Received: by 2002:a05:6a10:9e8c:0:0:0:0 with SMTP id y12csp147837pxx;
        Wed, 28 Oct 2020 00:39:41 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwiopp4TNKkGKE7LICndT5OzCI2A0dwSpgBKX3S+tlGZlZnYm4WusRRESnfajqFWTX+gMNO
X-Received: by 2002:a17:907:40eb:: with SMTP id nn19mr6542277ejb.240.1603870780833;
        Wed, 28 Oct 2020 00:39:40 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1603870780; cv=none;
        d=google.com; s=arc-20160816;
        b=sD33FlDY+W5Ri7R44fizWvMh6HtGtDFpUdSM9wOLOJ3bJUsG35r8/VHWMV205LDOE9
         f6IX13Ht3P9WSHhFeGX1efmUwBzbN9F4B91m7pRv/C7crCxN+BhcTN59YKPpYFTtVbN1
         gYCY7ErubFY7Jq2ad4JjPocIrXnonmKbmHZ7UbqBK5jPvOj4QifAh9kQ64L8ngUzCDUZ
         jW/lVzbuGyd4UtVVcAJ15iS1ukhIlZYRDSU0J/EgegkNeSO1rWRvYDCkyWY1tZnUG+PN
         Tvb7QmYlRyh9xYtu/50gcZgL9OucETQaxNQ9ioiUT/77XyNleQWfi6qRWyJlFLAMN+nq
         qukw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to
         :references:mime-version:dkim-signature;
        bh=VdLy/kUakjSURD5xQ/YFBTUhQyiMJ2S037Fpg6j6Zn8=;
        b=TnEVsYzPRl7HB3/yacQlTYVGBZCo2uKaCVSvl9BniCU42Y+413qteJulJCYW2+v6Qc
         jlMV2pkZFhBYpq6jYUFiKgJ8Cu6lf1XOKHncZNODH0GRuK5zZbu6pSSw3YHscDjf6FFr
         uwFboEveUomEog65YSoNbInb5I8B5E2NAE+jy+3smpNi6AowbuKkVKZIjMvh9Agh62ny
         Z9HqY0x0d9W4TO/qT4EqVgmXIqtTJufSX15MIBmShVM7QtkTUyWvHmIgpoeglkuXrVG2
         TNb7EKbxgsQw8a9/xVNEB80Li0lFsYZocveK3oxRC/tw5C2ky65SBwD2sgEObyAvMboV
         f4Wg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=WVLjvL+8;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id a92si2690148edf.114.2020.10.28.00.39.18;
        Wed, 28 Oct 2020 00:39:40 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=WVLjvL+8;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751549AbgJ0MwB (ORCPT <rfc822;atom.tux.beastie@gmail.com>
        + 99 others); Tue, 27 Oct 2020 08:52:01 -0400
Received: from mail-lj1-f194.google.com ([209.85.208.194]:43998 "EHLO
        mail-lj1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751552AbgJ0Mv7 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 27 Oct 2020 08:51:59 -0400
Received: by mail-lj1-f194.google.com with SMTP id d24so1597586ljg.10
        for <linux-kernel@vger.kernel.org>; Tue, 27 Oct 2020 05:51:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=VdLy/kUakjSURD5xQ/YFBTUhQyiMJ2S037Fpg6j6Zn8=;
        b=WVLjvL+8dqcJznCqZnu75mvjazgE1nMYXHTx7zirRvSptOBgkQ1vHrdTfvB48AmPQb
         LYXyA+izaR+l/1zC5h/2bTn2dkLukQJBb55K/VELvkpSe3MzRuj16dNkX6SKe9aoTnRg
         kdYm2i6MXROyrqVbw2ZFU1y/ca1sepsH0WK7o8N5Ln5R6zdNyAHsl488z5E4YgPgCwoh
         Q+sGKejzoi5/x/3tw5764pxu7ZackNaNEgXIcJCS1qiD1E0/9qK7Dkd81j4y0UWlt2kp
         sJhe0hX9CDFvhkcWyboTxD8r5cS960E1TaF6ETWOf7doZoc9wDKvcwTSrXdd4dfmLu5r
         ok/A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=VdLy/kUakjSURD5xQ/YFBTUhQyiMJ2S037Fpg6j6Zn8=;
        b=KqtnJR/Iy5V41iUMqhMOfMMPZ6s8tIY1js5071YsXF0KAYih//mQE/caSs28Pzk4P/
         6ySlmo8vF6QFFxFO+IyW/xM0mewMqmze5ZSd438ThqQpIv/c4lAsWU1HQP5F22fd2oVu
         j0xz54OIGTuCXBIUTK6s4+xa++Lbl4dfu88SGvHci3yOq5jKG3ecCiEzSixeruWkA8xx
         MIZ85+6Xcs4QDipy/36Iz7PwY1AOCdH+W+0bWANzKdaXYxcVAMNClZHTsGsV7/eUeyoM
         JHw5o308XjfHQK5MHrodnFECDtFFo6m95OGG24+qawX2AlGoDqgMatu3mvnc81bXYPvs
         Hlxg==
X-Gm-Message-State: AOAM532MjKhUDljp0iObbEkGybz4z4MXbRCl4XweBansbE60p8n69RX8
