Date: Fri, 10 May 2019 22:41:41 +0200
From: Jann Horn
To: Aleksa Sarai
Cc: Andy Lutomirski, Al Viro, Jeff Layton, "J. Bruce Fields", Arnd Bergmann, David Howells, Eric Biederman, Andrew Morton, Alexei Starovoitov, Kees Cook, Christian Brauner, Tycho Andersen, David Drysdale, Chanho Min, Oleg Nesterov, Aleksa Sarai, Linus Torvalds, containers@lists.linux-foundation.org, linux-fsdevel, Linux API, kernel list, linux-arch
Subject: Re: [PATCH v6 5/6] binfmt_*: scope path resolution of interpreters
Message-ID: <20190510204141.GB253532@google.com>
References: <20190506165439.9155-1-cyphar@cyphar.com> <20190506165439.9155-6-cyphar@cyphar.com> <20190506191735.nmzf7kwfh7b6e2tf@yavin>
In-Reply-To: <20190506191735.nmzf7kwfh7b6e2tf@yavin>

On Tue, May 07, 2019 at 05:17:35AM +1000, Aleksa Sarai wrote:
> On 2019-05-06, Jann Horn wrote:
> > In my opinion, CVE-2019-5736 points out two different problems:
> >
> > The big problem: The __ptrace_may_access() logic has a special-case
> > short-circuit for "introspection" that you can't opt out of; this
> > makes it possible to open things in procfs that are related to the
> > current process even if the credentials of the process wouldn't permit
> > accessing another process like it. I think the proper fix to deal with
> > this would be to add a prctl() flag for "set whether introspection is
> > allowed for this process", and if userspace has manually un-set that
> > flag, any introspection special-case logic would be skipped.
>
> We could do PR_SET_DUMPABLE=3 for this, I guess?

Hmm... I'd make it a new prctl() command, since introspection is
somewhat orthogonal to dumpability. Also, dumpability is per-mm, and I
think the introspection flag should be per-thread.

> > An additional problem: /proc/*/exe can be used to open a file for
> > writing; I think it may have been Andy Lutomirski who pointed out some
> > time ago that it would be nice if you couldn't use /proc/*/fd/* to
> > re-open files with more privileges, which is sort of the same thing.
>
> This is something I'm currently working on a series for, which would
> boil down to some restrictions on how re-opening of file descriptors
> works through procfs.

Ah, nice!

> However, execveat() of a procfs magiclink is a bit hard to block --
> there is no way for userspace to represent a file being "open for
> execute" so they are all "open for execute" by default and blocking it
> outright seems a bit extreme (though I actually hope to eventually add
> the ability to mark an O_PATH as "open for X" to resolveat(2) -- hence
> why I've reserved some bits).

(For what it's worth, I'm mostly concerned about read vs write, not
really about execute, since execute really is just another form of
reading in my opinion.)

> (Thinking more about it, there is an argument that I should include the
> above patch into this series so that we can block re-opening of fds
> opened through resolveat(2) without explicit flags from the outset.)
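Added example, not code from this thread or from the patch series under discussion: a small C probe of the introspection short-circuit in __ptrace_may_access() that Jann describes. A forked child makes itself non-dumpable and still opens its own /proc/self/exe (read-only), while the parent's open of /proc/<child>/exe goes through the normal ptrace credential check and fails with EACCES unless the parent holds CAP_SYS_PTRACE. The struct and function names are assumptions of mine, and the probe assumes a Linux host with procfs mounted.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical names for this probe; not part of the thread's patches. */
struct introspection_result {
    int self_open_ok;    /* 1 if the non-dumpable child opened /proc/self/exe */
    int peer_open_errno; /* 0 if the parent opened /proc/<child>/exe, else errno */
};

struct introspection_result probe_introspection(void)
{
    struct introspection_result r = { 0, 0 };
    int pipefd[2];
    if (pipe(pipefd) < 0) { r.peer_open_errno = errno; return r; }
    pid_t pid = fork();
    if (pid < 0) { r.peer_open_errno = errno; return r; }
    if (pid == 0) {
        /* Child: become non-dumpable, then open its own exe through procfs.
         * This hits the same-thread-group "introspection" short-circuit in
         * __ptrace_may_access(), so it succeeds despite dumpable == 0. */
        close(pipefd[0]);
        prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
        int fd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC);
        char ok = fd >= 0 ? 1 : 0;
        if (write(pipefd[1], &ok, 1) < 0) _exit(1);
        pause(); /* stay alive until the parent has finished probing */
        _exit(0);
    }
    /* Parent: read the child's report, then try the cross-process path,
     * which gets the full ptrace_may_access() credential check. */
    close(pipefd[1]);
    char ok = 0;
    if (read(pipefd[0], &ok, 1) == 1) r.self_open_ok = ok;
    close(pipefd[0]);
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/exe", (int)pid);
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    r.peer_open_errno = fd >= 0 ? 0 : errno;
    if (fd >= 0) close(fd);
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    return r;
}
```

Run as an unprivileged user the parent's open reports EACCES; with CAP_SYS_PTRACE it succeeds, which is exactly the asymmetry the proposed prctl() flag would let a process opt out of for itself.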