Received: by 2002:a89:2c3:0:b0:1ed:23cc:44d1 with SMTP id d3csp634275lqs; Tue, 5 Mar 2024 11:34:51 -0800 (PST) X-Forwarded-Encrypted: i=3; AJvYcCXTW3BdciUGIWDO7XLGo+utHq/Y54eFqy2yRBgrSUB6TmwnfHidhQA6DLzKr+dYwQTuNoO8Xb+wH5XQPwy0PDovCbgpuIfQZ5qaaHtlWA== X-Google-Smtp-Source: AGHT+IGLa8IwY6xrq7OjuFBeOQoIRq9OAueKiPP2cIAsCa36D0u7hztQGunBgPBYk4xC56qmM19j X-Received: by 2002:a05:6a00:99a:b0:6e6:38b8:a1e6 with SMTP id u26-20020a056a00099a00b006e638b8a1e6mr3853883pfg.10.1709667290915; Tue, 05 Mar 2024 11:34:50 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1709667290; cv=pass; d=google.com; s=arc-20160816; b=WaKyAlQ7APSrZH9KyDueUMx9Fm5Rhbu3cM/A++h2LYROrznFrpeKolC0Z0f/4h6QRe 7ZkmEcjRUy6FdD5TTqEE0/GD9ADbvMkdD1CTxnCCdrOktwQg/awPK0RgaLF5WwGHj185 rbEQiY7bA45Yd06pLtuVpYxaW83MtYeGdR+GZdjKdeN2XOE9UMvUM0af0uxVLFtLrWpR 0gG6rDnVE+WvqmNR7YH6MVOhe63A/iZx0cX36j0v/oN6t3PIcLXKSMIfaFP5k524bgrG OYCLZzMlTH6iBYO1rlGhYdWQxMYoBRIs66xYABN8FwFNqWyKft+EZCHZAkDhbWCI/mlA Sm/w== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:user-agent:subject:message-id :mime-version:list-unsubscribe:list-subscribe:list-id:precedence:to :cc:date:references:in-reply-to:from; bh=+104wAx1VWixjRafK+Ljf4Q19IahK5I41G+q/gAO1eg=; fh=q7VP03C5/uVUnSCgU9/jjMsqs//6YWlgPdTo0KUOTq0=; b=VERwiaEojOhQFR9ygii2iwww8LMiXoWArsaL49fJbnBtKf7iYO7gneKHENWE6obEOj HPx+6W9cdc3J46fZiJkgi3oh9gWUVKUa/z2UqXuwWARGqB4l4HkTw4YJkP5YAUhx5+m8 TwFJffXLPFP1dewDZCjUJ6h4HrE0XOC9Y4gtca6cfpxS+mrkb8OEfezQFL7Hxhyv8FX1 /dWp8AhLUoL9JIacWu4LDIEmMzz2VFrLQoD7/rkbdtiregqy4ucCEB0+F1wNUCP9PGMB V8RnUDZeGonlMVhSazjVe//sf7aA3VNYp8vH5rRwaBT3RfPKwo3kfLCGZKNNYJYs/B+o gtqw==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; arc=pass (i=1 spf=pass spfdomain=collabora.com dmarc=pass fromdomain=collabora.com); spf=pass (google.com: domain of linux-kernel+bounces-92886-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-92886-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=collabora.com Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [2604:1380:45e3:2400::1]) by mx.google.com with ESMTPS id e6-20020a656886000000b005dc8554d4f6si5149517pgt.49.2024.03.05.11.34.50 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 05 Mar 2024 11:34:50 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-92886-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1; Authentication-Results: mx.google.com; arc=pass (i=1 spf=pass spfdomain=collabora.com dmarc=pass fromdomain=collabora.com); spf=pass (google.com: domain of linux-kernel+bounces-92886-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-92886-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=collabora.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 9543428D27D for ; Tue, 5 Mar 2024 19:34:50 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id DC26C5C5FB; Tue, 5 Mar 2024 19:34:39 +0000 (UTC) Received: from madrid.collaboradmins.com (madrid.collaboradmins.com [46.235.227.194]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CAC301B809; Tue, 5 Mar 2024 19:34:37 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=46.235.227.194 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709667279; cv=none; b=KL0BTA0dGaMd2Dm7E0iPsqA8Z0JObFWlsRYOMZqe8NehhWZAEnwpaAqQGyelL86XnLd7sGliT5oExGtfjR8SQQaDczVJYqW/VE2p3X8QC56xDF9QL+zaPATL8Lr+W69Hjkz+qOu3HiC5A9tqK3vclWXlmOYeNTG/jJ6/o0vuIW0= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709667279; c=relaxed/simple; bh=UdyplhazAm9JcbRu3RQ5VQwxs4WDrQvjdtcSkVIwiPg=; h=From:In-Reply-To:Content-Type:References:Date:Cc:To:MIME-Version: Message-ID:Subject; b=Cnp/49c4kih4FhSFasio2E1NwnXzURpDkv858iAo29LpFCtTIC8RrfJTvrtUY0lBtjirjH0yM5L+iNHT6zlWMTPKaB0xu7Kxo2Bimwgoxfx4tsI7nadm9eOe4k0DzWwtp+lhsaSF2fnnTDmgYDnlnu073ASb+cKUuUET4BDWzrE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=collabora.com; spf=pass smtp.mailfrom=collabora.com; arc=none smtp.client-ip=46.235.227.194 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=collabora.