        0SFAFgY90qPxYuqa4kU52/n4ECBGJIoAzEYAz256IQ==
X-Received: by 2002:a05:651c:1313:: with SMTP id u19mr1028801lja.47.1603803116472;
 Tue, 27 Oct 2020 05:51:56 -0700 (PDT)
MIME-Version: 1.0
References: <7655a573-544f-05a4-36dc-0c84c73ac9ee@gmail.com>
In-Reply-To: <7655a573-544f-05a4-36dc-0c84c73ac9ee@gmail.com>
From:   Jann Horn <jannh@google.com>
Date:   Tue, 27 Oct 2020 13:51:30 +0100
Message-ID: <CAG48ez2W+p2RuAPMyxE+hggNtHsVx3-NHCawk18_F5tonX20LQ@mail.gmail.com>
Subject: Re: Inconsistent capability requirements for prctl_set_mm_exe_file()
To:     "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>
Cc:     Nicolas Viennot <Nicolas.Viennot@twosigma.com>,
        Christian Brauner <christian.brauner@ubuntu.com>,
        Adrian Reber <areber@redhat.com>,
        Cyrill Gorcunov <gorcunov@gmail.com>,
        "Eric W. Biederman" <ebiederm@xmission.com>,
        Kirill Tkhai <ktkhai@virtuozzo.com>,
        Oleg Nesterov <oleg@redhat.com>,
        Pavel Emelyanov <ovzxemul@gmail.com>,
        Kees Cook <keescook@chromium.org>,
        Casey Schaufler <casey@schaufler-ca.com>,
        lkml <linux-kernel@vger.kernel.org>,
        linux-security-module <linux-security-module@vger.kernel.org>,
        Andrei Vagin <avagin@gmail.com>,
        Dmitry Safonov <0x7f454c46@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Oct 27, 2020 at 1:11 PM Michael Kerrisk (man-pages)
<mtk.manpages@gmail.com> wrote:
> @Nicolas, your commit ebd6de6812387a changed the capability
> requirements for the prctl_set_mm_exe_file() operation from
>
>     ns_capable(CAP_SYS_ADMIN)
>
> to
>
>     ns_capable(CAP_SYS_ADMIN) || ns_capable(CAP_CHECKPOINT_RESTORE).
>
> That's fine I guess, but while looking at that change, I found
> an anomaly.
>
> The same prctl_set_mm_exe_file() functionality is also available
> via the prctl() PR_SET_MM_EXE_FILE operation, which was added
> by Cyrill's commit b32dfe377102ce668. However, there the
> prctl_set_mm_exe_file() operation is guarded by a check
>
>     capable(CAP_SYS_RESOURCE).
>
> There are two things I note:
>
> * The capability requirements are different in the two cases.
> * In one case the checks are with ns_capable(), while in the
>   other case the check is with capable().
>
> In both cases, the inconsistencies predate Nicolas's patch,
> and appear to have been introduced in Kirill Tkhai's commit
> 4d28df6152aa3ff.
>
> I'm not sure what is right, but those inconsistencies seem
> seem odd, and presumably unintended. Similarly, I'm not
> sure what fix, if any, should be applied. However, I thought
> it worth mentioning these details, since the situation is odd
> and surprising.

FWIW, as a bit of context here: I believe that these checks are more
driven by "what capabilitiies do we think a typical caller will have"
than by a proper security design of "what capabilities do we have to
require to establish certain security guarantees". As people have
noted elsewhere, on a system without LSMs, a process can point
/proc/self/exe to almost any executable file of its choice anyway (by
executing that file and then replacing the executable code of the
resulting process).

The properly engineered solution would probably be to let LSMs hook
these APIs (if they care) and then remove the capable()/ns_capable()
checks.