All of lore.kernel.org
 help / color / mirror / Atom feed
* Smack: wrong-looking capable() check in smk_ptrace_rule_check()
@ 2018-09-06 18:22 ` Jann Horn
  0 siblings, 0 replies; 4+ messages in thread
From: Jann Horn @ 2018-09-06 18:22 UTC (permalink / raw)
  To: Casey Schaufler; +Cc: linux-security-module, kernel list

Hi!

I noticed the following check in smk_ptrace_rule_check():

                if (tracer_known->smk_known == tracee_known->smk_known)
                        rc = 0;
                else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)
                        rc = -EACCES;
                else if (capable(CAP_SYS_PTRACE))
                        rc = 0;
                else
                        rc = -EACCES;

Note that smk_ptrace_rule_check() can be called from not just
smack_ptrace_access_check() and smack_ptrace_traceme(), but also
smack_bprm_set_creds(). AFAICS this means that if a task executes with
a smack privilege transition and smack_ptrace_rule is
SMACK_PTRACE_EXACT, whether the execution is permitted depends on
whether _the debugged task_ has CAP_SYS_PTRACE (and not on whether the
debugger has that capability).
This seems like it's probably unintentional?

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Smack: wrong-looking capable() check in smk_ptrace_rule_check()
@ 2018-09-06 18:22 ` Jann Horn
  0 siblings, 0 replies; 4+ messages in thread
From: Jann Horn @ 2018-09-06 18:22 UTC (permalink / raw)
  To: linux-security-module

Hi!

I noticed the following check in smk_ptrace_rule_check():

                if (tracer_known->smk_known == tracee_known->smk_known)
                        rc = 0;
                else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)
                        rc = -EACCES;
                else if (capable(CAP_SYS_PTRACE))
                        rc = 0;
                else
                        rc = -EACCES;

Note that smk_ptrace_rule_check() can be called from not just
smack_ptrace_access_check() and smack_ptrace_traceme(), but also
smack_bprm_set_creds(). AFAICS this means that if a task executes with
a smack privilege transition and smack_ptrace_rule is
SMACK_PTRACE_EXACT, whether the execution is permitted depends on
whether _the debugged task_ has CAP_SYS_PTRACE (and not on whether the
debugger has that capability).
This seems like it's probably unintentional?

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: Fwd: Smack: wrong-looking capable() check in smk_ptrace_rule_check()
       [not found]   ` <2fafaca2-73c4-d344-98be-089e17e95055@schaufler-ca.com>
@ 2018-09-07  9:47       ` Lukasz Pawelczyk
  0 siblings, 0 replies; 4+ messages in thread
From: Lukasz Pawelczyk @ 2018-09-07  9:47 UTC (permalink / raw)
  To: Casey Schaufler; +Cc: linux-security-module, kernel list

Hi,

On Thu, 2018-09-06 at 11:53 -0700, Casey Schaufler wrote:
> Lukasz, does this analysis seem correct to you? This is code you
> wrote in 2014.

It seems correct.
Moreover I've sent a patch that fixes this bug long time ago with the
namespace series.

https://lists.linux-foundation.org/pipermail/containers/2015-October/036318.html

Not sure this is the latest version. The latest I ever wrote can be
found here:
https://github.com/Havner/smack-namespace/commit/52d6e4be2db51e9aca53e0e112a7ff9625000994

Without namespaces, parts of this patch are probably irrelevant, but it
does fix this bug and one or two similar elsewhere.

