References: <20200701064906.323185-1-areber@redhat.com> <20200701064906.323185-4-areber@redhat.com> <20200702211647.GB3283@mail.hallyn.com>
In-Reply-To: <20200702211647.GB3283@mail.hallyn.com>
From: Paul Moore
Date: Thu, 2 Jul 2020 18:00:10 -0400
Subject: Re: [PATCH v4 3/3] prctl: Allow ptrace capable processes to change /proc/self/exe
To: "Serge E. Hallyn"
Cc: Adrian Reber, Christian Brauner, Eric Biederman, Pavel Emelyanov, Oleg Nesterov, Dmitry Safonov <0x7f454c46@gmail.com>, Andrei Vagin, Nicolas Viennot, Michał Cłapiński, Kamil Yurtsever, Dirk Petersen, Christine Flood, Casey Schaufler, Mike Rapoport, Radostin Stoyanov, Cyrill Gorcunov, Stephen Smalley, Sargun Dhillon, Arnd Bergmann, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, selinux@vger.kernel.org, Eric Paris, Jann Horn, linux-fsdevel@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Jul 2, 2020 at 5:16 PM Serge E. Hallyn wrote:
> On Wed, Jul 01, 2020 at 08:49:06AM +0200, Adrian Reber wrote:
> > From: Nicolas Viennot
> >
> > Previously, the current process could only change the /proc/self/exe
> > link with local CAP_SYS_ADMIN.
> > This commit relaxes this restriction by permitting such change with
> > CAP_CHECKPOINT_RESTORE, and the ability to use ptrace.
> >
> > With access to ptrace facilities, a process can do the following: fork a
> > child, execve() the target executable, and have the child use ptrace()
> > to replace the memory content of the current process. This technique
> > makes it possible to masquerade an arbitrary program as any executable,
> > even setuid ones.
> >
> > Signed-off-by: Nicolas Viennot
> > Signed-off-by: Adrian Reber
>
> This is scary. But I believe it is safe.
>
> Reviewed-by: Serge Hallyn
>
> I am a bit curious about the implications of the selinux patch.
> IIUC you are using the permission of the tracing process to
> execute the file without transition, so this is a way to work
> around the policy which might prevent the tracee from doing so.
> Given that SELinux wants to be MAC, I'm not *quite* sure that's
> considered kosher. You also are skipping the PROCESS__PTRACE
> to SECCLASS_PROCESS check which selinux_bprm_set_creds does later
> on. Again I'm just not quite sure what's considered normal there
> these days.
>
> Paul, do you have input there?

I agree, the SELinux hook looks wrong. Building on what Christian said,
this looks more like a ptrace operation than an exec operation.

--
paul moore
www.paul-moore.com