From: ebiederm@xmission.com (Eric W. Biederman)
To: Willy Tarreau <w@1wt.eu>
Cc: Kees Cook <keescook@chromium.org>,
Linux Containers <containers@lists.linux-foundation.org>,
Oleg Nesterov <oleg@redhat.com>,
"linux-kernel\@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"linux-mm\@kvack.org" <linux-mm@kvack.org>,
Linux FS Devel <linux-fsdevel@vger.kernel.org>,
Michal Hocko <mhocko@kernel.org>, Jann Horn <jann@thejh.net>,
Andy Lutomirski <luto@amacapital.net>
Subject: Re: [REVIEW][PATCH 2/3] exec: Don't allow ptracing an exec of an unreadable file
Date: Thu, 17 Nov 2016 15:51:09 -0600 [thread overview]
Message-ID: <874m3522sy.fsf@xmission.com> (raw)
In-Reply-To: <20161117213258.GA10839@1wt.eu> (Willy Tarreau's message of "Thu, 17 Nov 2016 22:32:59 +0100")
Willy Tarreau <w@1wt.eu> writes:
> On Thu, Nov 17, 2016 at 01:07:33PM -0800, Kees Cook wrote:
>> I'm not opposed to a sysctl for this. Regardless, I think we need to
>> embrace this idea now, though, since we'll soon end up with
>> architectures that enforce executable-only memory, in which case
>> ptrace will again fail. Almost better to get started here and then not
>> have more surprises later.
>
> Also that makes me realize that by far the largest use case of ptrace
> is strace and that strace needs very little capabilities. I guess that
> most users would be fine with having only pointers and not contents
> for addresses or read/write of data, as they have on some other OSes,
> when the process is not readable. But in my opinion when a process
> is executable we should be able to trace its execution (even without
> memory read access).
Given all of this I will respin this series with a replacement patch
that adds a permission check ion the path where ptrace calls
access_process_vm.
I avoided it because the patch is a bit larger and with full ptrace control
is much better at leaking information. Even if you can't read the
data. But ptrace works even if it won't give you the memory based
arguments to system calls anymore.
Eric
WARNING: multiple messages have this Message-ID (diff)
From: ebiederm@xmission.com (Eric W. Biederman)
To: Willy Tarreau <w@1wt.eu>
Cc: Kees Cook <keescook@chromium.org>,
Linux Containers <containers@lists.linux-foundation.org>,
Oleg Nesterov <oleg@redhat.com>,
"linux-kernel\@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"linux-mm\@kvack.org" <linux-mm@kvack.org>,
Linux FS Devel <linux-fsdevel@vger.kernel.org>,
Michal Hocko <mhocko@kernel.org>, Jann Horn <jann@thejh.net>,
Andy Lutomirski <luto@amacapital.net>
Subject: Re: [REVIEW][PATCH 2/3] exec: Don't allow ptracing an exec of an unreadable file
Date: Thu, 17 Nov 2016 15:51:09 -0600 [thread overview]
Message-ID: <874m3522sy.fsf@xmission.com> (raw)
In-Reply-To: <20161117213258.GA10839@1wt.eu> (Willy Tarreau's message of "Thu, 17 Nov 2016 22:32:59 +0100")
Willy Tarreau <w@1wt.eu> writes:
> On Thu, Nov 17, 2016 at 01:07:33PM -0800, Kees Cook wrote:
>> I'm not opposed to a sysctl for this. Regardless, I think we need to
>> embrace this idea now, though, since we'll soon end up with
>> architectures that enforce executable-only memory, in which case
>> ptrace will again fail. Almost better to get started here and then not
>> have more surprises later.
>
> Also that makes me realize that by far the largest use case of ptrace
> is strace and that strace needs very little capabilities. I guess that
> most users would be fine with having only pointers and not contents
> for addresses or read/write of data, as they have on some other OSes,
> when the process is not readable. But in my opinion when a process
> is executable we should be able to trace its execution (even without
> memory read access).
Given all of this I will respin this series with a replacement patch
that adds a permission check ion the path where ptrace calls
access_process_vm.