Best regards,
Lukasz



> 
> -------- Forwarded Message --------
> Subject:	Smack: wrong-looking capable() check in
> smk_ptrace_rule_check()
> Date:	Thu, 6 Sep 2018 20:22:35 +0200
> From:	Jann Horn <jannh@google.com>
> To:	Casey Schaufler <casey@schaufler-ca.com>
> CC:	linux-security-module <linux-security-module@vger.kernel.org>,
> kernel list <linux-kernel@vger.kernel.org>
> 
> Hi!
> 
> I noticed the following check in smk_ptrace_rule_check():
> 
>                 if (tracer_known->smk_known == tracee_known-
> >smk_known)
>                         rc = 0;
>                 else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)
>                         rc = -EACCES;
>                 else if (capable(CAP_SYS_PTRACE))
>                         rc = 0;
>                 else
>                         rc = -EACCES;
> 
> Note that smk_ptrace_rule_check() can be called from not just
> smack_ptrace_access_check() and smack_ptrace_traceme(), but also
> smack_bprm_set_creds(). AFAICS this means that if a task executes
> with
> a smack privilege transition and smack_ptrace_rule is
> SMACK_PTRACE_EXACT, whether the execution is permitted depends on
> whether _the debugged task_ has CAP_SYS_PTRACE (and not on whether
> the
> debugger has that capability).
> This seems like it's probably unintentional?
> 
> 


-- 
Lukasz Pawelczyk
Samsung R&D Institute Poland
Samsung Electronics




^ permalink raw reply	[flat|nested] 4+ messages in thread
* Fwd: Smack: wrong-looking capable() check in smk_ptrace_rule_check()
@ 2018-09-07  9:47       ` Lukasz Pawelczyk
  0 siblings, 0 replies; 4+ messages in thread
From: Lukasz Pawelczyk @ 2018-09-07  9:47 UTC (permalink / raw)
  To: linux-security-module

Hi,

On Thu, 2018-09-06 at 11:53 -0700, Casey Schaufler wrote:
> Lukasz, does this analysis seem correct to you? This is code you
> wrote in 2014.

It seems correct.
Moreover I've sent a patch that fixes this bug long time ago with the
namespace series.

https://lists.linux-foundation.org/pipermail/containers/2015-October/036318.html

Not sure this is the latest version. The latest I ever wrote can be
found here:
https://github.com/Havner/smack-namespace/commit/52d6e4be2db51e9aca53e0e112a7ff9625000994

Without namespaces, parts of this patch are probably irrelevant, but it
does fix this bug and one or two similar elsewhere.

Best regards,
Lukasz



> 
> -------- Forwarded Message --------
> Subject:	Smack: wrong-looking capable() check in
> smk_ptrace_rule_check()
> Date:	Thu, 6 Sep 2018 20:22:35 +0200
> From:	Jann Horn <jannh@google.com>
> To:	Casey Schaufler <casey@schaufler-ca.com>
> CC:	linux-security-module <linux-security-module@vger.kernel.org>,
> kernel list <linux-kernel@vger.kernel.org>
> 
> Hi!
> 
> I noticed the following check in smk_ptrace_rule_check():
> 
>                 if (tracer_known->smk_known == tracee_known-
> >smk_known)
>                         rc = 0;
>                 else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)
>                         rc = -EACCES;
>                 else if (capable(CAP_SYS_PTRACE))
>                         rc = 0;
>                 else
>                         rc = -EACCES;
> 
> Note that smk_ptrace_rule_check() can be called from not just
> smack_ptrace_access_check() and smack_ptrace_traceme(), but also
> smack_bprm_set_creds(). AFAICS this means that if a task executes
> with
> a smack privilege transition and smack_ptrace_rule is
> SMACK_PTRACE_EXACT, whether the execution is permitted depends on
> whether _the debugged task_ has CAP_SYS_PTRACE (and not on whether
> the
> debugger has that capability).
> This seems like it's probably unintentional?
> 
> 


-- 
Lukasz Pawelczyk
Samsung R&D Institute Poland
Samsung Electronics

^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2018-09-07  9:47 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-09-06 18:22 Smack: wrong-looking capable() check in smk_ptrace_rule_check() Jann Horn
2018-09-06 18:22 ` Jann Horn
     [not found] ` <CGME20180906185359epcas4p249c16d651266a1cb8ee8273a6daff3a5@epcas4p2.samsung.com>
     [not found]   ` <2fafaca2-73c4-d344-98be-089e17e95055@schaufler-ca.com>
2018-09-07  9:47     ` Fwd: " Lukasz Pawelczyk
2018-09-07  9:47       ` Lukasz Pawelczyk

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.