* Re: Documenting ptrace access mode checking
2016-06-21 9:41 Documenting ptrace access mode checking Michael Kerrisk (man-pages)
@ 2016-06-21 19:55 ` Eric W. Biederman
2016-06-21 20:29 ` Kees Cook
` (2 more replies)
2016-06-21 20:55 ` Jann Horn
2016-06-23 18:05 ` Stephen Smalley
2 siblings, 3 replies; 25+ messages in thread
From: Eric W. Biederman @ 2016-06-21 19:55 UTC (permalink / raw)
To: Michael Kerrisk (man-pages)
Cc: Jann Horn, James Morris, linux-man, Stephen Smalley, lkml,
Kees Cook, linux-security-module, Linux API, Oleg Nesterov
Adding Oleg just because he seems to do most of the ptrace related
maintenance these days.
"Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> writes:
> Hi Jann, Stephen, et al.
>
> Jann, since you recently committed a patch in this area, and Stephen,
> since you committed 006ebb40d3d much further back in time, I wonder if
> you might help me by reviewing the text below that I propose to add to
> the ptrace(2) man page, in order to document "ptrace access mode
> checking" that is performed in various parts of the kernel-user-space
> interface. Of course, I welcome input from anyone else as well.
>
> Here's the new ptrace(2) text. Any comments, technical or terminological
> fixes, other improvements, etc. are welcome.
>
> [[
> Ptrace access mode checking
> Various parts of the kernel-user-space API (not just ptrace(2)
> operations), require so-called "ptrace access mode permissions"
> which are gated by Linux Security Modules (LSMs) such as
> SELinux, Yama, Smack, or the default LSM. Prior to Linux
> 2.6.27, all such checks were of a single type. Since Linux
> 2.6.27, two access mode levels are distinguished:
>
> PTRACE_MODE_READ
> For "read" operations or other operations that are less
> dangerous, such as: get_robust_list(2); kcmp(2); reading
> /proc/[pid]/auxv, /proc/[pid]/environ, or
> /proc/[pid]/stat; or readlink(2) of a /proc/[pid]/ns/*
> file.
>
> PTRACE_MODE_ATTACH
> For "write" operations, or other operations that are
> more dangerous, such as: ptrace attaching
> (PTRACE_ATTACH) to another process or calling
> process_vm_writev(2). (PTRACE_MODE_ATTACH was effec‐
> tively the default before Linux 2.6.27.)
>
> Since Linux 4.5, the above access mode checks may be combined
> (ORed) with one of the following modifiers:
>
> PTRACE_MODE_FSCREDS
> Use the caller's filesystem UID and GID (see creden‐
> tials(7)) or effective capabilities for LSM checks.
>
> PTRACE_MODE_REALCREDS
> Use the caller's real UID and GID or permitted capabili‐
> ties for LSM checks. This was effectively the default
> before Linux 4.5.
>
> Because combining one of the credential modifiers with one of
> the aforementioned access modes is typical, some macros are
> defined in the kernel sources for the combinations:
>
> PTRACE_MODE_READ_FSCREDS
> Defined as PTRACE_MODE_READ | PTRACE_MODE_FSCREDS.
>
> PTRACE_MODE_READ_REALCREDS
> Defined as PTRACE_MODE_READ | PTRACE_MODE_REALCREDS.
>
> PTRACE_MODE_ATTACH_FSCREDS
> Defined as PTRACE_MODE_ATTACH | PTRACE_MODE_FSCREDS.
>
> PTRACE_MODE_ATTACH_REALCREDS
> Defined as PTRACE_MODE_ATTACH | PTRACE_MODE_REALCREDS.
>
> One further modifier can be ORed with the access mode:
>
> PTRACE_MODE_NOAUDIT (since Linux 3.3)
> Don't audit this access mode check.
>
> [I'd quite welcome some text to explain "auditing" here.]
AKA don't let the audit subsystem know. Which tends to
generate audit records capable is called.
>
> The algorithm employed for ptrace access mode checking deter‐
> mines whether the calling process is allowed to perform the
> corresponding action on the target process, as follows:
>
> 1. If the calling thread and the target thread are in the same
> thread group, access is always allowed.
This test only exsits because the LSMs historically and I suspect
continue to be broken and deny a process the ability to ptrace itself.
>
> 2. If the access mode specifies PTRACE_MODE_FSCREDS, then for
> the check in the next step, employ the caller's filesystem
> user ID and group ID (see credentials(7)); otherwise (the
> access mode specifies PTRACE_MODE_REALCREDS, so) use the
> caller's real user ID and group ID.
>
> 3. Deny access if neither of the following is true:
>
> · The real, effective, and saved-set user IDs of the target
> match the caller's user ID, and the real, effective, and
> saved-set group IDs of the target match the caller's
> group ID.
>
> · The caller has the CAP_SYS_PTRACE capability.
>
> 4. Deny access if the target process "dumpable" attribute has
> a value other than 1 (SUID_DUMP_USER; see the discussion of
> PR_SET_DUMPABLE in prctl(2)), and the caller does not have
> the CAP_SYS_PTRACE capability in the user namespace of the
> target process.
>
> 5. The kernel LSM security_ptrace_access_check() interface is
> invoked to see if ptrace access is permitted. The results
> depend on the LSM. The implementation of this interface in
> the default LSM performs the following steps:
>
> a) If the access mode includes PTRACE_MODE_FSCREDS, then
> use the caller's effective capability set in the follow‐
> ing check; otherwise (the access mode specifies
> PTRACE_MODE_REALCREDS, so) use the caller's permitted
> capability set.
>
> b) Deny access if neither of the following is true:
>
> · The caller's capabilities are a proper superset of the
> target process's permitted capabilities.
>
> · The caller has the CAP_SYS_PTRACE capability in the
> target process's user namespace.
>
> Note that the default LSM does not distinguish between
> PTRACE_MODE_READ and PTRACE_MODE_ATTACH.
>
> 6. If access has not been denied by any of the preceding
> steps, then access is allowed.
> ]]
>
> There are accompanying changes to various pages that refer to
> the new text in ptrace(2), so that, for example, kcmp(2) adds:
>
> Permission to employ kcmp() is governed by ptrace access mode
> PTRACE_MODE_ATTACH_REALCREDS checks against both pid1 and pid2;
> see ptrace(2).
>
> and proc.5 has additions such as:
>
> /proc/[pid]/auxv (since 2.6.0-test7)
> ...
> Permission to access this file is governed by a ptrace
> access mode PTRACE_MODE_READ_FSCREDS check; see
> ptrace(2).
>
> /proc/[pid]/cwd
> ...
> Permission to dereference or read (readlink(2)) this
> symbolic link is governed by a ptrace access mode
> PTRACE_MODE_READ_FSCREDS check; see ptrace(2).
Hmm.
When I gave this level of detail about the user namespace permission
checks you gave me some flack, because it was not particularly
comprehensible to the end users. I think you deserve the same feedback.
How do we say this in a way that does not describes a useful way to
think about it. I read this and I know a lot of what is going on and my
mind goes numb.
How about something like this:
If the callers uid and gid are the same as a processes uids and gids
and the processes is configured to allow core dumps (aka it was never
setuid or setgid) then the caller is allowed to ptrace a process.
Otherwise the caller must have CAP_SYS_PTRACE.
Linux security modules impose additional restrictions.
For consistency access to various process attributes are guarded with
the same security checks as the ptrace system call itself. As they are
all methods to get information about a process.
We certainly need something that gives a high level view so people
reading the man page can know what to expect. If you get down into the
weeds we run the danger of people beginning to think they can depend
upon bugs in the implementation.
Eric
^ permalink raw reply [flat|nested] 25+ messages in thread* Re: Documenting ptrace access mode checking
2016-06-21 19:55 ` Eric W. Biederman
@ 2016-06-21 20:29 ` Kees Cook
2016-06-21 20:58 ` Eric W. Biederman
2016-06-22 19:20 ` Michael Kerrisk (man-pages)
2016-06-22 19:20 ` Michael Kerrisk (man-pages)
2016-06-22 21:51 ` Oleg Nesterov
2 siblings, 2 replies; 25+ messages in thread
From: Kees Cook @ 2016-06-21 20:29 UTC (permalink / raw)
To: Eric W. Biederman
Cc: Michael Kerrisk (man-pages),
Jann Horn, James Morris, linux-man, Stephen Smalley, lkml,
linux-security-module, Linux API, Oleg Nesterov
On Tue, Jun 21, 2016 at 12:55 PM, Eric W. Biederman
<ebiederm@xmission.com> wrote:
>
> Adding Oleg just because he seems to do most of the ptrace related
> maintenance these days.
>
> "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> writes:
>
>> Hi Jann, Stephen, et al.
>>
>> Jann, since you recently committed a patch in this area, and Stephen,
>> since you committed 006ebb40d3d much further back in time, I wonder if
>> you might help me by reviewing the text below that I propose to add to
>> the ptrace(2) man page, in order to document "ptrace access mode
>> checking" that is performed in various parts of the kernel-user-space
>> interface. Of course, I welcome input from anyone else as well.
Your text matches my understand of this code. :)
>> Here's the new ptrace(2) text. Any comments, technical or terminological
>> fixes, other improvements, etc. are welcome.
>>
>> [[
>> Ptrace access mode checking
>> Various parts of the kernel-user-space API (not just ptrace(2)
>> operations), require so-called "ptrace access mode permissions"
>> which are gated by Linux Security Modules (LSMs) such as
>> SELinux, Yama, Smack, or the default LSM. Prior to Linux
>> 2.6.27, all such checks were of a single type. Since Linux
>> 2.6.27, two access mode levels are distinguished:
>>
>> PTRACE_MODE_READ
>> For "read" operations or other operations that are less
>> dangerous, such as: get_robust_list(2); kcmp(2); reading
>> /proc/[pid]/auxv, /proc/[pid]/environ, or
>> /proc/[pid]/stat; or readlink(2) of a /proc/[pid]/ns/*
>> file.
>>
>> PTRACE_MODE_ATTACH
>> For "write" operations, or other operations that are
>> more dangerous, such as: ptrace attaching
>> (PTRACE_ATTACH) to another process or calling
>> process_vm_writev(2). (PTRACE_MODE_ATTACH was effec‐
>> tively the default before Linux 2.6.27.)
>>
>> Since Linux 4.5, the above access mode checks may be combined
>> (ORed) with one of the following modifiers:
>>
>> PTRACE_MODE_FSCREDS
>> Use the caller's filesystem UID and GID (see creden‐
>> tials(7)) or effective capabilities for LSM checks.
>>
>> PTRACE_MODE_REALCREDS
>> Use the caller's real UID and GID or permitted capabili‐
>> ties for LSM checks. This was effectively the default
>> before Linux 4.5.
>>
>> Because combining one of the credential modifiers with one of
>> the aforementioned access modes is typical, some macros are
>> defined in the kernel sources for the combinations:
>>
>> PTRACE_MODE_READ_FSCREDS
>> Defined as PTRACE_MODE_READ | PTRACE_MODE_FSCREDS.
>>
>> PTRACE_MODE_READ_REALCREDS
>> Defined as PTRACE_MODE_READ | PTRACE_MODE_REALCREDS.
>>
>> PTRACE_MODE_ATTACH_FSCREDS
>> Defined as PTRACE_MODE_ATTACH | PTRACE_MODE_FSCREDS.
>>
>> PTRACE_MODE_ATTACH_REALCREDS
>> Defined as PTRACE_MODE_ATTACH | PTRACE_MODE_REALCREDS.
>>
>> One further modifier can be ORed with the access mode:
>>
>> PTRACE_MODE_NOAUDIT (since Linux 3.3)
>> Don't audit this access mode check.
>>
>> [I'd quite welcome some text to explain "auditing" here.]
>
> AKA don't let the audit subsystem know. Which tends to
> generate audit records capable is called.
>>
>> The algorithm employed for ptrace access mode checking deter‐
>> mines whether the calling process is allowed to perform the
>> corresponding action on the target process, as follows:
>>
>> 1. If the calling thread and the target thread are in the same
>> thread group, access is always allowed.
>
> This test only exsits because the LSMs historically and I suspect
> continue to be broken and deny a process the ability to ptrace itself.
Well, it's not that the LSMs are broken, it's that self-inspection is
a short-circuited "allow". The LSMs aren't involved.
>> 2. If the access mode specifies PTRACE_MODE_FSCREDS, then for
>> the check in the next step, employ the caller's filesystem
>> user ID and group ID (see credentials(7)); otherwise (the
>> access mode specifies PTRACE_MODE_REALCREDS, so) use the
>> caller's real user ID and group ID.
>>
>> 3. Deny access if neither of the following is true:
>>
>> · The real, effective, and saved-set user IDs of the target
>> match the caller's user ID, and the real, effective, and
>> saved-set group IDs of the target match the caller's
>> group ID.
>>
>> · The caller has the CAP_SYS_PTRACE capability.
>>
>> 4. Deny access if the target process "dumpable" attribute has
>> a value other than 1 (SUID_DUMP_USER; see the discussion of
>> PR_SET_DUMPABLE in prctl(2)), and the caller does not have
>> the CAP_SYS_PTRACE capability in the user namespace of the
>> target process.
>>
>> 5. The kernel LSM security_ptrace_access_check() interface is
>> invoked to see if ptrace access is permitted. The results
>> depend on the LSM. The implementation of this interface in
>> the default LSM performs the following steps:
>>
>> a) If the access mode includes PTRACE_MODE_FSCREDS, then
>> use the caller's effective capability set in the follow‐
>> ing check; otherwise (the access mode specifies
>> PTRACE_MODE_REALCREDS, so) use the caller's permitted
>> capability set.
