Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp903222imm; Wed, 10 Oct 2018 06:12:26 -0700 (PDT) X-Google-Smtp-Source: ACcGV63S+cI2ScaUyLWcIlyZCHYG/gzsF3UfoHktiv/JeeXhqSnLf4dNwwrGRwC7oo1fXE003Zlt X-Received: by 2002:a62:8dcd:: with SMTP id p74-v6mr35592834pfk.217.1539177146665; Wed, 10 Oct 2018 06:12:26 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539177146; cv=none; d=google.com; s=arc-20160816; b=am5hlBH4rAWmCUkOZbkVPX2LwsemJgpb7h98gnuion2ZFYwkoS8mZUTy4zRSiigrl2 A3iaAQMI+h24KY0JQWH0OjYlbQdzUmVbAj+jhRvMtVDzx0oiVpJpLDpD/5S2f/T2T8zr yUtDUrFy6fJUfGvem6N6bbJ+lfcFgVCL6coT6SItatZuE37o9eAubAk/TTmWEkCga8yF ku6XN2UX5gJow2VVwexX5qL+HtZKU/pbLF4s5NGG52r8OpApHzotKVnYnDXSUkVZDaJy wYOM4WyKIjKSbokkr1Bt1kmKvcevxMYPpv4k7f11xSrHOo7cGWFsy7gi4oW1hEVQR5G2 HCdw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-transfer-encoding:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=UgTWBkqoPAjW9G6eAe9zDTS5JLmWiDkeADWlVgHWFHE=; b=CQ6vjJrPZQN8zDUi0BJ2/3hziUeUmKGaL6nzZ8PN8bGHS7EsMhLhkOKXXO3xKVHjxH Ti1z6wYvnWZP6M6tAusnmaRXJIA2XLTiUV+P110R3JpWDn0XZs0afJOyPJGDP+0WPwpt vQoOTbdTy5Dqxg9sLbfga96B/blKydJ2UliLNozWRmA8ScfBqj05tczOdDgRrKIDv3qz y9vsBwYWZmKkXiSIr+t1cWmBJ3PA9dh+6kX7f9kLrl9bvB85EovLci4yZJuvXrcq6436 GAdQz/YUSLjhu8chbeNY9ONkX4Y6Lg75/CB8uk3tlaB55RvKmdv9ZCtUK8VvpETveMeS 9WeA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@brauner.io header.s=google header.b=JzYBmMLU; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v1-v6si18357533pfb.144.2018.10.10.06.12.11; Wed, 10 Oct 2018 06:12:26 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@brauner.io header.s=google header.b=JzYBmMLU; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726873AbeJJUcL (ORCPT + 99 others); Wed, 10 Oct 2018 16:32:11 -0400 Received: from mail-wm1-f66.google.com ([209.85.128.66]:39874 "EHLO mail-wm1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726689AbeJJUcK (ORCPT ); Wed, 10 Oct 2018 16:32:10 -0400 Received: by mail-wm1-f66.google.com with SMTP id y144-v6so5657575wmd.4 for ; Wed, 10 Oct 2018 06:10:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=brauner.io; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:content-transfer-encoding:in-reply-to :user-agent; bh=UgTWBkqoPAjW9G6eAe9zDTS5JLmWiDkeADWlVgHWFHE=; b=JzYBmMLU1Iq+i1+/0MQ8+/P1pSECVKn+ialP6TDR9IDXxbuZmQXdig1thqzwoP2Qvv DTqmDZZtA66UlK44sK1qSZ8RAADqPTX5MzNwKY5eRTCp34DUmoOJiqxN1uC2I+zmlVd+ zTHsAm0yXBez9F1R3PDIOg2EA+57NRUr7x/SPr9DmdzI24kvBKA4zIAsL14taNsbxe7P 77SSJ0+FOpIYSrOe8XuVIPl+prZOTzN6RUoYK4ULgNXcNC2G5Bz2zyE6gb765s90qz9y QmGs0sOZ8P5kaiAW9A9j9zGPkLBImW+cdHAWUa6sG4yflWPL90pMaOQFjrW5IB9MrlxN CSpQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:content-transfer-encoding :in-reply-to:user-agent; bh=UgTWBkqoPAjW9G6eAe9zDTS5JLmWiDkeADWlVgHWFHE=; b=UoRSqmkkTs0rtASYID6kWD5XG8vNLpAuT7LYfxz0dguA1W3dUWK2sICHNBlR2tlQgX Z1H9rWWtG4Swa/gEYbqtxgRZlV+pL4LMTdezouywq17RdlXXB9rQyZojayaY2W4kRWIh OhmWwtb15kTZf2dGoxS1gOWgJTCp25Jqb5ZXXMqJnxJ5SNgshablQCIpxZnMn0vPGAZX gBHDz0wprPp0Vp5AfmpjZYMVMM+nsaPJ7dFgvKQjpaUOjQg3M7biTad72MTMC6BZdi5O FfliM5qL/twddszewd2ORs3Z2gvueQU/BSqZkof4wLwtF0QZkXcxQmHbHO+beqFzuqGp +C9g== X-Gm-Message-State: ABuFfoh9XA19B+tBW1hOtKFhLq/9GMKCpp2b3cTSTegPnf1K7/9N2Vxw OBaAk7n3K5l/71RIeNj7/Ox/tA== X-Received: by 2002:a1c:5801:: with SMTP id m1-v6mr868209wmb.118.1539177002125; Wed, 