From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752031AbcFWTRA (ORCPT <rfc822;w@1wt.eu>);
	Thu, 23 Jun 2016 15:17:00 -0400
Received: from out02.mta.xmission.com ([166.70.13.232]:43404 "EHLO
	out02.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751523AbcFWTQ5 (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Thu, 23 Jun 2016 15:16:57 -0400
From: ebiederm@xmission.com (Eric W. Biederman)
To: "Michael Kerrisk \(man-pages\)" <mtk.manpages@gmail.com>
Cc: Jann Horn <jann@thejh.net>, James Morris <jmorris@namei.org>,
        linux-man <linux-man@vger.kernel.org>,
        Stephen Smalley <sds@tycho.nsa.gov>,
        lkml <linux-kernel@vger.kernel.org>, Kees Cook <keescook@chromium.org>,
        linux-security-module <linux-security-module@vger.kernel.org>,
        Linux API <linux-api@vger.kernel.org>, Oleg Nesterov <oleg@redhat.com>
References: <e335a243-2199-2185-c7b3-fb1c898e9ab4@gmail.com>
	<87ziqewc3r.fsf@x220.int.ebiederm.org>
	<4c6a338f-619b-9e99-9fd8-1cf6d86ecfed@gmail.com>
Date: Thu, 23 Jun 2016 14:04:43 -0500
In-Reply-To: <4c6a338f-619b-9e99-9fd8-1cf6d86ecfed@gmail.com> (Michael
	Kerrisk's message of "Wed, 22 Jun 2016 21:20:32 +0200")
Message-ID: <87por7hgl0.fsf@x220.int.ebiederm.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-XM-SPF: eid=1bGA7Q-0000C2-G3;;;mid=<87por7hgl0.fsf@x220.int.ebiederm.org>;;;hst=in01.mta.xmission.com;;;ip=67.3.204.119;;;frm=ebiederm@xmission.com;;;spf=neutral
X-XM-AID: U2FsdGVkX1/l7Ybas9832m+mCItNDT3a+FnV0mk2Fi8=
X-SA-Exim-Connect-IP: 67.3.204.119
X-SA-Exim-Mail-From: ebiederm@xmission.com
X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
	*  0.0 TVD_RCVD_IP Message was received from an IP address
	*  0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available.
	*  0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
	*      [score: 0.5000]
	* -0.0 DCC_CHECK_NEGATIVE Not listed in DCC
	*      [sa06 1397; Body=1 Fuz1=1 Fuz2=1]
X-Spam-DCC: XMission; sa06 1397; Body=1 Fuz1=1 Fuz2=1 
X-Spam-Combo: ;"Michael Kerrisk \(man-pages\)" <mtk.manpages@gmail.com>
X-Spam-Relay-Country: 
X-Spam-Timing: total 1342 ms - load_scoreonly_sql: 0.05 (0.0%),
	signal_user_changed: 3.4 (0.3%), b_tie_ro: 2.4 (0.2%), parse: 1.10 (0.1%),
	extract_message_metadata: 5 (0.4%), get_uri_detail_list: 2.8 (0.2%),
	tests_pri_-1000: 3.8 (0.3%), tests_pri_-950: 1.21 (0.1%), tests_pri_-900:
	1.03 (0.1%), tests_pri_-400: 29 (2.1%), check_bayes: 28 (2.1%), b_tokenize:
	11 (0.8%), b_tok_get_all: 9 (0.7%), b_comp_prob: 2.5 (0.2%), b_tok_touch_all:
	3.3 (0.2%), b_finish: 0.74 (0.1%), tests_pri_0: 1281 (95.4%),
	check_dkim_signature: 0.54 (0.0%), check_dkim_adsp: 3.2 (0.2%),
	tests_pri_500: 4.3 (0.3%), rewrite_mail: 0.00 (0.0%)
Subject: Re: Documenting ptrace access mode checking
X-Spam-Flag: No
X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600)
X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

"Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> writes:

> Hi Eric,
>
> On 06/21/2016 09:55 PM, Eric W. Biederman wrote:
>> Hmm.
>>
>> When I gave this level of detail about the user namespace permission
>> checks you gave me some flack, because it was not particularly
>> comprehensible to the end users.  I think you deserve the same feedback.
>>
>> How do we say this in a way that does not describes a useful way to
>> think about it.  I read this and I know a lot of what is going on and my
>> mind goes numb.
>>
>> How about something like this:
>>
>>    If the callers uid and gid are the same as a processes uids and gids
>>    and the processes is configured to allow core dumps (aka it was never
>>    setuid or setgid) then the caller is allowed to ptrace a process.
>>
>>    Otherwise the caller must have CAP_SYS_PTRACE.
>>
>>    Linux security modules impose additional restrictions.
>>
>>    For consistency access to various process attributes are guarded with
>>    the same security checks as the ptrace system call itself.  As they are
>>    all methods to get information about a process.
>>
>> We certainly need something that gives a high level view so people
>> reading the man page can know what to expect.   If you get down into the
>> weeds we run the danger of people beginning to think they can depend
>> upon bugs in the implementation.
>
> Thanks for the feedback, but I think more detail is required than you
> suggest. (And I added all of that detail somewhat reluctantly.)
> See my other replies for my rationale.

What I saw badly missing from your description is not the level of
detail but bring things into a form that ordinary mortals can
understand.

For an explanation to be clear I think we very much need the high level
overview first.  Then we can expand that description with the very
detailed view.

I very much think we need to describe things in such a way that people
understand the principles behind the permission checks, and not just
have the documentation echo the code, so that people can know what weird
things LSMs like yama are likely to do, and how these checks are likely
to evolve in the future.

Because one thing is clear to me.  The evolution of these details is
clearly not done, and will continue to change in the future.

Eric