Received: by 2002:ab2:6857:0:b0:1ef:ffd0:ce49 with SMTP id l23csp1337623lqp; Fri, 22 Mar 2024 11:47:08 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCVTENtDnxpP2j10UbhZvvzwGkYvc45JzkXaxg4CX6KPC0KIbRJ0g4iAfZBWjSNlrnWYn8yaqOtgEuxo4NvFrGeBawglgyzAq//fsccUOQ== X-Google-Smtp-Source: AGHT+IGGpoP8ywKNWILY1Q1ubJpErejHd7XbQWTEvvw3a4OiWig3l+RO+7wdO6NNj+MrTVs3UBYt X-Received: by 2002:a17:906:a093:b0:a46:92a1:6459 with SMTP id q19-20020a170906a09300b00a4692a16459mr464031ejy.17.1711133227988; Fri, 22 Mar 2024 11:47:07 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1711133227; cv=pass; d=google.com; s=arc-20160816; b=U+o2ZcC/c4Ab4PcTP80f3HshQMjwNAhEV3lqOoXrr9KwsJ7pjtZHyegatVVCDJ78cJ KwigI1TDit0SfNBrxQo1PE8bs1IrmDEOqy6c9YtW6mWfjHI4Njm9xr6VHrx7/91/EVCO NuJzCIMOsn5b8juwrGcn76UVIEJEVSI7IjR3UPNociw3G0xzGUp7V/BzFYSFNRV2aSyL Y91pw1Isg9W0IzVDgxjJOJVpp5+7zeM3BqlWVYfhCDTbFR5M92YP/p78cRAKgqRTxuuJ Ev+8/04B6eo42qCerO7LR8i9DsSygYDXbScL7dJ1AWD5oS1RQMhNdZ/aIWdBWn4sNoyt z5ag== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=subject:mime-version:list-unsubscribe:list-subscribe:list-id :precedence:user-agent:message-id:in-reply-to:date:references:cc:to :from; bh=u9YSuQR6gaiXF4X+tQfn3Hn0te5KWmVS7WR4LPt6z3o=; fh=PUjbRJn5AtG0byh91Xom5iibRFg/wIwNjQgfZfPZ0w0=; b=JjQb5Fzi4rI5GpBHvf8cJhls8fQ9Uxm7L5wRk945WEzBShPBpBGfcojrJ/j5fCmX6n nYOu5EAGUv6SDChxm81aUADTizz1/znPqDnMOlKC8RhekqfMy87tM6zZeLd89vginPCI u+DPJ+X87Vb1ji26RfpaFgZen874OwWUasWSth4r3LE2KK1yegf6n5ka6N5x/NlHeqpf J5SniSaUAGkrdRr4ZxhtzUK0evLHWzq0JVQGRuO1wstqvcS0eCuZ9I8OurkstYS/O+Cc Ei1S9uYVByfAdrJ8Wk/7H5/EEzW23CUMaY0iVpkDqWqAnXvacvH4JmvqTizCZaa3JjMw aU0g==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; arc=pass (i=1 spf=pass spfdomain=xmission.com dmarc=pass fromdomain=xmission.com); spf=pass (google.com: domain of linux-kernel+bounces-111964-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-111964-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=xmission.com Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249]) by mx.google.com with ESMTPS id gf22-20020a170906e21600b00a473c31d30esi84317ejb.932.2024.03.22.11.47.07 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 22 Mar 2024 11:47:07 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-111964-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249; Authentication-Results: mx.google.com; arc=pass (i=1 spf=pass spfdomain=xmission.com dmarc=pass fromdomain=xmission.com); spf=pass (google.com: domain of linux-kernel+bounces-111964-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-111964-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=xmission.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 761D21F225EF for ; Fri, 22 Mar 2024 18:47:07 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 82B8A6F08C; Fri, 22 Mar 2024 18:46:59 +0000 (UTC) Received: from out03.mta.xmission.com (out03.mta.xmission.com [166.70.13.233]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C9C7F6E609; Fri, 22 Mar 2024 18:46:56 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=166.70.13.233 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711133218; cv=none; b=duFMF5pWnwZ6n1kW8ECigABrFb8Du96JqGWZhV38fryECt6cTTHbGaeJfRm5dYodjqDUv81SKrHXRj/qJD6UyedaPwFs/cuxZ9+dJLCXG14jx4ioo0iiMZhQ6zaZq/ppxEqGyHhRBLqz2sVAs1Z2sgjogafCbW1s21WW1yxLuSQ= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711133218; c=relaxed/simple; bh=03Dg747A2OHVuEOp09BcVhm0o4yUsfAGR6i/kBtBbls=; h=From:To:Cc:References:Date:In-Reply-To:Message-ID:MIME-Version: