Date: Sat, 18 Jan 2020 02:17:02 +0100
From: Christian Brauner
To: Andrei Vagin
Cc: LKML, Serge Hallyn, Jann Horn, Oleg Nesterov, Eric Paris, stable@vger.kernel.org, Dmitry Safonov <0x7f454c46@gmail.com>, Adrian Reber
Subject: Re: [PATCH] ptrace: reintroduce usage of subjective credentials in ptrace_has_cap()
Message-ID: <20200118011701.ciqiuutgyyvtk5a4@wittgenstein>
References: <20200115171736.16994-1-christian.brauner@ubuntu.com>
List-ID: linux-kernel@vger.kernel.org

On Fri, Jan 17, 2020 at 05:08:14PM -0800, Andrei Vagin wrote:
> On Wed, Jan 15, 2020 at 9:18 AM Christian Brauner wrote:
> >
> > Commit 69f594a38967 ("ptrace: do not audit capability check when outputing /proc/pid/stat")
> > introduced the ability to opt out of audit messages for accesses to
> > various proc files since they are not violations of policy.
> > While doing so it somehow switched the check from ns_capable() to
> > has_ns_capability{_noaudit}(). That means it switched from checking the
> > subjective credentials of the task to using the objective credentials. I
> > couldn't find the original lkml thread and so I don't know why this switch
> > was done. But it seems wrong since ptrace_has_cap() is currently only used
> > in ptrace_may_access(). And it's used to check whether the calling task
> > (subject) has the CAP_SYS_PTRACE capability in the provided user namespace
> > to operate on the target task (object). According to the cred.h comments
> > this would mean the subjective credentials of the calling task need to be
> > used.
> > This switches it to use security_capable() because we only call
> > ptrace_has_cap() in ptrace_may_access() and in there we already have a
> > stable reference to the calling task's creds under cred_guard_mutex so
> > there's no need to go through another series of dereferences and rcu
> > locking done in ns_capable{_noaudit}().
>
> The criu process is started with all capabilities in the root user namespace.
>
> I don't have time to investigate this issue right now, will provide
> more details next Tuesday.

Yeah, we've detected the issue. security_capable() indicates success by
returning 0 for whatever reason whereas has_ns_capability() returns 1. So the
logic was inverted. This is fixed in the new version. Sorry for the noise!

Thanks!
Christian
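The return-convention mismatch Christian describes is easy to reproduce outside the kernel. The following is an added example, not code from the thread or from the Linux tree: a userspace model in which `model_security_capable()` follows the LSM convention (0 means permitted, negative errno otherwise) and `model_has_ns_capability()` follows the boolean convention (1 means the capability is held). The function and constant names are constructed stand-ins; the point is what happens when a caller that tests the result for truth is handed the 0-on-success value unchanged, and how the corrected wrapper normalises it.

```c
/* Added example: a userspace model of the two return conventions discussed
 * in the thread. None of these names are kernel symbols; they are constructed
 * stand-ins so the behaviour can be run and checked on its own. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* LSM-style check (models security_capable()): 0 on success, -EPERM otherwise. */
static int model_security_capable(bool subject_has_cap)
{
	return subject_has_cap ? 0 : -EPERM;
}

/* Boolean-style check (models has_ns_capability()): 1 if held, 0 if not. */
static int model_has_ns_capability(bool subject_has_cap)
{
	return subject_has_cap ? 1 : 0;
}

/* The wrapper as originally converted: it returns the LSM result unchanged,
 * so a caller that tests it for truth reads "permitted" (0) as "no capability"
 * and "-EPERM" (nonzero) as "has capability". */
int ptrace_has_cap_buggy(bool subject_has_cap)
{
	return model_security_capable(subject_has_cap);
}

/* The original boolean-returning wrapper, for comparison. */
int ptrace_has_cap_boolean(bool subject_has_cap)
{
	return model_has_ns_capability(subject_has_cap);
}

/* Corrected wrapper: translate 0-on-success into the boolean the callers expect. */
bool ptrace_has_cap_fixed(bool subject_has_cap)
{
	return model_security_capable(subject_has_cap) == 0;
}

/* Models the call site: "if (ptrace_has_cap(...)) allow;". The decision is
 * made on truthiness, which is exactly where the inversion bites. */
bool may_access_buggy(bool subject_has_cap)
{
	return ptrace_has_cap_buggy(subject_has_cap) != 0;
}

bool may_access_fixed(bool subject_has_cap)
{
	return ptrace_has_cap_fixed(subject_has_cap);
}

int main(void)
{
	/* A fully privileged caller (the criu case from the thread) and an
	 * unprivileged one, run through both wrappers. */
	bool callers[] = { true, false };
	for (int i = 0; i < 2; i++) {
		printf("caller has cap=%d  boolean=%d  buggy=%d (access %s)  fixed=%d (access %s)\n",
		       callers[i],
		       ptrace_has_cap_boolean(callers[i]),
		       ptrace_has_cap_buggy(callers[i]),
		       may_access_buggy(callers[i]) ? "allowed" : "denied",
		       ptrace_has_cap_fixed(callers[i]),
		       may_access_fixed(callers[i]) ? "allowed" : "denied");
	}
	return 0;
}
```

The buggy wrapper does not merely deny the privileged caller; because `-EPERM` is nonzero, it also reports the unprivileged caller as holding the capability, which is the more serious half of an inverted access check and the reason a return convention change in a permission helper deserves a test at the call site rather than at the helper alone.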