Received: by 2002:a05:6a10:9e8c:0:0:0:0 with SMTP id y12csp140003pxx;
        Wed, 28 Oct 2020 00:21:41 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyr59E7fdU5PQED8FlYU8bUBhMVTsCpf3VlkqGFLzZzbSPOBsmJirwO6Oqog34f8AQR1kUq
X-Received: by 2002:a17:906:6805:: with SMTP id k5mr6538469ejr.79.1603869700977;
        Wed, 28 Oct 2020 00:21:40 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1603869700; cv=none;
        d=google.com; s=arc-20160816;
        b=fOsIwNQfP0U07xAdvDDSEEJoPGPqluS5HxclHEY3mfJY0viVZGnqKj6i6MCB/p9x/j
         cB6ZIzdhRxb2DDLvcaZS3oMRsSxozLuCtXZg98XPr2MzG4n6jW4jTlSZzS8Omk66wmlL
         11q3c5pRkvSKtOQJ8MFHjI2qZ088rYna3KvQ/krRwrre9aAwg67GAc7t6YWhVgMDxo4V
         aALRWhYks86yF1ZSAsC3CekuD7XUGzxfFIJ6M8bwApjp+SQnEE2UiJdRqUHuxpbIGMn5
         hT7rGQ5kTWCunIM/5Dm8Yp4OIkrhNu7IRAexamSt/dL9fuEB0Hz8OQRsdS9Mnh1IeNeJ
         ogQw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:content-language
         :mime-version:user-agent:date:message-id:subject:from:to:cc
         :dkim-signature;
        bh=WfciDPKN3LS+3fOztqseVE/Ebmzl7FBW7LNzYYpXqog=;
        b=Y11vwANtl8m4jOqFm5dnzmvi8o7DPc2AcjQDgv/PvGswZCy/O+9EgTq+htmgvkgLhj
         qMVEwKKhFGLkBMsO5NGbugGMYJlD2YF4f5ZN6XZaWCPzppjdN807YKl2hYVN8jxy9Bmi
         8rMvojPS3EwML7lt+6aoO21sS595bGfXhOHdH64+8ypjXDHtd0Rfehl4sdWm5g2N/GJR
         sYxgsbpesJQn6cDvonupPdWT3HOJbjCRdAsPpOG4gWkO29ce1HOyHYxh1Kl0iAWiUpPs
         mKfHhHRnY0gu1K6Z/8jwq2dnsXYfR0zxlLXZw6ky8dRe5teQ59FtjCZglndGV3EQOauy
         vjvQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=eWMO7qNT;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id lm6si2716206ejb.334.2020.10.28.00.21.19;
        Wed, 28 Oct 2020 00:21:40 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=eWMO7qNT;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1750442AbgJ0MLp (ORCPT <rfc822;atom.tux.beastie@gmail.com>
        + 99 others); Tue, 27 Oct 2020 08:11:45 -0400
Received: from mail-wr1-f65.google.com ([209.85.221.65]:45256 "EHLO
        mail-wr1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S2394605AbgJ0MLo (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 27 Oct 2020 08:11:44 -0400
Received: by mail-wr1-f65.google.com with SMTP id e17so1587734wru.12;
        Tue, 27 Oct 2020 05:11:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=cc:to:from:subject:message-id:date:user-agent:mime-version
         :content-language:content-transfer-encoding;
        bh=WfciDPKN3LS+3fOztqseVE/Ebmzl7FBW7LNzYYpXqog=;
        b=eWMO7qNTnXXgGw3wGXJy8KkpHRnOwdRP+98W6uAvyCmZq7MHAsh9popALGKipDuLcy
         n/kmkElNghrsNILJyP73nR5vTMkeTD9a4CcQdYssDcOm6GtYdN/ZOotXVMIAj0MyfzHc
         2VrCHE8Fwnda40RiKnjRoCnuLOS0OHfuZ4by+BWPx8QudAXxl+/U+aESzHSj5Z/dvG9G
         ZUsGYWFaM0JeKkbjoLHN/e4rKROPicWwm8DSZqwwGOnoA7SbIpax/+Ma6vZcMhqkFVBy
         zvYbXz2kTLrZ9Umi/ebXtZXsnfTnnxvU3+nsrtVca1hb8da6oBk+nPayaYkQ0AOKl/nH
         cscA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:cc:to:from:subject:message-id:date:user-agent
         :mime-version:content-language:content-transfer-encoding;
        bh=WfciDPKN3LS+3fOztqseVE/Ebmzl7FBW7LNzYYpXqog=;
        b=GLR5Fex8l2ks0xDBp60Xp4vw3kEHjuCmpX3pyh8QFAcRW6N866O25POAxz9uRBm/qn
