Received: by 10.223.185.116 with SMTP id b49csp5520898wrg; Tue, 27 Feb 2018 15:03:44 -0800 (PST) X-Google-Smtp-Source: AH8x227ETleLAr3AoumjNhFENNGhNZwn0n2YxHDNQAoDMGyxt/WDB3Rq7Ho5uNy99Iv1Tkrd3qGJ X-Received: by 10.98.103.136 with SMTP id t8mr15647601pfj.177.1519772624861; Tue, 27 Feb 2018 15:03:44 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1519772624; cv=none; d=google.com; s=arc-20160816; b=uIh1PlQGS2CmlDZZt4SY/Uyiuq8GoIl/WA79+lSQDC8Y7wSeXAa7FFMq9bk5B5raXp xf/1ICYm10IZzMLDL4nLQFgtMkVkJxOB66FHEhhoEhQ4vENqgbbrJDqR0x1NPIuxNHEr 0fCMwBGrifd9RTu1GuEI6SgDBa3IC6f+wMEcmfEfgmUlmb6DzyiO33FzzskFj9JMZy2D BaujLDpxFf0g4jyYsfRgNiv2NXaTQa84uc7cWCVaqfGZJYzdhbAJptMu6ZnHoNpM83Z/ n0Q56vbrr8J1c+5Y4rGbIFXlF66eBzoA4q+bCG/zUG1ZtEOdPYUQTerIkpqUMdYiu9jq 0mzg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:references:in-reply-to:mime-version :dmarc-filter:arc-authentication-results; bh=rR0qdZj3tIRA6lv/Cdk2uBfj+E4gJrv8UebDmEV/ftQ=; b=tqB/OvFVgiSptZzOPRbO+rNoTjFRws4YL1OYpq386NWVKsoAlz/Slg7vBecCjYEm3Z oPPx8/z5JQ9ClACyAWYvU5XciYFXTjnILkI0BrRx+MPEyYlgbcEFARjuYv8az9efjS66 oa9HxuCZzIlrimq9QsjzoXlJhv9/a6VdVjAf6vvZaKhMYmyMPhGuqH/6DuKF+MghBgO8 CSfeN1ois8eB4Ky9udALSnyI+/3M6cOCtiRAAyqBahG6II3IiAco9AuWDI2Y6KE7uHrr fAz38wbzU+9ab5CdhneD06LPAp7noH++QEDBws2bcLehzUwYrhu8+iSamLycqelNCR4t unUg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b68si150126pfd.345.2018.02.27.15.03.30; Tue, 27 Feb 2018 15:03:44 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752016AbeB0XCm convert rfc822-to-8bit (ORCPT + 99 others); Tue, 27 Feb 2018 18:02:42 -0500 Received: from mail.kernel.org ([198.145.29.99]:52000 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751775AbeB0XCj (ORCPT ); Tue, 27 Feb 2018 18:02:39 -0500 Received: from mail-io0-f178.google.com (mail-io0-f178.google.com [209.85.223.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id B6E4A217D5 for ; Tue, 27 Feb 2018 23:02:38 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org B6E4A217D5 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=kernel.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=luto@kernel.org Received: by mail-io0-f178.google.com with SMTP id f1so1116403iob.0 for ; Tue, 27 Feb 2018 15:02:38 -0800 (PST) X-Gm-Message-State: APf1xPBTxIp1a+Q0UQmG+xsIVNaS/Q+QRwlopwmjxZLRXUiAgVGdyMU5 8nn0seWrTzpMfenA5P5ZXRnulLhN4Qgp4BQZxK+Ymg== X-Received: by 10.107.151.209 with SMTP id z200mr11796445iod.150.1519772557178; Tue, 27 Feb 2018 15:02:37 -0800 (PST) MIME-Version: 1.0 Received: by 10.2.137.101 with HTTP; Tue, 27 Feb 2018 15:02:16 -0800 (PST) In-Reply-To: <0e7d0512-12a3-568d-aa55-3def4b91c6d0@digikod.net> References: <20180227004121.3633-1-mic@digikod.net> <20180227004121.3633-9-mic@digikod.net> <0e7d0512-12a3-568d-aa55-3def4b91c6d0@digikod.net> From: Andy Lutomirski Date: Tue, 27 Feb 2018 23:02:16 +0000 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH bpf-next v8 08/11] landlock: Add ptrace restrictions To: =?UTF-8?B?TWlja2HDq2wgU2FsYcO8bg==?= Cc: LKML , Alexei Starovoitov , Arnaldo Carvalho de Melo , Casey Schaufler , Daniel Borkmann , David Drysdale , "David S . Miller" , "Eric W . Biederman" , James Morris , Jann Horn , Jonathan Corbet , Michael Kerrisk , Kees Cook , Paul Moore , Sargun Dhillon , "Serge E . Hallyn" , Shuah Khan , Tejun Heo , Thomas Graf , Tycho Andersen , Will Drewry , Kernel Hardening , Linux API , LSM List , Network Development Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 8BIT Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Feb 27, 2018 at 10:14 PM, Mickaël Salaün wrote: > > On 27/02/2018 06:01, Andy Lutomirski wrote: >> >> >>> On Feb 26, 2018, at 8:17 PM, Andy Lutomirski wrote: >>> >>>> On Tue, Feb 27, 2018 at 12:41 AM, Mickaël Salaün wrote: >>>> A landlocked process has less privileges than a non-landlocked process >>>> and must then be subject to additional restrictions when manipulating >>>> processes. To be allowed to use ptrace(2) and related syscalls on a >>>> target process, a landlocked process must have a subset of the target >>>> process' rules. >>>> >>>> Signed-off-by: Mickaël Salaün >>>> Cc: Alexei Starovoitov >>>> Cc: Andy Lutomirski >>>> Cc: Daniel Borkmann >>>> Cc: David S. Miller >>>> Cc: James Morris >>>> Cc: Kees Cook >>>> Cc: Serge E. Hallyn >>>> --- >>>> >>>> Changes since v6: >>>> * factor out ptrace check >>>> * constify pointers >>>> * cleanup headers >>>> * use the new security_add_hooks() >>>> --- >>>> security/landlock/Makefile | 2 +- >>>> security/landlock/hooks_ptrace.c | 124 +++++++++++++++++++++++++++++++++++++++ >>>> security/landlock/hooks_ptrace.h | 11 ++++ >>>> security/landlock/init.c | 2 + >>>> 4 files changed, 138 insertions(+), 1 deletion(-) >>>> create mode 100644 security/landlock/hooks_ptrace.c >>>> create mode 100644 security/landlock/hooks_ptrace.h >>>> >>>> diff --git a/security/landlock/Makefile b/security/landlock/Makefile >>>> index d0f532a93b4e..605504d852d3 100644 >>>> --- a/security/landlock/Makefile >>>> +++ b/security/landlock/Makefile >>>> @@ -3,4 +3,4 @@ obj-$(CONFIG_SECURITY_LANDLOCK) := landlock.o >>>> landlock-y := init.o chain.o task.o \ >>>> tag.o tag_fs.o \ >>>> enforce.o enforce_seccomp.o \ >>>> - hooks.o hooks_cred.o hooks_fs.o >>>> + hooks.o hooks_cred.o hooks_fs.o hooks_ptrace.o >>>> diff --git a/security/landlock/hooks_ptrace.c b/security/landlock/hooks_ptrace.c >>>> new file mode 100644 >>>> index 000000000000..f1b977b9c808 >>>> --- /dev/null >>>> +++ b/security/landlock/hooks_ptrace.c >>>> @@ -0,0 +1,124 @@ >>>> +/* >>>> + * Landlock LSM - ptrace hooks >>>> + * >>>> + * Copyright © 2017 Mickaël Salaün >>>> + * >>>> + * This program is free software; you can redistribute it and/or modify >>>> + * it under the terms of the GNU General Public License version 2, as >>>> + * published by the Free Software Foundation. >>>> + */ >>>> + >>>> +#include >>>> +#include >>>> +#include /* ARRAY_SIZE */ >>>> +#include >>>> +#include /* struct task_struct */ >>>> +#include >>>> + >>>> +#include "common.h" /* struct landlock_prog_set */ >>>> +#include "hooks.h" /* landlocked() */ >>>> +#include "hooks_ptrace.h" >>>> + >>>> +static bool progs_are_subset(const struct landlock_prog_set *parent, >>>> + const struct landlock_prog_set *child) >>>> +{ >>>> + size_t i; >>>> + >>>> + if (!parent || !child) >>>> + return false; >>>> + if (parent == child) >>>> + return true; >>>> + >>>> + for (i = 0; i < ARRAY_SIZE(child->programs); i++) { >>> >>> ARRAY_SIZE(child->programs) seems misleading. Is there no define >>> NUM_LANDLOCK_PROG_TYPES or similar? >>> >>>> + struct landlock_prog_list *walker; >>>> + bool found_parent = false; >>>> + >>>> + if (!parent->programs[i]) >>>> + continue; >>>> + for (walker = child->programs[i]; walker; >>>> + walker = walker->prev) { >>>> + if (walker == parent->programs[i]) { >>>> + found_parent = true; >>>> + break; >>>> + } >>>> + } >>>> + if (!found_parent) >>>> + return false; >>>> + } >>>> + return true; >>>> +} >>> >>> If you used seccomp, you'd get this type of check for free, and it >>> would be a lot easier to comprehend. AFAICT the only extra leniency >>> you're granting is that you're agnostic to the order in which the >>> rules associated with different program types were applied, which >>> could easily be added to seccomp. >> >> On second thought, this is all way too complicated. I think the correct logic is either "if you are filtered by Landlock, you cannot ptrace anything" or to delete this patch entirely. > > This does not fit a lot of use cases like running a container > constrained with some Landlock programs. We should not deny users the > ability to debug their stuff. > > This patch add the minimal protection which are needed to have > meaningful Landlock security policy. Without it, they may be easily > bypassable, hence useless. > I think you're wrong here. Any sane container trying to use Landlock like this would also create a PID namespace. Problem solved. I still think you should drop this patch. > >> If something like Tycho's notifiers goes in, then it's not obvious that, just because you have the same set of filters, you have the same privilege. Similarly, if a feature that lets a filter query its cgroup goes in (and you proposed this once!) then the logic you implemented here is wrong. > > I don't get your point. Please take a look at the tests (patch 10). I don't know what you want me to look at. What I'm saying is: suppose I write a filter like this: bool allow_some_action(void) { int value_from_container_manager = call_out_to_user_notifier(); return value_from_container_manager == 42; } or bool allow_some_action(void) { return my_cgroup_is("/foo/bar"); } In both of these cases, your code will do the wrong thing. > >> >> Or you could just say that it's the responsibility of a Landlock user to properly filter ptrace() just like it's the responsibility of seccomp users to filter ptrace if needed. > > A user should be able to enforce a security policy on ptrace as well, > but this patch enforce a minimal set of security boundaries. It will be > easy to add a new Landlock program type to get this kind of access control. It sounds like you want Landlock to be a complete container system all by itself. I disagree with that design goal.