I avoided it because the patch is a bit larger and with full ptrace control
is much better at leaking information. Even if you can't read the
data. But ptrace works even if it won't give you the memory based
arguments to system calls anymore.
Eric
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
WARNING: multiple messages have this Message-ID (diff)
From: ebiederm@xmission.com (Eric W. Biederman)
To: Willy Tarreau <w@1wt.eu>
Cc: Kees Cook <keescook@chromium.org>,
Linux Containers <containers@lists.linux-foundation.org>,
Oleg Nesterov <oleg@redhat.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"linux-mm@kvack.org" <linux-mm@kvack.org>,
Linux FS Devel <linux-fsdevel@vger.kernel.org>,
Michal Hocko <mhocko@kernel.org>, Jann Horn <jann@thejh.net>,
Andy Lutomirski <luto@amacapital.net>
Subject: Re: [REVIEW][PATCH 2/3] exec: Don't allow ptracing an exec of an unreadable file
Date: Thu, 17 Nov 2016 15:51:09 -0600 [thread overview]
Message-ID: <874m3522sy.fsf@xmission.com> (raw)
In-Reply-To: <20161117213258.GA10839@1wt.eu> (Willy Tarreau's message of "Thu, 17 Nov 2016 22:32:59 +0100")
Willy Tarreau <w@1wt.eu> writes:
> On Thu, Nov 17, 2016 at 01:07:33PM -0800, Kees Cook wrote:
>> I'm not opposed to a sysctl for this. Regardless, I think we need to
>> embrace this idea now, though, since we'll soon end up with
>> architectures that enforce executable-only memory, in which case
>> ptrace will again fail. Almost better to get started here and then not
>> have more surprises later.
>
> Also that makes me realize that by far the largest use case of ptrace
> is strace and that strace needs very little capabilities. I guess that
> most users would be fine with having only pointers and not contents
> for addresses or read/write of data, as they have on some other OSes,
> when the process is not readable. But in my opinion when a process
> is executable we should be able to trace its execution (even without
> memory read access).
Given all of this I will respin this series with a replacement patch
that adds a permission check ion the path where ptrace calls
access_process_vm.
I avoided it because the patch is a bit larger and with full ptrace control
is much better at leaking information. Even if you can't read the
data. But ptrace works even if it won't give you the memory based
arguments to system calls anymore.
Eric
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2016-11-17 21:53 UTC|newest]
Thread overview: 166+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-10-17 16:39 [REVIEW][PATCH] mm: Add a user_ns owner to mm_struct and fix ptrace_may_access Eric W. Biederman
2016-10-17 16:39 ` Eric W. Biederman
2016-10-17 16:39 ` Eric W. Biederman
2016-10-17 17:25 ` Jann Horn
[not found] ` <20161017172547.GJ14666-J1fxOzX/cBvk1uMJSBkQmQ@public.gmane.org>
2016-10-17 17:33 ` Eric W. Biederman
2016-10-17 17:33 ` Eric W. Biederman
2016-10-17 17:33 ` Eric W. Biederman
2016-10-17 17:33 ` Eric W. Biederman
[not found] ` <87twcbq696.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2016-10-17 17:25 ` Jann Horn
2016-10-18 13:50 ` Michal Hocko
2016-10-18 13:50 ` Michal Hocko
2016-10-18 13:50 ` Michal Hocko
[not found] ` <20161018135031.GB13117-2MMpYkNvuYDjFM9bn6wA6Q@public.gmane.org>
