Received: by 2002:a89:2c3:0:b0:1ed:23cc:44d1 with SMTP id d3csp636126lqs; Tue, 5 Mar 2024 11:38:29 -0800 (PST) X-Forwarded-Encrypted: i=3; AJvYcCVA/w3LkWNLXtLJPxXNJg29QmNQRS1K+oJzrhZZxHvpbRh14AZYd9raeS6l5xq9o4FkCxbeo+MeI1kqC1HSIGvxY8/W8buih98Q0osaCw== X-Google-Smtp-Source: AGHT+IHERu/mE4ToycDWe0tqupBxyGFI9Pg1HARD6yOVR5CRbbxrcs61vvHqiCNTm/Xvf+7v6Kx3 X-Received: by 2002:a50:fb98:0:b0:566:93d9:a184 with SMTP id e24-20020a50fb98000000b0056693d9a184mr3925128edq.7.1709667509546; Tue, 05 Mar 2024 11:38:29 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1709667509; cv=pass; d=google.com; s=arc-20160816; b=g2hOC3velM4DlBHhKIa61nBVhX2GCh92OtTEEGT0PoSoQzwZLwiz51Bg9b7hiQKX3d iTWifAc4VjLAs786acXPJGFmyxKf//k3M33xg1H5ufC4oDowwS80JjJliskU2cV6uv1Q oj5Ob+eVnzai3x+Qngpb3TBCIS1HWjTRIcPlQe6Qv9lFW1E5AJR8HdySiciF1XqQGBHU HT5zDJaa/Pyt80fv91QM29dmySfTU82FGpyYqXNwXSILm6XnG4LnMaFXUkaXfyXhINOg a/UiEPeyI1lESTZ+b7ruLsBmqR3PiI9W40JtD+UVdoK/3iI7Ko+JgfsYicVbAS/tymCF 8y6w== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-disposition:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:message-id:subject:cc :to:from:date:dkim-signature; bh=HA7mlV83NfUZx2uZSPlTtkihc76ZZ9iwfT6eqOr1MbM=; fh=Pcg2u8+M0mISZ0cg7KAaeK28+6oSxqJkuFWM0jjPsEg=; b=wf7uXtBdJwAkTG5xN1sWsw4LNaUC+prW8p0WjyEoGyG8VgWoRvcu6qmXpREG366eVd PLAYcKtr03wLyq8WM5Wf5lujd2bHiKA5lArzMLQcyqxiR+M2k3CDXynlLQNUGwZ+ooTL tKe0koFLMHNdD36LiOA4IiSFrSVup6KlhW2EhOTeVaFlRmdv0fTnAK6U7i3my/SMbsQP Bb9rEFjFNljtsceCZ4Jaw0Tq9hqfFYN1pKZWUfxp/huJm3CQBBmIOMzGxjmskA4PAZFO BHeWtQgXsgDkSrUSVIo4ZoKVwhr8A/8q6qNeHOPQiI8CyWvA74zDkEv45CiQrtnd4o0e mhJQ==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=dRdSLyFL; arc=pass (i=1 spf=pass spfdomain=chromium.org dkim=pass dkdomain=chromium.org dmarc=pass fromdomain=chromium.org); spf=pass (google.com: domain of linux-kernel+bounces-92892-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-92892-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [2604:1380:4601:e00::3]) by mx.google.com with ESMTPS id z15-20020a05640240cf00b00566c1d0e2aesi4504853edb.68.2024.03.05.11.38.29 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 05 Mar 2024 11:38:29 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-92892-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) client-ip=2604:1380:4601:e00::3; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=dRdSLyFL; arc=pass (i=1 spf=pass spfdomain=chromium.org dkim=pass dkdomain=chromium.org dmarc=pass fromdomain=chromium.org); spf=pass (google.com: domain of linux-kernel+bounces-92892-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-92892-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 1EEA81F27F21 for ; Tue, 5 Mar 2024 19:38:29 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 102E85C614; Tue, 5 Mar 2024 19:38:18 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="dRdSLyFL" Received: from mail-pf1-f177.google.com (mail-pf1-f177.google.com [209.85.210.