>>
>> b) Deny access if neither of the following is true:
>>
>> · The caller's capabilities are a proper superset of the
>> target process's permitted capabilities.
>>
>> · The caller has the CAP_SYS_PTRACE capability in the
>> target process's user namespace.
>>
>> Note that the default LSM does not distinguish between
>> PTRACE_MODE_READ and PTRACE_MODE_ATTACH.
>>
>> 6. If access has not been denied by any of the preceding
>> steps, then access is allowed.
>> ]]
>>
>> There are accompanying changes to various pages that refer to
>> the new text in ptrace(2), so that, for example, kcmp(2) adds:
>>
>> Permission to employ kcmp() is governed by ptrace access mode
>> PTRACE_MODE_ATTACH_REALCREDS checks against both pid1 and pid2;
>> see ptrace(2).
>>
>> and proc.5 has additions such as:
>>
>> /proc/[pid]/auxv (since 2.6.0-test7)
>> ...
>> Permission to access this file is governed by a ptrace
>> access mode PTRACE_MODE_READ_FSCREDS check; see
>> ptrace(2).
>>
>> /proc/[pid]/cwd
>> ...
>> Permission to dereference or read (readlink(2)) this
>> symbolic link is governed by a ptrace access mode
>> PTRACE_MODE_READ_FSCREDS check; see ptrace(2).
>
> Hmm.
>
> When I gave this level of detail about the user namespace permission
> checks you gave me some flack, because it was not particularly
> comprehensible to the end users. I think you deserve the same feedback.
>
> How do we say this in a way that does not describes a useful way to
> think about it. I read this and I know a lot of what is going on and my
> mind goes numb.
If the goal is to document the kernel behavior, then the details
around the various MODE flags makes sense. If this is just about
userspace-visible behavior, I would agree: the MODE flag details may
be overkill (since they are not exposed to userspace).
-Kees
--
Kees Cook
Chrome OS & Brillo Security
^ permalink raw reply [flat|nested] 25+ messages in thread
* Re: Documenting ptrace access mode checking
2016-06-21 20:29 ` Kees Cook
@ 2016-06-21 20:58 ` Eric W. Biederman
2016-06-22 19:20 ` Michael Kerrisk (man-pages)
1 sibling, 0 replies; 25+ messages in thread
From: Eric W. Biederman @ 2016-06-21 20:58 UTC (permalink / raw)
To: Kees Cook
Cc: Michael Kerrisk (man-pages),
Jann Horn, James Morris, linux-man, Stephen Smalley, lkml,
linux-security-module, Linux API, Oleg Nesterov
Kees Cook <keescook@chromium.org> writes:
> On Tue, Jun 21, 2016 at 12:55 PM, Eric W. Biederman
> <ebiederm@xmission.com> wrote:
>
>> "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> writes:
>>
>>> The algorithm employed for ptrace access mode checking deter‐
>>> mines whether the calling process is allowed to perform the
>>> corresponding action on the target process, as follows:
>>>
>>> 1. If the calling thread and the target thread are in the same
>>> thread group, access is always allowed.
>>
>> This test only exsits because the LSMs historically and I suspect
>> continue to be broken and deny a process the ability to ptrace itself.
>
> Well, it's not that the LSMs are broken, it's that self-inspection is
> a short-circuited "allow". The LSMs aren't involved.
Long ago and far away. I modified /proc/self/something to use the same
permissions as ptrace. This broken everyone's selinux setups. So the
short circuit was added.
Or in short the LSMs aren't involved because they got it wrong.
If the selinux breakage was not in the selinux rules that are loaded from
userspace but in the kernel module that short circuit check would have
been confined to selinux.
I have had an occasional thought and the occassional discussion about
removing that check and just fixing the LSMs but at this point I don't
think anyone cares enough to make that change.
Eric
^ permalink raw reply [flat|nested] 25+ messages in thread
* Re: Documenting ptrace access mode checking
2016-06-21 20:29 ` Kees Cook
2016-06-21 20:58 ` Eric W. Biederman
@ 2016-06-22 19:20 ` Michael Kerrisk (man-pages)
1 sibling, 0 replies; 25+ messages in thread
From: Michael Kerrisk (man-pages) @ 2016-06-22 19:20 UTC (permalink / raw)
To: Kees Cook, Eric W. Biederman
Cc: mtk.manpages, Jann Horn, James Morris, linux-man,
Stephen Smalley, lkml, linux-security-module, Linux API,
Oleg Nesterov
Hi Kees,
On 06/21/2016 10:29 PM, Kees Cook wrote:
> On Tue, Jun 21, 2016 at 12:55 PM, Eric W. Biederman
> <ebiederm@xmission.com> wrote:
>>
>> Adding Oleg just because he seems to do most of the ptrace related
>> maintenance these days.
>>
>> "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> writes:
>>
>>> Hi Jann, Stephen, et al.
>>>
>>> Jann, since you recently committed a patch in this area, and Stephen,
>>> since you committed 006ebb40d3d much further back in time, I wonder if
>>> you might help me by reviewing the text below that I propose to add to
>>> the ptrace(2) man page, in order to document "ptrace access mode
>>> checking" that is performed in various parts of the kernel-user-space
>>> interface. Of course, I welcome input from anyone else as well.
>
> Your text matches my understand of this code. :)
Thanks for reviewing the text!
>>> Here's the new ptrace(2) text. Any comments, technical or terminological
>>> fixes, other improvements, etc. are welcome.
>>>
>>> [[
>>> Ptrace access mode checking
>>> Various parts of the kernel-user-space API (not just ptrace(2)
>>> operations), require so-called "ptrace access mode permissions"
>>> which are gated by Linux Security Modules (LSMs) such as
>>> SELinux, Yama, Smack, or the default LSM. Prior to Linux
>>> 2.6.27, all such checks were of a single type. Since Linux
>>> 2.6.27, two access mode levels are distinguished:
>>>
>>> PTRACE_MODE_READ
>>> For "read" operations or other operations that are less
>>> dangerous, such as: get_robust_list(2); kcmp(2); reading
>>> /proc/[pid]/auxv, /proc/[pid]/environ, or
>>> /proc/[pid]/stat; or readlink(2) of a /proc/[pid]/ns/*
>>> file.
>>>
>>> PTRACE_MODE_ATTACH
>>> For "write" operations, or other operations that are
>>> more dangerous, such as: ptrace attaching
>>> (PTRACE_ATTACH) to another process or calling
>>> process_vm_writev(2). (PTRACE_MODE_ATTACH was effec‐
>>> tively the default before Linux 2.6.27.)
>>>
>>> Since Linux 4.5, the above access mode checks may be combined
>>> (ORed) with one of the following modifiers:
>>>
>>> PTRACE_MODE_FSCREDS
>>> Use the caller's filesystem UID and GID (see creden‐
>>> tials(7)) or effective capabilities for LSM checks.
>>>
>>> PTRACE_MODE_REALCREDS
>>> Use the caller's real UID and GID or permitted capabili‐
>>> ties for LSM checks. This was effectively the default
>>> before Linux 4.5.
>>>
>>> Because combining one of the credential modifiers with one of
>>> the aforementioned access modes is typical, some macros are
>>> defined in the kernel sources for the combinations:
>>>
>>> PTRACE_MODE_READ_FSCREDS
>>> Defined as PTRACE_MODE_READ | PTRACE_MODE_FSCREDS.
>>>
>>> PTRACE_MODE_READ_REALCREDS
>>> Defined as PTRACE_MODE_READ | PTRACE_MODE_REALCREDS.
>>>
>>> PTRACE_MODE_ATTACH_FSCREDS
>>> Defined as PTRACE_MODE_ATTACH | PTRACE_MODE_FSCREDS.
>>>
>>> PTRACE_MODE_ATTACH_REALCREDS
>>> Defined as PTRACE_MODE_ATTACH | PTRACE_MODE_REALCREDS.
>>>
>>> One further modifier can be ORed with the access mode:
>>>
>>> PTRACE_MODE_NOAUDIT (since Linux 3.3)
>>> Don't audit this access mode check.
>>>
>>> [I'd quite welcome some text to explain "auditing" here.]
>>
>> AKA don't let the audit subsystem know. Which tends to
>> generate audit records capable is called.
>>>
>>> The algorithm employed for ptrace access mode checking deter‐
>>> mines whether the calling process is allowed to perform the
>>> corresponding action on the target process, as follows:
>>>
>>> 1. If the calling thread and the target thread are in the same
>>> thread group, access is always allowed.
>>
>> This test only exsits because the LSMs historically and I suspect
>> continue to be broken and deny a process the ability to ptrace itself.
>
> Well, it's not that the LSMs are broken, it's that self-inspection is
> a short-circuited "allow". The LSMs aren't involved.
>
>>> 2. If the access mode specifies PTRACE_MODE_FSCREDS, then for
>>> the check in the next step, employ the caller's filesystem
>>> user ID and group ID (see credentials(7)); otherwise (the
>>> access mode specifies PTRACE_MODE_REALCREDS, so) use the
>>> caller's real user ID and group ID.
>>>
>>> 3. Deny access if neither of the following is true:
>>>
>>> · The real, effective, and saved-set user IDs of the target
>>> match the caller's user ID, and the real, effective, and
>>> saved-set group IDs of the target match the caller's
>>> group ID.
>>>
>>> · The caller has the CAP_SYS_PTRACE capability.
>>>
>>> 4. Deny access if the target process "dumpable" attribute has
>>> a value other than 1 (SUID_DUMP_USER; see the discussion of
>>> PR_SET_DUMPABLE in prctl(2)), and the caller does not have
>>> the CAP_SYS_PTRACE capability in the user namespace of the
>>> target process.
>>>
>>> 5. The kernel LSM security_ptrace_access_check() interface is
>>> invoked to see if ptrace access is permitted. The results
>>> depend on the LSM. The implementation of this interface in
>>> the default LSM performs the following steps:
>>>
>>> a) If the access mode includes PTRACE_MODE_FSCREDS, then
>>> use the caller's effective capability set in the follow‐
>>> ing check; otherwise (the access mode specifies
>>> PTRACE_MODE_REALCREDS, so) use the caller's permitted
>>> capability set.
>>>
>>> b) Deny access if neither of the following is true:
>>>
>>> · The caller's capabilities are a proper superset of the
>>> target process's permitted capabilities.
>>>
>>> · The caller has the CAP_SYS_PTRACE capability in the
>>> target process's user namespace.
>>>
>>> Note that the default LSM does not distinguish between
>>> PTRACE_MODE_READ and PTRACE_MODE_ATTACH.
>>>
>>> 6. If access has not been denied by any of the preceding
>>> steps, then access is allowed.
>>> ]]
>>>
>>> There are accompanying changes to various pages that refer to
>>> the new text in ptrace(2), so that, for example, kcmp(2) adds:
>>>
>>> Permission to employ kcmp() is governed by ptrace access mode
>>> PTRACE_MODE_ATTACH_REALCREDS checks against both pid1 and pid2;
>>> see ptrace(2).
>>>
>>> and proc.5 has additions such as:
>>>
>>> /proc/[pid]/auxv (since 2.6.0-test7)
>>> ...
>>> Permission to access this file is governed by a ptrace
>>> access mode PTRACE_MODE_READ_FSCREDS check; see
>>> ptrace(2).
>>>
>>> /proc/[pid]/cwd
>>> ...
>>> Permission to dereference or read (readlink(2)) this
>>> symbolic link is governed by a ptrace access mode
>>> PTRACE_MODE_READ_FSCREDS check; see ptrace(2).
>>
>> Hmm.
>>
>> When I gave this level of detail about the user namespace permission
>> checks you gave me some flack, because it was not particularly
>> comprehensible to the end users. I think you deserve the same feedback.
>>
>> How do we say this in a way that does not describes a useful way to
>> think about it. I read this and I know a lot of what is going on and my
>> mind goes numb.
>
> If the goal is to document the kernel behavior, then the details
> around the various MODE flags makes sense. If this is just about
> userspace-visible behavior, I would agree: the MODE flag details may
> be overkill (since they are not exposed to userspace).
The problem is that this is about user-space-visible behavior, but in
order to explain that behavior at what I believe is a sufficient level
of detail (e.g., to differentiate the various types of checks that
are performed for various system calls and pseudofile accesses),
one needs (1) to discuss the MODE flag details as implemented in
the kernel, and (2) to have a shorthand way to refer to the various
cases from other pages. It's not absolutely necessary to name the
flags for (1), but using the flag names is certainly a handy
shorthand for (2).
Cheers,
Michael
--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
^ permalink raw reply [flat|nested] 25+ messages in thread
* Re: Documenting ptrace access mode checking
2016-06-21 19:55 ` Eric W. Biederman
2016-06-21 20:29 ` Kees Cook
@ 2016-06-22 19:20 ` Michael Kerrisk (man-pages)
2016-06-23 19:04 ` Eric W. Biederman
2016-06-22 21:51 ` Oleg Nesterov
2 siblings, 1 reply; 25+ messages in thread
From: Michael Kerrisk (man-pages) @ 2016-06-22 19:20 UTC (permalink / raw)
To: Eric W. Biederman
Cc: mtk.manpages, Jann Horn, James Morris, linux-man,
Stephen Smalley, lkml, Kees Cook, linux-security-module,
Linux API, Oleg Nesterov
Hi Eric,
On 06/21/2016 09:55 PM, Eric W. Biederman wrote:
>
> Adding Oleg just because he seems to do most of the ptrace related
> maintenance these days.
