From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp.nsa.gov ([8.44.101.9]:34840 "EHLO emsm-gh1-uea11.nsa.gov" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755172AbcISNIo (ORCPT ); Mon, 19 Sep 2016 09:08:44 -0400 Subject: Re: [PATCH 3/9] proc: use open()-time creds for ptrace checks To: Jann Horn , Alexander Viro , Roland McGrath , Oleg Nesterov , John Johansen , James Morris , "Serge E. Hallyn" , Paul Moore , Eric Paris , Casey Schaufler , Kees Cook , Andrew Morton , Janis Danisevskis , Seth Forshee , "Eric . Biederman" , Thomas Gleixner , Benjamin LaHaise References: <1474211117-16674-1-git-send-email-jann@thejh.net> <1474211117-16674-4-git-send-email-jann@thejh.net> Cc: linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, security@kernel.org From: Stephen Smalley Message-ID: <4f10ddba-fb7c-04a3-0426-550b435e6f3a@tycho.nsa.gov> Date: Mon, 19 Sep 2016 09:01:19 -0400 MIME-Version: 1.0 In-Reply-To: <1474211117-16674-4-git-send-email-jann@thejh.net> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Sender: linux-fsdevel-owner@vger.kernel.org List-ID: On 09/18/2016 11:05 AM, Jann Horn wrote: > This adds a new ptrace_may_access_noncurrent() method that > uses the supplied credentials instead of those of the > current task. (However, the current task may still be > inspected for auditing purposes, e.g. by the Smack LSM.) > > procfs used the caller's creds for a few ptrace_may_access() > checks at read() time, which made a confused deputy attack > by passing an FD to a procfs file to a setuid program > possible. Therefore, the following was a local userspace > ASLR bypass: > > rm -f /tmp/foobar > procmail <(echo 'DEFAULT=/tmp/foobar') ( > echo 'obase=16' > cut -d' ' -f26-30,45-51 ) | bc > rm /tmp/foobar > > procmail is installed setuid root on Debian and read()s > data from stdin before dropping privs, so the > ptrace_may_access() check in the VFS read handler of > /proc/1/stat passes. Procmail then dumps the read data > to a user-accessible file (/tmp/foobar here). > > Signed-off-by: Jann Horn > --- > fs/proc/array.c | 3 +- > fs/proc/base.c | 63 ++++++++++++++++++++++++++++++++++------- > fs/proc/internal.h | 14 +++++++++ > include/linux/lsm_hooks.h | 3 +- > include/linux/ptrace.h | 5 ++++ > include/linux/security.h | 10 ++++--- > kernel/ptrace.c | 40 +++++++++++++++++++------- > security/apparmor/include/ipc.h | 2 +- > security/apparmor/ipc.c | 4 +-- > security/apparmor/lsm.c | 14 +++++++-- > security/commoncap.c | 8 +++--- > security/security.c | 5 ++-- > security/selinux/hooks.c | 4 +-- > security/smack/smack_lsm.c | 18 ++++++++---- > security/yama/yama_lsm.c | 9 ++++-- > 15 files changed, 150 insertions(+), 52 deletions(-) > > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 13185a6..f9a0be7 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -2133,10 +2133,10 @@ static int selinux_binder_transfer_file(struct task_struct *from, > } > > static int selinux_ptrace_access_check(struct task_struct *child, > - unsigned int mode) > + unsigned int mode, const struct cred *cred) > { > if (mode & PTRACE_MODE_READ) { > - u32 sid = current_sid(); > + u32 sid = cred_sid(cred); > u32 csid = task_sid(child); > return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL); > } For consistency, don't you also need to change the next line of code to use cred_has_perm() rather than current_has_perm()?