Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp5013219imm; Tue, 9 Oct 2018 08:27:51 -0700 (PDT) X-Google-Smtp-Source: ACcGV633S7iFhtJAnIEgjQbRvIqhXo+khSbXLOxnQCe/ZdDbL78zq6AIpDkkmMsj651M/kK60Mce X-Received: by 2002:a62:8d16:: with SMTP id z22-v6mr30448489pfd.185.1539098871033; Tue, 09 Oct 2018 08:27:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539098871; cv=none; d=google.com; s=arc-20160816; b=QlR1HaRZinLghlfug845mtMFCzq04b3VWE6St4FspeiF5VVTqWSltv1S3J/KY15bmD 5DNNA9QpmzquyBfRa7fWYQiNF3HhBqs32v7r0/y1R7llS2KJ6sMk5G3EFXlz8GOO4r60 QRDL6/Ov3dNGn1KNi0bf77dPbkC8Uo7GqAUXRx8O5/NKKqRjQUfQ9uGz89JqCGl/ZuqD muGZCppFobFOgusEz5Qtq/rfKIcMb9haTBCPrAnllbBxkzk5YFRgFpW6Ah5P1etFH5ge zBtVA8rAbidbRW5IGS/wk6DxpHEOZ4+diiOv/xVolIIHB0QXwDr17aE7/AcsCrVCygqj bPxg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=VsAL5GqCpbZrHMxJMuKGe2H4E5MCvjGbnXe/JT1UDsI=; b=j/4eqIA/L1L5umGQv5Tj/ZioDvE8P0hA/rySV/9zLDeZvASeG8UvPg9Ufu5I89glvc ZThEfofcJYYkTE2W/kplejvODibWiGaJ0GrE0VJVSGLidjnrG3C5QrU3ao4eCwClFy0p HbmRhz1TTWmqk+AksWPPYVme6CDU0bV6tz88jXnWSJDXppszCmTKQiYw2r1TOaHBqAtG 3+G7eQioqJuzAczCZHwu3kWftphrpUkS2tfIEKp8viyy9zt2qPlaEmXXo2mDFWSEY5qv SLlq6dOSt6JsQsGPSX2TEYg8M5Vm7t2DnVAqPf+jn4ZT82cjRNSS/gMIow6Opm3S4pbP vJGg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=Ghj5RM8n; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d35-v6si22793084pla.116.2018.10.09.08.27.36; Tue, 09 Oct 2018 08:27:50 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=Ghj5RM8n; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726995AbeJIWoU (ORCPT + 99 others); Tue, 9 Oct 2018 18:44:20 -0400 Received: from mail-oi1-f194.google.com ([209.85.167.194]:37395 "EHLO mail-oi1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726600AbeJIWoU (ORCPT ); Tue, 9 Oct 2018 18:44:20 -0400 Received: by mail-oi1-f194.google.com with SMTP id e17-v6so1550443oib.4 for ; Tue, 09 Oct 2018 08:26:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=VsAL5GqCpbZrHMxJMuKGe2H4E5MCvjGbnXe/JT1UDsI=; b=Ghj5RM8n5lG8lYepy+GfW/bb87aQek7ZoBUrtDYmzJQaeAbLRHm2JHNezrueDi9tG4 iQkw9CjHkPGADrFLlP4HqOHCgmoMni4CfDiUwkZ6ava4ffEUbtx0YCSVLASJLwlZBHis UR8VuPWNVqjdwPdktPfIgh3K/VfqxpzBK0MW4eCOhmrtX41ebWpaC+SY8AkThR51FU8p F6QhlgqwBkLNaQIxZykJkSnbyfVAiIw38WnsR11otPh+aHk+5MPRaE4CdpYSmn8q6r07 4HC3iYMfCpJ0muw7OdhDr+hrAQonFqAUMZ+mTzKuOkZhq9Ab2xS9QhzqfCX1mx1Q4/ta PmNw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=VsAL5GqCpbZrHMxJMuKGe2H4E5MCvjGbnXe/JT1UDsI=; b=HjEtphOh1b+oVeIcLRzaN82+R+c44RQOKj74lSfWmIz5HKUfn9HZ5z5odQVCqgvuxB 5ajqw8Q2t7nDDSvIxLfhYu5ywpSDq3wB6kdTStsXtIMROqjSr51yR9L+nXEOTYh2XdxL H4T4cHXVCNpJq7K1aXd422tbvpOPuHla44zNgvNMXfWktuouZFHUFlaxNOPWkqIvSV2V 9fsCzCsxvbHl1zLUgWz6dQQtL5SKeFQfoGTyFy9Jta+kkm9q40EOU79uEZFd7nW8e355 60BzMlQ1Ivutydygh9yEA7LQSMddBrEmmR0SJKkHJoJcZSH1oTfSPmlbrr1rCoPkGpIN yEEQ== X-Gm-Message-State: ABuFfohJvov0VD2pVw1DJD/dVBk3WwfJcA5EcXcDjpOdXonpVxOTbthq xp2bRQ4j+9Isxc6qSaB8bfj7SDhf28ig/Yi+zi55Ew== X-Received: by 2002:aca:c4cf:: with SMTP id u198-v6mr6844830oif.209.1539098812581; Tue, 09 Oct 2018 08:26:52 -0700 (PDT) MIME-Version: 1.0 References: <20181008151629.hkgzzsluevwtuclw@brauner.io> <20181008162147.ubfxxsv2425l2zsp@brauner.io> <20181008181815.pwnqxngj22mhm2vj@brauner.io> <20181009132850.fp6yne2vgmfpi27k@brauner.io> <20181009134923.2fvf5roghqgaj5gq@brauner.io> <20181009140932.e5w5lgbgucbl72kt@brauner.io> In-Reply-To: <20181009140932.e5w5lgbgucbl72kt@brauner.io> From: Jann Horn Date: Tue, 9 Oct 2018 17:26:26 +0200 Message-ID: Subject: Re: [PATCH v7 