>
> "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> writes:
>
>> Hi Jann, Stephen, et al.
>>
>> Jann, since you recently committed a patch in this area, and Stephen,
>> since you committed 006ebb40d3d much further back in time, I wonder if
>> you might help me by reviewing the text below that I propose to add to
>> the ptrace(2) man page, in order to document "ptrace access mode
>> checking" that is performed in various parts of the kernel-user-space
>> interface. Of course, I welcome input from anyone else as well.
>>
>> Here's the new ptrace(2) text. Any comments, technical or terminological
>> fixes, other improvements, etc. are welcome.
>>
>> [[
>> Ptrace access mode checking
>> Various parts of the kernel-user-space API (not just ptrace(2)
>> operations), require so-called "ptrace access mode permissions"
>> which are gated by Linux Security Modules (LSMs) such as
>> SELinux, Yama, Smack, or the default LSM. Prior to Linux
>> 2.6.27, all such checks were of a single type. Since Linux
>> 2.6.27, two access mode levels are distinguished:
>>
>> PTRACE_MODE_READ
>> For "read" operations or other operations that are less
>> dangerous, such as: get_robust_list(2); kcmp(2); reading
>> /proc/[pid]/auxv, /proc/[pid]/environ, or
>> /proc/[pid]/stat; or readlink(2) of a /proc/[pid]/ns/*
>> file.
>>
>> PTRACE_MODE_ATTACH
>> For "write" operations, or other operations that are
>> more dangerous, such as: ptrace attaching
>> (PTRACE_ATTACH) to another process or calling
>> process_vm_writev(2). (PTRACE_MODE_ATTACH was effec‐
>> tively the default before Linux 2.6.27.)
>>
>> Since Linux 4.5, the above access mode checks may be combined
>> (ORed) with one of the following modifiers:
>>
>> PTRACE_MODE_FSCREDS
>> Use the caller's filesystem UID and GID (see creden‐
>> tials(7)) or effective capabilities for LSM checks.
>>
>> PTRACE_MODE_REALCREDS
>> Use the caller's real UID and GID or permitted capabili‐
>> ties for LSM checks. This was effectively the default
>> before Linux 4.5.
>>
>> Because combining one of the credential modifiers with one of
>> the aforementioned access modes is typical, some macros are
>> defined in the kernel sources for the combinations:
>>
>> PTRACE_MODE_READ_FSCREDS
>> Defined as PTRACE_MODE_READ | PTRACE_MODE_FSCREDS.
>>
>> PTRACE_MODE_READ_REALCREDS
>> Defined as PTRACE_MODE_READ | PTRACE_MODE_REALCREDS.
>>
>> PTRACE_MODE_ATTACH_FSCREDS
>> Defined as PTRACE_MODE_ATTACH | PTRACE_MODE_FSCREDS.
>>
>> PTRACE_MODE_ATTACH_REALCREDS
>> Defined as PTRACE_MODE_ATTACH | PTRACE_MODE_REALCREDS.
>>
>> One further modifier can be ORed with the access mode:
>>
>> PTRACE_MODE_NOAUDIT (since Linux 3.3)
>> Don't audit this access mode check.
>>
>> [I'd quite welcome some text to explain "auditing" here.]
>
> AKA don't let the audit subsystem know. Which tends to
> generate audit records capable is called.
>>
>> The algorithm employed for ptrace access mode checking deter‐
>> mines whether the calling process is allowed to perform the
>> corresponding action on the target process, as follows:
>>
>> 1. If the calling thread and the target thread are in the same
>> thread group, access is always allowed.
>
> This test only exsits because the LSMs historically and I suspect
> continue to be broken and deny a process the ability to ptrace itself.
>>
>> 2. If the access mode specifies PTRACE_MODE_FSCREDS, then for
>> the check in the next step, employ the caller's filesystem
>> user ID and group ID (see credentials(7)); otherwise (the
>> access mode specifies PTRACE_MODE_REALCREDS, so) use the
>> caller's real user ID and group ID.
>>
>> 3. Deny access if neither of the following is true:
>>
>> · The real, effective, and saved-set user IDs of the target
>> match the caller's user ID, and the real, effective, and
>> saved-set group IDs of the target match the caller's
>> group ID.
>>
>> · The caller has the CAP_SYS_PTRACE capability.
>>
>> 4. Deny access if the target process "dumpable" attribute has
>> a value other than 1 (SUID_DUMP_USER; see the discussion of
>> PR_SET_DUMPABLE in prctl(2)), and the caller does not have
>> the CAP_SYS_PTRACE capability in the user namespace of the
>> target process.
>>
>> 5. The kernel LSM security_ptrace_access_check() interface is
>> invoked to see if ptrace access is permitted. The results
>> depend on the LSM. The implementation of this interface in
>> the default LSM performs the following steps:
>>
>> a) If the access mode includes PTRACE_MODE_FSCREDS, then
>> use the caller's effective capability set in the follow‐
>> ing check; otherwise (the access mode specifies
>> PTRACE_MODE_REALCREDS, so) use the caller's permitted
>> capability set.
>>
>> b) Deny access if neither of the following is true:
>>
>> · The caller's capabilities are a proper superset of the
>> target process's permitted capabilities.
>>
>> · The caller has the CAP_SYS_PTRACE capability in the
>> target process's user namespace.
>>
>> Note that the default LSM does not distinguish between
>> PTRACE_MODE_READ and PTRACE_MODE_ATTACH.
>>
>> 6. If access has not been denied by any of the preceding
>> steps, then access is allowed.
>> ]]
>>
>> There are accompanying changes to various pages that refer to
>> the new text in ptrace(2), so that, for example, kcmp(2) adds:
>>
>> Permission to employ kcmp() is governed by ptrace access mode
>> PTRACE_MODE_ATTACH_REALCREDS checks against both pid1 and pid2;
>> see ptrace(2).
>>
>> and proc.5 has additions such as:
>>
>> /proc/[pid]/auxv (since 2.6.0-test7)
>> ...
>> Permission to access this file is governed by a ptrace
>> access mode PTRACE_MODE_READ_FSCREDS check; see
>> ptrace(2).
>>
>> /proc/[pid]/cwd
>> ...
>> Permission to dereference or read (readlink(2)) this
>> symbolic link is governed by a ptrace access mode
>> PTRACE_MODE_READ_FSCREDS check; see ptrace(2).
>
> Hmm.
>
> When I gave this level of detail about the user namespace permission
> checks you gave me some flack, because it was not particularly
> comprehensible to the end users. I think you deserve the same feedback.
>
> How do we say this in a way that does not describes a useful way to
> think about it. I read this and I know a lot of what is going on and my
> mind goes numb.
>
> How about something like this:
>
> If the callers uid and gid are the same as a processes uids and gids
> and the processes is configured to allow core dumps (aka it was never
> setuid or setgid) then the caller is allowed to ptrace a process.
>
> Otherwise the caller must have CAP_SYS_PTRACE.
>
> Linux security modules impose additional restrictions.
>
> For consistency access to various process attributes are guarded with
> the same security checks as the ptrace system call itself. As they are
> all methods to get information about a process.
>
> We certainly need something that gives a high level view so people
> reading the man page can know what to expect. If you get down into the
> weeds we run the danger of people beginning to think they can depend
> upon bugs in the implementation.
Thanks for the feedback, but I think more detail is required than you
suggest. (And I added all of that detail somewhat reluctantly.)
See my other replies for my rationale.
Cheers,
Michael
--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
^ permalink raw reply [flat|nested] 25+ messages in thread
* Re: Documenting ptrace access mode checking
2016-06-22 19:20 ` Michael Kerrisk (man-pages)
@ 2016-06-23 19:04 ` Eric W. Biederman
2016-06-24 9:57 ` Michael Kerrisk (man-pages)
0 siblings, 1 reply; 25+ messages in thread
From: Eric W. Biederman @ 2016-06-23 19:04 UTC (permalink / raw)
To: Michael Kerrisk (man-pages)
Cc: Jann Horn, James Morris, linux-man, Stephen Smalley, lkml,
Kees Cook, linux-security-module, Linux API, Oleg Nesterov
"Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> writes:
> Hi Eric,
>
> On 06/21/2016 09:55 PM, Eric W. Biederman wrote:
>> Hmm.
>>
>> When I gave this level of detail about the user namespace permission
>> checks you gave me some flack, because it was not particularly
>> comprehensible to the end users. I think you deserve the same feedback.
>>
>> How do we say this in a way that does not describes a useful way to
>> think about it. I read this and I know a lot of what is going on and my
>> mind goes numb.
>>
>> How about something like this:
>>
>> If the callers uid and gid are the same as a processes uids and gids
>> and the processes is configured to allow core dumps (aka it was never
>> setuid or setgid) then the caller is allowed to ptrace a process.
>>
>> Otherwise the caller must have CAP_SYS_PTRACE.
>>
>> Linux security modules impose additional restrictions.
>>
>> For consistency access to various process attributes are guarded with
>> the same security checks as the ptrace system call itself. As they are
>> all methods to get information about a process.
>>
>> We certainly need something that gives a high level view so people
>> reading the man page can know what to expect. If you get down into the
>> weeds we run the danger of people beginning to think they can depend
>> upon bugs in the implementation.
>
> Thanks for the feedback, but I think more detail is required than you
> suggest. (And I added all of that detail somewhat reluctantly.)
> See my other replies for my rationale.
What I saw badly missing from your description is not the level of
detail but bring things into a form that ordinary mortals can
understand.
For an explanation to be clear I think we very much need the high level
overview first. Then we can expand that description with the very
detailed view.
I very much think we need to describe things in such a way that people
understand the principles behind the permission checks, and not just
have the documentation echo the code, so that people can know what weird
things LSMs like yama are likely to do, and how these checks are likely
to evolve in the future.
Because one thing is clear to me. The evolution of these details is
clearly not done, and will continue to change in the future.
Eric
^ permalink raw reply [flat|nested] 25+ messages in thread
* Re: Documenting ptrace access mode checking
2016-06-23 19:04 ` Eric W. Biederman
@ 2016-06-24 9:57 ` Michael Kerrisk (man-pages)
0 siblings, 0 replies; 25+ messages in thread
From: Michael Kerrisk (man-pages) @ 2016-06-24 9:57 UTC (permalink / raw)
To: Eric W. Biederman
Cc: mtk.manpages, Jann Horn, James Morris, linux-man,
Stephen Smalley, lkml, Kees Cook, linux-security-module,
Linux API, Oleg Nesterov
Hi Eric,
On 06/23/2016 09:04 PM, Eric W. Biederman wrote:
> "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> writes:
>
>> Hi Eric,
>>
>> On 06/21/2016 09:55 PM, Eric W. Biederman wrote:
>>> Hmm.
>>>
>>> When I gave this level of detail about the user namespace permission
>>> checks you gave me some flack, because it was not particularly
>>> comprehensible to the end users. I think you deserve the same feedback.
>>>
>>> How do we say this in a way that does not describes a useful way to
>>> think about it. I read this and I know a lot of what is going on and my
>>> mind goes numb.
>>>
>>> How about something like this:
>>>
>>> If the callers uid and gid are the same as a processes uids and gids
>>> and the processes is configured to allow core dumps (aka it was never
>>> setuid or setgid) then the caller is allowed to ptrace a process.
>>>
>>> Otherwise the caller must have CAP_SYS_PTRACE.
>>>
>>> Linux security modules impose additional restrictions.
>>>
>>> For consistency access to various process attributes are guarded with
>>> the same security checks as the ptrace system call itself. As they are
>>> all methods to get information about a process.
>>>
>>> We certainly need something that gives a high level view so people
>>> reading the man page can know what to expect. If you get down into the
>>> weeds we run the danger of people beginning to think they can depend
>>> upon bugs in the implementation.
>>
>> Thanks for the feedback, but I think more detail is required than you
>> suggest. (And I added all of that detail somewhat reluctantly.)
>> See my other replies for my rationale.
>
> What I saw badly missing from your description is not the level of
> detail but bring things into a form that ordinary mortals can
> understand.
>
> For an explanation to be clear I think we very much need the high level
> overview first. Then we can expand that description with the very
> detailed view.
>
> I very much think we need to describe things in such a way that people
> understand the principles behind the permission checks, and not just
> have the documentation echo the code, so that people can know what weird
> things LSMs like yama are likely to do, and how these checks are likely
> to evolve in the future.
So, I completely agree with you, and I agree that this could be better.
At first, I understood your meaning to be that I should avoid all of the
detail, and just limit the man page to some very high level text as
you proposed. So, I think it's worth prefixing the details with some
attempt at a high-level picture. How about this as an introductory
paragraph:
Various parts of the kernel-user-space API (not just ptrace(2)
operations), require so-called "ptrace access mode" checks,
whose outcome determines whether an operation is permitted (or,
in a few cases, causes a "read" operation to return sanitized
data). These checks are performed in cases where one process
can inspect sensitive information about, or in some cases mod‐
ify the state of, another process. The checks are based on
factors such as the credentials and capabilities of the two
processes, whether or not the "target" process is dumpable, and
the results of checks performed by any enabled Linux Security
Module (LSM)—for example, SELinux, Yama, or Smack—and by the
commoncap LSM (which is always invoked).
