From: jannh@google.com (Jann Horn)
To: linux-security-module@vger.kernel.org
Subject: [PATCH v5 1/5] AppArmor: Prepare for PTRACE_MODE_SCHED
Date: Wed, 26 Sep 2018 23:18:35 +0200 [thread overview]
Message-ID: <CAG48ez15jcFQT1NdZekRuo9_GKLru_R1HpgF0TNKUKAZ8_6UNA@mail.gmail.com> (raw)
In-Reply-To: <CAG48ez1xu_WJi5_UZvrTO_H6o=DHRvm5LMp_jg=GauLbpkYARg@mail.gmail.com>
On Wed, Sep 26, 2018 at 11:16 PM Jann Horn <jannh@google.com> wrote:
>
> On Wed, Sep 26, 2018 at 10:35 PM Casey Schaufler
> <casey.schaufler@intel.com> wrote:
> > A ptrace access check with mode PTRACE_MODE_SCHED gets called
> > from process switching code. This precludes the use of audit,
> > as the locking is incompatible. Don't do audit in the PTRACE_MODE_SCHED
> > case.
>
> Why is this separate from PTRACE_MODE_NOAUDIT? It looks like
> apparmor_ptrace_access_check() currently ignores PTRACE_MODE_NOAUDIT.
> Could you, instead of adding a new flag, fix the handling of
> PTRACE_MODE_NOAUDIT?
Er, after looking at more of the series, I see that PTRACE_MODE_SCHED
is necessary; but could you handle the "don't audit" part for AppArmor
using PTRACE_MODE_NOAUDIT instead?
> > Signed-off-by: Casey Schaufler <casey.schaufler@intel.com>
> > ---
> > security/apparmor/domain.c | 2 +-
> > security/apparmor/include/ipc.h | 2 +-
> > security/apparmor/ipc.c | 8 +++++---
> > security/apparmor/lsm.c | 5 +++--
> > 4 files changed, 10 insertions(+), 7 deletions(-)
> >
> > diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
> > index 08c88de0ffda..28300f4c3ef9 100644
> > --- a/security/apparmor/domain.c
> > +++ b/security/apparmor/domain.c
> > @@ -77,7 +77,7 @@ static int may_change_ptraced_domain(struct aa_label *to_label,
> > if (!tracer || unconfined(tracerl))
> > goto out;
> >
> > - error = aa_may_ptrace(tracerl, to_label, PTRACE_MODE_ATTACH);
> > + error = aa_may_ptrace(tracerl, to_label, PTRACE_MODE_ATTACH, true);
> >
> > out:
> > rcu_read_unlock();
> > diff --git a/security/apparmor/include/ipc.h b/security/apparmor/include/ipc.h
> > index 5ffc218d1e74..299d1c45fef0 100644
> > --- a/security/apparmor/include/ipc.h
> > +++ b/security/apparmor/include/ipc.h
> > @@ -34,7 +34,7 @@ struct aa_profile;
> > "xcpu xfsz vtalrm prof winch io pwr sys emt lost"
> >
> > int aa_may_ptrace(struct aa_label *tracer, struct aa_label *tracee,
> > - u32 request);
> > + u32 request, bool audit);
> > int aa_may_signal(struct aa_label *sender, struct aa_label *target, int sig);
> >
> > #endif /* __AA_IPC_H */
> > diff --git a/security/apparmor/ipc.c b/security/apparmor/ipc.c
> > index 527ea1557120..9ed110afc822 100644
> > --- a/security/apparmor/ipc.c
> > +++ b/security/apparmor/ipc.c
> > @@ -121,15 +121,17 @@ static int profile_tracer_perm(struct aa_profile *tracer,
> > * Returns: %0 else error code if permission denied or error
> > */
> > int aa_may_ptrace(struct aa_label *tracer, struct aa_label *tracee,
> > - u32 request)
> > + u32 request, bool audit)
> > {
