Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp2906260pxj;
        Mon, 14 Jun 2021 09:46:32 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJzS/wOAnWKSrYNCgYIIs9D6Y4i9gfoulsZ2+GBMefjxyEI62a03j1h3cQ76tCGSCgpGL81C
X-Received: by 2002:aa7:d413:: with SMTP id z19mr18338584edq.37.1623689192312;
        Mon, 14 Jun 2021 09:46:32 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1623689192; cv=none;
        d=google.com; s=arc-20160816;
        b=TxhqmeVZhJAgPb65NNVG+IoVbMdLktY6YHPi56gPiliC7nFwFlF5BCBUoB7WwaRbm0
         Bq6hcvg79Sdcran6Uj9YzvE65HTY+V8oMI2JzsitGehQK1NG6V2E8gZl14y15ph7hR/r
         rwgbQONaKWL7JbcQH1guRTZiyn76gGPXhNr91BkFFur0deeQ2l8xEpfd+0L3isz0NI8s
         KCW9PHc1OQMeuKxZ18PBftvzySpeGwCUoZatNLPvHyaTz0Rm8Nqg4k0bbtmb3EL6ywSQ
         LesIR6Iu6h4UTHim1zV1UAoXusNpidyizfJE5qd2Cuw4YTkNiaGrPv48siFhXKmwEadj
         74kA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=XE6H10v+4K87NjIk8prkM4d2wneLI3dvub+7esrDVfg=;
        b=y8glKb78S5fTDNEXGATgY3mypTU1GOYqkk22+l6Or5Cdn42Rm6SpSFzHz6O5j+km7Y
         +9nOwIF7PHXfjG213pDNDGVbVPLk3gdTNBHhvwkjo0AiWcggardMs0VZ1C4wMgXJnYcZ
         SLbstfnO7M2q7c/DV+eX8KW20gUAx877kocYlQmj9LDxdb9P5zV6GZYYWUXvq1G6FfS0
         lRMlRuoBdpzQBLdwmgw2b9HFb7pnLXEEcupTcOT23oTjjnC2uYV4MvU3WDJUJ68+2Lqi
         7sdvMRkUjNAXNg5D53sHXxFyGSctQ2u6vo4yCtCPO4AUCQdOJXpc4JU8hjpNp3eiI5Vj
         8f8A==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@chromium.org header.s=google header.b=R0hyyNf1;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id h24si8507149ejt.504.2021.06.14.09.46.09;
        Mon, 14 Jun 2021 09:46:32 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@chromium.org header.s=google header.b=R0hyyNf1;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S234859AbhFNQrV (ORCPT <rfc822;ly15351151@gmail.com> + 99 others);
        Mon, 14 Jun 2021 12:47:21 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58274 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S233492AbhFNQrU (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 14 Jun 2021 12:47:20 -0400
Received: from mail-pj1-x102e.google.com (mail-pj1-x102e.google.com [IPv6:2607:f8b0:4864:20::102e])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 944B1C061574
        for <linux-kernel@vger.kernel.org>; Mon, 14 Jun 2021 09:45:17 -0700 (PDT)
Received: by mail-pj1-x102e.google.com with SMTP id o10-20020a17090aac0ab029016e92770073so348421pjq.5
        for <linux-kernel@vger.kernel.org>; Mon, 14 Jun 2021 09:45:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:in-reply-to;
        bh=XE6H10v+4K87NjIk8prkM4d2wneLI3dvub+7esrDVfg=;
        b=R0hyyNf1j+XUxrhZftIz5PLMAsBn54xSfjcVXYP907o++1arq7NfEa45NVVz42sL8q
         GBGVdvdrlosa2afujLnozFUBk6Ce/L8avJARYyxS3JFAO5Z8PE/vZQfhledSVQX6FneX
         nwVEInObC20oR9SLh5V7CUs1c+gzSpjgElVt4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:in-reply-to;
        bh=XE6H10v+4K87NjIk8prkM4d2wneLI3dvub+7esrDVfg=;
        b=myBHFZNvuZv2yZc9/Kb/aPz72LQ7/bV+rxlNlB4jDqgZ/BXBk48P9kFYri8abfbFgu
         tmGhz6g97y3gMEURcl9N/U4c3v8K7Iq0h8qfMW3EXlSKM3LW+ItLSUWz6mt2Q1w8rpMf
         snovZ5H6FVjNRNUFU/bwmvc+z1giHMtqbyc5LMNeXTiffm3RO1uOi4cNQ9UdkI4qNhbB
         +elMeEgtl24wuKvunq9mik53b7GKbTWOc60Ca9602VBiHZ464+H9GEtVIP642I6Zf/kK
         v9Vs+3JsK0qNAdrx1TiFS2jEUA7NW6Gbo0HZ6MObilRW45aaqs56A+G8LLBfYB4XYVRu
         XaYw==
X-Gm-Message-State: AOAM533ahV+w7Bs3jeOqx15sTooGTgfJkhGVVcyXefaHhpNAGK6+VHS8
        rrI+g2fJbFWw+5pPXVSi7hk/6w==
X-Received: by 2002:a17:90b:901:: with SMTP id bo1mr20049707pjb.0.1623689117081;
        Mon, 14 Jun 2021 09:45:17 -0700 (PDT)
Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163])
        by smtp.gmail.com with ESMTPSA id ms5sm20953pjb.19.2021.06.14.09.45.16
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 14 Jun 2021 09:45:16 -0700 (PDT)
Date:   Mon, 14 Jun 2021 09:45:15 -0700
From:   Kees Cook <keescook@chromium.org>
To:     youling257 <youling257@gmail.com>
Cc:     torvalds@linux-foundation.org, christian.brauner@ubuntu.com,
        andrea.righi@canonical.com, linux-kernel@vger.kernel.org,
        stable@vger.kernel.org, regressions@lists.linux.dev,
        linux-security-module@vger.kernel.org,
        Paul Moore <paul@paul-moore.com>,
        Stephen Smalley <stephen.smalley.work@gmail.com>,
        SElinux list <selinux@vger.kernel.org>
Subject: Re: [PATCH] proc: Track /proc/$pid/attr/ opener mm_struct
Message-ID: <202106140941.7CE5AE64@keescook>
References: <20210608171221.276899-1-keescook@chromium.org>
 <20210614100234.12077-1-youling257@gmail.com>
 <202106140826.7912F27CD@keescook>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <202106140826.7912F27CD@keescook>
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Jun 14, 2021 at 08:32:35AM -0700, Kees Cook wrote:
> On Mon, Jun 14, 2021 at 06:02:34PM +0800, youling257 wrote:
> > I used mainline kernel on android, this patch cause "failed to retrieve pid context" problem.
> > 
> > 06-14 02:15:51.165  1685  1685 E ServiceManager: SELinux: getpidcon(pid=1682) failed to retrieve pid context.