?
> Because one thing is clear to me. The evolution of these details is
> clearly not done, and will continue to change in the future.
Maybe people will even write man page patches when that happens :-).
Cheers,
Michael
--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
^ permalink raw reply [flat|nested] 25+ messages in thread
* Re: Documenting ptrace access mode checking
2016-06-21 19:55 ` Eric W. Biederman
2016-06-21 20:29 ` Kees Cook
2016-06-22 19:20 ` Michael Kerrisk (man-pages)
@ 2016-06-22 21:51 ` Oleg Nesterov
2016-06-23 7:06 ` Michael Kerrisk (man-pages)
2 siblings, 1 reply; 25+ messages in thread
From: Oleg Nesterov @ 2016-06-22 21:51 UTC (permalink / raw)
To: Eric W. Biederman
Cc: Michael Kerrisk (man-pages),
Jann Horn, James Morris, linux-man, Stephen Smalley, lkml,
Kees Cook, linux-security-module, Linux API
On 06/21, Eric W. Biederman wrote:
>
> Adding Oleg just because he seems to do most of the ptrace related
> maintenance these days.
so I have to admit that I never even tried to actually understand
ptrace_may_access ;)
> We certainly need something that gives a high level view so people
> reading the man page can know what to expect. If you get down into the
> weeds we run the danger of people beginning to think they can depend
> upon bugs in the implementation.
Personally I agree. I think "man ptrace" shouldn't not tell too much
about kernel internals.
Perhaps Documentation/security/ makes more sense?
Oleg.
^ permalink raw reply [flat|nested] 25+ messages in thread
* Re: Documenting ptrace access mode checking
2016-06-22 21:51 ` Oleg Nesterov
@ 2016-06-23 7:06 ` Michael Kerrisk (man-pages)
2016-06-23 18:56 ` Eric W. Biederman
0 siblings, 1 reply; 25+ messages in thread
From: Michael Kerrisk (man-pages) @ 2016-06-23 7:06 UTC (permalink / raw)
To: Oleg Nesterov, Eric W. Biederman
Cc: mtk.manpages, Jann Horn, James Morris, linux-man,
Stephen Smalley, lkml, Kees Cook, linux-security-module,
Linux API
Hi Oleg,
On 06/22/2016 11:51 PM, Oleg Nesterov wrote:
> On 06/21, Eric W. Biederman wrote:
>>
>> Adding Oleg just because he seems to do most of the ptrace related
>> maintenance these days.
>
> so I have to admit that I never even tried to actually understand
> ptrace_may_access ;)
>
>> We certainly need something that gives a high level view so people
>> reading the man page can know what to expect. If you get down into the
>> weeds we run the danger of people beginning to think they can depend
>> upon bugs in the implementation.
>
> Personally I agree. I think "man ptrace" shouldn't not tell too much
> about kernel internals.
See my other replies on this topic. Somehow, we need a way of
describing the behavior that user-space sees. I think it's
inevitable that that means talking about what;s going on
"under the hood".
Regarding Eric's point that "we run the danger of people beginning
to think they can depend upon bugs in the implementation": when it
comes to breaking the ABI, the presence or absence of documentation
doesn't save us on that point (Linus has a few times made his position
wrt to documentation clear).
Cheers,
Michael
--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
^ permalink raw reply [flat|nested] 25+ messages in thread
* Re: Documenting ptrace access mode checking
2016-06-23 7:06 ` Michael Kerrisk (man-pages)
@ 2016-06-23 18:56 ` Eric W. Biederman
2016-06-24 8:18 ` Michael Kerrisk (man-pages)
0 siblings, 1 reply; 25+ messages in thread
From: Eric W. Biederman @ 2016-06-23 18:56 UTC (permalink / raw)
To: Michael Kerrisk (man-pages)
Cc: Oleg Nesterov, Jann Horn, James Morris, linux-man,
Stephen Smalley, lkml, Kees Cook, linux-security-module,
Linux API
"Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> writes:
> Hi Oleg,
>
> On 06/22/2016 11:51 PM, Oleg Nesterov wrote:
>> On 06/21, Eric W. Biederman wrote:
>>>
>>> Adding Oleg just because he seems to do most of the ptrace related
>>> maintenance these days.
>>
>> so I have to admit that I never even tried to actually understand
>> ptrace_may_access ;)
>>
>>> We certainly need something that gives a high level view so people
>>> reading the man page can know what to expect. If you get down into the
>>> weeds we run the danger of people beginning to think they can depend
>>> upon bugs in the implementation.
>>
>> Personally I agree. I think "man ptrace" shouldn't not tell too much
>> about kernel internals.
>
> See my other replies on this topic. Somehow, we need a way of
> describing the behavior that user-space sees. I think it's
> inevitable that that means talking about what;s going on
> "under the hood".
>
> Regarding Eric's point that "we run the danger of people beginning
> to think they can depend upon bugs in the implementation": when it
> comes to breaking the ABI, the presence or absence of documentation
> doesn't save us on that point (Linus has a few times made his position
> wrt to documentation clear).
Which are interesting in this respect as a bug in the implementation
that is a security issue can and will be changed, even if userspace
breaks. Breaking userspace is not desirable but when there is no other
reasonable choice it will happen.
Eric
^ permalink raw reply [flat|nested] 25+ messages in thread
* Re: Documenting ptrace access mode checking
2016-06-23 18:56 ` Eric W. Biederman
@ 2016-06-24 8:18 ` Michael Kerrisk (man-pages)
0 siblings, 0 replies; 25+ messages in thread
From: Michael Kerrisk (man-pages) @ 2016-06-24 8:18 UTC (permalink / raw)
To: Eric W. Biederman
Cc: mtk.manpages, Oleg Nesterov, Jann Horn, James Morris, linux-man,
Stephen Smalley, lkml, Kees Cook, linux-security-module,
Linux API
On 06/23/2016 08:56 PM, Eric W. Biederman wrote:
> "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> writes:
>
>> Hi Oleg,
>>
>> On 06/22/2016 11:51 PM, Oleg Nesterov wrote:
>>> On 06/21, Eric W. Biederman wrote:
>>>>
>>>> Adding Oleg just because he seems to do most of the ptrace related
>>>> maintenance these days.
>>>
>>> so I have to admit that I never even tried to actually understand
>>> ptrace_may_access ;)
>>>
>>>> We certainly need something that gives a high level view so people
>>>> reading the man page can know what to expect. If you get down into the
>>>> weeds we run the danger of people beginning to think they can depend
>>>> upon bugs in the implementation.
>>>
>>> Personally I agree. I think "man ptrace" shouldn't not tell too much
>>> about kernel internals.
>>
>> See my other replies on this topic. Somehow, we need a way of
>> describing the behavior that user-space sees. I think it's
>> inevitable that that means talking about what;s going on
>> "under the hood".
>>
>> Regarding Eric's point that "we run the danger of people beginning
>> to think they can depend upon bugs in the implementation": when it
>> comes to breaking the ABI, the presence or absence of documentation
>> doesn't save us on that point (Linus has a few times made his position
>> wrt to documentation clear).
>
> Which are interesting in this respect as a bug in the implementation
> that is a security issue can and will be changed, even if userspace
> breaks. Breaking userspace is not desirable but when there is no other
> reasonable choice it will happen.
Yes, good point.
Cheers,
Michael
--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
^ permalink raw reply [flat|nested] 25+ messages in thread
* Re: Documenting ptrace access mode checking
2016-06-21 9:41 Documenting ptrace access mode checking Michael Kerrisk (man-pages)
2016-06-21 19:55 ` Eric W. Biederman
@ 2016-06-21 20:55 ` Jann Horn
2016-06-22 19:21 ` Michael Kerrisk (man-pages)
2016-06-23 18:05 ` Stephen Smalley
2 siblings, 1 reply; 25+ messages in thread
From: Jann Horn @ 2016-06-21 20:55 UTC (permalink / raw)
To: Michael Kerrisk (man-pages)
Cc: James Morris, linux-man, Stephen Smalley, lkml, Kees Cook,
Eric W. Biederman, linux-security-module, Linux API
[-- Attachment #1: Type: text/plain, Size: 7926 bytes --]
On Tue, Jun 21, 2016 at 11:41:16AM +0200, Michael Kerrisk (man-pages) wrote:
> Hi Jann, Stephen, et al.
>
> Jann, since you recently committed a patch in this area, and Stephen,
> since you committed 006ebb40d3d much further back in time, I wonder if
> you might help me by reviewing the text below that I propose to add to
> the ptrace(2) man page, in order to document "ptrace access mode
> checking" that is performed in various parts of the kernel-user-space
> interface. Of course, I welcome input from anyone else as well.
>
> Here's the new ptrace(2) text. Any comments, technical or terminological
> fixes, other improvements, etc. are welcome.
As others have said, I'm surprised about seeing documentation about
kernel-internal constants in manpages - but I think it might be a good
thing to have there, given that people who look at ptrace(2) are likely
to be interested in low-level details.
> [[
> Ptrace access mode checking
> Various parts of the kernel-user-space API (not just ptrace(2)
> operations), require so-called "ptrace access mode permissions"
> which are gated by Linux Security Modules (LSMs) such as
> SELinux, Yama, Smack, or the default LSM. Prior to Linux
> 2.6.27, all such checks were of a single type. Since Linux
> 2.6.27, two access mode levels are distinguished:
>
> PTRACE_MODE_READ
> For "read" operations or other operations that are less
> dangerous, such as: get_robust_list(2); kcmp(2); reading
> /proc/[pid]/auxv, /proc/[pid]/environ, or
> /proc/[pid]/stat; or readlink(2) of a /proc/[pid]/ns/*
> file.
>
> PTRACE_MODE_ATTACH
> For "write" operations, or other operations that are
> more dangerous, such as: ptrace attaching
> (PTRACE_ATTACH) to another process or calling
> process_vm_writev(2). (PTRACE_MODE_ATTACH was effec‐
> tively the default before Linux 2.6.27.)
>
> Since Linux 4.5, the above access mode checks may be combined
s/may/must/; otherwise __ptrace_may_access() will yell about the kernel
code being broken and deny access.
> (ORed) with one of the following modifiers:
>
> PTRACE_MODE_FSCREDS
> Use the caller's filesystem UID and GID (see creden‐
> tials(7)) or effective capabilities for LSM checks.
>
> PTRACE_MODE_REALCREDS
> Use the caller's real UID and GID or permitted capabili‐
> ties for LSM checks. This was effectively the default
> before Linux 4.5.
>
> Because combining one of the credential modifiers with one of
> the aforementioned access modes is typical, some macros are
> defined in the kernel sources for the combinations:
>
> PTRACE_MODE_READ_FSCREDS
> Defined as PTRACE_MODE_READ | PTRACE_MODE_FSCREDS.
>
> PTRACE_MODE_READ_REALCREDS
> Defined as PTRACE_MODE_READ | PTRACE_MODE_REALCREDS.
>
> PTRACE_MODE_ATTACH_FSCREDS
> Defined as PTRACE_MODE_ATTACH | PTRACE_MODE_FSCREDS.
>
> PTRACE_MODE_ATTACH_REALCREDS
> Defined as PTRACE_MODE_ATTACH | PTRACE_MODE_REALCREDS.
>
> One further modifier can be ORed with the access mode:
>
> PTRACE_MODE_NOAUDIT (since Linux 3.3)
> Don't audit this access mode check.
>
> [I'd quite welcome some text to explain "auditing" here.]
>
> The algorithm employed for ptrace access mode checking deter‐
> mines whether the calling process is allowed to perform the
> corresponding action on the target process, as follows:
>
> 1. If the calling thread and the target thread are in the same
> thread group, access is always allowed.
>
> 2. If the access mode specifies PTRACE_MODE_FSCREDS, then for
> the check in the next step, employ the caller's filesystem
> user ID and group ID (see credentials(7)); otherwise (the
> access mode specifies PTRACE_MODE_REALCREDS, so) use the
> caller's real user ID and group ID.
Might want to add a "for historical reasons" or so here.
> 3. Deny access if neither of the following is true:
>
> · The real, effective, and saved-set user IDs of the target
> match the caller's user ID, and the real, effective, and
> saved-set group IDs of the target match the caller's
> group ID.
>
> · The caller has the CAP_SYS_PTRACE capability.
Might want to also specify here (like below) that the caller needs to
have the capability relative to the user ns of the target.
> 4. Deny access if the target process "dumpable" attribute has
> a value other than 1 (SUID_DUMP_USER; see the discussion of
> PR_SET_DUMPABLE in prctl(2)), and the caller does not have
> the CAP_SYS_PTRACE capability in the user namespace of the
> target process.
>
> 5. The kernel LSM security_ptrace_access_check() interface is
> invoked to see if ptrace access is permitted. The results
> depend on the LSM. The implementation of this interface in
> the default LSM performs the following steps:
For people who are unaware of how the LSM API works, it might be good to
clarify that the commoncap LSM is *always* invoked; otherwise, it might
give the impression that using another LSM would replace it.
(Also, are there other documents that refer to it as "default LSM"? I
think that that term is slightly confusing.)
> a) If the access mode includes PTRACE_MODE_FSCREDS, then
> use the caller's effective capability set in the follow‐
> ing check; otherwise (the access mode specifies
> PTRACE_MODE_REALCREDS, so) use the caller's permitted
> capability set.
>
> b) Deny access if neither of the following is true:
>
> · The caller's capabilities are a proper superset of the
> target process's permitted capabilities.