2016-10-18 13:57 ` Jann Horn
2016-10-18 13:57 ` Jann Horn
2016-10-18 14:56 ` Eric W. Biederman
2016-10-18 14:56 ` Eric W. Biederman
2016-10-18 14:56 ` Eric W. Biederman
2016-10-18 14:56 ` Eric W. Biederman
2016-10-18 15:05 ` Jann Horn
[not found] ` <20161018150507.GP14666-J1fxOzX/cBvk1uMJSBkQmQ@public.gmane.org>
2016-10-18 15:35 ` Eric W. Biederman
2016-10-18 15:35 ` Eric W. Biederman
2016-10-18 15:35 ` Eric W. Biederman
2016-10-18 15:35 ` Eric W. Biederman
[not found] ` <87twc9656s.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2016-10-18 19:12 ` Jann Horn
2016-10-18 19:12 ` Jann Horn
2016-10-18 19:12 ` Jann Horn
[not found] ` <20161018191206.GA1210-GiL72Q0nGm9Crx9znvW9yA@public.gmane.org>
2016-10-18 21:07 ` Eric W. Biederman
2016-10-18 21:07 ` Eric W. Biederman
2016-10-18 21:07 ` Eric W. Biederman
2016-10-18 21:07 ` Eric W. Biederman
[not found] ` <87r37dnz74.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2016-10-18 21:15 ` [REVIEW][PATCH] exec: Don't exec files the userns root can not read Eric W. Biederman
2016-10-18 21:15 ` Eric W. Biederman
2016-10-18 21:15 ` Eric W. Biederman
2016-10-18 21:15 ` Eric W. Biederman
2016-10-19 6:13 ` Amir Goldstein
2016-10-19 6:13 ` Amir Goldstein
2016-10-19 13:33 ` Eric W. Biederman
2016-10-19 13:33 ` Eric W. Biederman
2016-10-19 13:33 ` Eric W. Biederman
[not found] ` <87mvi0mpix.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2016-10-19 17:04 ` Eric W. Biederman
2016-10-19 17:04 ` Eric W. Biederman
2016-10-19 17:04 ` Eric W. Biederman
2016-10-19 17:04 ` Eric W. Biederman
[not found] ` <CAOQ4uxjyZF346vq-Oi=HwB=jj6ePycHBnEfvVPet9KqPxL9mgg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-10-19 13:33 ` Eric W. Biederman
[not found] ` <87k2d5nytz.fsf_-_-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2016-10-19 6:13 ` Amir Goldstein
2016-10-19 15:30 ` Andy Lutomirski
2016-10-19 15:30 ` Andy Lutomirski
2016-10-19 15:30 ` Andy Lutomirski
[not found] ` <CALCETrU4SZYUEPrv4JkpUpA+0sZ=EirZRftRDp+a5hce5E7HgA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-10-19 16:52 ` Eric W. Biederman
2016-10-19 16:52 ` Eric W. Biederman
2016-10-19 16:52 ` Eric W. Biederman
2016-10-19 16:52 ` Eric W. Biederman
[not found] ` <87y41kjn6l.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2016-10-19 17:29 ` Jann Horn
2016-10-19 18:36 ` Andy Lutomirski
2016-10-19 17:29 ` Jann Horn
2016-10-19 17:29 ` Jann Horn
[not found] ` <20161019172917.GE1210-GiL72Q0nGm9Crx9znvW9yA@public.gmane.org>
2016-10-19 17:32 ` Andy Lutomirski
2016-10-19 17:32 ` Andy Lutomirski
2016-10-19 17:32 ` Andy Lutomirski
2016-10-19 17:55 ` Eric W. Biederman
2016-10-19 17:55 ` Eric W. Biederman
2016-10-19 17:55 ` Eric W. Biederman
[not found] ` <87pomwi5p2.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2016-10-19 18:38 ` Andy Lutomirski
2016-10-19 18:38 ` Andy Lutomirski
2016-10-19 18:38 ` Andy Lutomirski
2016-10-19 21:26 ` Eric W. Biederman
2016-10-19 21:26 ` Eric W. Biederman
2016-10-19 21:26 ` Eric W. Biederman
2016-10-19 23:17 ` Andy Lutomirski
2016-10-19 23:17 ` Andy Lutomirski
2016-11-17 17:02 ` [REVIEW][PATCH 0/3] Fixing ptrace vs exec vs userns interactions Eric W. Biederman
2016-11-17 17:02 ` Eric W. Biederman
2016-11-17 17:02 ` Eric W. Biederman
