linux-security-module.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: jannh@google.com (Jann Horn)
To: linux-security-module@vger.kernel.org
Subject: [PATCH v5 1/5] AppArmor: Prepare for PTRACE_MODE_SCHED
Date: Wed, 26 Sep 2018 23:18:35 +0200	[thread overview]
Message-ID: <CAG48ez15jcFQT1NdZekRuo9_GKLru_R1HpgF0TNKUKAZ8_6UNA@mail.gmail.com> (raw)
In-Reply-To: <CAG48ez1xu_WJi5_UZvrTO_H6o=DHRvm5LMp_jg=GauLbpkYARg@mail.gmail.com>

On Wed, Sep 26, 2018 at 11:16 PM Jann Horn <jannh@google.com> wrote:
>
> On Wed, Sep 26, 2018 at 10:35 PM Casey Schaufler
> <casey.schaufler@intel.com> wrote:
> > A ptrace access check with mode PTRACE_MODE_SCHED gets called
> > from process switching code. This precludes the use of audit,
> > as the locking is incompatible. Don't do audit in the PTRACE_MODE_SCHED
> > case.
>
> Why is this separate from PTRACE_MODE_NOAUDIT? It looks like
> apparmor_ptrace_access_check() currently ignores PTRACE_MODE_NOAUDIT.
> Could you, instead of adding a new flag, fix the handling of
> PTRACE_MODE_NOAUDIT?

Er, after looking at more of the series, I see that PTRACE_MODE_SCHED
is necessary; but could you handle the "don't audit" part for AppArmor
using PTRACE_MODE_NOAUDIT instead?

> > Signed-off-by: Casey Schaufler <casey.schaufler@intel.com>
> > ---
> >  security/apparmor/domain.c      | 2 +-
> >  security/apparmor/include/ipc.h | 2 +-
> >  security/apparmor/ipc.c         | 8 +++++---
> >  security/apparmor/lsm.c         | 5 +++--
> >  4 files changed, 10 insertions(+), 7 deletions(-)
> >
> > diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
> > index 08c88de0ffda..28300f4c3ef9 100644
> > --- a/security/apparmor/domain.c
> > +++ b/security/apparmor/domain.c
> > @@ -77,7 +77,7 @@ static int may_change_ptraced_domain(struct aa_label *to_label,
> >         if (!tracer || unconfined(tracerl))
> >                 goto out;
> >
> > -       error = aa_may_ptrace(tracerl, to_label, PTRACE_MODE_ATTACH);
> > +       error = aa_may_ptrace(tracerl, to_label, PTRACE_MODE_ATTACH, true);
> >
> >  out:
> >         rcu_read_unlock();
> > diff --git a/security/apparmor/include/ipc.h b/security/apparmor/include/ipc.h
> > index 5ffc218d1e74..299d1c45fef0 100644
> > --- a/security/apparmor/include/ipc.h
> > +++ b/security/apparmor/include/ipc.h
> > @@ -34,7 +34,7 @@ struct aa_profile;
> >         "xcpu xfsz vtalrm prof winch io pwr sys emt lost"
> >
> >  int aa_may_ptrace(struct aa_label *tracer, struct aa_label *tracee,
> > -                 u32 request);
> > +                 u32 request, bool audit);
> >  int aa_may_signal(struct aa_label *sender, struct aa_label *target, int sig);
> >
> >  #endif /* __AA_IPC_H */
> > diff --git a/security/apparmor/ipc.c b/security/apparmor/ipc.c
> > index 527ea1557120..9ed110afc822 100644
> > --- a/security/apparmor/ipc.c
> > +++ b/security/apparmor/ipc.c
> > @@ -121,15 +121,17 @@ static int profile_tracer_perm(struct aa_profile *tracer,
> >   * Returns: %0 else error code if permission denied or error
> >   */
> >  int aa_may_ptrace(struct aa_label *tracer, struct aa_label *tracee,
> > -                 u32 request)
> > +                 u32 request, bool audit)
> >  {
> >         struct aa_profile *profile;
> >         u32 xrequest = request << PTRACE_PERM_SHIFT;
> >         DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_PTRACE);
> >
> >         return xcheck_labels(tracer, tracee, profile,
> > -                       profile_tracer_perm(profile, tracee, request, &sa),
> > -                       profile_tracee_perm(profile, tracer, xrequest, &sa));
> > +                       profile_tracer_perm(profile, tracee, request,
> > +                                           audit ? &sa : NULL),
> > +                       profile_tracee_perm(profile, tracer, xrequest,
> > +                                           audit ? &sa : NULL));
> >  }
> >
> >
> > diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
> > index 8b8b70620bbe..da9d0b228857 100644
> > --- a/security/apparmor/lsm.c
> > +++ b/security/apparmor/lsm.c
> > @@ -118,7 +118,8 @@ static int apparmor_ptrace_access_check(struct task_struct *child,
> >         tracee = aa_get_task_label(child);
> >         error = aa_may_ptrace(tracer, tracee,
> >                         (mode & PTRACE_MODE_READ) ? AA_PTRACE_READ
> > -                                                 : AA_PTRACE_TRACE);
> > +                                                 : AA_PTRACE_TRACE,
> > +                       !(mode & PTRACE_MODE_SCHED));
> >         aa_put_label(tracee);
> >         end_current_label_crit_section(tracer);
> >
> > @@ -132,7 +133,7 @@ static int apparmor_ptrace_traceme(struct task_struct *parent)
> >
> >         tracee = begin_current_label_crit_section();
> >         tracer = aa_get_task_label(parent);
> > -       error = aa_may_ptrace(tracer, tracee, AA_PTRACE_TRACE);
> > +       error = aa_may_ptrace(tracer, tracee, AA_PTRACE_TRACE, true);
> >         aa_put_label(tracer);
> >         end_current_label_crit_section(tracee);
> >
> > --
> > 2.17.1
> >