This also requires the caller and the target to be in the same user
namespace.
> · The caller has the CAP_SYS_PTRACE capability in the
> target process's user namespace.
>
> Note that the default LSM does not distinguish between
> PTRACE_MODE_READ and PTRACE_MODE_ATTACH.
>
> 6. If access has not been denied by any of the preceding
> steps, then access is allowed.
> ]]
>
> There are accompanying changes to various pages that refer to
> the new text in ptrace(2), so that, for example, kcmp(2) adds:
>
> Permission to employ kcmp() is governed by ptrace access mode
> PTRACE_MODE_ATTACH_REALCREDS checks against both pid1 and pid2;
> see ptrace(2).
(Actually, kcmp() just needs READ access - you described that accurately
earlier, but it's wrong here.)
> and proc.5 has additions such as:
>
> /proc/[pid]/auxv (since 2.6.0-test7)
> ...
> Permission to access this file is governed by a ptrace
> access mode PTRACE_MODE_READ_FSCREDS check; see
> ptrace(2).
>
> /proc/[pid]/cwd
> ...
> Permission to dereference or read (readlink(2)) this
> symbolic link is governed by a ptrace access mode
> PTRACE_MODE_READ_FSCREDS check; see ptrace(2).
That sounds great! :)
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
^ permalink raw reply [flat|nested] 25+ messages in thread
* Re: Documenting ptrace access mode checking
2016-06-21 20:55 ` Jann Horn
@ 2016-06-22 19:21 ` Michael Kerrisk (man-pages)
2016-06-22 21:11 ` Kees Cook
2016-06-22 22:44 ` Jann Horn
0 siblings, 2 replies; 25+ messages in thread
From: Michael Kerrisk (man-pages) @ 2016-06-22 19:21 UTC (permalink / raw)
To: Jann Horn
Cc: mtk.manpages, James Morris, linux-man, Stephen Smalley, lkml,
Kees Cook, Eric W. Biederman, linux-security-module, Linux API
Hi Jann,
On 06/21/2016 10:55 PM, Jann Horn wrote:
> On Tue, Jun 21, 2016 at 11:41:16AM +0200, Michael Kerrisk (man-pages) wrote:
>> Hi Jann, Stephen, et al.
>>
>> Jann, since you recently committed a patch in this area, and Stephen,
>> since you committed 006ebb40d3d much further back in time, I wonder if
>> you might help me by reviewing the text below that I propose to add to
>> the ptrace(2) man page, in order to document "ptrace access mode
>> checking" that is performed in various parts of the kernel-user-space
>> interface. Of course, I welcome input from anyone else as well.
>>
>> Here's the new ptrace(2) text. Any comments, technical or terminological
>> fixes, other improvements, etc. are welcome.
>
> As others have said, I'm surprised about seeing documentation about
> kernel-internal constants in manpages - but I think it might be a good
> thing to have there, given that people who look at ptrace(2) are likely
> to be interested in low-level details.
I agree that it is a little surprising to add kernel-internal
constants in a man page. (There are precedents, but they are few.)
But see my reply to Kees. It's more than just explaining low level
details: there are various kinds of user-space behavior differences
(real vs filesystem credentials; permitted vs effective capabilities)
produced by the ptrace_may_access() checks, and those behaviors need
to be described and *somehow* labeled for cross-referencing from
other man pages.
>> [[
>> Ptrace access mode checking
>> Various parts of the kernel-user-space API (not just ptrace(2)
>> operations), require so-called "ptrace access mode permissions"
>> which are gated by Linux Security Modules (LSMs) such as
>> SELinux, Yama, Smack, or the default LSM. Prior to Linux
>> 2.6.27, all such checks were of a single type. Since Linux
>> 2.6.27, two access mode levels are distinguished:
>>
>> PTRACE_MODE_READ
>> For "read" operations or other operations that are less
>> dangerous, such as: get_robust_list(2); kcmp(2); reading
>> /proc/[pid]/auxv, /proc/[pid]/environ, or
>> /proc/[pid]/stat; or readlink(2) of a /proc/[pid]/ns/*
>> file.
>>
>> PTRACE_MODE_ATTACH
>> For "write" operations, or other operations that are
>> more dangerous, such as: ptrace attaching
>> (PTRACE_ATTACH) to another process or calling
>> process_vm_writev(2). (PTRACE_MODE_ATTACH was effec‐
>> tively the default before Linux 2.6.27.)
>>
>> Since Linux 4.5, the above access mode checks may be combined
>
> s/may/must/; otherwise __ptrace_may_access() will yell about the kernel
> code being broken and deny access.
Good point. I changed "may" to "are". ("must" is not quite right to my
"user-space" ear; it might be misread as implying that the user-space
developer must do something.)
>> (ORed) with one of the following modifiers:
>>
>> PTRACE_MODE_FSCREDS
>> Use the caller's filesystem UID and GID (see creden‐
>> tials(7)) or effective capabilities for LSM checks.
>>
>> PTRACE_MODE_REALCREDS
>> Use the caller's real UID and GID or permitted capabili‐
>> ties for LSM checks. This was effectively the default
>> before Linux 4.5.
>>
>> Because combining one of the credential modifiers with one of
>> the aforementioned access modes is typical, some macros are
>> defined in the kernel sources for the combinations:
>>
>> PTRACE_MODE_READ_FSCREDS
>> Defined as PTRACE_MODE_READ | PTRACE_MODE_FSCREDS.
>>
>> PTRACE_MODE_READ_REALCREDS
>> Defined as PTRACE_MODE_READ | PTRACE_MODE_REALCREDS.
>>
>> PTRACE_MODE_ATTACH_FSCREDS
>> Defined as PTRACE_MODE_ATTACH | PTRACE_MODE_FSCREDS.
>>
>> PTRACE_MODE_ATTACH_REALCREDS
>> Defined as PTRACE_MODE_ATTACH | PTRACE_MODE_REALCREDS.
>>
>> One further modifier can be ORed with the access mode:
>>
>> PTRACE_MODE_NOAUDIT (since Linux 3.3)
>> Don't audit this access mode check.
>>
>> [I'd quite welcome some text to explain "auditing" here.]
>>
>> The algorithm employed for ptrace access mode checking deter‐
>> mines whether the calling process is allowed to perform the
>> corresponding action on the target process, as follows:
>>
>> 1. If the calling thread and the target thread are in the same
>> thread group, access is always allowed.
>>
>> 2. If the access mode specifies PTRACE_MODE_FSCREDS, then for
>> the check in the next step, employ the caller's filesystem
>> user ID and group ID (see credentials(7)); otherwise (the
>> access mode specifies PTRACE_MODE_REALCREDS, so) use the
>> caller's real user ID and group ID.
>
> Might want to add a "for historical reasons" or so here.
Can you be a little more precise about "here", and maybe tell me why
you think it helps?
>> 3. Deny access if neither of the following is true:
>>
>> · The real, effective, and saved-set user IDs of the target
>> match the caller's user ID, and the real, effective, and
>> saved-set group IDs of the target match the caller's
>> group ID.
>>
>> · The caller has the CAP_SYS_PTRACE capability.
>
> Might want to also specify here (like below) that the caller needs to
> have the capability relative to the user ns of the target.
Done.
>> 4. Deny access if the target process "dumpable" attribute has
>> a value other than 1 (SUID_DUMP_USER; see the discussion of
>> PR_SET_DUMPABLE in prctl(2)), and the caller does not have
>> the CAP_SYS_PTRACE capability in the user namespace of the
>> target process.
>>
>> 5. The kernel LSM security_ptrace_access_check() interface is
>> invoked to see if ptrace access is permitted. The results
>> depend on the LSM. The implementation of this interface in
>> the default LSM performs the following steps:
>
> For people who are unaware of how the LSM API works, it might be good to
> clarify that the commoncap LSM is *always* invoked; otherwise, it might
> give the impression that using another LSM would replace it.
As we can see, I am one of those who are unaware of how the LSM API
works :-/.
> (Also, are there other documents that refer to it as "default LSM"? I
> think that that term is slightly confusing.)
No, that's a terminological confusion of my own making. Fixed now.
I changed this text to:
Various parts of the kernel-user-space API (not just ptrace(2)
operations), require so-called "ptrace access mode permissions"
which are gated by any enabled Linux Security Module (LSMs)—for
example, SELinux, Yama, or Smack—and by the the commoncap LSM
(which is always invoked). Prior to Linux 2.6.27, all such
checks were of a single type. Since Linux 2.6.27, two access
mode levels are distinguished:
BTW, can you point me at the piece(s) of kernel code that show that
"commoncap" is always invoked in addition to any other LSM that has
been installed?
>> a) If the access mode includes PTRACE_MODE_FSCREDS, then
>> use the caller's effective capability set in the follow‐
>> ing check; otherwise (the access mode specifies
>> PTRACE_MODE_REALCREDS, so) use the caller's permitted
>> capability set.
>>
>> b) Deny access if neither of the following is true:
>>
>> · The caller's capabilities are a proper superset of the
>> target process's permitted capabilities.
>
> This also requires the caller and the target to be in the same user
> namespace.
Thanks! Fixed.
>> · The caller has the CAP_SYS_PTRACE capability in the
>> target process's user namespace.
>>
>> Note that the default LSM does not distinguish between
>> PTRACE_MODE_READ and PTRACE_MODE_ATTACH.
>>
>> 6. If access has not been denied by any of the preceding
>> steps, then access is allowed.
>> ]]
>>
>> There are accompanying changes to various pages that refer to
>> the new text in ptrace(2), so that, for example, kcmp(2) adds:
>>
>> Permission to employ kcmp() is governed by ptrace access mode
>> PTRACE_MODE_ATTACH_REALCREDS checks against both pid1 and pid2;
>> see ptrace(2).
>
> (Actually, kcmp() just needs READ access - you described that accurately
> earlier, but it's wrong here.)
D'oh! Thanks!
>> and proc.5 has additions such as:
>>
>> /proc/[pid]/auxv (since 2.6.0-test7)
>> ...
>> Permission to access this file is governed by a ptrace
>> access mode PTRACE_MODE_READ_FSCREDS check; see
>> ptrace(2).
>>
>> /proc/[pid]/cwd
>> ...
>> Permission to dereference or read (readlink(2)) this
>> symbolic link is governed by a ptrace access mode
>> PTRACE_MODE_READ_FSCREDS check; see ptrace(2).
>
> That sounds great! :)
Thanks for the review!
Thanks,
Michael
--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
^ permalink raw reply [flat|nested] 25+ messages in thread* Re: Documenting ptrace access mode checking
2016-06-22 19:21 ` Michael Kerrisk (man-pages)
@ 2016-06-22 21:11 ` Kees Cook
2016-06-23 7:02 ` Michael Kerrisk (man-pages)
2016-06-24 8:40 ` Michael Kerrisk (man-pages)
2016-06-22 22:44 ` Jann Horn
1 sibling, 2 replies; 25+ messages in thread
From: Kees Cook @ 2016-06-22 21:11 UTC (permalink / raw)
To: Michael Kerrisk (man-pages)
Cc: Jann Horn, James Morris, linux-man, Stephen Smalley, lkml,
Eric W. Biederman, linux-security-module, Linux API,
Casey Schaufler
On Wed, Jun 22, 2016 at 12:21 PM, Michael Kerrisk (man-pages)
<mtk.manpages@gmail.com> wrote:
> On 06/21/2016 10:55 PM, Jann Horn wrote:
>> On Tue, Jun 21, 2016 at 11:41:16AM +0200, Michael Kerrisk (man-pages)
>> wrote:
>>> 5. The kernel LSM security_ptrace_access_check() interface is
>>> invoked to see if ptrace access is permitted. The results
>>> depend on the LSM. The implementation of this interface in
>>> the default LSM performs the following steps:
>>
>>
>> For people who are unaware of how the LSM API works, it might be good to
>> clarify that the commoncap LSM is *always* invoked; otherwise, it might
>> give the impression that using another LSM would replace it.
>
>
> As we can see, I am one of those who are unaware of how the LSM API
> works :-/.
>
>> (Also, are there other documents that refer to it as "default LSM"? I
>> think that that term is slightly confusing.)
>
>
> No, that's a terminological confusion of my own making. Fixed now.
>
> I changed this text to:
>
> Various parts of the kernel-user-space API (not just ptrace(2)
> operations), require so-called "ptrace access mode permissions"
> which are gated by any enabled Linux Security Module (LSMs)—for
> example, SELinux, Yama, or Smack—and by the the commoncap LSM
> (which is always invoked). Prior to Linux 2.6.27, all such
> checks were of a single type. Since Linux 2.6.27, two access
> mode levels are distinguished:
>
> BTW, can you point me at the piece(s) of kernel code that show that
> "commoncap" is always invoked in addition to any other LSM that has
> been installed?
It's not entirely obvious, but the bottom of security/commoncap.c shows:
#ifdef CONFIG_SECURITY
struct security_hook_list capability_hooks[] = {
LSM_HOOK_INIT(capable, cap_capable),
...
};
void __init capability_add_hooks(void)
{
security_add_hooks(capability_hooks, ARRAY_SIZE(capability_hooks));
}
#endif
And security/security.c shows the initialization order of the LSMs:
int __init security_init(void)
{
pr_info("Security Framework initialized\n");
/*
* Load minor LSMs, with the capability module always first.
*/
capability_add_hooks();
yama_add_hooks();
loadpin_add_hooks();
/*
* Load all the remaining security modules.
