From: Paul Moore
Date: Thu, 2 Jul 2020 18:00:10 -0400
Subject: Re: [PATCH v4 3/3] prctl: Allow ptrace capable processes to change /proc/self/exe
To: "Serge E. Hallyn"
Cc: Adrian Reber, Christian Brauner, Eric Biederman, Pavel Emelyanov, Oleg Nesterov, Dmitry Safonov <0x7f454c46@gmail.com>, Andrei Vagin, Nicolas Viennot, Michał Cłapiński, Kamil Yurtsever, Dirk Petersen, Christine Flood, Casey Schaufler, Mike Rapoport, Radostin Stoyanov, Cyrill Gorcunov, Stephen Smalley, Sargun Dhillon, Arnd Bergmann, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, selinux@vger.kernel.org, Eric Paris, Jann Horn, linux-fsdevel@vger.kernel.org
References: <20200701064906.323185-1-areber@redhat.com> <20200701064906.323185-4-areber@redhat.com> <20200702211647.GB3283@mail.hallyn.com>
In-Reply-To: <20200702211647.GB3283@mail.hallyn.com>

On Thu, Jul 2, 2020 at 5:16 PM Serge E. Hallyn wrote:
> On Wed, Jul 01, 2020 at 08:49:06AM +0200, Adrian Reber wrote:
> > From: Nicolas Viennot
> >
> > Previously, the current process could only change the /proc/self/exe
> > link with local CAP_SYS_ADMIN.
> > This commit relaxes this restriction by permitting such change with
> > CAP_CHECKPOINT_RESTORE, and the ability to use ptrace.
> >
> > With access to ptrace facilities, a process can do the following: fork a
> > child, execve() the target executable, and have the child use ptrace()
> > to replace the memory content of the current process. This technique
> > makes it possible to masquerade an arbitrary program as any executable,
> > even setuid ones.
> >
> > Signed-off-by: Nicolas Viennot
> > Signed-off-by: Adrian Reber
>
> This is scary. But I believe it is safe.
>
> Reviewed-by: Serge Hallyn
>
> I am a bit curious about the implications of the selinux patch.
> IIUC you are using the permission of the tracing process to
> execute the file without transition, so this is a way to work
> around the policy which might prevent the tracee from doing so.
> Given that SELinux wants to be MAC, I'm not *quite* sure that's
> considered kosher.
> You also are skipping the PROCESS__PTRACE
> to SECCLASS_PROCESS check which selinux_bprm_set_creds does later
> on. Again I'm just not quite sure what's considered normal there
> these days.
>
> Paul, do you have input there?

I agree, the SELinux hook looks wrong. Building on what Christian said,
this looks more like a ptrace operation than an exec operation.

-- 
paul moore
www.paul-moore.com
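A defensive consistency check that follows from the masquerading scenario in the quoted commit message, added here as example code that is not part of the patch or of anyone in the thread: it parses /proc/<pid>/maps and flags a process whose exe link names a file that is not actually mapped executable in that process. It assumes a Linux /proc layout; the function names (`mapped_executables`, `exe_link_consistent`, `check_pid`) and the sample maps text are constructed for illustration, and a mismatch is a signal to investigate rather than proof of abuse, since legitimate checkpoint/restore changes the link the same way.

```python
"""Check that a process's /proc/<pid>/exe link is backed by one of its own
executable file mappings (added example; assumes Linux /proc semantics)."""
import os
import re

# /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
_MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+(\d+)\s*(.*)$")

def _normalize(path: str) -> str:
    """Strip the ' (deleted)' marker the kernel appends to unlinked files."""
    return path[:-len(" (deleted)")].strip() if path.endswith(" (deleted)") else path.strip()

def mapped_executables(maps_text: str) -> list:
    """Pathnames of file-backed mappings with the execute bit, lowest address
    first.  Anonymous (inode 0) and pseudo mappings such as [vdso] are skipped."""
    found = []
    for line in maps_text.splitlines():
        m = _MAPS_RE.match(line)
        if not m:
            continue
        perms, inode, path = m.group(3), m.group(4), _normalize(m.group(5))
        if inode == "0" or not path.startswith("/") or "x" not in perms:
            continue
        if path not in found:
            found.append(path)
    return found

def exe_link_consistent(exe_target: str, maps_text: str) -> bool:
    """True when the exe link names a file the process really has mapped
    executable; False is the case worth investigating."""
    return _normalize(exe_target) in mapped_executables(maps_text)

def check_pid(pid: int):
    """Run the check on a live process; None if it exited or is unreadable."""
    try:
        exe = os.readlink(f"/proc/{pid}/exe")
        with open(f"/proc/{pid}/maps") as fh:
            return exe_link_consistent(exe, fh.read())
    except OSError:
        return None

# Constructed sample: the mapped program is /usr/bin/sleep, so an exe link
# claiming /usr/bin/passwd (setuid) would be inconsistent with it.
SAMPLE_MAPS = """\
55d1c0000000-55d1c0002000 r--p 00000000 fd:01 1234 /usr/bin/sleep
55d1c0002000-55d1c0005000 r-xp 00002000 fd:01 1234 /usr/bin/sleep
7f3a00000000-7f3a00020000 r-xp 00000000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd123a0000-7ffd123a2000 r-xp 00000000 00:00 0 [vdso]
"""
```

`check_pid(os.getpid())` should return True on an ordinary interpreter; a False result for a running process means the exe link and the mapped program disagree and the process deserves a closer look.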