Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp1372479ybt;
        Thu, 18 Jun 2020 07:15:41 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxQ9E4Y9kqV27lFBgPPRDhkj+XP3VzJE2vn/eih032ZFQjhFPNRo4k+hF1GpkYa2pH1JONf
X-Received: by 2002:a17:906:c9d6:: with SMTP id hk22mr4010556ejb.101.1592489740981;
        Thu, 18 Jun 2020 07:15:40 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1592489740; cv=none;
        d=google.com; s=arc-20160816;
        b=B2HqSE5wyU++3VboxEOc+8Fqw9O3v8/uKcBoVJGkwOt/6h379IDIgvOo7YWqtJwaa6
         qrg22QhU4NSHoMx5QluThtXzdDmNWLjR86f61z2Hj7J9gEuz9OdCuwaWgQv59ljOME63
         7CT46h/VXaFjD9I68fmybQvjz36FnmgjeiwBjXCzNkdNh6OP9BkqzT6iSByY8zeqdTdA
         umHPior0rGeVtXP7fFtq3EDHuJd7Bnf+QiktUZH2pveVRCGYb1MXMIwpgFtSujEt/QVC
         jW2PU1HO2kq0kIT21jT+MrfuQcCSAbKIqH3qPwObMMnvoHkx9MZDWsc6lBdb2WAkOrZv
         XnoA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=p5Y6VzjE46+NhDt4mg2S5o4yQ1/eLUcB29QBrcYK8BY=;
        b=0RI9XEGu2B6gbE7ZYELGd27hExbUe7Z4mi+I3mbVLiDEuDKCAYdHZmTVzhH67gKz0b
         nmKFJ7ZPuHeGj7QfxzkLKKZ/hbDRKcT5Dl97mLKXi0GfDWhrWWMI/OU0XTrNYau0rvhI
         yAZjayaZlD12EXDzASVGfn3oSIJ9b/cOxHKXlwnL7fI4miScKUNY+NhofOltcR/dGJTr
         VfCsGlv0upmWuXZLSZYcLn5y224I1bTsQbuKZIf6zks1ZSzrvFIq4e+48kyvLQIndr6B
         6bLFKQzH/4fQf/o6zmN3ojuP5YsI+IhHvRh+cdtBeIuU4cOyTGk+mx94EqnD2xZiFZUW
         uZ9Q==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=ZHO6wpiR;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id j24si1872865ejy.277.2020.06.18.07.15.18;
        Thu, 18 Jun 2020 07:15:40 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=ZHO6wpiR;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730682AbgFROL5 (ORCPT <rfc822;jaegeuk-test@gmail.com>
        + 99 others); Thu, 18 Jun 2020 10:11:57 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52402 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1730277AbgFROLs (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 18 Jun 2020 10:11:48 -0400
Received: from mail-lf1-x142.google.com (mail-lf1-x142.google.com [IPv6:2a00:1450:4864:20::142])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4405CC0613EE
        for <linux-kernel@vger.kernel.org>; Thu, 18 Jun 2020 07:11:48 -0700 (PDT)
Received: by mail-lf1-x142.google.com with SMTP id y13so3556176lfe.9
        for <linux-kernel@vger.kernel.org>; Thu, 18 Jun 2020 07:11:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=p5Y6VzjE46+NhDt4mg2S5o4yQ1/eLUcB29QBrcYK8BY=;
        b=ZHO6wpiR6gUAr5OGQL9Lcu20ukX5A8y/2szri0NCuxCituzyRMXuO27B9wEQfv/wQ5
         7y3MVf0+4hgPlF8bXFksP8xwoZ/vdomiLdQCze5oKFf1FVpZjnqtLbAF90IwWaEjJXG/
         EpRVw459oeG5ruYEteC2Hn9T3jUj4kAClnKwWVevZ84vGeUPcRYvg9I1AHJdTqokRt4m
         f6FsQmiMzanQ1mLDBRXYEX7MDQp15PeiDU3j7ZC7gsS6F8uYpQRyaYITm+DkUwUXCiUi
         V4DqGZdQUqb/MK6hJwnEqnj9NkzUXPW7bCYIBL1CBG2GkbeibvP2ImUPFA3HzMyvlCcC
         US4Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=p5Y6VzjE46+NhDt4mg2S5o4yQ1/eLUcB29QBrcYK8BY=;
        b=IHLbf7wdSAe3+qy3i0NGTXITbHErPoVyFUw9toRjo/vYM9X1Po2k9pIFW21hLePXN/
         zIqGkaqA/SXqGDRObiTO/HGQOofvlTMxXtNunSwLgFP04yWlvK76yU7gRIiOXbsZnHy8
         koEuqCxlnc8ZXU813xKgLrMXSjMbMjDr4ocKqu8vyps+kGL29QB2RnaBAkQmG2SyZxmm
         9PQqgOX5qU21yyYyRFOoDkJiN3ckZCh37MNAcpqiaYje6l9rCgxXWQzFlGDJD8o4HEpl
         9Atpc6wIAnRqrTSfO+MVIVSs0u/+Ww/ASMVeOJ0o52LnP8bTDH44tC9Qi3pjwmYlkIIl
         0cQA==
X-Gm-Message-State: AOAM530zCQPgB5leOuv28KabfjcoRi1ncwlNKhPwFKM8QU1u2gSdQLg+
        WGye8dkS77c2mbmbpFM/E/TEjcbL3ay384XAvptEUQ==
X-Received: by 2002:a19:be4b:: with SMTP id o72mr1872950lff.141.1592489506308;
 Thu, 18 Jun 2020 07:11:46 -0700 (PDT)
MIME-Version: 1.0
References: <20200618134825.487467-1-areber@redhat.com> <20200618134825.487467-4-areber@redhat.com>
