Received: by 2002:a05:6a10:9e8c:0:0:0:0 with SMTP id y12csp148098pxx; Wed, 28 Oct 2020 00:40:15 -0700 (PDT) X-Google-Smtp-Source: ABdhPJy4+oq45bG7DWM3mt1Sr5ZeqjPBYEIY5vltm7j7YzFhM/lRF/SH/hLb/DwV9VNNFfinpg/p X-Received: by 2002:aa7:d699:: with SMTP id d25mr6274724edr.44.1603870814833; Wed, 28 Oct 2020 00:40:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1603870814; cv=none; d=google.com; s=arc-20160816; b=lov+pnbHZOO2cOWamh+CHuUoV447TaFzlpMWXF3jIYkIaZ19rcYet+4sGqbeg04SEK I6JeBnVxACQjq90NlHBpnEFBBmJvpobYpJc2e9umE9L1cOw7+S9lwJhEB61XnraEr8XI zlJC0zYjSVw3oLl6/2ahxN+U0B9PS5aLNa8YobodAesAYhIzUR3XejKi68cYLus+CZ1F wycd3fGjFHTvA9zwGZdQ0UIbLJym60qU7zzF2TzkOcpTGNYuT6eoKv48VHARGblOhlT0 4s+DRjFGGQv3XIjpnehyoovs8YfYNXK5/cIf1wQXXZY4qNma2x6mYwWKeFGhvEk8ccbu R1CA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=ftk1EYAFLOBR6UlEa4OpWRTYRPIM3tkKJGAeflcbmic=; b=PvOl+xyfEVylJATMlUgNeg2Gwjd2TZBzxFdDj3/smMS7aNNE7LY55OdB9G8hlAuNqB UpVkVUJGa6IZFG1PhIlfu9zr6VTjM1chcNrH/p6+YIEjeJUeZ22nmYuE3lziPxM2fAF4 IGT4Oo9U0HYkanoJ78eZHN129F6HlfOjmcohbwPJNAPJyM1P5HzfpkXLPOx/NdtLioI+ VRXIpkksqWB6uy8JDRZs9dZkP1I4fkq7dH05u6cbfMjYhzlvohm2NrAKhFk+PaxBtIGa vyka349o9cute4y4/RQDqRDtNRIRrIzebR56z0BBrptUKuaMHNd0Jvud0fmcPHBgYR91 78nA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=NvEOlY46; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id c26si2637864eds.166.2020.10.28.00.39.53; Wed, 28 Oct 2020 00:40:14 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=NvEOlY46; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751540AbgJ0Mvz (ORCPT + 99 others); Tue, 27 Oct 2020 08:51:55 -0400 Received: from mail-lj1-f194.google.com ([209.85.208.194]:42927 "EHLO mail-lj1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751532AbgJ0Mvy (ORCPT ); Tue, 27 Oct 2020 08:51:54 -0400 Received: by mail-lj1-f194.google.com with SMTP id h20so1605153lji.9; Tue, 27 Oct 2020 05:51:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=ftk1EYAFLOBR6UlEa4OpWRTYRPIM3tkKJGAeflcbmic=; b=NvEOlY46HtypZNbSAOEr4+nLo2M2E1I8caU/D754l2qRDHg9QLSDC3V/cxFRuef+5X G8M/irG2x4w68zuSfLEsrtWb6SxbvPjLi4FLqAswQR+KYk2XsXklHpsEh6LJX9ZW/T2j W3ZPw/wux6ErhTCiRC8dWfmjauAc/ceWmLAkaQ53HJrXSr870Afs9doQP4NfgRzz/Afz 0z1kldssWecLJaKBbkrBMNaU75xuwTjJQa/5F1YzQtQo7qbD/BoAuPIg61uTQtJ6uQhT euiJziC/JcI5DtN422sWeFz5GXQEJTSLU1XDtevAmcKLYZ9MshwuFZj1qepKZ1cSebRi tNPg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=ftk1EYAFLOBR6UlEa4OpWRTYRPIM3tkKJGAeflcbmic=; b=WQ+hvX8wqdsufT5keVDd+w1P0U9Qo3CL8K9nAthYHXT031Lt47T5GI8AKEQuWyOdXH BXrRqt5cJ4dvDypS/zQpS51DHxh7j3G67x4xmdVi08FFzEtm64ukdfom7hTN0i8R0kFV TDAwvDOj5/uUsWV8mmqFeo4E32sKNT9a4Ut9LBTdzjad8mHLFT0PUhXfDpcbt8AEEvDq zu2RNdFM2PatqSU1knrw8C7P14M46JE/2ZNjP3RiSA3n/mdRh3GtWOX5lkbWYtrjFYDx BGfGHb75h2vQv8LIOB1x4qMscuDOOwRVldHsz9+mqOHS9tEIws/0437FFG61w0XFRO5N O5kg== X-Gm-Message-State: AOAM5313raAK1xl011rC7sqQ/w6ljm3FtzlKsgXnkonzWkV53/Fe88k1 7coaComFaFBx4kgZk6ihF8M= X-Received: by 2002:a2e:3112:: with SMTP id x18mr1050673ljx.149.1603803110624; Tue, 27 Oct 2020 05:51:50 -0700 (PDT) Received: from grain.localdomain ([5.18.91.94]) by smtp.gmail.com with ESMTPSA id 21sm166406lfd.272.2020.10.27.05.51.48 