Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp7945753ybl;
        Thu, 16 Jan 2020 08:10:03 -0800 (PST)
X-Google-Smtp-Source: APXvYqxbDjEJkdr22IqrK9o3rYkKtO+Nualk1WfxwjBZE0JqW2DyyyUQWYR1NmvRh1J7BvRwBA//
X-Received: by 2002:aca:ea46:: with SMTP id i67mr4519078oih.149.1579191003443;
        Thu, 16 Jan 2020 08:10:03 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1579191003; cv=none;
        d=google.com; s=arc-20160816;
        b=uyomCRmSZx2fVyIXrsRCWEuujZcY/O0AqXXHca7oXgqs/L9Go61WWpQVUivWO2YC13
         JZ0Sz7bnM+/zIBFdpcvLWj6j6sX1UM0wH1jSpwqZFnS2aqnSSFhiqeeXlcSOpZqRz6Lo
         5E60JnoilfjzXYdeVLLxrTB6USeBzwr62toZilnkpnG7fQoUcnBgum276K8UZBxzcX0g
         OkBJQ61Z1x0PtrQxijG6g9PKYlbG83EE12IWEclwBBpBs/XZ9lVpUvjDABMmtea5HXJq
         jGkSaa/dKm/CTEu+HVOS6gHwUJThMQXHrIaNeQptqXOvWME7uPxc6JloeQgmXAjQ6gUm
         yFWw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=gDuFqql+JEz7x/898HzhnsGGGeg+dfg/2JIhrphhmK8=;
        b=XT9BMWp8xqVfJ6qkglFfz3J6n04mIOdq39lLg27ysGuOkbPbUOlR+rBYnuf5rtpAgU
         l2Vko01JQJb3ew3PCnmKFV9AfiGQIoWOfcOQqVyDYHAnZevMRkz9XD2tC73k+428G8hI
         dq4vjxHV6JfEgW+EX391rXJLNaxrrU62g0jEuGTPTu1tHUIG0/KpLPwnJ4AZLahPUSsS
         lHxF5EopfD6A3Xpa3p2DhWkTBzWFgVy2RLpmxbtDJGGH51QcqiND84TaIyN+/Ry06De/
         VbcVyOH3FxQL1X3ra2tsvRPmBdScdeGw0G++Lh/pqJg2sLecjJFSy2wtwB3i4a8OnGcP
         3SwA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=QFapwm46;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id p22si12318718ota.43.2020.01.16.08.09.46;
        Thu, 16 Jan 2020 08:10:03 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=QFapwm46;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726890AbgAPQIJ (ORCPT <rfc822;luigi.mantellini.ml@gmail.com>
        + 99 others); Thu, 16 Jan 2020 11:08:09 -0500
Received: from mail-ot1-f67.google.com ([209.85.210.67]:41687 "EHLO
        mail-ot1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726857AbgAPQIJ (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 16 Jan 2020 11:08:09 -0500
Received: by mail-ot1-f67.google.com with SMTP id r27so19809541otc.8
        for <linux-kernel@vger.kernel.org>; Thu, 16 Jan 2020 08:08:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=gDuFqql+JEz7x/898HzhnsGGGeg+dfg/2JIhrphhmK8=;
        b=QFapwm462FQoVQl/kr91qj9NPenciw8IdAY/MBoZZvB5FkBJouBJWY72zIhfjlXMmv
         tIh55LDJ59bntriovGTpODK8Uf1lsLIpRkIMnrBizZKw8h6XSfD44lOAKvSj9RDIOLrz
         Hj11BnlA6gcU2fYaq3nDBARDU1eYJy57jykhmVS3zZUKDgGCSrUdQQ+20Ow/B0xnu2/b
         rr34682IkCzR2ZeEQG/oanziSN6bJ0W/Q4/kX4MmaWCIeALT3IUF6RNwrGd8+ZN0KcOF
         qYHDBjrASd/RjsswAznOjdVVl9MIlAiBtrl8qH+9rGo7QG+VhXeND7bZxgNO67eKmdBz
         Dobg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=gDuFqql+JEz7x/898HzhnsGGGeg+dfg/2JIhrphhmK8=;
        b=SGBHCsvFgYiEZfRDLYFGe8dSEKAi74lU/26n75L0vdjmRBWlDXBiLC4w/uDQhiVm1D
         cEluDH1uFoJlNpL9NffGBsdms1jnkaRvoZ7l34TPfGfDrbN/Fx90vqIje+3JkIITSJCW
         KgTNFuKD7xSnT6KygOgLxHqXfhtT4oRfYrueJCqHDDkKR2oLemKf9Tx6UtovZ2WKdUuG
         Qk9Oau748uBcd6wkNjxLhDz3kBXPa48NypmElqdMYa6HmnKk/og8+upTsBk40JwhQa9+
         NcoV7uZrUypvfjNKYVJIthe1NYn8xVWPmSzX7t90HkhBPc37QMHJfEpZdxuwIH0YFtCt
         wg0A==
X-Gm-Message-State: APjAAAXKgWU+qR2dkT1H5pYA+LiTRkSnzHDsBW9uq/BYUAToasmbkoFc
        Zhh9Cem1RgSSJp6z0DSIrPuv5w6L8MgHOpy3Y0v1eA==
X-Received: by 2002:a05:6830:44e:: with SMTP id d14mr2454184otc.228.1579190888095;
 Thu, 16 Jan 2020 08:08:08 -0800 (PST)
MIME-Version: 1.0
References: <20200115171736.16994-1-christian.brauner@ubuntu.com> <20200115172355.19209-1-christian.brauner@ubuntu.com>
In-Reply-To: <20200115172355.19209-1-christian.brauner@ubuntu.com>
From:   Jann Horn <jannh@google.com>
Date:   Thu, 16 Jan 2020 17:07:42 +0100
Message-ID: <CAG48ez2LhxbnfF1Y6u_QhrqXcPKVQZyG6N9-GgSw1D6fLgsfwA@mail.gmail.com>
Subject: Re: [PATCH v2] ptrace: reintroduce usage of subjective credentials in ptrace_has_cap()
To:     Christian Brauner <christian.brauner@ubuntu.com>
Cc:     eparis@redhat.com, kernel list <linux-kernel@vger.kernel.org>,
        Oleg Nesterov <oleg@redhat.com>, shallyn@cisco.com,
        stable <stable@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Jan 15, 2020 at 6:24 PM Christian Brauner
<christian.brauner@ubuntu.com> wrote:
> Commit 69f594a38967 ("ptrace: do not audit capability check when outputing /proc/pid/stat")
> introduced the ability to opt out of audit messages for accesses to
> various proc files since they are not violations of policy.
> While doing so it somehow switched the check from ns_capable() to
> has_ns_capability{_noaudit}(). That means it switched from checking the
> subjective credentials of the task to using the objective credentials. I
> couldn't find the original lkml thread and so I don't know why this switch
> was done. But it seems wrong since ptrace_has_cap() is currently only used
> in ptrace_may_access(). And it's used to check whether the calling task
> (subject) has the CAP_SYS_PTRACE capability in the provided user namespace
> to operate on the target task (object). According to the cred.h comments
> this would mean the subjective credentials of the calling task need to be
> used.
> This switches it to use security_capable() because we only call
> ptrace_has_cap() in ptrace_may_access() and in there we already have a
> stable reference to the calling tasks creds under cred_guard_mutex so
> there's no need to go through another series of dereferences and rcu
> locking done in ns_capable{_noaudit}().

Reviewed-by: Jann Horn <jannh@google.com>