Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp488586ybl; Sat, 18 Jan 2020 04:48:25 -0800 (PST) X-Google-Smtp-Source: APXvYqyLrIyQMknNzey0Hy1nPTffGigeTwo0fWhHNbSPaearaO7TaHK4f8j2LPfzqcofHP26jxHc X-Received: by 2002:a05:6808:30d:: with SMTP id i13mr6689941oie.144.1579351705459; Sat, 18 Jan 2020 04:48:25 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1579351705; cv=none; d=google.com; s=arc-20160816; b=m3pNkrhcvsVJUHVgJsLpMhO1+xhqXbJo+ade0vAk9qEJZwts8azBD8JCHhCndiRn4c Iezbs4LmRPZxrgpN9sRjtIe2H/xnlA6Tz2uDixBi9JjxJ70QJKTK62BLBuLOXh2I3mr+ TCphQK7samD2/HaQhYMQjxIR1uIkA4a3zqSW41h7y+EqgK4JRggFk4kX9c6hfKq1DkkC 5Jn//6VkeDeKyfvC57O2qtzFj9B358y8vqVrFJweeHr8bJ4RIuYG6DgGTp1+xX4p2iqf rl7hbfrYqTyBTsQUIC+oZL6mLrfVZRRt2LAjA4D/fBPrZ5zglEnBglCyrDkfRAyKXyyF Z49w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=Eq7NiBKcMO7wDUWiC0szpZj2oZ6dLOp+rF7uPgjrT74=; b=xv7+z/bXneJMdDGyrhHY8Io2nzIz8YFUXEsVr3KxfezP8lyoSL3V4Wl//GP/LZYUBV vxqJ4UcW2WZqkQmgrPm2aCpOwuy2L++jWwjFObEbUxbgIyNJJer6DvvGnDSs57YeR+3O K+kG3N+/Ll/UOx9+Ped0z5nTOy3qQtvFKRt8e+gSXLzHY32Ic4ngbVuEZvdSald5nxEg ZvOs+XVDXHJOQTPv43HYWeKtU6+sGXvpNXrnewq/9JEVTLtkfaw4+8rjLhjOGN7XZJLs S5tVuGnLNm1/yyGpnAT+TTyfRJAzHwaHQ42jA7UEPefyMYCY+ql1MNXiS/yJDJVail6c 9fKQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id u130si15301381oif.94.2020.01.18.04.48.13; Sat, 18 Jan 2020 04:48:25 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729043AbgARMq6 (ORCPT + 99 others); Sat, 18 Jan 2020 07:46:58 -0500 Received: from youngberry.canonical.com ([91.189.89.112]:43618 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728760AbgARMq6 (ORCPT ); Sat, 18 Jan 2020 07:46:58 -0500 Received: from ip5f5bf7da.dynamic.kabel-deutschland.de ([95.91.247.218] helo=wittgenstein) by youngberry.canonical.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1isnV9-0000mc-9p; Sat, 18 Jan 2020 12:46:55 +0000 Date: Sat, 18 Jan 2020 13:46:54 +0100 From: Christian Brauner To: Andrei Vagin Cc: LKML , Serge Hallyn , Jann Horn , Oleg Nesterov , Eric Paris , stable@vger.kernel.org, Dmitry Safonov <0x7f454c46@gmail.com>, Adrian Reber Subject: Re: [PATCH] ptrace: reintroduce usage of subjective credentials in ptrace_has_cap() Message-ID: <20200118124653.k7exqcu4fyojd63e@wittgenstein> References: <20200115171736.16994-1-christian.brauner@ubuntu.com> <20200118011701.ciqiuutgyyvtk5a4@wittgenstein> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20200118011701.ciqiuutgyyvtk5a4@wittgenstein> User-Agent: NeoMutt/20180716 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Jan 18, 2020 at 02:17:01AM +0100, Christian Brauner wrote: > On Fri, Jan 17, 2020 at 05:08:14PM -0800, Andrei Vagin wrote: > > On Wed, Jan 15, 2020 at 9:18 AM Christian Brauner > > wrote: > > > > > > Commit 69f594a38967 ("ptrace: do not audit capability check when outputing /proc/pid/stat") > > > introduced the ability to opt out of audit messages for accesses to > > > various proc files since they are not violations of policy. > > > While doing so it somehow switched the check from ns_capable() to > > > has_ns_capability{_noaudit}(). That means it switched from checking the > > > subjective credentials of the task to using the objective credentials. I > > > couldn't find the original lkml thread and so I don't know why this switch > > > was done. But it seems wrong since ptrace_has_cap() is currently only used > > > in ptrace_may_access(). And it's used to check whether the calling task > > > (subject) has the CAP_SYS_PTRACE capability in the provided user namespace > > > to operate on the target task (object). According to the cred.h comments > > > this would mean the subjective credentials of the calling task need to be > > > used. > > > This switches it to use security_capable() because we only call > > > ptrace_has_cap() in ptrace_may_access() and in there we already have a > > > stable reference to the calling tasks creds under cred_guard_mutex so > > > there's no need to go through another series of dereferences and rcu > > > locking done in ns_capable{_noaudit}(). > > > > > > The criu process is started with all capabilities in the root user namespace. > > > > I don't have time to investigate this issue right now, will provide > > more details next Tuesday. > > Yeah, we've detected the issue. security_capable() indicates success by > returning 0 for whatever reason whereas has_ns_capability() returns 1. > So the logic was inverted. This is fixed in the new version. Sorry for > the noise! So, I just finished compiling criu and running the test suite on the criu-dev branch. The test-suite passes fine after the security_capable() braino in my original patch was corrected to security_capable() == 0: ################## ALL TEST(S) PASSED (TOTAL 178/SKIPPED 16) ################### Thanks! Christian