Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp1179885imm; Fri, 12 Oct 2018 13:12:50 -0700 (PDT) X-Google-Smtp-Source: ACcGV610UrhNyvtqguObF+Eo0ZfKGiIvgVWpcf2xj1jnU0hP8o0Tdkr0x4lGN0AUQ9cztWq3L6/L X-Received: by 2002:a63:a047:: with SMTP id u7-v6mr6831747pgn.145.1539375170134; Fri, 12 Oct 2018 13:12:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539375170; cv=none; d=google.com; s=arc-20160816; b=Me7skviYsRzKGtYdqn0fQcArDIvJCiYsXr4d17IRcO14Ug7r5Gc7rUNilW612t9mtT 44pxZcJtI8xAvRh0/TjnaVAaQpfnZtqQDKKy6xk0A0yhd+p+eYy8tHBefCwZZZIlujQd iKwiN49BfbBr/vMe9qKa9hI6gpNVHFjq3hgROG7zv85QbMFDlJNl54bYFXYbRppeEBRx 9TpcJR5ooDkFm0En1sodMDEyW5EGU9upRDX3hPuwhLdZaV/RRWAHMsue9c7hW0rLIQVM +fyrrrgrGvmRJ6So6W5wK8AoFxyRZoPSas29KMJNNIQJU+OZAeNp59taK0LhZRKm/C5+ 14rw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=/22EgvWHixaIJnreyqMAb8eGvNuURDo/SHpTjnP7eZ0=; b=aK48BBs5BhstgpOMSVawkUDSkGRKKkrgRYFkA25pEwzkYGPeaxBC3t6yqchptHo2Sa F/7BOrykqUTyBoUUwO9LS6iND19iE7Yf+0G4eTadrI9ScCCy2VNd0PpneqFpBrbxT68J tzHxPFVEZEUOoRY9tDjzP4Z0wCcarmqK6GA2cdphiVtjyGw+iCVRndGN2sExi0TsgvxC +1Qz5xIyABUBQXO6OzlZRlbHB231jyIEED16/vB8zPnKMISpq3gTDNYwDgsLgPvdoyxI z7kQ8OGDARHzz8vaYFRsQSac7oRgiV7dWZyY5HatLdkGC95d9rBFpJ1uXNqIIM2RWacJ hO/A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@brauner.io header.s=google header.b=cNGOb0SP; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id y23-v6si2083468plp.371.2018.10.12.13.12.33; Fri, 12 Oct 2018 13:12:50 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@brauner.io header.s=google header.b=cNGOb0SP; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726779AbeJMDqN (ORCPT + 99 others); Fri, 12 Oct 2018 23:46:13 -0400 Received: from mail-wr1-f68.google.com ([209.85.221.68]:41370 "EHLO mail-wr1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726775AbeJMDqN (ORCPT ); Fri, 12 Oct 2018 23:46:13 -0400 Received: by mail-wr1-f68.google.com with SMTP id x12-v6so14643737wru.8 for ; Fri, 12 Oct 2018 13:12:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=brauner.io; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=/22EgvWHixaIJnreyqMAb8eGvNuURDo/SHpTjnP7eZ0=; b=cNGOb0SPpv3m5cxT3bG5bMNGbDib2mC+syROY1kHr91vrs7Zg1yLa8OqsykcAyHBPd FdRVBWtjVR69Wm6RTHkazZogKgk4HFUrnVf0/qcQ7mJjxMQWBhLHP42fGhopvo80ydPj TQSQjg2atF3FIfB9Z5D8W7VUZ0C5yX8NMUD9LayQgeJev/whptsYVp+YjtXk3PShD2lF Gn6xuWieADOLNLP3CKntRnj5W3LYGY5CBweINgAlRYTOiLbd2mOIr2Bz2iiO0itjjhs4 MY6ZSr6kWNLeB9X5K0np0gNiWCrLudyTR7fuZY/MXCj/MIct6kqTxTbasT/WOdEkihP/ P4Jg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=/22EgvWHixaIJnreyqMAb8eGvNuURDo/SHpTjnP7eZ0=; b=KurkKyD8FZrum6BFgVxt8vB3Qm1kr03JRQKv+DSmwGTPJWmcERrs8oOiUr8LzBapCd ZSOvhtC3X8X6KXG3XRXQR1qZJZoKQl8HosDBBxbEHTR8qS9MsFD/geEoFgrfiOZGe8XL QeH5xnmBg9hRIUR0CZU1bS0VnAUZjra82vGqk3F4w7X2Yz441Se3dGCeZjqLp4Xi1Two MxNg0Hw+qREem5H652FIetgyEKVYQhGGVvc3HZPbCzreMEblx47Kth+cYH1g6PjPvdX2 +98WHfAH9iFzPwzeID8MO5UdcZrHiS2saQpKS/z0+wEqAY9JV3sYQHG2sKsDtEfvx7VR d6Bg== X-Gm-Message-State: ABuFfojqR6SNqQ7AZyiWubHSvPSSjTvjrTkCqwrGgKIeyTgF/oRieV3s uQ/qE+aFwPa3ShHMQiVOzwbW2g== X-Received: by 2002:adf:a144:: with SMTP id r4-v6mr6385385wrr.169.1539375122303; Fri, 12 Oct 2018 13:12:02 -0700 (PDT) Received: from brauner.io ([2a02:8070:8895:9700:8197:8849:535a:4f00]) by smtp.gmail.com with ESMTPSA id u76-v6sm4056140wmd.10.2018.10.12.13.12.00 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Fri, 12 Oct 2018 13:12:01 -0700 (PDT) Date: Fri, 12 Oct 2018 22:11:54 +0200 From: Christian Brauner To: Tycho Andersen Cc: Andy Lutomirski , Paul Moore , Jann Horn , Kees Cook , Linux API , Linux Containers , Akihiro Suda , Oleg Nesterov , LKML , "Eric W. Biederman" , Linux FS Devel , Christian Brauner , LSM List , SELinux-NSA , Stephen Smalley , Eric Paris Subject: Re: [PATCH v7 3/6] seccomp: add a way to get a listener fd from ptrace Message-ID: <20181012201153.psyjrjzpiyjksqba@brauner.io> References: <20181009132850.fp6yne2vgmfpi27k@brauner.io> <16662034750.2781.85c95baa4474aabc7814e68940a78392@paul-moore.com> <1666564e4f8.2781.85c95baa4474aabc7814e68940a78392@paul-moore.com> <20181012200220.GC5530@cisco> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20181012200220.GC5530@cisco> User-Agent: NeoMutt/20180716 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Oct 12, 2018 at 01:02:20PM -0700, Tycho Andersen wrote: > On Thu, Oct 11, 2018 at 06:02:06PM -0700, Andy Lutomirski wrote: > > On Thu, Oct 11, 2018 at 4:10 PM Paul Moore wrote: > > > > > > On October 11, 2018 9:40:06 AM Jann Horn wrote: > > > > On Thu, Oct 11, 2018 at 9:24 AM Paul Moore wrote: > > > >> On October 10, 2018 11:34:11 AM Jann Horn wrote: > > > >>> On Wed, Oct 10, 2018 at 5:32 PM Paul Moore wrote: > > > >>>> On Tue, Oct 9, 2018 at 9:36 AM Jann Horn wrote: > > > >>>>> +cc selinux people explicitly, since they probably have opinions on this > > > >>>> > > > >>>> I just spent about twenty minutes working my way through this thread, > > > >>>> and digging through the containers archive trying to get a good > > > >>>> understanding of what you guys are trying to do, and I'm not quite > > > >>>> sure I understand it all. However, from what I have seen, this > > > >>>> approach looks very ptrace-y to me (I imagine to others as well based > > > >>>> on the comments) and because of this I think ensuring the usual ptrace > > > >>>> access controls are evaluated, including the ptrace LSM hooks, is the > > > >>>> right thing to do. > > > >>> > > > >>> Basically the problem is that this new ptrace() API does something > > > >>> that doesn't just influence the target task, but also every other task > > > >>> that has the same seccomp filter. So the classic ptrace check doesn't > > > >>> work here. > > > >> > > > >> Due to some rather unfortunate events today I'm suddenly without easy access to the kernel code, but would it be possible to run the LSM ptrace access control checks against all of the affected tasks? If it is possible, how painful would it be? > > > > > > > > There are currently no backlinks from seccomp filters to the tasks > > > > that use them; the only thing you have is a refcount. If the refcount > > > > is 1, and the target task uses the filter directly (it is the last > > > > installed one), you'd be able to infer that the ptrace target is the > > > > only task with a reference to the filter, and you could just do the > > > > direct check; but if the refcount is >1, you might end up having to > > > > take some spinlock and then iterate over all tasks' filters with that > > > > spinlock held, or something like that. > > > > > > That's what I was afraid of. > > > > > > Unfortunately, I stand by my previous statements that we still probably want a LSM access check similar to what we currently do for ptrace. > > > > > > > I would argue that once "LSM" enters this conversation, it just means > > we're on the wrong track. Let's try to make this work without ptrace > > if possible :) The whole seccomp() mechanism is very carefully > > designed so that it's perfectly safe to install seccomp filters > > without involving LSM or even involving credentials at all. > > In a last ditch effort to save the ptrace() interface: can we just > only allow it when refcount_read(filter->usage) == 1? I mean, the filter->usage == 1 means lets us get rid of capable(CAP_SYS_ADMIN) making the ptrace() way of getting an fd useable in nesting scenarios and from within user namespaces. That makes it a whole lot more useful and aligns it with the seccomp() way of getting the fd. So I wouldn't argue against it. I guess it comes down to (for me) whether you consider this a necessary part of this patchset aka meaning without it it wouldn't be useable. Christian