  reply	other threads:[~2018-09-26 21:18 UTC|newest]

Thread overview: 27+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-09-26 20:34 [PATCH v5 0/5] LSM: Support ptrace sidechannel access checks Casey Schaufler
2018-09-26 20:34 ` [PATCH v5 1/5] AppArmor: Prepare for PTRACE_MODE_SCHED Casey Schaufler
2018-09-26 21:16   ` Jann Horn
2018-09-26 21:18     ` Jann Horn [this message]
2018-09-26 22:47       ` Schaufler, Casey
2018-09-26 20:34 ` [PATCH v5 2/5] Smack: " Casey Schaufler
2018-09-26 21:30   ` Jann Horn
2018-09-26 22:53     ` Schaufler, Casey
2018-09-26 22:58       ` Jann Horn
2018-10-04  7:47         ` Jiri Kosina
2018-10-04 11:36           ` Jann Horn
2018-10-16 11:44             ` Jiri Kosina
2018-09-26 20:34 ` [PATCH v5 3/5] SELinux: " Casey Schaufler
2018-09-27 15:50   ` Stephen Smalley
2018-09-27 16:23     ` Schaufler, Casey
2018-09-26 20:34 ` [PATCH v5 4/5] Capability: Complete PTRACE_MODE_SCHED Casey Schaufler
2018-09-26 21:26   ` Jann Horn
2018-09-26 22:24     ` Schaufler, Casey
2018-09-26 20:34 ` [PATCH v5 5/5] sidechannel: Linux Security Module for sidechannel Casey Schaufler
2018-09-27 21:45   ` James Morris
2018-09-27 22:39     ` Casey Schaufler
2018-09-27 22:47       ` James Morris
2018-09-27 23:19         ` Schaufler, Casey
2018-09-27 23:43           ` James Morris
2018-09-27 23:47             ` Jann Horn
2018-09-28 16:33               ` James Morris
2018-09-28 17:40                 ` Schaufler, Casey

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAG48ez15jcFQT1NdZekRuo9_GKLru_R1HpgF0TNKUKAZ8_6UNA@mail.gmail.com \
    --to=jannh@google.com \
    --cc=linux-security-module@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).