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9430F18639 for ; Tue, 5 Mar 2024 19:38:15 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.177 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709667497; cv=none; b=RjmVFwcypKR5GG+nhmSy4LWTql2Y6bSpvlX3qnSU+drYE6O7Yh8VgXmMZTSxP+6L5POEwhbzz8y+NdIL2T9OiaPLicrZLnKf43ITUAUlFbkztC3alhYeqlps+hKCzW+rEA5E+BVgXRW3x+Z95blpWova1oaiZWzsvnyhMP8yA8A= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709667497; c=relaxed/simple; bh=yjCr221DADkA5bNqdiY3x3UI306XYd+UggCeyz1yRHo=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=T5OvWFIrnmUbqjGQ/No8Uh1ToIK8YGh/xgbMmL8p3rps38uXHynFYbh05EDzTNboidT40AlQAVFdBE3TzQ4oMHTMfNB4+AEXoMs6ozAQapFY6vdHFZn32TEXRxcgH0p3hujUEZbI4fle9riAGThecblmL03vLn0XAVb6cBiuV1M= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=dRdSLyFL; arc=none smtp.client-ip=209.85.210.177 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Received: by mail-pf1-f177.google.com with SMTP id d2e1a72fcca58-6e622b46f45so2135347b3a.1 for ; Tue, 05 Mar 2024 11:38:15 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1709667495; x=1710272295; darn=vger.kernel.org; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=HA7mlV83NfUZx2uZSPlTtkihc76ZZ9iwfT6eqOr1MbM=; b=dRdSLyFLWUwFE7SkDpzX3lGrbbKJCXv7b25F3N1BSaoWCN4AMTYspJp8sArHg3f5/f WEbQVWXoqKTUVQH5c8n+pQ+q4NY4tjOaLmXs9wCNZ+6wP/3zNegJnX6qwfjukMtDfwb1 Qa4yKG0JnV+CBMpQeyUVWCkjnij8/Jwo/AqC4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1709667495; x=1710272295; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=HA7mlV83NfUZx2uZSPlTtkihc76ZZ9iwfT6eqOr1MbM=; b=svmwkFuHl5FqaRBtPtKB06vcxblN6wNxrahKEydPs/j+4ub/0ykug0XDUlJl4rKIOO 8npVFWOPIOglKAmlcASdEDY9gRsfkmCa6bYPY1ivIdmixPmwkrqDxtHXoYk+r1ASapM6 q8EG0xTHD5e6dG/4uTOVUtvt61z0v+LnJ2PGyYMyLGx2HvI6Cgc1wUsi5FkKF17J9mTV +C0oUkeq2R6Ov/boUrWD60vIHY8/ICQKTT4oLiFBEJbL6WHkIN7jIno/upQlSXCqFBCt LZDLBEIwcT8GJWkfcLw9uGAh8Fbrpgr0CLlwQohhahxBrJPXkKCXxvXJf4ffkK1zzkxK U1Jg== X-Forwarded-Encrypted: i=1; AJvYcCWu40TRc4pXgo+hW7bW8XNUamUKfMZjKjdc9Ar9Zh00WtmxNObM/WeHHhreSMfrq94xMvYcyExFw094//FbWrbiuh4RQf8d3ByPodf8 X-Gm-Message-State: AOJu0YwXlrxglB5R+hOuruX3HXZmO47y+afbiLi9F+K4ZftKMV8Vfd6Y 6SMiAz9iDpGqYEOksnK9/TS7qZDtsIUI/78Wbfolxl+uwO/+LP0hunR/4Q+dEA== X-Received: by 2002:a05:6a20:d04e:b0:1a1:e41:979b with SMTP id hv14-20020a056a20d04e00b001a10e41979bmr3227567pzb.41.1709667494966; Tue, 05 Mar 2024 11:38:14 -0800 (PST) Received: from www.outflux.net ([198.0.35.241]) by smtp.gmail.com with ESMTPSA id 11-20020a63104b000000b005d8e30897e4sm9348461pgq.69.2024.03.05.11.38.14 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 05 Mar 2024 11:38:14 -0800 (PST) Date: Tue, 5 Mar 2024 11:38:13 -0800 From: Kees Cook To: Adrian Ratiu Cc: Christian Brauner , linux-fsdevel@vger.kernel.org, kernel@collabora.com, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, Guenter Roeck , Doug Anderson , Jann Horn , Andrew Morton , Randy Dunlap , Mike Frysinger Subject: Re: [PATCH v2] proc: allow restricting /proc/pid/mem writes Message-ID: <202403051135.708135A8@keescook> References: <20240301213442.198443-1-adrian.ratiu@collabora.com> <20240304-zugute-abtragen-d499556390b3@brauner> <202403040943.9545EBE5@keescook> <20240305-attentat-robust-b0da8137b7df@brauner> <202403050134.784D787337@keescook> <20240305-kontakt-ticken-77fc8f02be1d@brauner> <202403050211.86A44769@keescook> <20240305-brotkrumen-vorbild-9709ce924d25@brauner> <202403051033.9527DD75@keescook> <45d98-65e77400-5-31aa8000@248840925> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <45d98-65e77400-5-31aa8000@248840925> On