2016-11-17 17:05 ` [REVIEW][PATCH 1/3] ptrace: Capture the ptracer's creds not PT_PTRACE_CAP Eric W. Biederman
2016-11-17 17:05 ` Eric W. Biederman
2016-11-17 17:05 ` Eric W. Biederman
2016-11-17 23:14 ` Kees Cook
2016-11-17 23:14 ` Kees Cook
2016-11-18 18:56 ` Eric W. Biederman
2016-11-18 18:56 ` Eric W. Biederman
2016-11-18 18:56 ` Eric W. Biederman
[not found] ` <CAGXu5jKbVkCGVSoxNQ=pTCBX1Boe3rPR1P56P-kR9AHWYHBs2w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-11-18 18:56 ` Eric W. Biederman
[not found] ` <87oa1eavfx.fsf_-_-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2016-11-17 23:14 ` Kees Cook
2016-11-17 23:27 ` Andy Lutomirski
2016-11-17 23:27 ` Andy Lutomirski
2016-11-17 23:27 ` Andy Lutomirski
[not found] ` <CALCETrUSnPfzpabQMNuyOu09j9QDzRDeoQVF_U51=ow3bP5pkw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-11-17 23:44 ` Eric W. Biederman
2016-11-17 23:44 ` Eric W. Biederman
2016-11-17 23:44 ` Eric W. Biederman
2016-11-17 23:44 ` Eric W. Biederman
2016-11-17 17:08 ` [REVIEW][PATCH 2/3] exec: Don't allow ptracing an exec of an unreadable file Eric W. Biederman
2016-11-17 17:08 ` Eric W. Biederman
2016-11-17 17:08 ` Eric W. Biederman
[not found] ` <87inrmavax.fsf_-_-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2016-11-17 20:47 ` Willy Tarreau
2016-11-17 23:29 ` Andy Lutomirski
2016-11-17 20:47 ` Willy Tarreau
2016-11-17 20:47 ` Willy Tarreau
[not found] ` <20161117204707.GB10421-K+wRfnb2/UA@public.gmane.org>
2016-11-17 21:07 ` Kees Cook
2016-11-17 21:07 ` Kees Cook
2016-11-17 21:07 ` Kees Cook
2016-11-17 21:32 ` Willy Tarreau
2016-11-17 21:32 ` Willy Tarreau
2016-11-17 21:51 ` Eric W. Biederman [this message]
2016-11-17 21:51 ` Eric W. Biederman
2016-11-17 21:51 ` Eric W. Biederman
2016-11-17 22:50 ` [REVIEW][PATCH 2/3] ptrace: Don't allow accessing an undumpable mm Eric W. Biederman
2016-11-17 22:50 ` Eric W. Biederman
2016-11-17 22:50 ` Eric W. Biederman
[not found] ` <87shqpzpok.fsf_-_-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2016-11-17 23:17 ` Kees Cook
2016-11-17 23:17 ` Kees Cook
2016-11-17 23:17 ` Kees Cook
[not found] ` <874m3522sy.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2016-11-17 22:50 ` Eric W. Biederman
[not found] ` <20161117213258.GA10839-K+wRfnb2/UA@public.gmane.org>
2016-11-17 21:51 ` [REVIEW][PATCH 2/3] exec: Don't allow ptracing an exec of an unreadable file Eric W. Biederman
[not found] ` <CAGXu5jJc6TmzdVp+4OMDAt5Kd68hHbNBXaRPD8X0+m558hx3qw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-11-17 21:32 ` Willy Tarreau
2016-11-17 23:28 ` Andy Lutomirski
2016-11-17 23:28 ` Andy Lutomirski
2016-11-17 23:28 ` Andy Lutomirski
2016-11-17 23:29 ` Andy Lutomirski
2016-11-17 23:29 ` Andy Lutomirski
[not found] ` <CALCETrUvKpRCXRE+K512E_q9-o8Gzgb+3XsAzSo+ZFdgqeX-eQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-11-17 23:55 ` Eric W. Biederman
2016-11-17 23:55 ` Eric W. Biederman
2016-11-17 23:55 ` Eric W. Biederman
2016-11-17 23:55 ` Eric W. Biederman
2016-11-18 0:10 ` Andy Lutomirski
2016-11-18 0:10 ` Andy Lutomirski
2016-11-18 0:35 ` Eric W. Biederman
2016-11-18 0:35 ` Eric W. Biederman
2016-11-18 0:35 ` Eric W. Biederman
