Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp2536329yba; Fri, 10 May 2019 13:26:16 -0700 (PDT) X-Google-Smtp-Source: APXvYqw2GyHOWdil1GSnTh8n/t4DEi7DjQHFHQivk9F4A5JMMxqEtGu7v3fk1PqLk/xY3I4n7nWA X-Received: by 2002:a17:902:2962:: with SMTP id g89mr15570607plb.190.1557519976121; Fri, 10 May 2019 13:26:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1557519976; cv=none; d=google.com; s=arc-20160816; b=MTlaW6EbDXuKdW2P9f7ZJ+NHaN5BCIHlDeU7C0jifEHELXlbXgf64iyHu+AjH5yA5m F0NJNwEp0Md0gFqrD34ebVwcUEMt3+x3WIsxLVEmG1oiN+I5pP1WITu3vxBMO6InViVu KJ4V/J84cTZjXzCIfQ8D42RMixlekr8yajEJWH9ckVGNXv+UtXZD6JHgauMPLG5AHubg JuntHoxwTV4kOLtG85Arc1THji+tyvITrN0O/Lds76PzNVdLCXSqWfCtHQlaJ8u+GZZf oi+h2reS5fn0d0OAUVd7QK50BFxfQTNM1VfIhLF/LRBrsvFAgr30vlwxEZzUee0XKEyM Pbyw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=lt6uPVHRTb6qycTyfS8wkIJ7UlOCcAUHHaR/0rJBxrQ=; b=04ajEgbS0zWQwOkpuF6x2WB5rvpyKTsODYSmXMQ6321P4hDVPPSKB5DzaCZB4oVL+v gadBHginNhpn88OXHH0OLXgugsHYP/VHRKTCP9X1A8q9X1haZEvvczf7cT7acBrp3o0h ArTFG+DpFd5Qa8yyWTOWtsfSRwsFcosxrtJpqL/CwDSdaOz8kN+JCkUtrSPwjwctk6aV H+/2YN6M5PY0FJx97rIO0J0hbnH8ugb3O6T8ds6NA41OxK7ltKkIZNwlct9T4EQZ20Dl CnctICK4rlDdmuN6IdQaBHqfVTuaN2eW6UtGBsd01XfzytmJkIMQe5yCUPi44Dx0w7xb 2sbg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=QV72T8OM; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id r10si9145559pfh.147.2019.05.10.13.26.00; Fri, 10 May 2019 13:26:16 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=QV72T8OM; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728018AbfEJUKn (ORCPT + 99 others); Fri, 10 May 2019 16:10:43 -0400 Received: from mail-ed1-f68.google.com ([209.85.208.68]:44873 "EHLO mail-ed1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727984AbfEJUKm (ORCPT ); Fri, 10 May 2019 16:10:42 -0400 Received: by mail-ed1-f68.google.com with SMTP id b8so6666474edm.11 for ; Fri, 10 May 2019 13:10:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=lt6uPVHRTb6qycTyfS8wkIJ7UlOCcAUHHaR/0rJBxrQ=; b=QV72T8OMOUUuvtH5oPeL7SVsQpebI/2757iB7nfbi1QgQeFEOr2Pzznb+d2dTeQJaB 75txDSZZkqVnX5uQQsVZIGR7r1ncJFMx40HiqBczLATKX+lLzoAyQ1V+YExXXPTkrUaN X1M2+twWwnDTuIqBKLxkHrxqOmrDznz1TXYRI9Lc0vSRp6S2FI2NSwJhVeLJM4hzPC8X QJhJL217BpKHtcGFYN/Evmo/EX1PKkh85bbGMdRJ93FXIygL7dHcx843s3QZlSHEfmn4 R+NqS8iRGL49r2mAQfDtJGZi2y12ooafACxZWAizNtF2SobCC1chFXd0fWimueXDK9Gs FtoQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=lt6uPVHRTb6qycTyfS8wkIJ7UlOCcAUHHaR/0rJBxrQ=; b=XIEcsMJHip4E5kTIfkjoySlwUNlXlWP5tax7G89G1bRRjfdJ5EZtEpQ612cG9NFCaQ 7Wp0nfFON31bFKt+1EmaOfbq0MT+y6BAOLwDzRJqiJUrluyUUO8DO+qngK6SeTMn5zwv mwKeJCJfQkN0SJbjZw1gZSboayLFnUH5RmP4HEksj7v3G/669lP6qTsi33MecrBdVmoD NVvpkWjPrM3jh7T/9HAMplAz357zHHdo/NqwVRjD3ZrBX9PGBrS7YnCMfYWJm7sutv91 SxZi/2d5WM2IXl3GDCLOemRKW0V8qf70noa14bBejdCZfHTFiw4Z5vwlw6HYm5FkZEtJ Xuyw== X-Gm-Message-State: APjAAAVnOVAiM1UGVpTQQ+AMh5nX2WalHp5uTvp1qDJwcyA48eTunK0U 3xxLo6+uQsHePOVWMekYD9nXQw== X-Received: by 2002:a50:982f:: with SMTP id g44mr13613170edb.278.1557519040152; Fri, 