3/6] seccomp: add a way to get a listener fd from ptrace To: christian@brauner.io Cc: Tycho Andersen , Kees Cook , Linux API , containers@lists.linux-foundation.org, suda.akihiro@lab.ntt.co.jp, Oleg Nesterov , kernel list , "Eric W. Biederman" , linux-fsdevel@vger.kernel.org, Christian Brauner , Andy Lutomirski , linux-security-module , selinux@tycho.nsa.gov, Paul Moore , Stephen Smalley , Eric Paris Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Oct 9, 2018 at 4:09 PM Christian Brauner wrote: > On Tue, Oct 09, 2018 at 03:50:53PM +0200, Jann Horn wrote: > > On Tue, Oct 9, 2018 at 3:49 PM Christian Brauner wrote: > > > On Tue, Oct 09, 2018 at 03:36:04PM +0200, Jann Horn wrote: > > > > On Tue, Oct 9, 2018 at 3:29 PM Christian Brauner wrote: > > > > > One more thing. Citing from [1] > > > > > > > > > > > I think there's a security problem here. Imagine the following scenario: > > > > > > > > > > > > 1. task A (uid==0) sets up a seccomp filter that uses SECCOMP_RET_USER_NOTIF > > > > > > 2. task A forks off a child B > > > > > > 3. task B uses setuid(1) to drop its privileges > > > > > > 4. task B becomes dumpable again, either via prctl(PR_SET_DUMPABLE, 1) > > > > > > or via execve() > > > > > > 5. task C (the attacker, uid==1) attaches to task B via ptrace > > > > > > 6. task C uses PTRACE_SECCOMP_NEW_LISTENER on task B > > > > > > > > > > Sorry, to be late to the party but would this really pass > > > > > __ptrace_may_access() in ptrace_attach()? It doesn't seem obvious to me > > > > > that it would... Doesn't look like it would get past: > > > > > > > > > > tcred = __task_cred(task); > > > > > if (uid_eq(caller_uid, tcred->euid) && > > > > > uid_eq(caller_uid, tcred->suid) && > > > > > uid_eq(caller_uid, tcred->uid) && > > > > > gid_eq(caller_gid, tcred->egid) && > > > > > gid_eq(caller_gid, tcred->sgid) && > > > > > gid_eq(caller_gid, tcred->gid)) > > > > > goto ok; > > > > > if (ptrace_has_cap(tcred->user_ns, mode)) > > > > > goto ok; > > > > > rcu_read_unlock(); > > > > > return -EPERM; > > > > > ok: > > > > > rcu_read_unlock(); > > > > > mm = task->mm; > > > > > if (mm && > > > > > ((get_dumpable(mm) != SUID_DUMP_USER) && > > > > > !ptrace_has_cap(mm->user_ns, mode))) > > > > > return -EPERM; > > > > > > > > Which specific check would prevent task C from attaching to task B? If > > > > the UIDs match, the first "goto ok" executes; and you're dumpable, so > > > > you don't trigger the second "return -EPERM". > > > > > > You'd also need CAP_SYS_PTRACE in the mm->user_ns which you shouldn't > > > have if you did a setuid to an unpriv user. (But I always find that code > > > confusing.) > > > > Only if the target hasn't gone through execve() since setuid(). > > Sorry if I want to know this in excessive detail but I'd like to > understand this properly so bear with me :) > - If task B has setuid()ed and prctl(PR_SET_DUMPABLE, 1)ed but not > execve()ed then C won't pass ptrace_has_cap(mm->user_ns, mode). Yeah. > - If task B has setuid()ed, exeved()ed it will get its dumpable flag set > to /proc/sys/fs/suid_dumpable Not if you changed all UIDs (e.g. by calling setuid() as root). In that case, setup_new_exec() calls "set_dumpable(current->mm, SUID_DUMP_USER)". > which by default is 0. So C won't pass > (get_dumpable(mm) != SUID_DUMP_USER). > In both cases PTRACE_ATTACH shouldn't work. Now, if > /proc/sys/fs/suid_dumpable is 1 I'd find it acceptable for this to work. > This is an administrator choice.