Received: by 2002:a05:6a10:1a4d:0:0:0:0 with SMTP id nk13csp2393090pxb; Wed, 9 Feb 2022 18:07:06 -0800 (PST) X-Google-Smtp-Source: ABdhPJx5CIsXS5I/rhyOwwcSP0bsIn1n58rMAFZu8zN3MWR9g+y+vtrIBTBXoyGPFBzGm/sBo87B X-Received: by 2002:a63:243:: with SMTP id 64mr4390998pgc.117.1644458825974; Wed, 09 Feb 2022 18:07:05 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1644458825; cv=none; d=google.com; s=arc-20160816; b=0kNPSW1rVqYhAbSmRKHJhS0ACfamidqHTKDz3M8HcTQYbgRe7dVYqPOBMBS24MAI1C A3BopSXb7hmNp5n4wZfrO4kfrC8aRhUckiFbKOXKpYtTWd5aEGUSWLyCTHf/nBRAnMCI SsL0yqRUUwMrKq/fU0jX6tIKyT9atMewDaTAtb7mXe0uCA/3HQ3VmMA2xi2LUP/qPoWi OsT5SidknvmSE6CbBt8bUMzy51Enyw1kaygZFgdxgWPQ2yv2UwU7RLsOFCYn83Ne+1c6 M0miPvmKnfOJLunCIm/gdyfZ/ZpeQL0nU4zm1oxESddffAofGNR7FND7/NWamRHx8q7Q 49ag== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=vQWpxI3iK3SG6B0IBE7c9+SHQ3c0kCnMnTaUS3Jfcfo=; b=WpuFjfnAsDWuJDiY21p24WUQKPbcm07JKDQ8AqC1GCZMEH4Vuhy9avcHtNseuLb0Bf TxLnfXsZ/k+wMvvurkIa+cq24nsd/VoKjNWyf7G802juWd6HW8E3VR+h0iB1GB3dIuj3 yO3SrT7Ir/ioarNwbLUgqQsxhL2vlyo02sPJb/FOwbFu5lgMQpRtJxGgyLjtb7bNtz4l tIuJAnxOa7qMvHba2k3O12VuQVBsgoStwK/L25bdtFBBppHeuemitnaDF8bJF7TiFw6T Gcnp+9Z15Rg7tni4hqF5uIP0dbbBEHFbTNTGGTaZRM1PtWU24xcyG/EG/mHIHHOQ20yl iXXw== ARC-Authentication-Results: i=1; mx.google.com; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19]) by mx.google.com with ESMTPS id bj6si16463025pgb.190.2022.02.09.18.07.00 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 09 Feb 2022 18:07:05 -0800 (PST) Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19; Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 19BE010FE; Wed, 9 Feb 2022 17:57:44 -0800 (PST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233580AbiBJB5h (ORCPT + 99 others); Wed, 9 Feb 2022 20:57:37 -0500 Received: from gmail-smtp-in.l.google.com ([23.128.96.19]:33168 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233169AbiBJB4B (ORCPT ); Wed, 9 Feb 2022 20:56:01 -0500 X-Greylist: delayed 1201 seconds by postgrey-1.37 at lindbergh.monkeyblade.net; Wed, 09 Feb 2022 17:43:16 PST Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by lindbergh.monkeyblade.net (Postfix) with SMTP id 29BB02B6A0 for ; Wed, 9 Feb 2022 17:43:14 -0800 (PST) Received: (qmail 7392 invoked from network); 10 Feb 2022 01:16:33 -0000 Received: from localhost (HELO pvt.openwall.com) (127.0.0.1) by localhost with SMTP; 10 Feb 2022 01:16:33 -0000 Received: by pvt.openwall.com (Postfix, from userid 503) id 0E08DAB88C; Thu, 10 Feb 2022 02:14:05 +0100 (CET) Date: Thu, 10 Feb 2022 02:14:05 +0100 From: Solar Designer To: Michal =?iso-8859-1?Q?Koutn=FD?= Cc: Eric Biederman , Alexey Gladkov , Kees Cook , Shuah Khan , Christian Brauner , Ran Xiaokai , linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, Linux Containers Subject: Re: [RFC PATCH 1/6] set_user: Perform RLIMIT_NPROC capability check against new user credentials Message-ID: <20220210011405.GA17076@openwall.com> References: <20220207121800.5079-1-mkoutny@suse.com> <20220207121800.5079-2-mkoutny@suse.com> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20220207121800.5079-2-mkoutny@suse.com> User-Agent: Mutt/1.4.2.3i X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RDNS_NONE, SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Michal, On Mon, Feb 07, 2022 at 01:17:55PM +0100, Michal Koutn? wrote: > The check is currently against the current->cred but since those are > going to change and we want to check RLIMIT_NPROC condition after the > switch, supply the capability check with the new cred. > But since we're checking new_user being INIT_USER any new cred's > capability-based allowance may be redundant when the check fails and the > alternative solution would be revert of the commit 2863643fb8b9 > ("set_user: add capability check when rlimit(RLIMIT_NPROC) exceeds") > > Fixes: 2863643fb8b9 ("set_user: add capability check when rlimit(RLIMIT_NPROC) exceeds") > > Cc: Solar Designer > Cc: Christian Brauner > Signed-off-by: Michal Koutn? > --- > kernel/sys.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/kernel/sys.c b/kernel/sys.c > index 8ea20912103a..48c90dcceff3 100644 > --- a/kernel/sys.c > +++ b/kernel/sys.c > @@ -481,7 +481,8 @@ static int set_user(struct cred *new) > */ > if (ucounts_limit_cmp(new->ucounts, UCOUNT_RLIMIT_NPROC, rlimit(RLIMIT_NPROC)) >= 0 && > new_user != INIT_USER && > - !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) > + !security_capable(new, &init_user_ns, CAP_SYS_RESOURCE, CAP_OPT_NONE) && > + !security_capable(new, &init_user_ns, CAP_SYS_ADMIN, CAP_OPT_NONE)) > current->flags |= PF_NPROC_EXCEEDED; > else > current->flags &= ~PF_NPROC_EXCEEDED; Thank you for working on this and CC'ing me on it. This is related to the discussion Christian and I had in September: https://lore.kernel.org/all/20210913100140.bxqlg47pushoqa3r@wittgenstein/ Christian was going to revert 2863643fb8b9, but apparently that never happened. Back then, I also suggested: "Alternatively, we could postpone the set_user() calls until we're running with the new user's capabilities, but that's an invasive change that's likely to create its own issues." The change you propose above is similar to that, but is more limited and non-invasive. That looks good to me. However, I think you need to drop the negations of the return value from security_capable(). security_capable() returns 0 or -EPERM, while capable() returns a bool, in kernel/capability.c: ns_capable_common(): capable = security_capable(current_cred(), ns, cap, opts); if (capable == 0) { current->flags |= PF_SUPERPRIV; return true; } return false; Also, your change would result in this no longer setting PF_SUPERPRIV. This may be fine, but you could want to document it. On a related note, this comment in security/commoncap.c needs an update: * NOTE WELL: cap_has_capability() cannot be used like the kernel's capable() * and has_capability() functions. That is, it has the reverse semantics: * cap_has_capability() returns 0 when a task has a capability, but the * kernel's capable() and has_capability() returns 1 for this case. cap_has_capability() doesn't actually exist, and perhaps the comment should refer to cap_capable(). Alexander