and related syscalls on a
>> target process, a landlocked process must have a subset of the target
>> process' rules.
>>
>> Signed-off-by: Mickaël Salaün
>> Cc: Alexei Starovoitov
>> Cc: Andy Lutomirski
>> Cc: Daniel Borkmann
>> Cc: David S. Miller
>> Cc: James Morris
>> Cc: Kees Cook
>> Cc: Serge E. Hallyn
>> ---
>>
>> Changes since v6:
>> * factor out ptrace check
>> * constify pointers
>> * cleanup headers
>> * use the new security_add_hooks()
>> ---
>>  security/landlock/Makefile       |   2 +-
>>  security/landlock/hooks_ptrace.c | 124 ++++++++++++++++++++++++++++++++++++++++
>>  security/landlock/hooks_ptrace.h |  11 ++++
>>  security/landlock/init.c         |   2 +
>>  4 files changed, 138 insertions(+), 1 deletion(-)
>>  create mode 100644 security/landlock/hooks_ptrace.c
>>  create mode 100644 security/landlock/hooks_ptrace.h
>>
>> diff --git a/security/landlock/Makefile b/security/landlock/Makefile >> index d0f532a93b4e..605504d852d3 100644 >> --- a/security/landlock/Makefile >> +++ b/security/landlock/Makefile >> @@ -3,4 +3,4 @@ obj-$(CONFIG_SECURITY_LANDLOCK) :=3D landlock.o >> landlock-y :=3D init.o chain.o task.o \ >> tag.o tag_fs.o \ >> enforce.o enforce_seccomp.o \ >> - hooks.o hooks_cred.o hooks_fs.o >> + hooks.o hooks_cred.o hooks_fs.o hooks_ptrace.o >> diff --git a/security/landlock/hooks_ptrace.c b/security/landlock/hooks_p= trace.c >> new file mode 100644 >> index 000000000000..f1b977b9c808 >> --- /dev/null >> +++ b/security/landlock/hooks_ptrace.c 
>> @@ -0,0 +1,124 @@ >> +/* >> + * Landlock LSM - ptrace hooks >> + * >> + * Copyright =C2=A9 2017 Micka=C3=ABl Sala=C3=BCn >> + * >> + * This program is free software; you can redistribute it and/or modify >> + * it under the terms of the GNU General Public License version 2, as >> + * published by the Free Software Foundation. >> + */ >> + >> +#include >> +#include >> +#include /* ARRAY_SIZE */ >> +#include >> +#include /* struct task_struct */ >> +#include >> + >> +#include "common.h" /* struct landlock_prog_set */ >> +#include "hooks.h" /* landlocked() */ >> +#include "hooks_ptrace.h" >> + >> +static bool progs_are_subset(const struct landlock_prog_set *parent, >> + const struct landlock_prog_set *child) >> +{ >> + size_t i; >> + >> + if (!parent || !child) >> + return false; >> + if (parent =3D=3D child) >> + return true; >> + >> + for (i =3D 0; i < ARRAY_SIZE(child->programs); i++) {
>
> ARRAY_SIZE(child->programs) seems misleading. Is there no define
> NUM_LANDLOCK_PROG_TYPES or similar?
>
>> + struct landlock_prog_list *walker; >> + bool found_parent =3D false; >> + >> + if (!parent->programs[i]) >> + continue; >> + for (walker =3D child->programs[i]; walker; >> + walker =3D walker->prev) { >> + if (walker =3D=3D parent->programs[i]) { >> + found_parent =3D true; >> + break; >> + } >> + } >> + if (!found_parent) >> + return false; >> + } >> + return true; >> +}
>
> If you used seccomp, you'd get this type of check for free, and it
> would be a lot easier to comprehend. AFAICT the only extra leniency
> you're granting is that you're agnostic to the order in which the
> rules associated with different program types were applied, which
> could easily be added to seccomp.

On second thought, this is all way too complicated. I think the correct logic is either "if you are filtered by Landlock, you cannot ptrace anything" or to delete this patch entirely.
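Review bot: progs_are_subset() in the hooks_ptrace.c hunk compares list nodes by pointer identity ("if (walker == parent->programs[i])"), so it only accepts a child whose per-type chain was built by appending onto the parent's own nodes, and two processes that loaded identical programs independently are never considered subsets of each other; that prefix-by-identity semantics should be stated in a comment above the function, since it is the whole basis of the ptrace decision. The early "if (!parent || !child) return false;" also turns any call with a NULL prog set into a denial, so the callers (not visible in the quoted part of the hunk) must handle the non-landlocked tracer case before calling it, which belongs in the same comment.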
If something like Tycho's notifiers goes in, then it's not obvious that, just because you have the same set of filters, you have the same privilege. Similarly, if a feature that lets a filter query its cgroup goes in (and you proposed this once!) then the logic you implemented here is wrong.

Or you could just say that it's the responsibility of a Landlock user to properly filter ptrace() just like it's the responsibility of seccomp users to filter ptrace if needed.

I take this as further evidence that Landlock makes much more sense as part of seccomp than as a totally separate thing. We've very carefully reviewed these things for seccomp. Please don't make us do it again from scratch.