Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp1174525imm; Fri, 12 Oct 2018 13:07:14 -0700 (PDT) X-Google-Smtp-Source: ACcGV63oeeuaKOyYhaFnrL3qnb3A5V6TpKWUYnmpPbe7rYDgSaF/hFrWht2f42kdQuNjnQA9+e40 X-Received: by 2002:a17:902:5c4:: with SMTP id f62-v6mr7298102plf.18.1539374834953; Fri, 12 Oct 2018 13:07:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539374834; cv=none; d=google.com; s=arc-20160816; b=Pic09a8+wlcfEdPD4HwLoMZypqS7k9i5G+gh3a6Hx2Ph+cSwo6S1nNZNANjI2QWGmR 2Iz1f/2/gW4Pl5OKQD4yVdkfgUbZkaT5YqxakstGh27dfh9W1Vx0k0elN6Txfn3Y8Ris YhVDkx3C76IvOwSn5ekyBIgHDjxNmCuKYmmPnUhU3hlTTEylXAapyKsR5zNyHLiccEsb Lu1Zeel6Orkq0hM6YXKTeOqBL6HXpE/LwRZvKwy0ZbJQL7xwXUUcFszPmNfAsUiIrDbQ 5m+nq5nmO4hOfq5IMRM8y8b8ILCyJU+mpG+fWHJVIg0bCwgPVOfPs4SrLRH/DSmpMaQg 1zsg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=uuFoRplXvuDg46hTY7eUtJi9J7lxsD7NBeqO8bQS2sU=; b=OwrK9mVsOyJyQUXXwDvKbcwfEg8rzImEBffJRVPv+ORP5U8WDpLC6cC53wdM+6QJK8 aa2nOIg0boFucb2+cYM+cpIpIyFVfDHns1VEy3fkgUNg4WkHL/xw66Y/MbXIUSHXsytJ /gDqM/fdRYqT9r4yAF5/5v4V8Q9aHXE/pWBRt9Z/VcMj51cuub1WjTzl3DB632XGAtFA rYqmSsgTRnCdXKZTu27YIQ0vNWecWt9TPJSIjzpKI//eGAa6TzMlHn9Jt5uFLjA68Juh uA1kp/0T5iGT8a0VCBh8g3FJooEHRnAWrbXwF04yvvsGcTjXOt938fZo5bMODdhwJ+vn Tg1Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=Wv3KQJCw; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z9-v6si2158124pgh.213.2018.10.12.13.06.59; Fri, 12 Oct 2018 13:07:14 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=Wv3KQJCw; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726887AbeJMDkh (ORCPT + 99 others); Fri, 12 Oct 2018 23:40:37 -0400 Received: from mail-ot1-f65.google.com ([209.85.210.65]:45328 "EHLO mail-ot1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726714AbeJMDkg (ORCPT ); Fri, 12 Oct 2018 23:40:36 -0400 Received: by mail-ot1-f65.google.com with SMTP id u22so13467122ota.12 for ; Fri, 12 Oct 2018 13:06:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=uuFoRplXvuDg46hTY7eUtJi9J7lxsD7NBeqO8bQS2sU=; b=Wv3KQJCwZZffnr9xmpNIUnptsIKSFgA9EiAwatfbv+YM20VkNox/0y55fUkx/7ghw+ pnrbPE0fitpeqXABKqxZ+DtjjL1Qu65KSmBgc6CHpwdWI14YfGcE3F2yVTuv/ffTEm8n 9uNpIqAY5Cfz8GNrip5DtYxjdXBAvNeKaUEaATCpizlb+zBSQ/p2lqI0G8N9xrcEdkRR wcZAQdPiZzGnBZK70fstC3MWOVJUy1OJ2wX6V5udh8g8RziR4jbHd448LKVYGMrfF/Xg PKqv8XwX3EY6kTW+wGvHdUqy3ETgGyZKA9nqRVw5SxMRe7kN+Eb979vgqqbfvjy6zjXT b4iQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=uuFoRplXvuDg46hTY7eUtJi9J7lxsD7NBeqO8bQS2sU=; b=BKuSPvD6KRGJ9fRcrvVkq8Ity1hYfDSPGNQeVOBn3/ZqcNVAbvpEY8sf3V5fzl6F5I VgDS045jZopOAqFYNRusAEcqSK4PV+iugHxShz0kTrdrzbVi5UqDxfPZL188md/uM4gT amHlLCHGU8M+nU9V1Kto+rv3/6fQ3HnAMOlsEkJIjIU2yn6KjK7EymRYyn3lqGipPVBk KG9o7oh04E90hkdf2dyAk8DYa/5khw+FxN5PmDkPc4KOAgAPgqh/oQhl1fwaXd7DvEv5 jDpzgNJWLgmQY9YGm9A+WRmIZj9Cl5Ht3r9y7z2/upsHH6+jqWMJLalghDsM0bDEYIGb cLoA== X-Gm-Message-State: ABuFfogMcyIq/kO6U9LH5VyJB2TgaJK3kUZan8fmmsLeOA2a0B4X/qB9 WkNtmWwtRu0A1aE5/t/7OtG8TRH8lfwBP/vmRxMyEg== X-Received: by 2002:a9d:4c15:: with SMTP id l21mr4905031otf.242.1539374787986; Fri, 12 Oct 2018 13:06:27 -0700 (PDT) MIME-Version: 1.0 References: <20181008181815.pwnqxngj22mhm2vj@brauner.io> <20181009132850.fp6yne2vgmfpi27k@brauner.io> <16662034750.2781.85c95baa4474aabc7814e68940a78392@paul-moore.com> <1666564e4f8.2781.85c95baa4474aabc7814e68940a78392@paul-moore.com> <20181012200220.GC5530@cisco> In-Reply-To: <20181012200220.GC5530@cisco> From: Jann Horn Date: Fri, 12 Oct 2018 22:06:00 +0200 Message-ID: Subject: Re: [PATCH v7 3/6] seccomp: add a way to get a listener fd from ptrace To: Tycho Andersen Cc: Andy Lutomirski , Paul Moore , christian@brauner.io, Kees Cook , Linux API , containers@lists.linux-foundation.org, suda.akihiro@lab.ntt.co.jp, Oleg Nesterov , kernel list , "Eric W. Biederman" , linux-fsdevel@vger.kernel.org, Christian Brauner , linux-security-module , selinux@tycho.nsa.gov, Stephen Smalley , Eric Paris Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Oct 12, 2018 at 10:02 PM Tycho Andersen wrote: > On Thu, Oct 11, 2018 at 06:02:06PM -0700, Andy Lutomirski wrote: > > On Thu, Oct 11, 2018 at 4:10 PM Paul Moore wrote: > > > > > > On October 11, 2018 9:40:06 AM Jann Horn wrote: > > > > On Thu, Oct 11, 2018 at 9:24 AM Paul Moore wrote: > > > >> On October 10, 2018 11:34:11 AM Jann Horn wrote: > > > >>> On Wed, Oct 10, 2018 at 5:32 PM Paul Moore wrote: > > > >>>> On Tue, Oct 9, 2018 at 9:36 AM Jann Horn wrote: > > > >>>>> +cc selinux people explicitly, since they probably have opinions on this > > > >>>> > > > >>>> I just spent about twenty minutes working my way through this thread, > > > >>>> and digging through the containers archive trying to get a good > > > >>>> understanding of what you guys are trying to do, and I'm not quite > > > >>>> sure I understand it all. However, from what I have seen, this > > > >>>> approach looks very ptrace-y to me (I imagine to others as well based > > > >>>> on the comments) and because of this I think ensuring the usual ptrace > > > >>>> access controls are evaluated, including the ptrace LSM hooks, is the > > > >>>> right thing to do. > > > >>> > > > >>> Basically the problem is that this new ptrace() API does something > > > >>> that doesn't just influence the target task, but also every other task > > > >>> that has the same seccomp filter. So the classic ptrace check doesn't > > > >>> work here. > > > >> > > > >> Due to some rather unfortunate events today I'm suddenly without easy access to the kernel code, but would it be possible to run the LSM ptrace access control checks against all of the affected tasks? If it is possible, how painful would it be? > > > > > > > > There are currently no backlinks from seccomp filters to the tasks > > > > that use them; the only thing you have is a refcount. If the refcount > > > > is 1, and the target task uses the filter directly (it is the last > > > > installed one), you'd be able to infer that the ptrace target is the > > > > only task with a reference to the filter, and you could just do the > > > > direct check; but if the refcount is >1, you might end up having to > > > > take some spinlock and then iterate over all tasks' filters with that > > > > spinlock held, or something like that. > > > > > > That's what I was afraid of. > > > > > > Unfortunately, I stand by my previous statements that we still probably want a LSM access check similar to what we currently do for ptrace. > > > > > > > I would argue that once "LSM" enters this conversation, it just means > > we're on the wrong track. Let's try to make this work without ptrace > > if possible :) The whole seccomp() mechanism is very carefully > > designed so that it's perfectly safe to install seccomp filters > > without involving LSM or even involving credentials at all. > > In a last ditch effort to save the ptrace() interface: can we just > only allow it when refcount_read(filter->usage) == 1? From a security perspective, I think that would be fine, assuming that we know that the target task is stopped. (But note that if the target process e.g. uses the filter on multiple threads, the refcount will be higher.)