Received: by 2002:a05:6a10:9e8c:0:0:0:0 with SMTP id y12csp140003pxx; Wed, 28 Oct 2020 00:21:41 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyr59E7fdU5PQED8FlYU8bUBhMVTsCpf3VlkqGFLzZzbSPOBsmJirwO6Oqog34f8AQR1kUq X-Received: by 2002:a17:906:6805:: with SMTP id k5mr6538469ejr.79.1603869700977; Wed, 28 Oct 2020 00:21:40 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1603869700; cv=none; d=google.com; s=arc-20160816; b=fOsIwNQfP0U07xAdvDDSEEJoPGPqluS5HxclHEY3mfJY0viVZGnqKj6i6MCB/p9x/j cB6ZIzdhRxb2DDLvcaZS3oMRsSxozLuCtXZg98XPr2MzG4n6jW4jTlSZzS8Omk66wmlL 11q3c5pRkvSKtOQJ8MFHjI2qZ088rYna3KvQ/krRwrre9aAwg67GAc7t6YWhVgMDxo4V aALRWhYks86yF1ZSAsC3CekuD7XUGzxfFIJ6M8bwApjp+SQnEE2UiJdRqUHuxpbIGMn5 hT7rGQ5kTWCunIM/5Dm8Yp4OIkrhNu7IRAexamSt/dL9fuEB0Hz8OQRsdS9Mnh1IeNeJ ogQw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :mime-version:user-agent:date:message-id:subject:from:to:cc :dkim-signature; bh=WfciDPKN3LS+3fOztqseVE/Ebmzl7FBW7LNzYYpXqog=; b=Y11vwANtl8m4jOqFm5dnzmvi8o7DPc2AcjQDgv/PvGswZCy/O+9EgTq+htmgvkgLhj qMVEwKKhFGLkBMsO5NGbugGMYJlD2YF4f5ZN6XZaWCPzppjdN807YKl2hYVN8jxy9Bmi 8rMvojPS3EwML7lt+6aoO21sS595bGfXhOHdH64+8ypjXDHtd0Rfehl4sdWm5g2N/GJR sYxgsbpesJQn6cDvonupPdWT3HOJbjCRdAsPpOG4gWkO29ce1HOyHYxh1Kl0iAWiUpPs mKfHhHRnY0gu1K6Z/8jwq2dnsXYfR0zxlLXZw6ky8dRe5teQ59FtjCZglndGV3EQOauy vjvQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=eWMO7qNT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id lm6si2716206ejb.334.2020.10.28.00.21.19; Wed, 28 Oct 2020 00:21:40 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=eWMO7qNT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1750442AbgJ0MLp (ORCPT + 99 others); Tue, 27 Oct 2020 08:11:45 -0400 Received: from mail-wr1-f65.google.com ([209.85.221.65]:45256 "EHLO mail-wr1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2394605AbgJ0MLo (ORCPT ); Tue, 27 Oct 2020 08:11:44 -0400 Received: by mail-wr1-f65.google.com with SMTP id e17so1587734wru.12; Tue, 27 Oct 2020 05:11:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=cc:to:from:subject:message-id:date:user-agent:mime-version :content-language:content-transfer-encoding; bh=WfciDPKN3LS+3fOztqseVE/Ebmzl7FBW7LNzYYpXqog=; b=eWMO7qNTnXXgGw3wGXJy8KkpHRnOwdRP+98W6uAvyCmZq7MHAsh9popALGKipDuLcy n/kmkElNghrsNILJyP73nR5vTMkeTD9a4CcQdYssDcOm6GtYdN/ZOotXVMIAj0MyfzHc 2VrCHE8Fwnda40RiKnjRoCnuLOS0OHfuZ4by+BWPx8QudAXxl+/U+aESzHSj5Z/dvG9G ZUsGYWFaM0JeKkbjoLHN/e4rKROPicWwm8DSZqwwGOnoA7SbIpax/+Ma6vZcMhqkFVBy zvYbXz2kTLrZ9Umi/ebXtZXsnfTnnxvU3+nsrtVca1hb8da6oBk+nPayaYkQ0AOKl/nH cscA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:cc:to:from:subject:message-id:date:user-agent :mime-version:content-language:content-transfer-encoding; bh=WfciDPKN3LS+3fOztqseVE/Ebmzl7FBW7LNzYYpXqog=; b=GLR5Fex8l2ks0xDBp60Xp4vw3kEHjuCmpX3pyh8QFAcRW6N866O25POAxz9uRBm/qn