In-Reply-To: <20200618134825.487467-4-areber@redhat.com>
From:   Jann Horn <jannh@google.com>
Date:   Thu, 18 Jun 2020 16:11:19 +0200
Message-ID: <CAG48ez1ocnFNSPdVDaVtB2-S+B4uBeLTLaekCYq=m1DuMyA-CA@mail.gmail.com>
Subject: Re: [PATCH v3 3/3] prctl: Allow ptrace capable processes to change exe_fd
To:     Adrian Reber <areber@redhat.com>
Cc:     Christian Brauner <christian.brauner@ubuntu.com>,
        Eric Biederman <ebiederm@xmission.com>,
        Pavel Emelyanov <ovzxemul@gmail.com>,
        Oleg Nesterov <oleg@redhat.com>,
        Dmitry Safonov <0x7f454c46@gmail.com>,
        Andrei Vagin <avagin@gmail.com>,
        Nicolas Viennot <Nicolas.Viennot@twosigma.com>,
        =?UTF-8?B?TWljaGHFgiBDxYJhcGnFhHNraQ==?= <mclapinski@google.com>,
        Kamil Yurtsever <kyurtsever@google.com>,
        Dirk Petersen <dipeit@gmail.com>,
        Christine Flood <chf@redhat.com>,
        Casey Schaufler <casey@schaufler-ca.com>,
        Mike Rapoport <rppt@linux.ibm.com>,
        Radostin Stoyanov <rstoyanov1@gmail.com>,
        Cyrill Gorcunov <gorcunov@openvz.org>,
        Serge Hallyn <serge@hallyn.com>,
        Stephen Smalley <stephen.smalley.work@gmail.com>,
        Sargun Dhillon <sargun@sargun.me>,
        Arnd Bergmann <arnd@arndb.de>,
        linux-security-module <linux-security-module@vger.kernel.org>,
        kernel list <linux-kernel@vger.kernel.org>,
        SElinux list <selinux@vger.kernel.org>,
        Eric Paris <eparis@parisplace.org>,
        linux-fsdevel <linux-fsdevel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Jun 18, 2020 at 3:50 PM Adrian Reber <areber@redhat.com> wrote:
> The current process is authorized to change its /proc/self/exe link via
> two policies:
> 1) The current user can do checkpoint/restore In other words is
>    CAP_SYS_ADMIN or CAP_CHECKPOINT_RESTORE capable.
> 2) The current user can use ptrace.
>
> With access to ptrace facilities, a process can do the following: fork a
> child, execve() the target executable, and have the child use ptrace()
> to replace the memory content of the current process. This technique
> makes it possible to masquerade an arbitrary program as any executable,
> even setuid ones.
>
> This commit also changes the permission error code from -EINVAL to
> -EPERM for consistency with the rest of the prctl() syscall when
> checking capabilities.
[...]
> diff --git a/kernel/sys.c b/kernel/sys.c
[...]
> @@ -2007,12 +2007,23 @@ static int prctl_set_mm_map(int opt, const void __user *addr, unsigned long data
>
>         if (prctl_map.exe_fd != (u32)-1) {
>                 /*
> -                * Make sure the caller has the rights to
> -                * change /proc/pid/exe link: only local sys admin should
> -                * be allowed to.
> +                * The current process is authorized to change its
> +                * /proc/self/exe link via two policies:
> +                * 1) The current user can do checkpoint/restore
> +                *    In other words is CAP_SYS_ADMIN or
> +                *    CAP_CHECKPOINT_RESTORE capable.
> +                * 2) The current user can use ptrace.
> +                *
> +                * With access to ptrace facilities, a process can do the
> +                * following: fork a child, execve() the target executable,
> +                * and have the child use ptrace() to replace the memory
> +                * content of the current process. This technique makes it
> +                * possible to masquerade an arbitrary program as the target
> +                * executable, even if it is setuid.

(That is not necessarily true in the presence of LSMs like SELinux:
You'd have to be able to FILE__EXECUTE_NO_TRANS the target executable
according to the system's security policy.)