From: Christian Brauner
To: christian.brauner@ubuntu.com
Cc: eparis@redhat.com, jannh@google.com, linux-kernel@vger.kernel.org, oleg@redhat.com, shallyn@cisco.com, stable@vger.kernel.org
Subject: [PATCH v2] ptrace: reintroduce usage of subjective credentials in ptrace_has_cap()
Date: Wed, 15 Jan 2020 18:23:55 +0100
Message-Id: <20200115172355.19209-1-christian.brauner@ubuntu.com>
X-Mailer: git-send-email 2.25.0
In-Reply-To: <20200115171736.16994-1-christian.brauner@ubuntu.com>
References: <20200115171736.16994-1-christian.brauner@ubuntu.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

Commit 69f594a38967 ("ptrace: do not audit capability check when outputing /proc/pid/stat") introduced the ability to opt out of audit messages for accesses to various proc files since they are not violations of policy. While doing so it somehow switched the check from ns_capable() to has_ns_capability{_noaudit}(). That means it switched from checking the subjective credentials of the task to using the objective credentials. I couldn't find the original lkml thread and so I don't know why this switch was done. But it seems wrong since ptrace_has_cap() is currently only used in ptrace_may_access(). And it's used to check whether the calling task (subject) has the CAP_SYS_PTRACE capability in the provided user namespace to operate on the target task (object). According to the cred.h comments this would mean the subjective credentials of the calling task need to be used.

This switches it to use security_capable() because we only call ptrace_has_cap() in ptrace_may_access() and in there we already have a stable reference to the calling task's creds under cred_guard_mutex so there's no need to go through another series of dereferences and rcu locking done in ns_capable{_noaudit}().
Cc: Serge Hallyn Cc: Jann Horn Cc: Oleg Nesterov Cc: Eric Paris Cc: stable@vger.kernel.org Fixes: 69f594a38967 ("ptrace: do not audit capability check when outputing /proc/pid/stat") Signed-off-by: Christian Brauner --- kernel/ptrace.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/kernel/ptrace.c b/kernel/ptrace.c index cb9ddcc08119..d146133e97f1 100644 --- a/kernel/ptrace.c +++ b/kernel/ptrace.c @@ -264,12 +264,13 @@ static int ptrace_check_attach(struct task_struct *child, bool ignore_state) return ret; } -static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode) +static int ptrace_has_cap(const struct cred *cred, struct user_namespace *ns, + unsigned int mode) { if (mode & PTRACE_MODE_NOAUDIT) - return has_ns_capability_noaudit(current, ns, CAP_SYS_PTRACE); + return security_capable(cred, ns, CAP_SYS_PTRACE, CAP_OPT_NOAUDIT); else - return has_ns_capability(current, ns, CAP_SYS_PTRACE); + return security_capable(cred, ns, CAP_SYS_PTRACE, CAP_OPT_NONE); } /* Returns 0 on success, -errno on denial. */ @@ -321,7 +322,7 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode) gid_eq(caller_gid, tcred->sgid) && gid_eq(caller_gid, tcred->gid)) goto ok; - if (ptrace_has_cap(tcred->user_ns, mode)) + if (ptrace_has_cap(cred, tcred->user_ns, mode)) goto ok; rcu_read_unlock(); return -EPERM; @@ -340,7 +341,7 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode) mm = task->mm; if (mm && ((get_dumpable(mm) != SUID_DUMP_USER) && - !ptrace_has_cap(mm->user_ns, mode))) + !ptrace_has_cap(cred, mm->user_ns, mode))) return -EPERM; return security_ptrace_access_check(task, mode); base-commit: b3a987b0264d3ddbb24293ebff10eddfc472f653 -- 2.25.0
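Review bot: in the first hunk (@@ -264,12 +264,13 @@) the return value of ptrace_has_cap() is inverted: security_capable() returns 0 when the capability is held and -EPERM when it is not, whereas has_ns_capability{_noaudit}() returned true when held, so `return security_capable(cred, ns, CAP_SYS_PTRACE, CAP_OPT_NOAUDIT);` and `return security_capable(cred, ns, CAP_SYS_PTRACE, CAP_OPT_NONE);` now hand back a non-zero (truthy) value exactly when the caller lacks CAP_SYS_PTRACE. Suggest changing the function to `static bool ptrace_has_cap(...)` and returning the comparison in both branches, e.g. `return security_capable(cred, ns, CAP_SYS_PTRACE, CAP_OPT_NOAUDIT) == 0;`, and adding a comment that `cred` must be the caller's subjective credentials held stable by cred_guard_mutex, since the function no longer reads them from `current` itself.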
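Review bot: in the second hunk (@@ -321,7 +322,7 @@) the `cred` passed in `if (ptrace_has_cap(cred, tcred->user_ns, mode))` is not declared anywhere in the shown context, while `tcred` is; please confirm it is the caller's credentials obtained at the top of __ptrace_may_access() (the stable reference under cred_guard_mutex the commit message relies on) rather than the target's, since passing `tcred` here would reintroduce the objective-credential check the patch sets out to remove. Note also that with ptrace_has_cap() returning security_capable()'s -errno unchanged, this `goto ok;` is taken precisely when the caller does not hold CAP_SYS_PTRACE over the target's user namespace, so the return-value fix in the first hunk is required for this line to be safe.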
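Review bot: the third hunk (@@ -340,7 +341,7 @@) has the same dependency on the return convention: with `!ptrace_has_cap(cred, mm->user_ns, mode)` seeing security_capable()'s 0-on-success value, a caller that does hold CAP_SYS_PTRACE over mm->user_ns is refused on a non-dumpable target and one that does not is passed on to security_ptrace_access_check(). Since this is the dumpable check that protects setuid and otherwise non-dumpable targets, it would be worth pairing the fix with a ptrace_may_access() test that attaches to a non-dumpable target from an unprivileged caller and from a CAP_SYS_PTRACE holder, so an inversion like this fails visibly rather than silently widening access.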