Content-Type:Subject; b=rOi1KJYZQDC/b/ut6G813Y/0Rflwxh4UTDkYJHpnof/ZLzImitsc18tO9DbbR70fZV0YB3lfRw7bvUHNLiUi5Xl1kgiEPanflkYmU8BHd3y2bhm1s6WLRIr5twJZ+W23+CdDsTsRHpTNPmgeHHENKrOiSCt8nCAvvNE2G7DYDkE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=xmission.com; spf=pass smtp.mailfrom=xmission.com; arc=none smtp.client-ip=166.70.13.233 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=xmission.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=xmission.com Received: from in01.mta.xmission.com ([166.70.13.51]:59970) by out03.mta.xmission.com with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.93) (envelope-from ) id 1rnids-009kpI-Kq; Fri, 22 Mar 2024 11:25:20 -0600 Received: from ip68-227-168-167.om.om.cox.net ([68.227.168.167]:53186 helo=email.froward.int.ebiederm.org.xmission.com) by in01.mta.xmission.com with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.93) (envelope-from ) id 1rnidr-001ecQ-FZ; Fri, 22 Mar 2024 11:25:20 -0600 From: "Eric W. Biederman" To: Leo Yan Cc: Alexander Viro , Christian Brauner , Jan Kara , Kees Cook , linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Peter Zijlstra , Ingo Molnar , Arnaldo Carvalho de Melo , Namhyung Kim , Ian Rogers , Al Grant , James Clark , Mark Rutland References: <20240322162759.714141-1-leo.yan@arm.com> Date: Fri, 22 Mar 2024 12:24:54 -0500 In-Reply-To: <20240322162759.714141-1-leo.yan@arm.com> (Leo Yan's message of "Fri, 22 Mar 2024 16:27:59 +0000") Message-ID: <87zfuqb2mx.fsf@email.froward.int.ebiederm.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain X-XM-SPF: eid=1rnidr-001ecQ-FZ;;;mid=<87zfuqb2mx.fsf@email.froward.int.ebiederm.org>;;;hst=in01.mta.xmission.com;;;ip=68.227.168.167;;;frm=ebiederm@xmission.com;;;spf=pass X-XM-AID: U2FsdGVkX18snvkqDraPiZ7Bkn94EiEyuPU/BkxIg2g= X-SA-Exim-Connect-IP: 68.227.168.167 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Level: X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.4997] * 0.7 XMSubLong Long Subject * 0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available. * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa05 1397; Body=1 Fuz1=1 Fuz2=1] * -0.0 T_SCC_BODY_TEXT_LINE No description available. X-Spam-DCC: XMission; sa05 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: ;Leo Yan X-Spam-Relay-Country: X-Spam-Timing: total 592 ms - load_scoreonly_sql: 0.05 (0.0%), signal_user_changed: 13 (2.2%), b_tie_ro: 11 (1.9%), parse: 1.57 (0.3%), extract_message_metadata: 19 (3.3%), get_uri_detail_list: 4.1 (0.7%), tests_pri_-2000: 14 (2.4%), tests_pri_-1000: 4.1 (0.7%), tests_pri_-950: 1.59 (0.3%), tests_pri_-900: 1.27 (0.2%), tests_pri_-90: 134 (22.7%), check_bayes: 132 (22.3%), b_tokenize: 13 (2.1%), b_tok_get_all: 12 (2.0%), b_comp_prob: 4.0 (0.7%), b_tok_touch_all: 100 (16.8%), b_finish: 1.18 (0.2%), tests_pri_0: 389 (65.6%), check_dkim_signature: 0.78 (0.1%), check_dkim_adsp: 3.3 (0.6%), poll_dns_idle: 0.61 (0.1%), tests_pri_10: 2.2 (0.4%), tests_pri_500: 7 (1.2%), rewrite_mail: 0.00 (0.0%) Subject: Re: [PATCH] exec: Don't disable perf events for setuid root executables X-SA-Exim-Version: 4.2.1 (built Sat, 08 Feb 2020 21:53:50 +0000) X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com) Leo Yan writes: > Al Grant reported that the 'perf record' command terminates abnormally > after setting the setuid bit for the executable. To reproduce this > issue, an additional condition is the binary file is owned by the root > user but is running under a non-privileged user. The logs below provide > details: > > $ sudo chmod u+s perf > $ ls -l perf > -rwsr-xr-x 1 root root 13147600 Mar 17 14:56 perf > $ ./perf record -e cycles -- uname > [ perf record: Woken up 1 times to write data ] > [ perf record: Captured and wrote 0.003 MB perf.data (7 samples) ] > Terminated > > Comparatively, the same command can succeed if the setuid bit is cleared > for the perf executable: > > $ sudo chmod u-s perf > $ ls -l perf > -rwxr-xr-x 1 root root 13147600 Mar 17 14:56 perf > $ ./perf record -e cycles -- uname > Linux > [ perf record: Woken up 1 times to write data ] > [ perf record: Captured and wrote 0.003 MB perf.data (13 samples) ] > > After setting the setuid bit, the problem arises when begin_new_exec() > disables the perf events upon detecting that a regular user is executing > a setuid binary, which notifies the perf process. Consequently, the perf > tool in user space exits from polling and sends a SIGTERM signal to kill > child processes and itself. This explains why we observe the tool being > 'Terminated'. > > With the setuid bit a non-privileged user can obtain the same > permissions as the executable's owner. If the owner has the privileged > permission for accessing perf events, the kernel should keep enabling > perf events. For this reason, this patch adds a condition checking for > perfmon_capable() to not disabling perf events when the user has > privileged permission yet. > > Note the begin_new_exec() function only checks permission for the > per-thread mode in a perf session. This is why we don't need to add any > extra checking for the global knob 'perf_event_paranoid', as it always > grants permission for per-thread performance monitoring for unprivileged > users (see Documentation/admin-guide/perf-security.rst). This code change makes no sense. The logic you are attempting to implement, allowing performance measurements of a setuid application if it has sufficient capabilities does make sense. perfmon_capable tests if the current program has sufficient privileges to use perf, not the program that enabled performance measurements. The location perfmon_capable is being called in the new executable is after the new executable gets it's new credentials. AKA the suidroot has already happened. So it will always succeed for suidroot executables. I suggest you take a look at ptracer_capable that is used to test if the ptracer has sufficient credentials to trace a suid root exectuable. Eric > Signed-off-by: Leo Yan > Cc: Al Grant > Cc: James Clark > Cc: Mark Rutland > --- > fs/exec.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/fs/exec.c b/fs/exec.c > index ff6f26671cfc..5ded01190278 100644 > --- a/fs/exec.c > +++ b/fs/exec.c > @@ -1401,7 +1401,8 @@ int begin_new_exec(struct linux_binprm * bprm) > * wait until new credentials are committed > * by commit_creds() above > */ > - if (get_dumpable(me->mm) != SUID_DUMP_USER) > + if ((get_dumpable(me->mm) != SUID_DUMP_USER) && > + !perfmon_capable()) > perf_event_exit_task(me); > /* > * cred_guard_mutex must be held at least to this point to prevent