*/
do_security_initcalls();
return 0;
}
-Kees
--
Kees Cook
Chrome OS & Brillo Security
^ permalink raw reply [flat|nested] 25+ messages in thread* Re: Documenting ptrace access mode checking
2016-06-22 21:11 ` Kees Cook
@ 2016-06-23 7:02 ` Michael Kerrisk (man-pages)
2016-06-24 8:40 ` Michael Kerrisk (man-pages)
1 sibling, 0 replies; 25+ messages in thread
From: Michael Kerrisk (man-pages) @ 2016-06-23 7:02 UTC (permalink / raw)
To: Kees Cook
Cc: mtk.manpages, Jann Horn, James Morris, linux-man,
Stephen Smalley, lkml, Eric W. Biederman, linux-security-module,
Linux API, Casey Schaufler
On 06/22/2016 11:11 PM, Kees Cook wrote:
> On Wed, Jun 22, 2016 at 12:21 PM, Michael Kerrisk (man-pages)
> <mtk.manpages@gmail.com> wrote:
>> On 06/21/2016 10:55 PM, Jann Horn wrote:
>>> On Tue, Jun 21, 2016 at 11:41:16AM +0200, Michael Kerrisk (man-pages)
>>> wrote:
>>>> 5. The kernel LSM security_ptrace_access_check() interface is
>>>> invoked to see if ptrace access is permitted. The results
>>>> depend on the LSM. The implementation of this interface in
>>>> the default LSM performs the following steps:
>>>
>>>
>>> For people who are unaware of how the LSM API works, it might be good to
>>> clarify that the commoncap LSM is *always* invoked; otherwise, it might
>>> give the impression that using another LSM would replace it.
>>
>>
>> As we can see, I am one of those who are unaware of how the LSM API
>> works :-/.
>>
>>> (Also, are there other documents that refer to it as "default LSM"? I
>>> think that that term is slightly confusing.)
>>
>>
>> No, that's a terminological confusion of my own making. Fixed now.
>>
>> I changed this text to:
>>
>> Various parts of the kernel-user-space API (not just ptrace(2)
>> operations), require so-called "ptrace access mode permissions"
>> which are gated by any enabled Linux Security Module (LSMs)—for
>> example, SELinux, Yama, or Smack—and by the the commoncap LSM
>> (which is always invoked). Prior to Linux 2.6.27, all such
>> checks were of a single type. Since Linux 2.6.27, two access
>> mode levels are distinguished:
>>
>> BTW, can you point me at the piece(s) of kernel code that show that
>> "commoncap" is always invoked in addition to any other LSM that has
>> been installed?
>
> It's not entirely obvious, but the bottom of security/commoncap.c shows:
Thanks Kees!
Cheers,
Michael
>
> #ifdef CONFIG_SECURITY
>
> struct security_hook_list capability_hooks[] = {
> LSM_HOOK_INIT(capable, cap_capable),
> ...
> };
>
> void __init capability_add_hooks(void)
> {
> security_add_hooks(capability_hooks, ARRAY_SIZE(capability_hooks));
> }
>
> #endif
>
> And security/security.c shows the initialization order of the LSMs:
>
> int __init security_init(void)
> {
> pr_info("Security Framework initialized\n");
>
> /*
> * Load minor LSMs, with the capability module always first.
> */
> capability_add_hooks();
> yama_add_hooks();
> loadpin_add_hooks();
>
> /*
> * Load all the remaining security modules.
> */
> do_security_initcalls();
>
> return 0;
> }
>
>
> -Kees
>
>
>
--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
^ permalink raw reply [flat|nested] 25+ messages in thread* Re: Documenting ptrace access mode checking
2016-06-22 21:11 ` Kees Cook
2016-06-23 7:02 ` Michael Kerrisk (man-pages)
@ 2016-06-24 8:40 ` Michael Kerrisk (man-pages)
2016-06-24 15:18 ` Casey Schaufler
1 sibling, 1 reply; 25+ messages in thread
From: Michael Kerrisk (man-pages) @ 2016-06-24 8:40 UTC (permalink / raw)
To: Kees Cook
Cc: mtk.manpages, Jann Horn, James Morris, linux-man,
Stephen Smalley, lkml, Eric W. Biederman, linux-security-module,
Linux API, Casey Schaufler
On 06/22/2016 11:11 PM, Kees Cook wrote:
> On Wed, Jun 22, 2016 at 12:21 PM, Michael Kerrisk (man-pages)
> <mtk.manpages@gmail.com> wrote:
>> On 06/21/2016 10:55 PM, Jann Horn wrote:
>>> On Tue, Jun 21, 2016 at 11:41:16AM +0200, Michael Kerrisk (man-pages)
>>> wrote:
>>>> 5. The kernel LSM security_ptrace_access_check() interface is
>>>> invoked to see if ptrace access is permitted. The results
>>>> depend on the LSM. The implementation of this interface in
>>>> the default LSM performs the following steps:
>>>
>>>
>>> For people who are unaware of how the LSM API works, it might be good to
>>> clarify that the commoncap LSM is *always* invoked; otherwise, it might
>>> give the impression that using another LSM would replace it.
>>
>>
>> As we can see, I am one of those who are unaware of how the LSM API
>> works :-/.
>>
>>> (Also, are there other documents that refer to it as "default LSM"? I
>>> think that that term is slightly confusing.)
>>
>>
>> No, that's a terminological confusion of my own making. Fixed now.
>>
>> I changed this text to:
>>
>> Various parts of the kernel-user-space API (not just ptrace(2)
>> operations), require so-called "ptrace access mode permissions"
>> which are gated by any enabled Linux Security Module (LSMs)—for
>> example, SELinux, Yama, or Smack—and by the the commoncap LSM
>> (which is always invoked). Prior to Linux 2.6.27, all such
>> checks were of a single type. Since Linux 2.6.27, two access
>> mode levels are distinguished:
>>
>> BTW, can you point me at the piece(s) of kernel code that show that
>> "commoncap" is always invoked in addition to any other LSM that has
>> been installed?
>
> It's not entirely obvious, but the bottom of security/commoncap.c shows:
>
> #ifdef CONFIG_SECURITY
>
> struct security_hook_list capability_hooks[] = {
> LSM_HOOK_INIT(capable, cap_capable),
> ...
> };
>
> void __init capability_add_hooks(void)
> {
> security_add_hooks(capability_hooks, ARRAY_SIZE(capability_hooks));
> }
>
> #endif
>
> And security/security.c shows the initialization order of the LSMs:
>
> int __init security_init(void)
> {
> pr_info("Security Framework initialized\n");
>
> /*
> * Load minor LSMs, with the capability module always first.
> */
> capability_add_hooks();
> yama_add_hooks();
> loadpin_add_hooks();
>
> /*
> * Load all the remaining security modules.
> */
> do_security_initcalls();
>
> return 0;
> }
So, I just want to check my understanding of a couple of points:
1. The commoncap LSM is invoked first, and if it denies access,
then no further LSM is/needs to be called.
2. Is it the case that only one of the other LSMs (SELinux, Yama,
AppArmor, etc.) is invoked, or can more than one be invoked.
I thought only one is invoked, but perhaps I am out of date
in my understanding.
Cheers,
Michael
--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
^ permalink raw reply [flat|nested] 25+ messages in thread* Re: Documenting ptrace access mode checking
2016-06-24 8:40 ` Michael Kerrisk (man-pages)
@ 2016-06-24 15:18 ` Casey Schaufler
2016-06-24 20:07 ` Kees Cook
2016-06-25 7:21 ` Michael Kerrisk (man-pages)
0 siblings, 2 replies; 25+ messages in thread
From: Casey Schaufler @ 2016-06-24 15:18 UTC (permalink / raw)
To: Michael Kerrisk (man-pages), Kees Cook
Cc: Jann Horn, James Morris, linux-man, Stephen Smalley, lkml,
Eric W. Biederman, linux-security-module, Linux API
On 6/24/2016 1:40 AM, Michael Kerrisk (man-pages) wrote:
> On 06/22/2016 11:11 PM, Kees Cook wrote:
>> On Wed, Jun 22, 2016 at 12:21 PM, Michael Kerrisk (man-pages)
>> <mtk.manpages@gmail.com> wrote:
>>> On 06/21/2016 10:55 PM, Jann Horn wrote:
>>>> On Tue, Jun 21, 2016 at 11:41:16AM +0200, Michael Kerrisk (man-pages)
>>>> wrote:
>>>>> 5. The kernel LSM security_ptrace_access_check() interface is
>>>>> invoked to see if ptrace access is permitted. The results
>>>>> depend on the LSM. The implementation of this interface in
>>>>> the default LSM performs the following steps:
>>>>
>>>>
>>>> For people who are unaware of how the LSM API works, it might be good to
>>>> clarify that the commoncap LSM is *always* invoked; otherwise, it might
>>>> give the impression that using another LSM would replace it.
>>>
>>>
>>> As we can see, I am one of those who are unaware of how the LSM API
>>> works :-/.
>>>
>>>> (Also, are there other documents that refer to it as "default LSM"? I
>>>> think that that term is slightly confusing.)
>>>
>>>
>>> No, that's a terminological confusion of my own making. Fixed now.
>>>
>>> I changed this text to:
>>>
>>> Various parts of the kernel-user-space API (not just ptrace(2)
>>> operations), require so-called "ptrace access mode permissions"
>>> which are gated by any enabled Linux Security Module (LSMs)—for
>>> example, SELinux, Yama, or Smack—and by the the commoncap LSM
>>> (which is always invoked). Prior to Linux 2.6.27, all such
>>> checks were of a single type. Since Linux 2.6.27, two access
>>> mode levels are distinguished:
>>>
>>> BTW, can you point me at the piece(s) of kernel code that show that
>>> "commoncap" is always invoked in addition to any other LSM that has
>>> been installed?
>>
>> It's not entirely obvious, but the bottom of security/commoncap.c shows:
>>
>> #ifdef CONFIG_SECURITY
>>
>> struct security_hook_list capability_hooks[] = {
>> LSM_HOOK_INIT(capable, cap_capable),
>> ...
>> };
>>
>> void __init capability_add_hooks(void)
>> {
>> security_add_hooks(capability_hooks, ARRAY_SIZE(capability_hooks));
>> }
>>
>> #endif
>>
>> And security/security.c shows the initialization order of the LSMs:
>>
>> int __init security_init(void)
>> {
>> pr_info("Security Framework initialized\n");
>>
>> /*
>> * Load minor LSMs, with the capability module always first.
>> */
>> capability_add_hooks();
>> yama_add_hooks();
>> loadpin_add_hooks();
>>
>> /*
>> * Load all the remaining security modules.
>> */
>> do_security_initcalls();
>>
>> return 0;
>> }
>
> So, I just want to check my understanding of a couple of points:
>
> 1. The commoncap LSM is invoked first, and if it denies access,
> then no further LSM is/needs to be called.
Yes. The LSM infrastructure is "bail on fail".
>
> 2. Is it the case that only one of the other LSMs (SELinux, Yama,
> AppArmor, etc.) is invoked, or can more than one be invoked.
> I thought only one is invoked, but perhaps I am out of date
> in my understanding.
All registered modules are invoked, but only one "major"
module can be registered. The "minor" modules show up in
security_init, while the majors come in via do_security_initcalls.
I am in the process of messing that all up with patches
allowing multiple major modules. Stay tuned.
>
> Cheers,
>
> Michael
>
>
^ permalink raw reply [flat|nested] 25+ messages in thread* Re: Documenting ptrace access mode checking
2016-06-24 15:18 ` Casey Schaufler
@ 2016-06-24 20:07 ` Kees Cook
2016-06-25 7:21 ` Michael Kerrisk (man-pages)
1 sibling, 0 replies; 25+ messages in thread
From: Kees Cook @ 2016-06-24 20:07 UTC (permalink / raw)
To: Casey Schaufler
Cc: Michael Kerrisk (man-pages),
Jann Horn, James Morris, linux-man, Stephen Smalley, lkml,
Eric W. Biederman, linux-security-module, Linux API
On Fri, Jun 24, 2016 at 8:18 AM, Casey Schaufler <casey@schaufler-ca.com> wrote:
> On 6/24/2016 1:40 AM, Michael Kerrisk (man-pages) wrote:
>> So, I just want to check my understanding of a couple of points:
>>
>> 1. The commoncap LSM is invoked first, and if it denies access,
>> then no further LSM is/needs to be called.
>
> Yes. The LSM infrastructure is "bail on fail".
>
>>
>> 2. Is it the case that only one of the other LSMs (SELinux, Yama,
>> AppArmor, etc.) is invoked, or can more than one be invoked.
>> I thought only one is invoked, but perhaps I am out of date
>> in my understanding.
>
> All registered modules are invoked, but only one "major"
> module can be registered. The "minor" modules show up in
> security_init, while the majors come in via do_security_initcalls.
Just to fill in the history: prior the the recent LSM stacking changes
(v4.2), commoncap (which is effectively an LSM) was hard-coded to be
stacked with the single selected primary LSM. Then Yama got hard-coded
stacked with the primary LSM too, and then Casey saved us from total
insanity by providing a proper way to stack LSMs.