> > struct aa_profile *profile;
> > u32 xrequest = request << PTRACE_PERM_SHIFT;
> > DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_PTRACE);
> >
> > return xcheck_labels(tracer, tracee, profile,
> > - profile_tracer_perm(profile, tracee, request, &sa),
> > - profile_tracee_perm(profile, tracer, xrequest, &sa));
> > + profile_tracer_perm(profile, tracee, request,
> > + audit ? &sa : NULL),
> > + profile_tracee_perm(profile, tracer, xrequest,
> > + audit ? &sa : NULL));
> > }
> >
> >
> > diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
> > index 8b8b70620bbe..da9d0b228857 100644
> > --- a/security/apparmor/lsm.c
> > +++ b/security/apparmor/lsm.c
> > @@ -118,7 +118,8 @@ static int apparmor_ptrace_access_check(struct task_struct *child,
> > tracee = aa_get_task_label(child);
> > error = aa_may_ptrace(tracer, tracee,
> > (mode & PTRACE_MODE_READ) ? AA_PTRACE_READ
> > - : AA_PTRACE_TRACE);
> > + : AA_PTRACE_TRACE,
> > + !(mode & PTRACE_MODE_SCHED));
> > aa_put_label(tracee);
> > end_current_label_crit_section(tracer);
> >
> > @@ -132,7 +133,7 @@ static int apparmor_ptrace_traceme(struct task_struct *parent)
> >
> > tracee = begin_current_label_crit_section();
> > tracer = aa_get_task_label(parent);
> > - error = aa_may_ptrace(tracer, tracee, AA_PTRACE_TRACE);
> > + error = aa_may_ptrace(tracer, tracee, AA_PTRACE_TRACE, true);
> > aa_put_label(tracer);
> > end_current_label_crit_section(tracee);
> >
> > --
> > 2.17.1
> >
next prev parent reply other threads:[~2018-09-26 21:18 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-26 20:34 [PATCH v5 0/5] LSM: Support ptrace sidechannel access checks Casey Schaufler
2018-09-26 20:34 ` [PATCH v5 1/5] AppArmor: Prepare for PTRACE_MODE_SCHED Casey Schaufler
2018-09-26 21:16 ` Jann Horn
2018-09-26 21:18 ` Jann Horn [this message]
2018-09-26 22:47 ` Schaufler, Casey
2018-09-26 20:34 ` [PATCH v5 2/5] Smack: " Casey Schaufler
2018-09-26 21:30 ` Jann Horn
2018-09-26 22:53 ` Schaufler, Casey
2018-09-26 22:58 ` Jann Horn
2018-10-04 7:47 ` Jiri Kosina
2018-10-04 11:36 ` Jann Horn
2018-10-16 11:44 ` Jiri Kosina
2018-09-26 20:34 ` [PATCH v5 3/5] SELinux: " Casey Schaufler
2018-09-27 15:50 ` Stephen Smalley
2018-09-27 16:23 ` Schaufler, Casey
2018-09-26 20:34 ` [PATCH v5 4/5] Capability: Complete PTRACE_MODE_SCHED Casey Schaufler
2018-09-26 21:26 ` Jann Horn
2018-09-26 22:24 ` Schaufler, Casey
2018-09-26 20:34 ` [PATCH v5 5/5] sidechannel: Linux Security Module for sidechannel Casey Schaufler
2018-09-27 21:45 ` James Morris
2018-09-27 22:39 ` Casey Schaufler
2018-09-27 22:47 ` James Morris
2018-09-27 23:19 ` Schaufler, Casey
2018-09-27 23:43 ` James Morris
2018-09-27 23:47 ` Jann Horn
2018-09-28 16:33 ` James Morris
2018-09-28 17:40 ` Schaufler, Casey
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAG48ez15jcFQT1NdZekRuo9_GKLru_R1HpgF0TNKUKAZ8_6UNA@mail.gmail.com \
--to=jannh@google.com \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).