Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp5087236imm; Tue, 9 Oct 2018 09:29:19 -0700 (PDT) X-Google-Smtp-Source: ACcGV62Jt7Ho+2078BDGZy17hm6FdEeurLoFXe0fOGzilFI/TJq9/Kpi1hEGQ2GFGV9phKk+B/eb X-Received: by 2002:a17:902:8f8f:: with SMTP id z15-v6mr27484019plo.305.1539102559932; Tue, 09 Oct 2018 09:29:19 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539102559; cv=none; d=google.com; s=arc-20160816; b=UlHm0oW+qzWB7E3DKP+oNRswv5zcvOTdZrmlaJ+fe/km8N+2kRoG0F4FidPUi88CW3 VOhShqEE1SWfqq6udcA42uXEI7ubwP5qBPNFDOGHHf7jVcLOl85g7rTYH5rukECCW4Mg Y0XmmbsLKqz5Xg1Hx7WxoxhdgqYH1KE6L21YOL8qg/qiIkmtl2ATeT3swc8JjHp3di/8 nr5vlCz83VsiKeEhq6cQbwp3VNfED1Io6MgWXLcYNgOOZWmYuYk8jT4ez4G5Rf+eCojU Xd3wVkE4OmkmKQrKhwHBRLb0JI84qttMGkskgNUWH89SFcgmBRb9qcFQ78O4r5ZMLatR vv0A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=whg6ewkYniyV6HAKiVc8/3Z0EKakuoHttAUFhDfk8ZI=; b=ATxyTf/E1dM4du8RbrgZrZFUynC+Szdts5aqjy45TH4R3LtZQFguPJnwXoas+1DO12 WyYl3crP5ryMKuJHQKrELcs+3M/joKB3nuHTPCG86a9D4UgnamTvgXZrRgz/FLu8MVUe gkA8maBCzWPhsiZKoW0zW7HWyRj3CysRZPPemfesTbIvI/FC+dsGiE9kTL44M67ovMjL FkKenVFpkDeGNqXuqZdhvpVsszGDdPc8rTZkSQZXQfP2IH+u9gHZRgm6V2V1B9qOWIkl X1a2TqADTKqnlKedrdKgDORnznV2UoUY6rsYWG7STnqMuMGd3BRG0NKoRhJNUwr2jQmD cTDQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=ezTuF0aA; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q15-v6si18717799pgm.595.2018.10.09.09.29.04; Tue, 09 Oct 2018 09:29:19 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=ezTuF0aA; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726795AbeJIXo7 (ORCPT + 99 others); Tue, 9 Oct 2018 19:44:59 -0400 Received: from mail-ot1-f68.google.com ([209.85.210.68]:46419 "EHLO mail-ot1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726415AbeJIXo7 (ORCPT ); Tue, 9 Oct 2018 19:44:59 -0400 Received: by mail-ot1-f68.google.com with SMTP id o21so2247191otb.13 for ; Tue, 09 Oct 2018 09:27:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=whg6ewkYniyV6HAKiVc8/3Z0EKakuoHttAUFhDfk8ZI=; b=ezTuF0aAYVz+gybDq6QJGX+MpuCNJoJpqO/tuRPzVbK4cBQ/qyqECcQsJvmeZfX6kx Y+6wGvnyToSSGHS4s2/Ku5jc13x+DVpQcAWaciMK3QFIq71lOyrNKpkf9DJTkjA79NGH wG1yQ9240+Ol6AB4vJk44pjKt3XsVED8brNe/UJzLRayCrd4T5P/vDqkEOGJMyVNs4aF ccA7qiBfNRptrz2xXeqDFrEY8wrs91NvCNfAJD/Xx4iQAvN+7dy62dwCshug4yjhpgst vo5qVrfV2wQ4Xwgt8iH0Zf8PMiSJoED4HKcAH0zNYMmkXYMYBGeoTR8QeR3JhWOB+ts+ DspQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=whg6ewkYniyV6HAKiVc8/3Z0EKakuoHttAUFhDfk8ZI=; b=sk5MZlzrRmwUtXDhKI1ze1n4By4GodGtyi74hnHFZAboNNEWeL01zBhSF3i0GZ7BWz X67732BZZK4EZns6Kyh2tkAz7GIwZTbp7pa6VsnDORqevaRk3Jg+T9dnakexUdSzCsfw nlz1aqMWaMHa4Z+I/hnTKKzO1GH+yCFEDOxHpa92urnnDYeCw+Z4Ih9kjrGjMAfIVhbs 9hMeMGPKzyTFlnfUm4WX0MTtC9lgwJQqg92b138OqvTDz3f1PkZb3hMb/wa1ddv6oMSZ uZAeE523HyKuiavwCD7y9c1jdz3FskRaUW48zAy/c5BNIZueNWVG3Yde1JP7WsGj3EkZ aX5Q== X-Gm-Message-State: ABuFfohgbtwZuniLqwsiS4Myisjt1ENNhtcOTK5r3VlwNQDx6CquCyVK GK2HRdncBUM0sIz1ly78T8LqN20ysvBgo3A1WioZMA== X-Received: by 2002:a9d:4917:: with SMTP id e23mr15593210otf.73.1539102434276; Tue, 09 Oct 2018 09:27:14 -0700 (PDT) MIME-Version: 1.0 References: <20181008162147.ubfxxsv2425l2zsp@brauner.io> <20181008181815.pwnqxngj22mhm2vj@brauner.io> <20181009132850.fp6yne2vgmfpi27k@brauner.io> <20181009134923.2fvf5roghqgaj5gq@brauner.io> <20181009140932.e5w5lgbgucbl72kt@brauner.io> <20181009162022.d7fd2wibyq6xi6sg@brauner.io> In-Reply-To: <20181009162022.d7fd2wibyq6xi6sg@brauner.io> From: Jann Horn Date: Tue, 9 Oct 2018 18:26:47 +0200 Message-ID: Subject: Re: [PATCH v7 3/6] seccomp: add a way to get a listener fd from ptrace To: christian@brauner.io Cc: Tycho Andersen , Kees Cook , Linux API , containers@lists.linux-foundation.org, suda.akihiro@lab.ntt.co.jp, Oleg Nesterov , kernel list , "Eric W. Biederman" , linux-fsdevel@vger.kernel.org, Christian Brauner , Andy Lutomirski , linux-security-module , selinux@tycho.nsa.gov, Paul Moore , Stephen Smalley , Eric Paris Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Oct 9, 2018 at 6:20 PM Christian Brauner wrote: > On Tue, Oct 09, 2018 at 05:26:26PM +0200, Jann Horn wrote: > > On Tue, Oct 9, 2018 at 4:09 PM Christian Brauner wrote: > > > On Tue, Oct 09, 2018 at 03:50:53PM +0200, Jann Horn wrote: > > > > On Tue, Oct 9, 2018 at 3:49 PM Christian Brauner wrote: > > > > > On Tue, Oct 09, 2018 at 03:36:04PM +0200, Jann Horn wrote: > > > > > > On Tue, Oct 9, 2018 at 3:29 PM Christian Brauner wrote: > > > > > > > One more thing. Citing from [1] > > > > > > > > > > > > > > > I think there's a security problem here. Imagine the following scenario: > > > > > > > > > > > > > > > > 1. task A (uid==0) sets up a seccomp filter that uses SECCOMP_RET_USER_NOTIF > > > > > > > > 2. task A forks off a child B > > > > > > > > 3. task B uses setuid(1) to drop its privileges > > > > > > > > 4. task B becomes dumpable again, either via prctl(PR_SET_DUMPABLE, 1) > > > > > > > > or via execve() > > > > > > > > 5. task C (the attacker, uid==1) attaches to task B via ptrace > > > > > > > > 6. task C uses PTRACE_SECCOMP_NEW_LISTENER on task B > > > > > > > > > > > > > > Sorry, to be late to the party but would this really pass > > > > > > > __ptrace_may_access() in ptrace_attach()? It doesn't seem obvious to me > > > > > > > that it would... Doesn't look like it would get past: > > > > > > > > > > > > > > tcred = __task_cred(task); > > > > > > > if (uid_eq(caller_uid, tcred->euid) && > > > > > > > uid_eq(caller_uid, tcred->suid) && > > > > > > > uid_eq(caller_uid, tcred->uid) && > > > > > > > gid_eq(caller_gid, tcred->egid) && > > > > > > > gid_eq(caller_gid, tcred->sgid) && > > > > > > > gid_eq(caller_gid, tcred->gid)) > > > > > > > goto ok; > > > > > > > if (ptrace_has_cap(tcred->user_ns, mode)) > > > > > > > goto ok; > > > > > > > rcu_read_unlock(); > > > > > > > return -EPERM; > > > > > > > ok: > > > > > > > rcu_read_unlock(); > > > > > > > mm = task->mm; > > > > > > > if (mm && > > > > > > > ((get_dumpable(mm) != SUID_DUMP_USER) && > > > > > > > !ptrace_has_cap(mm->user_ns, mode))) > > > > > > > return -EPERM; > > > > > > > > > > > > Which specific check would prevent task C from attaching to task B? If > > > > > > the UIDs match, the first "goto ok" executes; and you're dumpable, so > > > > > > you don't trigger the second "return -EPERM". > > > > > > > > > > You'd also need CAP_SYS_PTRACE in the mm->user_ns which you shouldn't > > > > > have if you did a setuid to an unpriv user. (But I always find that code > > > > > confusing.) > > > > > > > > Only if the target hasn't gone through execve() since setuid(). > > > > > > Sorry if I want to know this in excessive detail but I'd like to > > > understand this properly so bear with me :) > > > - If task B has setuid()ed and prctl(PR_SET_DUMPABLE, 1)ed but not > > > execve()ed then C won't pass ptrace_has_cap(mm->user_ns, mode). > > > > Yeah. > > > > > - If task B has setuid()ed, exeved()ed it will get its dumpable flag set > > > to /proc/sys/fs/suid_dumpable > > > > Not if you changed all UIDs (e.g. by calling setuid() as root). In > > that case, setup_new_exec() calls "set_dumpable(current->mm, > > SUID_DUMP_USER)". > > Actually, looking at this when C is trying to PTRACE_ATTACH to B as an > unprivileged user even if B execve()ed and it is dumpable C still > wouldn't have CAP_SYS_PTRACE in the mm->user_ns unless it already is > privileged over mm->user_ns which means it must be in an ancestor > user_ns. Huh? Why would you need CAP_SYS_PTRACE for anything here? You can ptrace another process running under your UID just fine, no matter what the namespaces are. I'm not sure what you're saying.