Received: by 2002:a05:6a10:9e8c:0:0:0:0 with SMTP id y12csp1403698pxx; Fri, 30 Oct 2020 09:11:06 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyoNPgqie3PEwAXj4SPLjU9d2zcDLgEKQWi1FDyOZ1yZl+LrNNB1EVi+aAkdIrd3TY/rHot X-Received: by 2002:aa7:da13:: with SMTP id r19mr3200405eds.20.1604074266116; Fri, 30 Oct 2020 09:11:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1604074266; cv=none; d=google.com; s=arc-20160816; b=oKSINmbkRPKvA5YbZu7H1rDn3u85LPtQkcSTxg4vDC18PXjkPI2WfcmTGMzP7c3gei ACIWCXyOBIkX3nOt9giHT57p9lGbtFj/4qrmb9BA6wecrv4nYJVp0CBOoij85zVtTtFr BoLPl7d5n5MfoCwpjRE0USjvfjZVxOMUlUOVAfrbHREJ7jjGdKyHxzU5oGer/XI0AlzN tpkeJFESbDHL3efjEr2BzdHyqlyuyIzRfKQ1YYhcO/Ina0gUqaXRN4ELfUYjySfN+hEz kk6uEkh28wwByeVJ/sscqVAGArgBKlpF1iNlihKT4QcwTnsNC8l2k5xI380ZFd40ZK1E 7Lyw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject; bh=WWryXyllSn6MbdbJ+Jl2vgndGc9RsF4+ejDvDoCnPOQ=; b=U3C/bOr17nI8jn7cWJQkds/o8DrdRMrF4bpu/Ao67KYXWTi73bMidRwQtyMymcwv4V J6/B3Wt3VAUC+ovJHFvdrL7QSkEoRE6iJzG8yMRQEzwXxvl0iace9uu05EbZoFJSJOeu ioeqt9fvktM72V1En91mtY6G84pPHJJUxTLrcS7Gm6h69M6QR1DQlH62ralIj71+q2u+ sXLo/iz/CJBYu9dPnleL740R+SEWjSz7cGDEJcw5Rj4tznd9el14C6qtFHQHAtzx/zJA p1+2R5tD3mRJkBy9PREg8/4mm1zXIRVTJY1LSFC8PaTM2hxppcwh/znJx3r7Kmv6aek4 nTDg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id y11si4837468ejd.682.2020.10.30.09.10.40; Fri, 30 Oct 2020 09:11:06 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726236AbgJ3QGo (ORCPT + 99 others); Fri, 30 Oct 2020 12:06:44 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50198 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725355AbgJ3QGo (ORCPT ); Fri, 30 Oct 2020 12:06:44 -0400 Received: from smtp-42aa.mail.infomaniak.ch (smtp-42aa.mail.infomaniak.ch [IPv6:2001:1600:4:17::42aa]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 80628C0613CF for ; Fri, 30 Oct 2020 09:06:44 -0700 (PDT) Received: from smtp-2-0001.mail.infomaniak.ch (unknown [10.5.36.108]) by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4CN6cx2KK4zllGw2; Fri, 30 Oct 2020 17:06:41 +0100 (CET) Received: from ns3096276.ip-94-23-54.eu (unknown [94.23.54.103]) by smtp-2-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 4CN6cw2Rr9zlh8TQ; Fri, 30 Oct 2020 17:06:40 +0100 (CET) Subject: Re: [PATCH v1 1/2] ptrace: Set PF_SUPERPRIV when checking capability To: Jann Horn Cc: Christian Brauner , Kees Cook , Oleg Nesterov , Eric Paris , James Morris , "Serge E . Hallyn" , Tyler Hicks , Will Drewry , kernel list , stable , =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= References: <20201030123849.770769-1-mic@digikod.net> <20201030123849.770769-2-mic@digikod.net> From: =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= Message-ID: <94a86084-5aab-4a2c-e654-f55130190c1a@digikod.net> Date: Fri, 30 Oct 2020 17:06:39 +0100 User-Agent: MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 30/10/2020 16:47, Jann Horn wrote: > On Fri, Oct 30, 2020 at 1:39 PM Mickaël Salaün wrote: >> Commit 69f594a38967 ("ptrace: do not audit capability check when outputing >> /proc/pid/stat") replaced the use of ns_capable() with >> has_ns_capability{,_noaudit}() which doesn't set PF_SUPERPRIV. >> >> Commit 6b3ad6649a4c ("ptrace: reintroduce usage of subjective credentials in >> ptrace_has_cap()") replaced has_ns_capability{,_noaudit}() with >> security_capable(), which doesn't set PF_SUPERPRIV neither. >> >> Since commit 98f368e9e263 ("kernel: Add noaudit variant of ns_capable()"), a >> new ns_capable_noaudit() helper is available. Let's use it! >> >> As a result, the signature of ptrace_has_cap() is restored to its original one. >> >> Cc: Christian Brauner >> Cc: Eric Paris >> Cc: Jann Horn >> Cc: Kees Cook >> Cc: Oleg Nesterov >> Cc: Serge E. Hallyn >> Cc: Tyler Hicks >> Cc: stable@vger.kernel.org >> Fixes: 6b3ad6649a4c ("ptrace: reintroduce usage of subjective credentials in ptrace_has_cap()") >> Fixes: 69f594a38967 ("ptrace: do not audit capability check when outputing /proc/pid/stat") >> Signed-off-by: Mickaël Salaün > > Yeah... I guess this makes sense. (We'd have to undo or change it if > we ever end up needing to use a different set of credentials, e.g. > from ->f_cred, but I guess that's really something we should avoid > anyway.) > > Reviewed-by: Jann Horn > > with one nit: > > > [...] >> /* Returns 0 on success, -errno on denial. */ >> static int __ptrace_may_access(struct task_struct *task, unsigned int mode) >> { >> - const struct cred *cred = current_cred(), *tcred; >> + const struct cred *const cred = current_cred(), *tcred; > > This is an unrelated change, and almost no kernel code marks local > pointer variables as "const". I would drop this change from the patch. This give guarantee that the cred variable will not be used for something else than current_cred(), which kinda prove that this patch doesn't change the behavior of __ptrace_may_access() by not using cred in ptrace_has_cap(). It doesn't hurt and I think it could be useful to spot issues when backporting. > >> struct mm_struct *mm; >> kuid_t caller_uid; >> kgid_t caller_gid;