Date: Sun, 18 Sep 2016 22:52:39 +0200
From: Jann Horn
To: Linus Torvalds
Cc: Alexander Viro, Roland McGrath, Oleg Nesterov, John Johansen, James Morris, "Serge E. Hallyn", Paul Moore, Stephen Smalley, Eric Paris, Casey Schaufler, Kees Cook, Andrew Morton, Janis Danisevskis, Seth Forshee, "Eric . Biederman", Thomas Gleixner, Benjamin LaHaise, linux-fsdevel, LSM List, "security@kernel.org"
Subject: Re: [PATCH 7/9] ptrace: forbid ptrace checks against current_cred() from VFS context
Message-ID: <20160918205239.GB2903@pc.thejh.net>
References: <1474211117-16674-1-git-send-email-jann@thejh.net> <1474211117-16674-8-git-send-email-jann@thejh.net>

On Sun, Sep 18, 2016 at 01:18:48PM -0700, Linus Torvalds wrote:
> On Sun, Sep 18, 2016 at 8:05 AM, Jann Horn wrote:
> > This ensures that VFS implementations don't call ptrace_may_access() from
> > VFS read or write handlers. In order for file descriptor passing to have
> > its intended security properties, VFS read/write handlers must not do any
> > kind of privilege checking.
>
> Quite frankly, this smells like it should be a static check, not some
> kind of runtime one. Or if runtime, it should be abstracted out so
> that you can do an occasional "let's run a checking pass" rather than
> enable it unconditionally and universally.

Hm, fair point. I guess this could be implemented in eBPF or systemtap?
Then for now, I guess I'll remove this patch from the series - and maybe
I'll think about writing some external checker with eBPF kprobes or so.

> It's just too specialized. Soon you'll want to do other random context
> checking, and we can't just keep adding those kinds of ad-hoc things
> without it becoming a maintenance nightmare. I can well imagine
> somebody ending up writing some stupid patch to take that
> "in_unprivileged_vfs" thing into account for some semantics, and then
> we're *really* screwed. So there are many reasons to make sure this is
> *not* something that people actually expect to always be there.

Oh, yuck. Yes, those are good points.
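As an added illustration (not part of this thread, the patch series, or any kernel tree), here is what the "external checker with eBPF kprobes" sketched above could look like as a bpftrace script. It reproduces the dropped patch's idea out of tree: mark a thread while it is inside a VFS read or write handler, and report any ptrace_may_access() call reached while the mark is set. The probe points vfs_read, vfs_write and ptrace_may_access are assumed to be kprobe-able (not inlined or renamed) on the kernel being inspected; adjust them for the kernel at hand.

```bpftrace
#!/usr/bin/env bpftrace
// Added example: an occasional "checking pass" run from userspace instead of
// an always-on in-kernel flag. Assumes vfs_read, vfs_write and
// ptrace_may_access are attachable kprobe symbols on this kernel.

BEGIN
{
	printf("Watching for ptrace_may_access() calls from VFS read/write context...\n");
}

// Entering a VFS read/write handler: mark the current thread.
kprobe:vfs_read,
kprobe:vfs_write
{
	@in_vfs_rw[tid] = 1;
}

// Leaving the handler: clear the mark so unrelated later calls are not flagged.
kretprobe:vfs_read,
kretprobe:vfs_write
{
	delete(@in_vfs_rw[tid]);
}

// A ptrace access check that runs while the mark is set is exactly what the
// in-kernel patch would have warned about: a privilege check keyed to the
// caller's credentials inside a read/write path, where the caller may not be
// the process that opened the file.
kprobe:ptrace_may_access
/@in_vfs_rw[tid]/
{
	@hits[comm, kstack] = count();
	printf("ptrace_may_access() from VFS rw context: comm=%s pid=%d\n%s\n",
	       comm, pid, kstack);
}

// On exit, drop the per-thread marks and print a summary of offending call
// sites (keyed by command name and kernel stack).
END
{
	clear(@in_vfs_rw);
	print(@hits);
}
```

Run it as root while exercising the filesystems and drivers of interest (e.g. the /proc and debugfs files the original series touched); the summary lists each distinct kernel stack through which ptrace_may_access() was reached from a read or write handler. Because it only observes code paths that actually execute, it is a spot check and not a substitute for the static check Linus suggests: handlers that were never invoked during the run go unnoticed, and the per-thread mark does not follow work deferred to other contexts.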