Fmj6SWk5z/K0z8v+qUIqHx5K05KbASIPmp7FzymdfU+WA7XibGTIQ8eIXgG9oxZ+tbtS J0wZR5sMvcaL4F673OPbyV/9iHlRgiwdzRTUj85hCZKBbIcnkES83wpKNirqfgjiJpSS IhzbPUHCymkYcqkChPFrg7aYqeXpXCjOYhL2hvW5ZaIx9VRjiebHAOcaFs/DC9w39Xgo 5aAzXt2AAVBvb1iQhVVwn1FFhwcCzshTrCEqi19pkhfDXW9CQcIdLZqmWjLW9b8/3fY+ r88w== X-Gm-Message-State: AOAM531VrUFFQdxNRtlfVXNp2tOyQi8s/y5D+7DvSbdEFQUzn7we5s+V Hkjtf037z1RNmPB4UE4qLPA= X-Received: by 2002:adf:e443:: with SMTP id t3mr2555760wrm.14.1603800702246; Tue, 27 Oct 2020 05:11:42 -0700 (PDT) Received: from ?IPv6:2001:a61:245a:d801:2e74:88ad:ef9:5218? ([2001:a61:245a:d801:2e74:88ad:ef9:5218]) by smtp.gmail.com with ESMTPSA id p11sm1829840wrm.44.2020.10.27.05.11.40 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 27 Oct 2020 05:11:41 -0700 (PDT) Cc: mtk.manpages@gmail.com, Oleg Nesterov , Pavel Emelyanov , Kees Cook , Casey Schaufler , lkml , linux-security-module , Jann Horn , Andrei Vagin , Dmitry Safonov <0x7f454c46@gmail.com> To: Nicolas Viennot , Christian Brauner , Adrian Reber , Cyrill Gorcunov , "Eric W. Biederman" , Kirill Tkhai From: "Michael Kerrisk (man-pages)" Subject: Inconsistent capability requirements for prctl_set_mm_exe_file() Message-ID: <7655a573-544f-05a4-36dc-0c84c73ac9ee@gmail.com> Date: Tue, 27 Oct 2020 13:11:40 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.11.0 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hello Nicolas, Cyrill, and others, @Nicolas, your commit ebd6de6812387a changed the capability requirements for the prctl_set_mm_exe_file() operation from ns_capable(CAP_SYS_ADMIN) to ns_capable(CAP_SYS_ADMIN) || ns_capable(CAP_CHECKPOINT_RESTORE). That's fine I guess, but while looking at that change, I found an anomaly. The same prctl_set_mm_exe_file() functionality is also available via the prctl() PR_SET_MM_EXE_FILE operation, which was added by Cyrill's commit b32dfe377102ce668. However, there the prctl_set_mm_exe_file() operation is guarded by a check capable(CAP_SYS_RESOURCE). There are two things I note: * The capability requirements are different in the two cases. * In one case the checks are with ns_capable(), while in the other case the check is with capable(). In both cases, the inconsistencies predate Nicolas's patch, and appear to have been introduced in Kirill Tkhai's commit 4d28df6152aa3ff. I'm not sure what is right, but those inconsistencies seem seem odd, and presumably unintended. Similarly, I'm not sure what fix, if any, should be applied. However, I thought it worth mentioning these details, since the situation is odd and surprising. Thanks, Michael -- Michael Kerrisk Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/ Linux/UNIX System Programming Training: http://man7.org/training/