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 27 Oct 2020 05:51:49 -0700 (PDT) Received: by grain.localdomain (Postfix, from userid 1000) id 2ABF41A0078; Tue, 27 Oct 2020 15:51:48 +0300 (MSK) Date: Tue, 27 Oct 2020 15:51:48 +0300 From: Cyrill Gorcunov To: "Michael Kerrisk (man-pages)" Cc: Nicolas Viennot , Christian Brauner , Adrian Reber , "Eric W. Biederman" , Kirill Tkhai , Oleg Nesterov , Pavel Emelyanov , Kees Cook , Casey Schaufler , lkml , linux-security-module , Jann Horn , Andrei Vagin , Dmitry Safonov <0x7f454c46@gmail.com> Subject: Re: Inconsistent capability requirements for prctl_set_mm_exe_file() Message-ID: <20201027125148.GA2093@grain> References: <7655a573-544f-05a4-36dc-0c84c73ac9ee@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <7655a573-544f-05a4-36dc-0c84c73ac9ee@gmail.com> User-Agent: Mutt/1.14.6 (2020-07-11) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Oct 27, 2020 at 01:11:40PM +0100, Michael Kerrisk (man-pages) wrote: > Hello Nicolas, Cyrill, and others, > > @Nicolas, your commit ebd6de6812387a changed the capability > requirements for the prctl_set_mm_exe_file() operation from > > ns_capable(CAP_SYS_ADMIN) > > to > > ns_capable(CAP_SYS_ADMIN) || ns_capable(CAP_CHECKPOINT_RESTORE). > > That's fine I guess, but while looking at that change, I found > an anomaly. > > The same prctl_set_mm_exe_file() functionality is also available > via the prctl() PR_SET_MM_EXE_FILE operation, which was added > by Cyrill's commit b32dfe377102ce668. However, there the > prctl_set_mm_exe_file() operation is guarded by a check > > capable(CAP_SYS_RESOURCE). > > There are two things I note: > > * The capability requirements are different in the two cases. > * In one case the checks are with ns_capable(), while in the > other case the check is with capable(). > > In both cases, the inconsistencies predate Nicolas's patch, > and appear to have been introduced in Kirill Tkhai's commit > 4d28df6152aa3ff. > > I'm not sure what is right, but those inconsistencies seem > seem odd, and presumably unintended. Similarly, I'm not > sure what fix, if any, should be applied. However, I thought > it worth mentioning these details, since the situation is odd > and surprising. Hi Michael! This is more likely due to historical reasons: the initial version of prctl(PR_SET_MM, ...) been operating with individual fields and this was very unsafe. Because of this we left it under CAP_SYS_RESOURCE (because you must have enough rights to change such deep fields). Later we switched to PR_SET_MM_MAP which is a safe version and allows to modify memory map as a "whole" so we can do a precise check. And this allowed us to relax requirements. As to me the old PR_SET_MM should be deprecated and finally removed from the kernel, but since it is a part of API we can't do such thing easily. Same time current PR_SET_MM internally is rather an alias for PR_SET_MM_MAP because we create a temporary map and pass it to the verification procedure so it looks like we can relax requirements here to match the PR_SET_MM_MAP call. But need to think maybe I miss something obvious here.