From: Kees Cook <keescook@chromium.org>
To: Aleksa Sarai <asarai@suse.de>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Michal Hocko <mhocko@suse.com>, Oleg Nesterov <oleg@redhat.com>,
Al Viro <viro@zeniv.linux.org.uk>,
John Stultz <john.stultz@linaro.org>,
Mateusz Guzik <mguzik@redhat.com>,
Janis Danisevskis <jdanis@google.com>,
LKML <linux-kernel@vger.kernel.org>,
dev@opencontainers.org,
Linux Containers <containers@lists.linux-foundation.org>
Subject: Re: [PATCH] procfs: change the owner of non-dumpable and writeable files
Date: Wed, 18 Jan 2017 15:22:48 -0800 [thread overview]
Message-ID: <CAGXu5jL4R-rqv-33XvvsMOqcxBgPRm-eAeRThdN515Ux3TSiFw@mail.gmail.com> (raw)
In-Reply-To: <20170118040159.4751-1-asarai@suse.de>
On Tue, Jan 17, 2017 at 8:01 PM, Aleksa Sarai <asarai@suse.de> wrote:
> In order to protect against ptrace(2) and similar attacks on container
> runtimes when they join namespaces, many runtimes set mm->dumpable to
> SUID_DUMP_DISABLE. However, doing this means that attempting to set up
> an unprivileged user namespace will fail because an unprivileged process
> can no longer access /proc/self/{setgroups,{uid,gid}_map} for the
> container process (which is the same uid as the runtime process).
>
> Fix this by changing pid_getattr to *also* change the owner of regular
> files that have a mode of 0644 (when the process is not dumpable). This
> ensures that the important /proc/[pid]/... files mentioned above are
> properly accessible by a container runtime in a rootless container
> context.
>
> The most blantant issue is that a non-dumpable process in a rootless
> container context is unable to open /proc/self/setgroups, because it
> doesn't own the file.
This changes a lot more than just setgroups, doesn't it? This bypasses
the task_dumpable check for all kinds of things. Though, I expect the
has_pid_permissions() check to be the harder one to pass. Why does
has_pid_permissions() succeed in the case you've given?
-Kees
> int main(void)
> {
> prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
> unshare(CLONE_NEWUSER);
>
> /* This will fail. */
> int fd = open("/proc/self/setgroups", O_WRONLY);
> if (fd < 0)
> abort();
>
> return 0;
> }
>
> Cc: dev@opencontainers.org
> Cc: containers@lists.linux-foundation.org
> Signed-off-by: Aleksa Sarai <asarai@suse.de>
> ---
> fs/proc/base.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/fs/proc/base.c b/fs/proc/base.c
> index ca651ac00660..ebabb12f4536 100644
> --- a/fs/proc/base.c
> +++ b/fs/proc/base.c
> @@ -1729,6 +1729,7 @@ int pid_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat)
> return -ENOENT;
> }
> if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
> + (inode->i_mode == (S_IFREG|S_IRUGO|S_IWUSR)) ||
> task_dumpable(task)) {
> cred = __task_cred(task);
> stat->uid = cred->euid;
> @@ -1770,6 +1771,7 @@ int pid_revalidate(struct dentry *dentry, unsigned int flags)
>
> if (task) {
> if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
> + (inode->i_mode == (S_IFREG|S_IRUGO|S_IWUSR)) ||
> task_dumpable(task)) {
> rcu_read_lock();
> cred = __task_cred(task);
> @@ -2394,7 +2396,7 @@ static int proc_pident_instantiate(struct inode *dir,
> return -ENOENT;
> }
>
> -static struct dentry *proc_pident_lookup(struct inode *dir,
> +static struct dentry *proc_pident_lookup(struct inode *dir,
> struct dentry *dentry,
> const struct pid_entry *ents,
> unsigned int nents)
> @@ -2536,7 +2538,7 @@ static const struct pid_entry attr_dir_stuff[] = {
>
> static int proc_attr_dir_readdir(struct file *file, struct dir_context *ctx)
> {
> - return proc_pident_readdir(file, ctx,
> + return proc_pident_readdir(file, ctx,
> attr_dir_stuff, ARRAY_SIZE(attr_dir_stuff));
> }
>
> --
> 2.11.0
>
--
Kees Cook
Nexus Security
next prev parent reply other threads:[~2017-01-18 23:30 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-18 4:01 [PATCH] procfs: change the owner of non-dumpable and writeable files Aleksa Sarai
2017-01-18 23:22 ` Kees Cook [this message]
2017-01-18 23:34 ` Aleksa Sarai
2017-01-19 9:29 ` Michal Hocko
2017-01-19 13:08 ` Aleksa Sarai
2017-01-20 1:57 ` Eric W. Biederman
2017-01-20 2:35 ` Aleksa Sarai
2017-01-20 4:35 ` Eric W. Biederman
2017-01-25 6:43 ` Aleksa Sarai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAGXu5jL4R-rqv-33XvvsMOqcxBgPRm-eAeRThdN515Ux3TSiFw@mail.gmail.com \
--to=keescook@chromium.org \
--cc=akpm@linux-foundation.org \
--cc=asarai@suse.de \
--cc=containers@lists.linux-foundation.org \
--cc=dev@opencontainers.org \
--cc=jdanis@google.com \
--cc=john.stultz@linaro.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mguzik@redhat.com \
--cc=mhocko@suse.com \
--cc=oleg@redhat.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).