-Kees
--
Kees Cook
Chrome OS & Brillo Security
^ permalink raw reply [flat|nested] 25+ messages in thread
* Re: Documenting ptrace access mode checking
2016-06-24 15:18 ` Casey Schaufler
2016-06-24 20:07 ` Kees Cook
@ 2016-06-25 7:21 ` Michael Kerrisk (man-pages)
1 sibling, 0 replies; 25+ messages in thread
From: Michael Kerrisk (man-pages) @ 2016-06-25 7:21 UTC (permalink / raw)
To: Casey Schaufler, Kees Cook
Cc: mtk.manpages, Jann Horn, James Morris, linux-man,
Stephen Smalley, lkml, Eric W. Biederman, linux-security-module,
Linux API
On 06/24/2016 05:18 PM, Casey Schaufler wrote:
>
>
> On 6/24/2016 1:40 AM, Michael Kerrisk (man-pages) wrote:
>> On 06/22/2016 11:11 PM, Kees Cook wrote:
>>> On Wed, Jun 22, 2016 at 12:21 PM, Michael Kerrisk (man-pages)
>>> <mtk.manpages@gmail.com> wrote:
>>>> On 06/21/2016 10:55 PM, Jann Horn wrote:
>>>>> On Tue, Jun 21, 2016 at 11:41:16AM +0200, Michael Kerrisk (man-pages)
>>>>> wrote:
>>>>>> 5. The kernel LSM security_ptrace_access_check() interface is
>>>>>> invoked to see if ptrace access is permitted. The results
>>>>>> depend on the LSM. The implementation of this interface in
>>>>>> the default LSM performs the following steps:
>>>>>
>>>>>
>>>>> For people who are unaware of how the LSM API works, it might be good to
>>>>> clarify that the commoncap LSM is *always* invoked; otherwise, it might
>>>>> give the impression that using another LSM would replace it.
>>>>
>>>>
>>>> As we can see, I am one of those who are unaware of how the LSM API
>>>> works :-/.
>>>>
>>>>> (Also, are there other documents that refer to it as "default LSM"? I
>>>>> think that that term is slightly confusing.)
>>>>
>>>>
>>>> No, that's a terminological confusion of my own making. Fixed now.
>>>>
>>>> I changed this text to:
>>>>
>>>> Various parts of the kernel-user-space API (not just ptrace(2)
>>>> operations), require so-called "ptrace access mode permissions"
>>>> which are gated by any enabled Linux Security Module (LSMs)—for
>>>> example, SELinux, Yama, or Smack—and by the the commoncap LSM
>>>> (which is always invoked). Prior to Linux 2.6.27, all such
>>>> checks were of a single type. Since Linux 2.6.27, two access
>>>> mode levels are distinguished:
>>>>
>>>> BTW, can you point me at the piece(s) of kernel code that show that
>>>> "commoncap" is always invoked in addition to any other LSM that has
>>>> been installed?
>>>
>>> It's not entirely obvious, but the bottom of security/commoncap.c shows:
>>>
>>> #ifdef CONFIG_SECURITY
>>>
>>> struct security_hook_list capability_hooks[] = {
>>> LSM_HOOK_INIT(capable, cap_capable),
>>> ...
>>> };
>>>
>>> void __init capability_add_hooks(void)
>>> {
>>> security_add_hooks(capability_hooks, ARRAY_SIZE(capability_hooks));
>>> }
>>>
>>> #endif
>>>
>>> And security/security.c shows the initialization order of the LSMs:
>>>
>>> int __init security_init(void)
>>> {
>>> pr_info("Security Framework initialized\n");
>>>
>>> /*
>>> * Load minor LSMs, with the capability module always first.
>>> */
>>> capability_add_hooks();
>>> yama_add_hooks();
>>> loadpin_add_hooks();
>>>
>>> /*
>>> * Load all the remaining security modules.
>>> */
>>> do_security_initcalls();
>>>
>>> return 0;
>>> }
>>
>> So, I just want to check my understanding of a couple of points:
>>
>> 1. The commoncap LSM is invoked first, and if it denies access,
>> then no further LSM is/needs to be called.
>
> Yes. The LSM infrastructure is "bail on fail".
>
>>
>> 2. Is it the case that only one of the other LSMs (SELinux, Yama,
>> AppArmor, etc.) is invoked, or can more than one be invoked.
>> I thought only one is invoked, but perhaps I am out of date
>> in my understanding.
>
> All registered modules are invoked, but only one "major"
> module can be registered. The "minor" modules show up in
> security_init, while the majors come in via do_security_initcalls.
>
> I am in the process of messing that all up with patches
> allowing multiple major modules. Stay tuned.
Thanks for the info, Casey.
Cheers,
Michael
--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
^ permalink raw reply [flat|nested] 25+ messages in thread
* Re: Documenting ptrace access mode checking
2016-06-22 19:21 ` Michael Kerrisk (man-pages)
2016-06-22 21:11 ` Kees Cook
@ 2016-06-22 22:44 ` Jann Horn
2016-06-23 7:42 ` Michael Kerrisk (man-pages)
1 sibling, 1 reply; 25+ messages in thread
From: Jann Horn @ 2016-06-22 22:44 UTC (permalink / raw)
To: Michael Kerrisk (man-pages)
Cc: James Morris, linux-man, Stephen Smalley, lkml, Kees Cook,
Eric W. Biederman, linux-security-module, Linux API
[-- Attachment #1: Type: text/plain, Size: 3451 bytes --]
On Wed, Jun 22, 2016 at 09:21:29PM +0200, Michael Kerrisk (man-pages) wrote:
> On 06/21/2016 10:55 PM, Jann Horn wrote:
> >On Tue, Jun 21, 2016 at 11:41:16AM +0200, Michael Kerrisk (man-pages) wrote:
> >>Here's the new ptrace(2) text. Any comments, technical or terminological
> >>fixes, other improvements, etc. are welcome.
> >
> >As others have said, I'm surprised about seeing documentation about
> >kernel-internal constants in manpages - but I think it might be a good
> >thing to have there, given that people who look at ptrace(2) are likely
> >to be interested in low-level details.
>
> I agree that it is a little surprising to add kernel-internal
> constants in a man page. (There are precedents, but they are few.)
> But see my reply to Kees. It's more than just explaining low level
> details: there are various kinds of user-space behavior differences
> (real vs filesystem credentials; permitted vs effective capabilities)
> produced by the ptrace_may_access() checks, and those behaviors need
> to be described and *somehow* labeled for cross-referencing from
> other man pages.
Makes sense.
> >> The algorithm employed for ptrace access mode checking deter‐
> >> mines whether the calling process is allowed to perform the
> >> corresponding action on the target process, as follows:
> >>
> >> 1. If the calling thread and the target thread are in the same
> >> thread group, access is always allowed.
> >>
> >> 2. If the access mode specifies PTRACE_MODE_FSCREDS, then for
> >> the check in the next step, employ the caller's filesystem
> >> user ID and group ID (see credentials(7)); otherwise (the
> >> access mode specifies PTRACE_MODE_REALCREDS, so) use the
> >> caller's real user ID and group ID.
> >
> >Might want to add a "for historical reasons" or so here.
>
> Can you be a little more precise about "here", and maybe tell me why
> you think it helps?
I'm not sure, but it might be a good idea to add something like this at the
end of 2.:
"(Most other APIs that check one of the caller's UIDs use the effective one.
This API uses the real UID instead for historical reasons.)"
In my opinion, it is inconsistent to use the real UID/GID here, the
effective one would be more appropriate. But since the existing code uses
the real UID/GID and that's not a security issue for existing users of
the ptrace API, this wasn't changed when I added the REALCREDS/FSCREDS
distinction.
I think that for a reader, it might help to point out that in most cases,
when a process is the subject in an access check, its effective UID/GID
are used, and this is (together with kill()) an exception to that rule.
But you're the expert on writing documentation, if you think that that's
too much detail / confusing here, it probably is.
> I changed this text to:
>
> Various parts of the kernel-user-space API (not just ptrace(2)
> operations), require so-called "ptrace access mode permissions"
> which are gated by any enabled Linux Security Module (LSMs)—for
> example, SELinux, Yama, or Smack—and by the the commoncap LSM
> (which is always invoked). Prior to Linux 2.6.27, all such
> checks were of a single type. Since Linux 2.6.27, two access
> mode levels are distinguished:
Sounds good to me.
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
^ permalink raw reply [flat|nested] 25+ messages in thread
* Re: Documenting ptrace access mode checking
2016-06-22 22:44 ` Jann Horn
@ 2016-06-23 7:42 ` Michael Kerrisk (man-pages)
2016-06-24 6:35 ` Jann Horn
0 siblings, 1 reply; 25+ messages in thread
From: Michael Kerrisk (man-pages) @ 2016-06-23 7:42 UTC (permalink / raw)
To: Jann Horn
Cc: mtk.manpages, James Morris, linux-man, Stephen Smalley, lkml,
Kees Cook, Eric W. Biederman, linux-security-module, Linux API
Hi Jann,
Thanks for your further review. Follow-up of one point below.
On 06/23/2016 12:44 AM, Jann Horn wrote:
> On Wed, Jun 22, 2016 at 09:21:29PM +0200, Michael Kerrisk (man-pages) wrote:
>> On 06/21/2016 10:55 PM, Jann Horn wrote:
>>> On Tue, Jun 21, 2016 at 11:41:16AM +0200, Michael Kerrisk (man-pages) wrote:
[...]
>>>> The algorithm employed for ptrace access mode checking deter‐
>>>> mines whether the calling process is allowed to perform the
>>>> corresponding action on the target process, as follows:
>>>>
>>>> 1. If the calling thread and the target thread are in the same
>>>> thread group, access is always allowed.
>>>>
>>>> 2. If the access mode specifies PTRACE_MODE_FSCREDS, then for
>>>> the check in the next step, employ the caller's filesystem
>>>> user ID and group ID (see credentials(7)); otherwise (the
>>>> access mode specifies PTRACE_MODE_REALCREDS, so) use the
>>>> caller's real user ID and group ID.
>>>
>>> Might want to add a "for historical reasons" or so here.
>>
>> Can you be a little more precise about "here", and maybe tell me why
>> you think it helps?
>
> I'm not sure, but it might be a good idea to add something like this at the
> end of 2.:
> "(Most other APIs that check one of the caller's UIDs use the effective one.
> This API uses the real UID instead for historical reasons.)"
>
> In my opinion, it is inconsistent to use the real UID/GID here, the
> effective one would be more appropriate. But since the existing code uses
> the real UID/GID and that's not a security issue for existing users of
> the ptrace API, this wasn't changed when I added the REALCREDS/FSCREDS
> distinction.
>
> I think that for a reader, it might help to point out that in most cases,
> when a process is the subject in an access check, its effective UID/GID
> are used, and this is (together with kill()) an exception to that rule.
> But you're the expert on writing documentation, if you think that that's
> too much detail / confusing here, it probably is.
Okay -- got it now, I think. I made this text:
2. If the access mode specifies PTRACE_MODE_FSCREDS, then, for
the check in the next step, employ the caller's filesystem
UID and GID. (As noted in credentials(7), the filesystem
UID and GID almost always have the same values as the cor‐
responding effective IDs.)
Otherwise, the access mode specifies PTRACE_MODE_REALCREDS,
so use the caller's real UID and GID for the checks in the
next step. (Most APIs that check the caller's UID and GID
use the effective IDs. For historical reasons, the
PTRACE_MODE_REALCREDS check uses the real IDs instead.)
[...]
Cheers,
Michael
--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
^ permalink raw reply [flat|nested] 25+ messages in thread* Re: Documenting ptrace access mode checking
2016-06-23 7:42 ` Michael Kerrisk (man-pages)
@ 2016-06-24 6:35 ` Jann Horn
0 siblings, 0 replies; 25+ messages in thread
From: Jann Horn @ 2016-06-24 6:35 UTC (permalink / raw)
To: Michael Kerrisk (man-pages)
Cc: James Morris, linux-man, Stephen Smalley, lkml, Kees Cook,
Eric W. Biederman, linux-security-module, Linux API
[-- Attachment #1: Type: text/plain, Size: 3075 bytes --]
On Thu, Jun 23, 2016 at 09:42:09AM +0200, Michael Kerrisk (man-pages) wrote:
> Hi Jann,
>
> Thanks for your further review. Follow-up of one point below.
>
> On 06/23/2016 12:44 AM, Jann Horn wrote:
> >On Wed, Jun 22, 2016 at 09:21:29PM +0200, Michael Kerrisk (man-pages) wrote:
> >>On 06/21/2016 10:55 PM, Jann Horn wrote:
> >>>On Tue, Jun 21, 2016 at 11:41:16AM +0200, Michael Kerrisk (man-pages) wrote:
>
> [...]
>
> >>>> The algorithm employed for ptrace access mode checking deter‐
> >>>> mines whether the calling process is allowed to perform the
> >>>> corresponding action on the target process, as follows:
> >>>>
> >>>> 1. If the calling thread and the target thread are in the same
> >>>> thread group, access is always allowed.
> >>>>
> >>>> 2. If the access mode specifies PTRACE_MODE_FSCREDS, then for
> >>>> the check in the next step, employ the caller's filesystem
> >>>> user ID and group ID (see credentials(7)); otherwise (the
> >>>> access mode specifies PTRACE_MODE_REALCREDS, so) use the
> >>>> caller's real user ID and group ID.
> >>>
> >>>Might want to add a "for historical reasons" or so here.
> >>
> >>Can you be a little more precise about "here", and maybe tell me why
> >>you think it helps?
> >
> >I'm not sure, but it might be a good idea to add something like this at the
> >end of 2.:
> >"(Most other APIs that check one of the caller's UIDs use the effective one.
