Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp532997ybi;
        Thu, 13 Jun 2019 22:11:32 -0700 (PDT)
X-Google-Smtp-Source: APXvYqz8qiVp2vK/l6hWEJTtZ2Cbj+gVqm/MSZoc4sLUWEuZaAVv2lzpznj/ZaVa3gSPHnA1j8c2
X-Received: by 2002:aa7:910e:: with SMTP id 14mr22671873pfh.153.1560489092122;
        Thu, 13 Jun 2019 22:11:32 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1560489092; cv=none;
        d=google.com; s=arc-20160816;
        b=elyDgaiPY4ni4BpnH9jbtKKxbRbv/HktT0bS3TGciynnvh/EVeFapeazzjhXKNlK7p
         iYnglqSu7RRxwtq6yJvzR3RAsMjuqyBlACIaXST6F+WrPtKMOGy37M1/rrwsDqeEUDII
         IrLAj2aVd020b+ml5fiq1FRh9se9QqmC1v16XXmieqWub5dYBUCgKpPSYTKBQcaa9cKd
         dkjAx978jwZ5Cm9Ln35OQs8+D2CXCoR9lSa995cOhIocuJPNZkyqhe0YH0cMV1fRG0b6
         HG7WF9XdnaAzrJEwlOI6Dt+vySRwUw198WpIPEMp+JSb8rRMDabsjzD7xbi/a2sRkqRW
         6uUQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :message-id:in-reply-to:subject:cc:to:from:date;
        bh=CTSerRYKTTiqwTbNZRsIdwoYyucfrtaou+X7WAy+dEQ=;
        b=QxkWeOTLQOPKT1+B96N5oyNFjXtC8Cw2tDMPXyzsAeePu+qRe94iuecNs0oOFr5i0R
         +4VTKhDgNCo7RLbBB5fZN00aOboEA1AjRaK/ZJnqaTVVfposC+Cptth47Sg8wJi+69KL
         cZUCGHDtxkJ54QyhfH4/jMnqwXL8qj6aK54doywb2qm0btJRtiifuklhnfdBCSKpA58Y
         WifdkADqmHgBtX8xBuULVzuKgwHl4mElRpYsooR1vg35kjy9/RPngmLuujkJFjyws42f
         fecCG+QEParxIWy0Px7HYh2x6vHOTyV3dmr92ePDmJgOdmzkiPJ1mpbV1Fx43VcLi5n/
         Djkw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id g7si1208282plo.42.2019.06.13.22.11.15;
        Thu, 13 Jun 2019 22:11:32 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1725835AbfFNFJv (ORCPT <rfc822;0330sisy@gmail.com> + 99 others);
        Fri, 14 Jun 2019 01:09:51 -0400
Received: from namei.org ([65.99.196.166]:39104 "EHLO namei.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1725767AbfFNFJu (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 14 Jun 2019 01:09:50 -0400
Received: from localhost (localhost [127.0.0.1])
        by namei.org (8.14.4/8.14.4) with ESMTP id x5E59h5n012192;
        Fri, 14 Jun 2019 05:09:43 GMT
Date:   Fri, 14 Jun 2019 15:09:43 +1000 (AEST)
From:   James Morris <jmorris@namei.org>
To:     Igor Lubashev <ilubashe@akamai.com>
cc:     Serge Hallyn <serge@hallyn.com>,
        linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [RFC PATCH 0/1] security: add SECURE_KEEP_FSUID to preserve
 fsuid/fsgid across execve
In-Reply-To: <1560473087-27754-1-git-send-email-ilubashe@akamai.com>
Message-ID: <alpine.LRH.2.21.1906141445010.7150@namei.org>
References: <1560473087-27754-1-git-send-email-ilubashe@akamai.com>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, 13 Jun 2019, Igor Lubashev wrote:

> I've posted this in March but received no response. Reposting.
> 
> This patch introduces SECURE_KEEP_FSUID to allow fsuid/fsgid to be
> preserved across execve. It is currently impossible to execve a
> program such that effective and filesystem uid differ.
> 
> The need for this functionality arose from a desire to allow certain
> non-privileged users to run perf. To do this, we install perf without
> set-uid-root and have a set-uid-root wrapper decide who is allowed to
> run perf (and with what arguments).
> 
> The wrapper must execve perf with real and effective root uid, because
> perf and KASLR require this. However, that presently resets fsuid to
> root, giving the user ability to read and overwrite any file owned by
> root (perf report -i, perf record -o). Also, perf record will create
> perf.data that cannot be deleted by the user.
> 
> We cannot reset /proc/sys/kernel/perf_event_paranoid to a permissive
> level, since we must be selective which users have the permissions.
> 
> Of course, we could fix our problem by a patch to perf to allow
> passing a username on the command line and having perf execute
> setfsuid before opening files. However, perf is not the only program
> that uses kernel features that require root uid/euid, so a general
> solution that does not involve updating all such programs seems
> warranted.

This seems like a very specific corner case, depending on fsuid!=0 for an 
euid=0 process, along with a whitelist policy for perf arguments. It would 
be a great way to escalate to root via a bug in an executed app or via a 
wrapper misconfiguration.

It also adds complexity to kernel credential handling -- it's yet another 
thing to consider when trying to reason about this.

Have you considered the example security configuration in 
Documentation/admin-guide/perf-security.rst ?

What are some other examples of programs that could utilize this scheme?



-- 
James Morris
<jmorris@namei.org>