Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp3780151imm; Mon, 8 Oct 2018 09:22:21 -0700 (PDT) X-Google-Smtp-Source: ACcGV6007+K8XagdfF1YNDiBRTRhxOByEM43hLweHW8GyzcuggK7I3itQ7ynWugio+2a5xKvZuAU X-Received: by 2002:a63:e749:: with SMTP id j9-v6mr21604988pgk.246.1539015741336; Mon, 08 Oct 2018 09:22:21 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539015741; cv=none; d=google.com; s=arc-20160816; b=cRzUdOltQ7RRewrPP6OSwMQPWmXbnrS/os5pfJsXCuAQwABQxlaELAr+f84IPXcjgD 4I/XYmMaaKg5I1l4zZrvagb7GkydYp8GCh0RQcl2zGwAVm7tSfKx5ZBC4OF40DNY5I35 5im2YmrYVIMZFPOxpy21ZBGYSBHVl5YYWbIFc9jQTR7hPJt8aOVtb2rWxb1fAqbwBr1M DcLcXA0AJYGHV411Ht3ufqEJNEzVgjC82ZT1HCmCut6X9M4LOppiYPHMqetGWw4F2zt7 bisv+kv6nS4dRfae0Y/El7UBiGIrC78KVQCe5b4yugK7H2bXPu1TtNisITh6jXp3yQ+P Qy6Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=Puy0dHBha4s/npAf1cLvCd9OaxBxe3baF9envUyvhcs=; b=H9r2DO7WQH2TknSmV8JQssOPpFa1xxcw7IfwdIh5g27P3LS4xiub2T76mYW/t3beuO 8RECY2uKs7mNR2IYAA/UJHy3w19Kjt2UuM8P49bOQdV7bE/6HoANxh0iJ/kSNZbWSCa0 XJjaG6BugkcxMj6mgZhfEWZLSAx0LTuJN3LHImBkK3qMhCtLDs9w9h0quR4xMUoYnUoF QAJUn/WV64UTX5ps9QkrQas7jzh0OGZySHf11Xa+K5L9HanWmPJnifmxFZEYgG+CTS2R rW7f7ksBU9/Gjg4WFWX7KMRFdVh5F3Uscis8NPSNWM9qe8KO/yaZGezyypqv0mtEYEI+ cMrA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@brauner.io header.s=google header.b=bu92eMXQ; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z10-v6si14446959pgv.487.2018.10.08.09.22.04; Mon, 08 Oct 2018 09:22:21 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@brauner.io header.s=google header.b=bu92eMXQ; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726468AbeJHXe2 (ORCPT + 99 others); Mon, 8 Oct 2018 19:34:28 -0400 Received: from mail-wm1-f66.google.com ([209.85.128.66]:50710 "EHLO mail-wm1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726393AbeJHXe2 (ORCPT ); Mon, 8 Oct 2018 19:34:28 -0400 Received: by mail-wm1-f66.google.com with SMTP id i8-v6so2625386wmg.0 for ; Mon, 08 Oct 2018 09:21:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=brauner.io; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=Puy0dHBha4s/npAf1cLvCd9OaxBxe3baF9envUyvhcs=; b=bu92eMXQ92Bs9bhIHTmoXhhLi4roaaOwbTLCFQi+sq29nidFN3prWK6TZdHHyC6pB2 TuhRq7lH8/iJpGNcqiY8lyrVDosmLTVn+zHZdm2lar8T9usO+fwWlVBRgln169wE96yB qj4GKByZ4+uAL4jJ2JOe0IuetRxdLANogfHfBEiZ7odxGJtRnNMwW8P4r8YelWFXIjzS ITsv8AWoUOWNk6WWIyTKKzqKa+QtI4KWAde1to+5Fs55k+/D+TxrxLWsnuVbJBARjOSj 09uqfkFZwjV0CIR3tSIZ9ChOi1gSRsbbBE/Gd0E7heIDED8rJ+y0y7nMnw7UuEmlVcu7 HoHg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=Puy0dHBha4s/npAf1cLvCd9OaxBxe3baF9envUyvhcs=; b=EatWGKK71R8IeERGbsl/ZtrWuOpjx/g/v4/2QqacRslU7eDgKrrjhbmHw/Ar68Cs8G YfRmQuNlRPgI4MBJIvI8Ik95k1xZYhHS42xlnJvhZyFqnhywfNO2gh8kw/dwTg9P8I+u Qy/WFrsFXIv2PUMmIBYIzTcmrYB1ljVS78JwU8v6O268rbMGGNibe4PLc8FsUmmPFugf a2cK0zvqC7NNwf+/iZfJj8bM8wQwsFGmkq15jhVo70ak8U3gzC4RTb8KNtdODCVleppw kNpc/ZAyPtSsKRHT4O4pROoMI5uxpRo9xJIbAqT1PAdOmx4VJvTfzXtf/yAE21jaevB/ ynoQ== X-Gm-Message-State: ABuFfoh8Gw7qBhS7QwnXkmSt3E/6YfeZ3RqhdBS25CmxjXCi2l/EC1JL Ce30/0YAEwJfHrDUqJH6FRCWcw== X-Received: by 2002:a1c:3ad3:: with SMTP id h202-v6mr15693455wma.120.1539015715879; Mon, 08 Oct 2018 09:21:55 -0700 (PDT) Received: from brauner.io ([2a02:8070:8895:9700:8197:8849:535a:4f00]) by smtp.gmail.com with ESMTPSA id z69-v6sm9978772wmz.18.2018.10.08.09.21.54 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 08 Oct 2018 09:21:55 -0700 (PDT) Date: Mon, 8 Oct 2018 18:21:48 +0200 From: Christian