From: Jann Horn
Date: Wed, 26 Sep 2018 23:18:35 +0200
Subject: Re: [PATCH v5 1/5] AppArmor: Prepare for PTRACE_MODE_SCHED
To: Casey Schaufler
Cc: Kernel Hardening, kernel list, linux-security-module, selinux@tycho.nsa.gov, Dave Hansen, deneen.t.dock@intel.com, kristen@linux.intel.com, Arjan van de Ven
References: <20180926203446.2004-1-casey.schaufler@intel.com> <20180926203446.2004-2-casey.schaufler@intel.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Sep 26, 2018 at 11:16 PM Jann Horn wrote:
>
> On Wed, Sep 26, 2018 at 10:35 PM Casey Schaufler wrote:
> > A ptrace access check with mode PTRACE_MODE_SCHED gets called
> > from process switching code. This precludes the use of audit,
> > as the locking is incompatible. Don't do audit in the PTRACE_MODE_SCHED
> > case.
>
> Why is this separate from PTRACE_MODE_NOAUDIT? It looks like
> apparmor_ptrace_access_check() currently ignores PTRACE_MODE_NOAUDIT.
> Could you, instead of adding a new flag, fix the handling of
> PTRACE_MODE_NOAUDIT?

Er, after looking at more of the series, I see that PTRACE_MODE_SCHED
is necessary; but could you handle the "don't audit" part for AppArmor
using PTRACE_MODE_NOAUDIT instead?

> > Signed-off-by: Casey Schaufler > > --- > > security/apparmor/domain.c | 2 +- > > security/apparmor/include/ipc.h | 2 +- > > security/apparmor/ipc.c | 8 +++++--- > > security/apparmor/lsm.c | 5 +++-- > > 4 files changed, 10 insertions(+), 7 deletions(-) > > > > diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c > > index 08c88de0ffda..28300f4c3ef9 100644 > > --- a/security/apparmor/domain.c > > +++ b/security/apparmor/domain.c > > @@ -77,7 +77,7 @@ static int may_change_ptraced_domain(struct aa_label *to_label, > > if (!tracer || unconfined(tracerl)) > > goto out; > > > > - error = aa_may_ptrace(tracerl, to_label, PTRACE_MODE_ATTACH); > > + error = aa_may_ptrace(tracerl, to_label, PTRACE_MODE_ATTACH, true); > > > > out: > > rcu_read_unlock(); > > diff --git a/security/apparmor/include/ipc.h b/security/apparmor/include/ipc.h > > index 5ffc218d1e74..299d1c45fef0 100644 > > --- a/security/apparmor/include/ipc.h > > +++ b/security/apparmor/include/ipc.h > > @@ -34,7 +34,7 @@ struct aa_profile; > > "xcpu xfsz vtalrm prof winch io pwr sys emt lost" > > > > int aa_may_ptrace(struct aa_label *tracer, struct aa_label *tracee, > > - u32 request); > > + u32 request, bool audit); > > int aa_may_signal(struct aa_label *sender, struct aa_label *target, int sig); > > > > #endif /* __AA_IPC_H */ > > diff --git a/security/apparmor/ipc.c b/security/apparmor/ipc.c > > index 527ea1557120..9ed110afc822 100644 > > --- a/security/apparmor/ipc.c > > +++ b/security/apparmor/ipc.c 
> > @@ -121,15 +121,17 @@ static int profile_tracer_perm(struct aa_profile *tracer, > > * Returns: %0 else error code if permission denied or error > > */ > > int aa_may_ptrace(struct aa_label *tracer, struct aa_label *tracee, > > - u32 request) > > + u32 request, bool audit) > > { > > struct aa_profile *profile; > > u32 xrequest = request << PTRACE_PERM_SHIFT; > > DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_PTRACE); > > > > return xcheck_labels(tracer, tracee, profile, > > - profile_tracer_perm(profile, tracee, request, &sa), > > - profile_tracee_perm(profile, tracer, xrequest, &sa)); > > + profile_tracer_perm(profile, tracee, request, > > + audit ? &sa : NULL), > > + profile_tracee_perm(profile, tracer, xrequest, > > + audit ? &sa : NULL)); > > } > > > > > > diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c > > index 8b8b70620bbe..da9d0b228857 100644 > > --- a/security/apparmor/lsm.c > > +++ b/security/apparmor/lsm.c > > @@ -118,7 +118,8 @@ static int apparmor_ptrace_access_check(struct task_struct *child, > > tracee = aa_get_task_label(child); > > error = aa_may_ptrace(tracer, tracee, > > (mode & PTRACE_MODE_READ) ? AA_PTRACE_READ > > - : AA_PTRACE_TRACE); > > + : AA_PTRACE_TRACE, > > + !(mode & PTRACE_MODE_SCHED)); > > aa_put_label(tracee); > > end_current_label_crit_section(tracer); > > > > @@ -132,7 +133,7 @@ static int apparmor_ptrace_traceme(struct task_struct *parent) > > > > tracee = begin_current_label_crit_section(); > > tracer = aa_get_task_label(parent); > > - error = aa_may_ptrace(tracer, tracee, AA_PTRACE_TRACE); > > + error = aa_may_ptrace(tracer, tracee, AA_PTRACE_TRACE, true); > > aa_put_label(tracer); > > end_current_label_crit_section(tracee); > > > > -- > > 2.17.1 > >
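
Review bot: the trailing `bool audit` added to the aa_may_ptrace() prototype in security/apparmor/include/ipc.h leaves the call sites opaque; `aa_may_ptrace(tracerl, to_label, PTRACE_MODE_ATTACH, true)` in domain.c and the bare `true` in apparmor_ptrace_traceme() do not say what is being switched on. Passing the ptrace mode bits or a named flag down to aa_may_ptrace() would keep the decision to skip audit in one place and make each caller self-describing.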
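
Review bot: in the aa_may_ptrace() hunk of security/apparmor/ipc.c, `audit ? &sa : NULL` hands a NULL audit-data pointer to profile_tracer_perm() and profile_tracee_perm(), and nothing in this patch shows those helpers, or the code they call, checking for NULL before using it. Because the no-audit case is the one reached from process switching code, a stray dereference there would fault in the scheduler path, so please either show that the downstream audit path tolerates NULL or add the check in this patch. The comment block ending in "Returns:" is also left unchanged, so the new parameter is undocumented, and `sa` is still set up by DEFINE_AUDIT_DATA() when it will not be used.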
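
Review bot: `!(mode & PTRACE_MODE_SCHED)` in the apparmor_ptrace_access_check() hunk of security/apparmor/lsm.c keys audit suppression on the new flag only, so PTRACE_MODE_NOAUDIT is still not consulted by AppArmor on this path. Deriving the argument from the existing flag, for example `!(mode & PTRACE_MODE_NOAUDIT)`, with the scheduler caller setting both bits, would cover the existing flag and the new case with one test. Since a denial taken in PTRACE_MODE_SCHED now leaves no audit record, the commit message should say so explicitly and describe the locking conflict that makes dropping the record necessary.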