From: youling 257 <youling257@gmail.com>
To: Kees Cook <keescook@chromium.org>
Cc: torvalds@linux-foundation.org, christian.brauner@ubuntu.com,
andrea.righi@canonical.com, linux-kernel@vger.kernel.org,
stable@vger.kernel.org, regressions@lists.linux.dev,
linux-security-module@vger.kernel.org,
Paul Moore <paul@paul-moore.com>,
Stephen Smalley <stephen.smalley.work@gmail.com>,
SElinux list <selinux@vger.kernel.org>
Subject: Re: [PATCH] proc: Track /proc/$pid/attr/ opener mm_struct
Date: Tue, 15 Jun 2021 02:46:19 +0800 [thread overview]
Message-ID: <CAOzgRdZJeN6sQWP=Ou0H3bTrp+7ijKuJikG-f4eer5f1oVjrCQ@mail.gmail.com> (raw)
In-Reply-To: <202106140941.7CE5AE64@keescook>
[-- Attachment #1: Type: text/plain, Size: 3983 bytes --]
I test this patch cause "init: cannot setexeccon(u:r:ueventd:s0)
operation not permitted.
init ctrl_write_limited.
2021-06-15 0:45 GMT+08:00, Kees Cook <keescook@chromium.org>:
> On Mon, Jun 14, 2021 at 08:32:35AM -0700, Kees Cook wrote:
>> On Mon, Jun 14, 2021 at 06:02:34PM +0800, youling257 wrote:
>> > I used mainline kernel on android, this patch cause "failed to retrieve
>> > pid context" problem.
>> >
>> > 06-14 02:15:51.165 1685 1685 E ServiceManager: SELinux:
>> > getpidcon(pid=1682) failed to retrieve pid context.
>
> I found getpidcon() in libselinux:
> https://github.com/SELinuxProject/selinux/blob/master/libselinux/src/procattr.c#L159
>
>> > 06-14 02:15:51.166 1685 1685 E ServiceManager:
>> > add_service('batteryproperties',1) uid=0 - PERMISSION DENIED
>> > 06-14 02:15:51.166 1682 1682 I ServiceManager: addService()
>> > batteryproperties failed (err -1 - no service manager yet?).
>> > Retrying...
>> > 06-14 02:15:51.197 1685 1685 E ServiceManager: SELinux:
>> > getpidcon(pid=1695) failed to retrieve pid context.
>> > 06-14 02:15:51.197 1685 1685 E ServiceManager:
>> > add_service('android.security.keystore',1) uid=1017 - PERMISSION DENIED
>> > 06-14 02:15:51.198 1695 1695 I ServiceManager: addService()
>> > android.security.keystore failed (err -1 - no service manager yet?).
>> > Retrying...
>> > 06-14 02:15:51.207 1685 1685 E ServiceManager: SELinux:
>> > getpidcon(pid=1708) failed to retrieve pid context.
>> > 06-14 02:15:51.207 1685 1685 E ServiceManager:
>> > add_service('android.service.gatekeeper.IGateKeeperService',1) uid=1000
>> > - PERMISSION DENIED
>> > 06-14 02:15:51.207 1708 1708 I ServiceManager: addService()
>> > android.service.gatekeeper.IGateKeeperService failed (err -1 - no
>> > service manager yet?). Retrying...
>> > 06-14 02:15:51.275 1685 1685 E ServiceManager: SELinux:
>> > getpidcon(pid=1693) failed to retrieve pid context.
>> > 06-14 02:15:51.275 1692 1692 I cameraserver: ServiceManager:
>> > 0xf6d309e0
>> > 06-14 02:15:51.275 1685 1685 E ServiceManager:
>> > add_service('drm.drmManager',1) uid=1019 - PERMISSION DENIED
>> > 06-14 02:15:51.276 1693 1693 I ServiceManager: addService()
>> > drm.drmManager failed (err -1 - no service manager yet?). Retrying...
>> >
>>
>> Argh. Are you able to uncover what userspace is doing here?
>
> It looks like this is a case of attempting to _read_ the attr file, and
> the new opener check was requiring the opener/target relationship pass
> the mm_access() checks, which is clearly too strict.
>
>> So far, my test cases are:
>>
>> 1) self: open, write, close: allowed
>> 2) self: open, clone thread. thread: change privileges, write, close:
>> allowed
>> 3) self: open, give to privileged process. privileged process: write:
>> reject
>
> I've now added:
>
> 4) self: open privileged process's attr, read, close: allowed
>
> Can folks please test this patch to double-check?
>
>
> diff --git a/fs/proc/base.c b/fs/proc/base.c
> index 7118ebe38fa6..7c55301674e0 100644
> --- a/fs/proc/base.c
> +++ b/fs/proc/base.c
> @@ -2676,7 +2676,14 @@ static int proc_pident_readdir(struct file *file,
> struct dir_context *ctx,
> #ifdef CONFIG_SECURITY
> static int proc_pid_attr_open(struct inode *inode, struct file *file)
> {
> - return __mem_open(inode, file, PTRACE_MODE_READ_FSCREDS);
> + struct mm_struct *mm = __mem_open(inode, file, PTRACE_MODE_READ_FSCREDS);
> +
> + /* Reads do not require mm_struct access. */
> + if (IS_ERR(mm))
> + mm = NULL;
> +
> + file->private_data = mm;
> + return 0;
> }
>
> static ssize_t proc_pid_attr_read(struct file * file, char __user * buf,
> @@ -2709,7 +2716,7 @@ static ssize_t proc_pid_attr_write(struct file * file,
> const char __user * buf,
> int rv;
>
> /* A task may only write when it was the opener. */
> - if (file->private_data != current->mm)
> + if (!file->private_data || file->private_data != current->mm)
> return -EPERM;
>
> rcu_read_lock();
>
>
> Wheee.
>
> --
> Kees Cook
>
[-- Attachment #2: wp_ss_20210615_0001.png --]
[-- Type: image/png, Size: 1198107 bytes --]
next prev parent reply other threads:[~2021-06-14 18:46 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-08 17:12 [PATCH] proc: Track /proc/$pid/attr/ opener mm_struct Kees Cook
2021-06-09 6:40 ` Christian Brauner
2021-06-14 10:02 ` youling257
2021-06-14 15:32 ` Kees Cook
2021-06-14 16:45 ` Kees Cook
2021-06-14 18:02 ` Linus Torvalds
2021-06-14 18:02 ` Linus Torvalds
2021-06-14 18:46 ` youling 257 [this message]
2021-06-14 18:46 ` youling 257
2021-06-14 22:50 ` Kees Cook
2021-06-15 1:55 ` youling 257
2021-06-15 1:55 ` youling 257
2021-06-15 18:19 ` Linus Torvalds
2021-06-15 18:19 ` Linus Torvalds
2021-06-15 21:50 ` Kees Cook
2021-06-16 5:56 ` Greg KH
2021-06-16 5:15 ` youling 257
2021-06-16 5:15 ` youling 257
2021-06-14 17:52 ` Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAOzgRdZJeN6sQWP=Ou0H3bTrp+7ijKuJikG-f4eer5f1oVjrCQ@mail.gmail.com' \
--to=youling257@gmail.com \
--cc=andrea.righi@canonical.com \
--cc=christian.brauner@ubuntu.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=regressions@lists.linux.dev \
--cc=selinux@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.