> >This API uses the real UID instead for historical reasons.)"
> >
> >In my opinion, it is inconsistent to use the real UID/GID here, the
> >effective one would be more appropriate. But since the existing code uses
> >the real UID/GID and that's not a security issue for existing users of
> >the ptrace API, this wasn't changed when I added the REALCREDS/FSCREDS
> >distinction.
> >
> >I think that for a reader, it might help to point out that in most cases,
> >when a process is the subject in an access check, its effective UID/GID
> >are used, and this is (together with kill()) an exception to that rule.
> >But you're the expert on writing documentation, if you think that that's
> >too much detail / confusing here, it probably is.
>
> Okay -- got it now, I think. I made this text:
>
> 2. If the access mode specifies PTRACE_MODE_FSCREDS, then, for
> the check in the next step, employ the caller's filesystem
> UID and GID. (As noted in credentials(7), the filesystem
> UID and GID almost always have the same values as the cor‐
> responding effective IDs.)
>
> Otherwise, the access mode specifies PTRACE_MODE_REALCREDS,
> so use the caller's real UID and GID for the checks in the
> next step. (Most APIs that check the caller's UID and GID
> use the effective IDs. For historical reasons, the
> PTRACE_MODE_REALCREDS check uses the real IDs instead.)
Thanks, that sounds good.
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
^ permalink raw reply [flat|nested] 25+ messages in thread
* Re: Documenting ptrace access mode checking
2016-06-21 9:41 Documenting ptrace access mode checking Michael Kerrisk (man-pages)
2016-06-21 19:55 ` Eric W. Biederman
2016-06-21 20:55 ` Jann Horn
@ 2016-06-23 18:05 ` Stephen Smalley
2016-06-24 8:33 ` Michael Kerrisk (man-pages)
2 siblings, 1 reply; 25+ messages in thread
From: Stephen Smalley @ 2016-06-23 18:05 UTC (permalink / raw)
To: Michael Kerrisk (man-pages), Jann Horn
Cc: James Morris, linux-man, lkml, Kees Cook, Eric W. Biederman,
linux-security-module, Linux API
On 06/21/2016 05:41 AM, Michael Kerrisk (man-pages) wrote:
> Hi Jann, Stephen, et al.
>
> Jann, since you recently committed a patch in this area, and Stephen,
> since you committed 006ebb40d3d much further back in time, I wonder if
> you might help me by reviewing the text below that I propose to add to
> the ptrace(2) man page, in order to document "ptrace access mode
> checking" that is performed in various parts of the kernel-user-space
> interface. Of course, I welcome input from anyone else as well.
>
> Here's the new ptrace(2) text. Any comments, technical or terminological
> fixes, other improvements, etc. are welcome.
>
> [[
> Ptrace access mode checking
> Various parts of the kernel-user-space API (not just ptrace(2)
> operations), require so-called "ptrace access mode permissions"
> which are gated by Linux Security Modules (LSMs) such as
> SELinux, Yama, Smack, or the default LSM. Prior to Linux
> 2.6.27, all such checks were of a single type. Since Linux
> 2.6.27, two access mode levels are distinguished:
>
> PTRACE_MODE_READ
> For "read" operations or other operations that are less
> dangerous, such as: get_robust_list(2); kcmp(2); reading
> /proc/[pid]/auxv, /proc/[pid]/environ, or
> /proc/[pid]/stat; or readlink(2) of a /proc/[pid]/ns/*
> file.
>
> PTRACE_MODE_ATTACH
> For "write" operations, or other operations that are
> more dangerous, such as: ptrace attaching
> (PTRACE_ATTACH) to another process or calling
> process_vm_writev(2). (PTRACE_MODE_ATTACH was effec‐
> tively the default before Linux 2.6.27.)
That was the intent when the distinction was introduced, but it doesn't
appear to have been properly maintained, e.g. there is now a common
helper lock_trace() that is used for
/proc/pid/{stack,syscall,personality} but checks PTRACE_MODE_ATTACH, and
PTRACE_MODE_ATTACH is also used in timerslack_ns_write/show(). Likely
should review and make them consistent. There was also some debate
about proper handling of /proc/pid/fd. Arguably that one might belong
back in the _ATTACH camp.
>
> Since Linux 4.5, the above access mode checks may be combined
> (ORed) with one of the following modifiers:
>
> PTRACE_MODE_FSCREDS
> Use the caller's filesystem UID and GID (see creden‐
> tials(7)) or effective capabilities for LSM checks.
>
> PTRACE_MODE_REALCREDS
> Use the caller's real UID and GID or permitted capabili‐
> ties for LSM checks. This was effectively the default
> before Linux 4.5.
>
> Because combining one of the credential modifiers with one of
> the aforementioned access modes is typical, some macros are
> defined in the kernel sources for the combinations:
>
> PTRACE_MODE_READ_FSCREDS
> Defined as PTRACE_MODE_READ | PTRACE_MODE_FSCREDS.
>
> PTRACE_MODE_READ_REALCREDS
> Defined as PTRACE_MODE_READ | PTRACE_MODE_REALCREDS.
>
> PTRACE_MODE_ATTACH_FSCREDS
> Defined as PTRACE_MODE_ATTACH | PTRACE_MODE_FSCREDS.
>
> PTRACE_MODE_ATTACH_REALCREDS
> Defined as PTRACE_MODE_ATTACH | PTRACE_MODE_REALCREDS.
>
> One further modifier can be ORed with the access mode:
>
> PTRACE_MODE_NOAUDIT (since Linux 3.3)
> Don't audit this access mode check.
>
> [I'd quite welcome some text to explain "auditing" here.]
Some ptrace access mode checks, such as checks when reading
/proc/pid/stat, merely cause the output to be filtered/sanitized rather
than an error to be returned to the caller. In these cases, accessing
the file is not a security violation and there is no reason to generate
a security audit record. This modifier suppresses the generation of
such an audit record for the particular access check.
>
> The algorithm employed for ptrace access mode checking deter‐
> mines whether the calling process is allowed to perform the
> corresponding action on the target process, as follows:
>
> 1. If the calling thread and the target thread are in the same
> thread group, access is always allowed.
>
> 2. If the access mode specifies PTRACE_MODE_FSCREDS, then for
> the check in the next step, employ the caller's filesystem
> user ID and group ID (see credentials(7)); otherwise (the
> access mode specifies PTRACE_MODE_REALCREDS, so) use the
> caller's real user ID and group ID.
>
> 3. Deny access if neither of the following is true:
>
> · The real, effective, and saved-set user IDs of the target
> match the caller's user ID, and the real, effective, and
> saved-set group IDs of the target match the caller's
> group ID.
>
> · The caller has the CAP_SYS_PTRACE capability.
>
> 4. Deny access if the target process "dumpable" attribute has
> a value other than 1 (SUID_DUMP_USER; see the discussion of
> PR_SET_DUMPABLE in prctl(2)), and the caller does not have
> the CAP_SYS_PTRACE capability in the user namespace of the
> target process.
>
> 5. The kernel LSM security_ptrace_access_check() interface is
> invoked to see if ptrace access is permitted. The results
> depend on the LSM. The implementation of this interface in
> the default LSM performs the following steps:
>
> a) If the access mode includes PTRACE_MODE_FSCREDS, then
> use the caller's effective capability set in the follow‐
> ing check; otherwise (the access mode specifies
> PTRACE_MODE_REALCREDS, so) use the caller's permitted
> capability set.
>
> b) Deny access if neither of the following is true:
>
> · The caller's capabilities are a proper superset of the
> target process's permitted capabilities.
>
> · The caller has the CAP_SYS_PTRACE capability in the
> target process's user namespace.
>
> Note that the default LSM does not distinguish between
> PTRACE_MODE_READ and PTRACE_MODE_ATTACH.
>
> 6. If access has not been denied by any of the preceding
> steps, then access is allowed.
> ]]
>
> There are accompanying changes to various pages that refer to
> the new text in ptrace(2), so that, for example, kcmp(2) adds:
>
> Permission to employ kcmp() is governed by ptrace access mode
> PTRACE_MODE_ATTACH_REALCREDS checks against both pid1 and pid2;
> see ptrace(2).
>
> and proc.5 has additions such as:
>
> /proc/[pid]/auxv (since 2.6.0-test7)
> ...
> Permission to access this file is governed by a ptrace
> access mode PTRACE_MODE_READ_FSCREDS check; see
> ptrace(2).
>
> /proc/[pid]/cwd
> ...
> Permission to dereference or read (readlink(2)) this
> symbolic link is governed by a ptrace access mode
> PTRACE_MODE_READ_FSCREDS check; see ptrace(2).
>
> Thanks,
>
> Michael
>
^ permalink raw reply [flat|nested] 25+ messages in thread* Re: Documenting ptrace access mode checking
2016-06-23 18:05 ` Stephen Smalley
@ 2016-06-24 8:33 ` Michael Kerrisk (man-pages)
0 siblings, 0 replies; 25+ messages in thread
From: Michael Kerrisk (man-pages) @ 2016-06-24 8:33 UTC (permalink / raw)
To: Stephen Smalley, Jann Horn
Cc: mtk.manpages, James Morris, linux-man, lkml, Kees Cook,
Eric W. Biederman, linux-security-module, Linux API
Stephen,
On 06/23/2016 08:05 PM, Stephen Smalley wrote:
> On 06/21/2016 05:41 AM, Michael Kerrisk (man-pages) wrote:
>> Hi Jann, Stephen, et al.
>>
>> Jann, since you recently committed a patch in this area, and Stephen,
>> since you committed 006ebb40d3d much further back in time, I wonder if
>> you might help me by reviewing the text below that I propose to add to
>> the ptrace(2) man page, in order to document "ptrace access mode
>> checking" that is performed in various parts of the kernel-user-space
>> interface. Of course, I welcome input from anyone else as well.
>>
>> Here's the new ptrace(2) text. Any comments, technical or terminological
>> fixes, other improvements, etc. are welcome.
>>
>> [[
>> Ptrace access mode checking
>> Various parts of the kernel-user-space API (not just ptrace(2)
>> operations), require so-called "ptrace access mode permissions"
>> which are gated by Linux Security Modules (LSMs) such as
>> SELinux, Yama, Smack, or the default LSM. Prior to Linux
>> 2.6.27, all such checks were of a single type. Since Linux
>> 2.6.27, two access mode levels are distinguished:
>>
>> PTRACE_MODE_READ
>> For "read" operations or other operations that are less
>> dangerous, such as: get_robust_list(2); kcmp(2); reading
>> /proc/[pid]/auxv, /proc/[pid]/environ, or
>> /proc/[pid]/stat; or readlink(2) of a /proc/[pid]/ns/*
>> file.
>>
>> PTRACE_MODE_ATTACH
>> For "write" operations, or other operations that are
>> more dangerous, such as: ptrace attaching
>> (PTRACE_ATTACH) to another process or calling
>> process_vm_writev(2). (PTRACE_MODE_ATTACH was effec‐
>> tively the default before Linux 2.6.27.)
>
> That was the intent when the distinction was introduced, but it doesn't
> appear to have been properly maintained, e.g. there is now a common
> helper lock_trace() that is used for
> /proc/pid/{stack,syscall,personality} but checks PTRACE_MODE_ATTACH, and
> PTRACE_MODE_ATTACH is also used in timerslack_ns_write/show(). Likely
> should review and make them consistent. There was also some debate
> about proper handling of /proc/pid/fd. Arguably that one might belong
> back in the _ATTACH camp.
Thanks for the background info.
>> Since Linux 4.5, the above access mode checks may be combined
>> (ORed) with one of the following modifiers:
>>
>> PTRACE_MODE_FSCREDS
>> Use the caller's filesystem UID and GID (see creden‐
>> tials(7)) or effective capabilities for LSM checks.
>>
>> PTRACE_MODE_REALCREDS
>> Use the caller's real UID and GID or permitted capabili‐
>> ties for LSM checks. This was effectively the default
>> before Linux 4.5.
>>
>> Because combining one of the credential modifiers with one of
>> the aforementioned access modes is typical, some macros are
>> defined in the kernel sources for the combinations:
>>
>> PTRACE_MODE_READ_FSCREDS
>> Defined as PTRACE_MODE_READ | PTRACE_MODE_FSCREDS.
>>
>> PTRACE_MODE_READ_REALCREDS
>> Defined as PTRACE_MODE_READ | PTRACE_MODE_REALCREDS.
>>
>> PTRACE_MODE_ATTACH_FSCREDS
>> Defined as PTRACE_MODE_ATTACH | PTRACE_MODE_FSCREDS.
>>
>> PTRACE_MODE_ATTACH_REALCREDS
>> Defined as PTRACE_MODE_ATTACH | PTRACE_MODE_REALCREDS.
>>
>> One further modifier can be ORed with the access mode:
>>
>> PTRACE_MODE_NOAUDIT (since Linux 3.3)
>> Don't audit this access mode check.
>>
>> [I'd quite welcome some text to explain "auditing" here.]
>
> Some ptrace access mode checks, such as checks when reading
> /proc/pid/stat, merely cause the output to be filtered/sanitized rather
> than an error to be returned to the caller. In these cases, accessing
> the file is not a security violation and there is no reason to generate
> a security audit record. This modifier suppresses the generation of
> such an audit record for the particular access check.
Thanks, I've added that text to the man page more or less as you
gave it here.
Cheers,
Michael
--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
^ permalink raw reply [flat|nested] 25+ messages in thread