         Fmj6SWk5z/K0z8v+qUIqHx5K05KbASIPmp7FzymdfU+WA7XibGTIQ8eIXgG9oxZ+tbtS
         J0wZR5sMvcaL4F673OPbyV/9iHlRgiwdzRTUj85hCZKBbIcnkES83wpKNirqfgjiJpSS
         IhzbPUHCymkYcqkChPFrg7aYqeXpXCjOYhL2hvW5ZaIx9VRjiebHAOcaFs/DC9w39Xgo
         5aAzXt2AAVBvb1iQhVVwn1FFhwcCzshTrCEqi19pkhfDXW9CQcIdLZqmWjLW9b8/3fY+
         r88w==
X-Gm-Message-State: AOAM531VrUFFQdxNRtlfVXNp2tOyQi8s/y5D+7DvSbdEFQUzn7we5s+V
        Hkjtf037z1RNmPB4UE4qLPA=
X-Received: by 2002:adf:e443:: with SMTP id t3mr2555760wrm.14.1603800702246;
        Tue, 27 Oct 2020 05:11:42 -0700 (PDT)
Received: from ?IPv6:2001:a61:245a:d801:2e74:88ad:ef9:5218? ([2001:a61:245a:d801:2e74:88ad:ef9:5218])
        by smtp.gmail.com with ESMTPSA id p11sm1829840wrm.44.2020.10.27.05.11.40
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Tue, 27 Oct 2020 05:11:41 -0700 (PDT)
Cc:     mtk.manpages@gmail.com, Oleg Nesterov <oleg@redhat.com>,
        Pavel Emelyanov <ovzxemul@gmail.com>,
        Kees Cook <keescook@chromium.org>,
        Casey Schaufler <casey@schaufler-ca.com>,
        lkml <linux-kernel@vger.kernel.org>,
        linux-security-module <linux-security-module@vger.kernel.org>,
        Jann Horn <jannh@google.com>, Andrei Vagin <avagin@gmail.com>,
        Dmitry Safonov <0x7f454c46@gmail.com>
To:     Nicolas Viennot <Nicolas.Viennot@twosigma.com>,
        Christian Brauner <christian.brauner@ubuntu.com>,
        Adrian Reber <areber@redhat.com>,
        Cyrill Gorcunov <gorcunov@gmail.com>,
        "Eric W. Biederman" <ebiederm@xmission.com>,
        Kirill Tkhai <ktkhai@virtuozzo.com>
From:   "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>
Subject: Inconsistent capability requirements for prctl_set_mm_exe_file()
Message-ID: <7655a573-544f-05a4-36dc-0c84c73ac9ee@gmail.com>
Date:   Tue, 27 Oct 2020 13:11:40 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.11.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hello Nicolas, Cyrill, and others,

@Nicolas, your commit ebd6de6812387a changed the capability 
requirements for the prctl_set_mm_exe_file() operation from

    ns_capable(CAP_SYS_ADMIN)

to

    ns_capable(CAP_SYS_ADMIN) || ns_capable(CAP_CHECKPOINT_RESTORE).

That's fine I guess, but while looking at that change, I found
an anomaly.

The same prctl_set_mm_exe_file() functionality is also available
via the prctl() PR_SET_MM_EXE_FILE operation, which was added
by Cyrill's commit b32dfe377102ce668. However, there the 
prctl_set_mm_exe_file() operation is guarded by a check

    capable(CAP_SYS_RESOURCE).

There are two things I note:

* The capability requirements are different in the two cases.
* In one case the checks are with ns_capable(), while in the 
  other case the check is with capable().

In both cases, the inconsistencies predate Nicolas's patch,
and appear to have been introduced in Kirill Tkhai's commit
4d28df6152aa3ff.

I'm not sure what is right, but those inconsistencies seem
seem odd, and presumably unintended. Similarly, I'm not
sure what fix, if any, should be applied. However, I thought
it worth mentioning these details, since the situation is odd
and surprising.

Thanks,

Michael

-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/