I found getpidcon() in libselinux:
https://github.com/SELinuxProject/selinux/blob/master/libselinux/src/procattr.c#L159

> > 06-14 02:15:51.166  1685  1685 E ServiceManager: add_service('batteryproperties',1) uid=0 - PERMISSION DENIED
> > 06-14 02:15:51.166  1682  1682 I ServiceManager: addService() batteryproperties failed (err -1 - no service manager yet?).  Retrying...
> > 06-14 02:15:51.197  1685  1685 E ServiceManager: SELinux: getpidcon(pid=1695) failed to retrieve pid context.
> > 06-14 02:15:51.197  1685  1685 E ServiceManager: add_service('android.security.keystore',1) uid=1017 - PERMISSION DENIED
> > 06-14 02:15:51.198  1695  1695 I ServiceManager: addService() android.security.keystore failed (err -1 - no service manager yet?).  Retrying...
> > 06-14 02:15:51.207  1685  1685 E ServiceManager: SELinux: getpidcon(pid=1708) failed to retrieve pid context.
> > 06-14 02:15:51.207  1685  1685 E ServiceManager: add_service('android.service.gatekeeper.IGateKeeperService',1) uid=1000 - PERMISSION DENIED
> > 06-14 02:15:51.207  1708  1708 I ServiceManager: addService() android.service.gatekeeper.IGateKeeperService failed (err -1 - no service manager yet?).  Retrying...
> > 06-14 02:15:51.275  1685  1685 E ServiceManager: SELinux: getpidcon(pid=1693) failed to retrieve pid context.
> > 06-14 02:15:51.275  1692  1692 I cameraserver: ServiceManager: 0xf6d309e0
> > 06-14 02:15:51.275  1685  1685 E ServiceManager: add_service('drm.drmManager',1) uid=1019 - PERMISSION DENIED
> > 06-14 02:15:51.276  1693  1693 I ServiceManager: addService() drm.drmManager failed (err -1 - no service manager yet?).  Retrying...
> > 
> 
> Argh. Are you able to uncover what userspace is doing here?

It looks like this is a case of attempting to _read_ the attr file, and
the new opener check was requiring the opener/target relationship pass
the mm_access() checks, which is clearly too strict.

> So far, my test cases are:
> 
> 1) self: open, write, close: allowed
> 2) self: open, clone thread. thread: change privileges, write, close: allowed
> 3) self: open, give to privileged process. privileged process: write: reject

I've now added:

4) self: open privileged process's attr, read, close: allowed

Can folks please test this patch to double-check?


diff --git a/fs/proc/base.c b/fs/proc/base.c
index 7118ebe38fa6..7c55301674e0 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -2676,7 +2676,14 @@ static int proc_pident_readdir(struct file *file, struct dir_context *ctx,
 #ifdef CONFIG_SECURITY
 static int proc_pid_attr_open(struct inode *inode, struct file *file)
 {
-	return __mem_open(inode, file, PTRACE_MODE_READ_FSCREDS);
+	struct mm_struct *mm = __mem_open(inode, file, PTRACE_MODE_READ_FSCREDS);
+
+	/* Reads do not require mm_struct access. */
+	if (IS_ERR(mm))
+		mm = NULL;
+
+	file->private_data = mm;
+	return 0;
 }
 
 static ssize_t proc_pid_attr_read(struct file * file, char __user * buf,
@@ -2709,7 +2716,7 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf,
 	int rv;
 
 	/* A task may only write when it was the opener. */
-	if (file->private_data != current->mm)
+	if (!file->private_data || file->private_data != current->mm)
 		return -EPERM;
 
 	rcu_read_lock();


Wheee.

-- 
Kees Cook