From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mail-yw0-f182.google.com ([209.85.161.182]:33888 "EHLO mail-yw0-f182.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756174AbcIRT6S (ORCPT ); Sun, 18 Sep 2016 15:58:18 -0400
Received: by mail-yw0-f182.google.com with SMTP id g192so122112833ywh.1 for ; Sun, 18 Sep 2016 12:58:18 -0700 (PDT)
MIME-Version: 1.0
In-Reply-To: <1474211117-16674-8-git-send-email-jann@thejh.net>
References: <1474211117-16674-1-git-send-email-jann@thejh.net> <1474211117-16674-8-git-send-email-jann@thejh.net>
From: Andy Lutomirski
Date: Sun, 18 Sep 2016 12:57:57 -0700
Message-ID:
Subject: Re: [PATCH 7/9] ptrace: forbid ptrace checks against current_cred() from VFS context
To: Jann Horn
Cc: Thomas Gleixner , Stephen Smalley , Andrew Morton , "security@kernel.org" , James Morris , Janis Danisevskis , Casey Schaufler , Kees Cook , Roland McGrath , Alexander Viro , LSM List , "Serge E. Hallyn" , "Eric . Biederman" , Paul Moore , Linux FS Devel , Oleg Nesterov , Benjamin LaHaise , Eric Paris , Seth Forshee , John Johansen
Content-Type: text/plain; charset=UTF-8
Sender: linux-fsdevel-owner@vger.kernel.org
List-ID:

On Sep 18, 2016 5:05 AM, "Jann Horn" wrote:
>
> This ensures that VFS implementations don't call ptrace_may_access() from
> VFS read or write handlers. In order for file descriptor passing to have
> its intended security properties, VFS read/write handlers must not do any
> kind of privilege checking.
>

Ooh, nifty! Can you warn about capable() too? Warning about all access to current->cred could be fun. I expect we have zillions of these bugs. Think keys, netlink, proc, etc.