Brauner To: Jann Horn Cc: Tycho Andersen , Kees Cook , Linux API , containers@lists.linux-foundation.org, suda.akihiro@lab.ntt.co.jp, Oleg Nesterov , kernel list , "Eric W. Biederman" , linux-fsdevel@vger.kernel.org, Christian Brauner , Andy Lutomirski Subject: Re: [PATCH v7 3/6] seccomp: add a way to get a listener fd from ptrace Message-ID: <20181008162147.ubfxxsv2425l2zsp@brauner.io> References: <20180927151119.9989-1-tycho@tycho.ws> <20180927151119.9989-4-tycho@tycho.ws> <20181008151629.hkgzzsluevwtuclw@brauner.io> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: User-Agent: NeoMutt/20180716 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Oct 08, 2018 at 05:33:22PM +0200, Jann Horn wrote: > On Mon, Oct 8, 2018 at 5:16 PM Christian Brauner wrote: > > > > On Thu, Sep 27, 2018 at 09:11:16AM -0600, Tycho Andersen wrote: > > > As an alternative to SECCOMP_FILTER_FLAG_GET_LISTENER, perhaps a ptrace() > > > version which can acquire filters is useful. There are at least two reasons > > > this is preferable, even though it uses ptrace: > > > > > > 1. You can control tasks that aren't cooperating with you > > > 2. You can control tasks whose filters block sendmsg() and socket(); if the > > > task installs a filter which blocks these calls, there's no way with > > > SECCOMP_FILTER_FLAG_GET_LISTENER to get the fd out to the privileged task. > > > > So for the slow of mind aka me: > > I'm not sure I completely understand this problem. Can you outline how > > sendmsg() and socket() are involved in this? > > > > I'm also not sure that this holds (but I might misunderstand the > > problem) afaict, you could do try to get the fd out via CLONE_FILES and > > other means so something like: > > > > // let's pretend the libc wrapper for clone actually has sane semantics > > pid = clone(CLONE_FILES); > > if (pid == 0) { > > fd = seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_NEW_LISTENER, &prog); > > > > // Now this fd will be valid in both parent and child. > > // If you haven't blocked it you can inform the parent what > > // the fd number is via pipe2(). If you have blocked it you can > > // use dup2() and dup to a known fd number. > > } > > > > > > > > v2: fix a bug where listener mode was not unset when an unused fd was not > > > available > > > v3: fix refcounting bug (Oleg) > > > v4: * change the listener's fd flags to be 0 > > > * rename GET_LISTENER to NEW_LISTENER (Matthew) > > > v5: * add capable(CAP_SYS_ADMIN) requirement > > > v7: * point the new listener at the right filter (Jann) > > > > > > Signed-off-by: Tycho Andersen > > > CC: Kees Cook > > > CC: Andy Lutomirski > > > CC: Oleg Nesterov > > > CC: Eric W. Biederman > > > CC: "Serge E. Hallyn" > > > CC: Christian Brauner > > > CC: Tyler Hicks > > > CC: Akihiro Suda > > > --- > > > include/linux/seccomp.h | 7 ++ > > > include/uapi/linux/ptrace.h | 2 + > > > kernel/ptrace.c | 4 ++ > > > kernel/seccomp.c | 31 +++++++++ > > > tools/testing/selftests/seccomp/seccomp_bpf.c | 68 +++++++++++++++++++ > > > 5 files changed, 112 insertions(+) > > > > > > diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h > > > index 017444b5efed..234c61b37405 100644 > > > --- a/include/linux/seccomp.h > > > +++ b/include/linux/seccomp.h > > > @@ -83,6 +83,8 @@ static inline int seccomp_mode(struct seccomp *s) > > > #ifdef CONFIG_SECCOMP_FILTER > > > extern void put_seccomp_filter(struct task_struct *tsk); > > > extern void get_seccomp_filter(struct task_struct *tsk); > > > +extern long seccomp_new_listener(struct task_struct *task, > > > + unsigned long filter_off); > > > #else /* CONFIG_SECCOMP_FILTER */ > > > static inline void put_seccomp_filter(struct task_struct *tsk) > > > { > > > @@ -92,6 +94,11 @@ static inline void get_seccomp_filter(struct task_struct *tsk) > > > { > > > return; > > > } > > > +static inline long seccomp_new_listener(struct task_struct *task, > > > + unsigned long filter_off) > > > +{ > > > + return -EINVAL; > > > +} > > > #endif /* CONFIG_SECCOMP_FILTER */ > > > > > > #if defined(CONFIG_SECCOMP_FILTER) && defined(CONFIG_CHECKPOINT_RESTORE) > > > diff --git a/include/uapi/linux/ptrace.h b/include/uapi/linux/ptrace.h > > > index d5a1b8a492b9..e80ecb1bd427 100644 > > > --- a/include/uapi/linux/ptrace.h > > > +++ b/include/uapi/linux/ptrace.h > > > @@ -73,6 +73,8 @@ struct seccomp_metadata { > > > __u64 flags; /* Output: filter's flags */ > > > }; > > > > > > +#define PTRACE_SECCOMP_NEW_LISTENER 0x420e > > > + > > > /* Read signals from a shared (process wide) queue */ > > > #define PTRACE_PEEKSIGINFO_SHARED (1 << 0) > > > > > > diff --git a/kernel/ptrace.c b/kernel/ptrace.c > > > index 21fec73d45d4..289960ac181b 100644 > > > --- a/kernel/ptrace.c > > > +++ b/kernel/ptrace.c > > > @@ -1096,6 +1096,10 @@ int ptrace_request(struct task_struct *child, long request, > > > ret = seccomp_get_metadata(child, addr, datavp); > > > break; > > > > > > + case PTRACE_SECCOMP_NEW_LISTENER: > > > + ret = seccomp_new_listener(child, addr); > > > + break; > > > + > > > default: > > > break; > > > } > > > diff --git a/kernel/seccomp.c b/kernel/seccomp.c > > > index 44a31ac8373a..17685803a2af 100644 > > > --- a/kernel/seccomp.c > > > +++ b/kernel/seccomp.c > > > @@ -1777,4 +1777,35 @@ static struct file *init_listener(struct task_struct *task, > > > > > > return ret; > > > } > > > + > > > +long seccomp_new_listener(struct task_struct *task, > > > + unsigned long filter_off) > > > +{ > > > + struct seccomp_filter *filter; > > > + struct file *listener; > > > + int fd; > > > + > > > + if (!capable(CAP_SYS_ADMIN)) > > > + return -EACCES; > > > > I know this might have been discussed a while back but why exactly do we > > require CAP_SYS_ADMIN in init_userns and not in the target userns? What > > if I want to do a setns()fd, CLONE_NEWUSER) to the target process and > > use ptrace from in there? > > See https://lore.kernel.org/lkml/CAG48ez3R+ZJ1vwGkDfGzKX2mz6f=jjJWsO5pCvnH68P+RKO8Ow@mail.gmail.com/ > . Basically, the problem is that this doesn't just give you capability > over the target task, but also over every other task that has the same > filter installed; you need some sort of "is the caller capable over > the filter and anyone who uses it" check. Thanks. But then this new ptrace feature as it stands is imho currently broken. If you can install a seccomp filter with SECCOMP_RET_USER_NOTIF if you are ns_cpabable(CAP_SYS_ADMIN) and also get an fd via seccomp() itself if you are ns_cpabable(CAP_SYS_ADMIN) then either the new ptrace() api extension should be fixed to allow for this too or the seccomp() way of retrieving the pid - which I really think we want - needs to be fixed to require capable(CAP_SYS_ADMIN) too. The solution where both require ns_capable(CAP_SYS_ADMIN) is - imho - the preferred way to solve this. Everything else will just be confusing.