[not found] ` <CALCETrX=61Sk9qim+Psjn83gohuizEsrpUC9gF-vwQTtR4GuJw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-11-18 0:35 ` Eric W. Biederman
[not found] ` <87mvgxwtjv.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2016-11-18 0:10 ` Andy Lutomirski
2016-11-17 17:10 ` [REVIEW][PATCH 3/3] exec: Ensure mm->user_ns contains the execed files Eric W. Biederman
2016-11-17 17:10 ` Eric W. Biederman
2016-11-17 17:10 ` Eric W. Biederman
2016-11-19 7:17 ` [REVIEW][PATCH 0/3] Fixing ptrace vs exec vs userns interactions Willy Tarreau
2016-11-19 7:17 ` Willy Tarreau
2016-11-19 9:28 ` Willy Tarreau
2016-11-19 9:28 ` Willy Tarreau
2016-11-19 9:33 ` Willy Tarreau
2016-11-19 9:33 ` Willy Tarreau
[not found] ` <20161119092804.GA13553-K+wRfnb2/UA@public.gmane.org>
2016-11-19 9:33 ` Willy Tarreau
2016-11-19 18:44 ` Eric W. Biederman
2016-11-19 18:44 ` Eric W. Biederman
2016-11-19 18:44 ` Eric W. Biederman
2016-11-19 18:44 ` Eric W. Biederman
[not found] ` <20161119071700.GA13347-K+wRfnb2/UA@public.gmane.org>
2016-11-19 9:28 ` Willy Tarreau
2016-11-19 18:35 ` Eric W. Biederman
2016-11-19 18:35 ` Eric W. Biederman
2016-11-19 18:35 ` Eric W. Biederman
2016-11-19 18:35 ` Eric W. Biederman
2016-11-19 18:37 ` Eric W. Biederman
2016-11-19 18:37 ` Eric W. Biederman
2016-11-19 18:37 ` Eric W. Biederman
[not found] ` <87d1hrjp23.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2016-11-19 18:37 ` Eric W. Biederman
[not found] ` <87twb6avk8.fsf_-_-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2016-11-17 17:05 ` [REVIEW][PATCH 1/3] ptrace: Capture the ptracer's creds not PT_PTRACE_CAP Eric W. Biederman
2016-11-17 17:08 ` [REVIEW][PATCH 2/3] exec: Don't allow ptracing an exec of an unreadable file Eric W. Biederman
2016-11-17 17:10 ` [REVIEW][PATCH 3/3] exec: Ensure mm->user_ns contains the execed files Eric W. Biederman
2016-11-19 7:17 ` [REVIEW][PATCH 0/3] Fixing ptrace vs exec vs userns interactions Willy Tarreau
[not found] ` <CALCETrXA2EnE8X3HzetLG6zS8YSVjJQJrsSumTfvEcGq=r5vsw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-11-17 17:02 ` Eric W. Biederman
[not found] ` <87pomwghda.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2016-10-19 23:17 ` [REVIEW][PATCH] exec: Don't exec files the userns root can not read Andy Lutomirski
[not found] ` <CALCETrUz2oU6OYwQ9K4M-SUg6FeDsd6Q1gf1w-cJRGg2PdmK8g-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-10-19 21:26 ` Eric W. Biederman
[not found] ` <CALCETrWSY1SRse5oqSwZ=goQ+ZALd2XcTP3SZ8ry49C8rNd98Q-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-10-19 17:55 ` Eric W. Biederman
2016-10-19 18:36 ` Andy Lutomirski
2016-10-18 18:06 ` [REVIEW][PATCH] mm: Add a user_ns owner to mm_struct and fix ptrace_may_access Michal Hocko
2016-10-18 18:06 ` Michal Hocko
[not found] ` <8737jt903u.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2016-10-18 15:05 ` Jann Horn
2016-10-18 18:06 ` Michal Hocko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=874m3522sy.fsf@xmission.com \
--to=ebiederm@xmission.com \
--cc=containers@lists.linux-foundation.org \
--cc=jann@thejh.net \
--cc=keescook@chromium.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@amacapital.net \
--cc=mhocko@kernel.org \
--cc=oleg@redhat.com \
--cc=w@1wt.eu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.