10 Oct 2018 06:10:02 -0700 (PDT) Received: from brauner.io ([2a02:8070:8895:9700:8197:8849:535a:4f00]) by smtp.gmail.com with ESMTPSA id a5-v6sm16249498wmh.8.2018.10.10.06.10.00 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Wed, 10 Oct 2018 06:10:01 -0700 (PDT) Date: Wed, 10 Oct 2018 15:09:54 +0200 From: Christian Brauner To: Jann Horn Cc: Tycho Andersen , Kees Cook , Linux API , containers@lists.linux-foundation.org, suda.akihiro@lab.ntt.co.jp, Oleg Nesterov , kernel list , "Eric W. Biederman" , linux-fsdevel@vger.kernel.org, Christian Brauner , Andy Lutomirski , linux-security-module , selinux@tycho.nsa.gov, Paul Moore , Stephen Smalley , Eric Paris Subject: Re: [PATCH v7 3/6] seccomp: add a way to get a listener fd from ptrace Message-ID: <20181010130953.buvyzvyrsarzjt7v@brauner.io> References: <20181009132850.fp6yne2vgmfpi27k@brauner.io> <20181009134923.2fvf5roghqgaj5gq@brauner.io> <20181009140932.e5w5lgbgucbl72kt@brauner.io> <20181009162022.d7fd2wibyq6xi6sg@brauner.io> <20181010125422.rouslofknxzvygzr@brauner.io> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20181010125422.rouslofknxzvygzr@brauner.io> User-Agent: NeoMutt/20180716 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Oct 10, 2018 at 02:54:22PM +0200, Christian Brauner wrote: > On Tue, Oct 09, 2018 at 06:26:47PM +0200, Jann Horn wrote: > > On Tue, Oct 9, 2018 at 6:20 PM Christian Brauner wrote: > > > On Tue, Oct 09, 2018 at 05:26:26PM +0200, Jann Horn wrote: > > > > On Tue, Oct 9, 2018 at 4:09 PM Christian Brauner wrote: > > > > > On Tue, Oct 09, 2018 at 03:50:53PM +0200, Jann Horn wrote: > > > > > > On Tue, Oct 9, 2018 at 3:49 PM Christian Brauner wrote: > > > > > > > On Tue, Oct 09, 2018 at 03:36:04PM +0200, Jann Horn wrote: > > > > > > > > On Tue, Oct 9, 2018 at 3:29 PM Christian Brauner wrote: > > > > > > > > > One more thing. Citing from [1] > > > > > > > > > > > > > > > > > > > I think there's a security problem here. Imagine the following scenario: > > > > > > > > > > > > > > > > > > > > 1. task A (uid==0) sets up a seccomp filter that uses SECCOMP_RET_USER_NOTIF > > > > > > > > > > 2. task A forks off a child B > > > > > > > > > > 3. task B uses setuid(1) to drop its privileges > > > > > > > > > > 4. task B becomes dumpable again, either via prctl(PR_SET_DUMPABLE, 1) > > > > > > > > > > or via execve() > > > > > > > > > > 5. task C (the attacker, uid==1) attaches to task B via ptrace > > > > > > > > > > 6. task C uses PTRACE_SECCOMP_NEW_LISTENER on task B > > > > > > > > > > > > > > > > > > Sorry, to be late to the party but would this really pass > > > > > > > > > __ptrace_may_access() in ptrace_attach()? It doesn't seem obvious to me > > > > > > > > > that it would... Doesn't look like it would get past: > > > > > > > > > > > > > > > > > > tcred = __task_cred(task); > > > > > > > > > if (uid_eq(caller_uid, tcred->euid) && > > > > > > > > > uid_eq(caller_uid, tcred->suid) && > > > > > > > > > uid_eq(caller_uid, tcred->uid) && > > > > > > > > > gid_eq(caller_gid, tcred->egid) && > > > > > > > > > gid_eq(caller_gid, tcred->sgid) && > > > > > > > > > gid_eq(caller_gid, tcred->gid)) > > > > > > > > > goto ok; > > > > > > > > > if (ptrace_has_cap(tcred->user_ns, mode)) > > > > > > > > > goto