10 May 2019 13:10:40 -0700 (PDT) Received: from google.com ([2a00:79e0:1b:201:ee0a:cce3:df40:3ac5]) by smtp.gmail.com with ESMTPSA id k37sm1719073edb.11.2019.05.10.13.10.38 (version=TLS1_3 cipher=AEAD-AES256-GCM-SHA384 bits=256/256); Fri, 10 May 2019 13:10:38 -0700 (PDT) Date: Fri, 10 May 2019 22:10:32 +0200 From: Jann Horn To: "Eric W. Biederman" Cc: Aleksa Sarai , Andy Lutomirski , Al Viro , Jeff Layton , "J. Bruce Fields" , Arnd Bergmann , David Howells , Andrew Morton , Alexei Starovoitov , Kees Cook , Christian Brauner , Tycho Andersen , David Drysdale , Chanho Min , Oleg Nesterov , Aleksa Sarai , Linus Torvalds , containers@lists.linux-foundation.org, linux-fsdevel , Linux API , kernel list , linux-arch Subject: Re: [PATCH v6 5/6] binfmt_*: scope path resolution of interpreters Message-ID: <20190510201032.GA253532@google.com> References: <20190506165439.9155-1-cyphar@cyphar.com> <20190506165439.9155-6-cyphar@cyphar.com> <87o94d6aql.fsf@xmission.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <87o94d6aql.fsf@xmission.com> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, May 07, 2019 at 07:38:58PM -0500, Eric W. Biederman wrote: > Jann Horn writes: > > In my opinion, CVE-2019-5736 points out two different problems: > > > > The big problem: The __ptrace_may_access() logic has a special-case > > short-circuit for "introspection" that you can't opt out of; > > Once upon a time in a galaxy far far away I fixed a bug where we missing > ptrace_may_access checks on various proc files and systems using selinux > stopped working. At the time selinux did not allow ptrace like access > to yourself. The "introspection" special case was the quick and simple > work-around. > > There is nothing fundamental in having the "introspection" special case > except that various lsms have probably grown to depend upon it being > there. I expect without difficulty we could move the check down > into the various lsms. Which would get that check out of the core > kernel code. Oh, if that's an option, that would be great, I think. But this means, for example, that a non-root, non-dumpable process can't open /proc/self/maps anymore, or open /proc/self/fd/*, and things like that, without making itself dumpable. I would be surprised if there is no code out there that relies on that. From what I can tell, without the introspection special case, introspection would fail in the following cases (assuming that the process is not capable and isn't using sys_setfs[ug]id()): - ruid/euid/suid are not all the same - rgid/egid/sgid are not all the same - process is not dumpable I think that there probably should be some way for a non-dumpable process to look at its own procfs entries? If we could start from a clean slate, I'd propose an opt-in flag to openat() for that, but since we don't have a clean slate, I'd be afraid of breaking things with that. But maybe I'm just being overly careful here?