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=collabora.com Received: from harlem.collaboradmins.com (harlem.collaboradmins.com [IPv6:2a01:4f8:1c0c:5936::1]) by madrid.collaboradmins.com (Postfix) with ESMTP id 178E8378204B; Tue, 5 Mar 2024 19:34:35 +0000 (UTC) From: "Adrian Ratiu" In-Reply-To: <202403051033.9527DD75@keescook> Content-Type: text/plain; charset="utf-8" X-Forward: 127.0.0.1 References: <20240301213442.198443-1-adrian.ratiu@collabora.com> <20240304-zugute-abtragen-d499556390b3@brauner> <202403040943.9545EBE5@keescook> <20240305-attentat-robust-b0da8137b7df@brauner> <202403050134.784D787337@keescook> <20240305-kontakt-ticken-77fc8f02be1d@brauner> <202403050211.86A44769@keescook> <20240305-brotkrumen-vorbild-9709ce924d25@brauner> <202403051033.9527DD75@keescook> Date: Tue, 05 Mar 2024 19:34:34 +0000 Cc: "Christian Brauner" , linux-fsdevel@vger.kernel.org, kernel@collabora.com, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, "Guenter Roeck" , "Doug Anderson" , "Jann Horn" , "Andrew Morton" , "Randy Dunlap" , "Mike Frysinger" To: "Kees Cook" Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Message-ID: <45d98-65e77400-5-31aa8000@248840925> Subject: =?utf-8?q?Re=3A?= [PATCH v2] =?utf-8?q?proc=3A?= allow restricting /proc/pid/mem writes User-Agent: SOGoMail 5.10.0 Content-Transfer-Encoding: quoted-printable On Tuesday, March 05, 2024 20:37 EET, Kees Cook = wrote: > On Tue, Mar 05, 2024 at 11:32:04AM +0100, Christian Brauner wrote: > > On Tue, Mar 05, 2024 at 02:12:26AM -0800, Kees Cook wrote: > > > On Tue, Mar 05, 2024 at 10:58:25AM +0100, Christian Brauner wrote= : > > > > Since the write handler for /proc//mem does raise FOLL=5FF= ORCE > > > > unconditionally it likely would implicitly. But I'm not familia= r enough > > > > with FOLL=5FFORCE to say for sure. > > >=20 > > > I should phrase the question better. :) Is the supervisor writing= into > > > read-only regions of the child process? > >=20 > > Hm... I suspect we don't. Let's take two concrete examples so you c= an > > tell me. > >=20 > > Incus intercepts the sysinfo() syscall. It prepares a struct sysinf= o > > with cgroup aware values for the supervised process and then does: > >=20 > > unix.Pwrite(siov.memFd, &sysinfo, sizeof(struct sysinfo), seccomp=5F= data.args[0])) > >=20 > > It also intercepts some bpf system calls attaching bpf programs for= the > > caller. If that fails we update the log buffer for the supervised > > process: > >=20 > > union bpf=5Fattr attr =3D {}, new=5Fattr =3D {}; > >=20 > > // read struct bpf=5Fattr from mem=5Ffd > > ret =3D pread(mem=5Ffd, &attr, attr=5Flen, req->data.args[1]); > > if (ret < 0) > > return -errno; > >=20 > > // Do stuff with attr. Stuff fails. Update log buffer for supervise= d process: > > if ((new=5Fattr.log=5Fsize) > 0 && (pwrite(mem=5Ffd, new=5Fattr.log= =5Fbuf, new=5Fattr.log=5Fsize, attr.log=5Fbuf) !=3D new=5Fattr.log=5Fsi= ze)) >=20 > This is almost certainly in writable memory (either stack or .data). Mostly yes, but we can't be certain where it comes from, because SECCOMP=5FIOCTL=5FNOTIF=5FRECV passes any addresses set by the caller to the supervisor process. It is a kind of "implementation defined" behavior, just like we can't predict what the supervisor will do with the caller mem :) >=20 > > But I'm not sure if there are other use-cases that would require th= is. >=20 > Maybe this option needs to be per-process (like no=5Fnew=5Fprivs), an= d with > a few access levels: >=20 > - as things are now > - no FOLL=5FFORCE unless by ptracer > - no writes unless by ptracer > - no FOLL=5FFORCE ever > - no writes ever > - no reads unless by ptracer > - no reads ever >=20 > Which feels more like 3 toggles: read, write, FOLL=5FFORCE. Each set = to > "DAC", "ptracer", and "none"? I really like this approach because it provides a mechanism with maximum flexibility without imposing a specific policy. What does DAC mean in this context? My mind jumps to Digital to Analog Converter :) Shall I give it a try in v3? >=20 > --=20 > Kees Cook