ok; > > > > > > > > > rcu_read_unlock(); > > > > > > > > > return -EPERM; > > > > > > > > > ok: > > > > > > > > > rcu_read_unlock(); > > > > > > > > > mm = task->mm; > > > > > > > > > if (mm && > > > > > > > > > ((get_dumpable(mm) != SUID_DUMP_USER) && > > > > > > > > > !ptrace_has_cap(mm->user_ns, mode))) > > > > > > > > > return -EPERM; > > > > > > > > > > > > > > > > Which specific check would prevent task C from attaching to task B? If > > > > > > > > the UIDs match, the first "goto ok" executes; and you're dumpable, so > > > > > > > > you don't trigger the second "return -EPERM". > > > > > > > > > > > > > > You'd also need CAP_SYS_PTRACE in the mm->user_ns which you shouldn't > > > > > > > have if you did a setuid to an unpriv user. (But I always find that code > > > > > > > confusing.) > > > > > > > > > > > > Only if the target hasn't gone through execve() since setuid(). > > > > > > > > > > Sorry if I want to know this in excessive detail but I'd like to > > > > > understand this properly so bear with me :) > > > > > - If task B has setuid()ed and prctl(PR_SET_DUMPABLE, 1)ed but not > > > > > execve()ed then C won't pass ptrace_has_cap(mm->user_ns, mode). > > > > > > > > Yeah. > > > > > > > > > - If task B has setuid()ed, exeved()ed it will get its dumpable flag set > > > > > to /proc/sys/fs/suid_dumpable > > > > > > > > Not if you changed all UIDs (e.g. by calling setuid() as root). In > > > > that case, setup_new_exec() calls "set_dumpable(current->mm, > > > > SUID_DUMP_USER)". > > > > > > Actually, looking at this when C is trying to PTRACE_ATTACH to B as an > > > unprivileged user even if B execve()ed and it is dumpable C still > > > wouldn't have CAP_SYS_PTRACE in the mm->user_ns unless it already is > > > privileged over mm->user_ns which means it must be in an ancestor > > > user_ns. > > > > Huh? Why would you need CAP_SYS_PTRACE for anything here? You can > > ptrace another process running under your UID just fine, no matter > > what the namespaces are. I'm not sure what you're saying. > > Sorry, I was out the door yesterday when answering this and was too > brief. I forgot to mention: /proc/sys/kernel/yama/ptrace_scope. It > should be enabled by default on nearly all distros and even if not - > which is an administrators choice - you can usually easily enable it via > sysctl. > > 1 ("restricted ptrace") [default value] > When performing an operation that requires a PTRACE_MODE_ATTACH check, > the calling process must either have the CAP_SYS_PTRACE capability in > the user namespace of the target process or it must have a predeā€ fined > relationship with the target process. By default, the predefined > relationship is that the target process must be a descendant of the > caller. > > If you don't have it set you're already susceptible to all kinds of > other attacks and I'm still not convinced we need to bring out the big > capable(CAP_SYS_ADMIN) gun here. That being said, given that Tycho agreed to leave in the native seccomp() way of retrieving an fd from the task without the sys_admin restriction [1] which we prefer and if we merge it with aforementioned feature I care way less about whether or not the restriction is upheld for ptrace() or not. [1]: https://lists.linuxfoundation.org/pipermail/containers/2018-October/039553.html