Tue, Mar 05, 2024 at 07:34:34PM +0000, Adrian Ratiu wrote: > On Tuesday, March 05, 2024 20:37 EET, Kees Cook wrote: > > > On Tue, Mar 05, 2024 at 11:32:04AM +0100, Christian Brauner wrote: > > > On Tue, Mar 05, 2024 at 02:12:26AM -0800, Kees Cook wrote: > > > > On Tue, Mar 05, 2024 at 10:58:25AM +0100, Christian Brauner wrote: > > > > > Since the write handler for /proc//mem does raise FOLL_FORCE > > > > > unconditionally it likely would implicitly. But I'm not familiar enough > > > > > with FOLL_FORCE to say for sure. > > > > > > > > I should phrase the question better. :) Is the supervisor writing into > > > > read-only regions of the child process? > > > > > > Hm... I suspect we don't. Let's take two concrete examples so you can > > > tell me. > > > > > > Incus intercepts the sysinfo() syscall. It prepares a struct sysinfo > > > with cgroup aware values for the supervised process and then does: > > > > > > unix.Pwrite(siov.memFd, &sysinfo, sizeof(struct sysinfo), seccomp_data.args[0])) > > > > > > It also intercepts some bpf system calls attaching bpf programs for the > > > caller. If that fails we update the log buffer for the supervised > > > process: > > > > > > union bpf_attr attr = {}, new_attr = {}; > > > > > > // read struct bpf_attr from mem_fd > > > ret = pread(mem_fd, &attr, attr_len, req->data.args[1]); > > > if (ret < 0) > > > return -errno; > > > > > > // Do stuff with attr. Stuff fails. Update log buffer for supervised process: > > > if ((new_attr.log_size) > 0 && (pwrite(mem_fd, new_attr.log_buf, new_attr.log_size, attr.log_buf) != new_attr.log_size)) > > > > This is almost certainly in writable memory (either stack or .data). > > Mostly yes, but we can't be certain where it comes from, because > SECCOMP_IOCTL_NOTIF_RECV passes any addresses set by the > caller to the supervisor process. > > It is a kind of "implementation defined" behavior, just like we > can't predict what the supervisor will do with the caller mem :) > > > > > > But I'm not sure if there are other use-cases that would require this. > > > > Maybe this option needs to be per-process (like no_new_privs), and with > > a few access levels: > > > > - as things are now > > - no FOLL_FORCE unless by ptracer > > - no writes unless by ptracer > > - no FOLL_FORCE ever > > - no writes ever > > - no reads unless by ptracer > > - no reads ever > > > > Which feels more like 3 toggles: read, write, FOLL_FORCE. Each set to > > "DAC", "ptracer", and "none"? > > I really like this approach because it provides a mechanism > with maximum flexibility without imposing a specific policy. > > What does DAC mean in this context? My mind jumps to > Digital to Analog Converter :) Ah yes, sorry, this is Discretionary Access Control (which is my short-hand for saying "basic file permissions"). But I guess that's kind of not really true since the open() access checks are doing a "ptrace-able" check in addition to the file perms check. > Shall I give it a try in v3? Yeah, though maybe see if Mike or Jann chime in over the next few days? -Kees -- Kees Cook