Re: + mm-relax-ptrace-mode-in-process_vm_readv2.patch added to -mm tree

Re: + mm-relax-ptrace-mode-in-process_vm_readv2.patch added to -mm tree

[Alexey Dobriyan]

On Mon, Mar 05, 2018 at 05:02:08PM -0800, Kees Cook wrote:
> On Mon, Mar 5, 2018 at 4:07 PM,  <akpm@linux-foundation.org> wrote:

> > It is more natural to check for read-from-memory permissions in case of
> > process_vm_readv() as PTRACE_MODE_ATTACH is equivalent to write
> > permissions.
> 
> NAK, this weakens the existing permission model for reading

What if existing permission model is overezealous?

/proc/*/auxv, /proc/*/environ, /proc*/cmdline, /proc/*/mem opened
for reading and process_vm_readv(2) should do PTRACE_MODE_READ and
everything else should do PTRACE_MODE_ATTACH.

> cross-process memory. ptrace-readable memory can only be done with
> ATTACH, and /proc/$pid/mem also requires ATTACH:
> 
> static int mem_open(struct inode *inode, struct file *file)
> {
>         int ret = __mem_open(inode, file, PTRACE_MODE_ATTACH);
> 
> Only auxv and environ use READ. We should absolutely not create a pass
> to a lower permission requirement here.

Re: + mm-relax-ptrace-mode-in-process_vm_readv2.patch added to -mm tree

[Alexey Dobriyan]

On Tue, Mar 06, 2018 at 08:42:19PM +0300, Alexey Dobriyan wrote:
> On Mon, Mar 05, 2018 at 05:02:08PM -0800, Kees Cook wrote:
> > On Mon, Mar 5, 2018 at 4:07 PM,  <akpm@linux-foundation.org> wrote:
> 
> > > It is more natural to check for read-from-memory permissions in case of
> > > process_vm_readv() as PTRACE_MODE_ATTACH is equivalent to write
> > > permissions.
> > 
> > NAK, this weakens the existing permission model for reading
> 
> What if existing permission model is overezealous?
> 
> /proc/*/auxv, /proc/*/environ, /proc*/cmdline, /proc/*/mem opened
> for reading and process_vm_readv(2) should do PTRACE_MODE_READ and
> everything else should do PTRACE_MODE_ATTACH.

Or in other words:

what if there should be 3 levels:
1) permission to write to address space
2) permission to read arbitrarily from adress space
3) permission to read auxv, argv and envp

Current code conflates (1) and (2).

Re: + mm-relax-ptrace-mode-in-process_vm_readv2.patch added to -mm tree

[Kees Cook]

On Tue, Mar 6, 2018 at 10:03 AM, Alexey Dobriyan <adobriyan@gmail.com> wrote:
> On Tue, Mar 06, 2018 at 08:42:19PM +0300, Alexey Dobriyan wrote:
>> On Mon, Mar 05, 2018 at 05:02:08PM -0800, Kees Cook wrote:
>> > On Mon, Mar 5, 2018 at 4:07 PM,  <akpm@linux-foundation.org> wrote:
>>
>> > > It is more natural to check for read-from-memory permissions in case of
>> > > process_vm_readv() as PTRACE_MODE_ATTACH is equivalent to write
>> > > permissions.
>> >
>> > NAK, this weakens the existing permission model for reading
>>
>> What if existing permission model is overezealous?
>>
>> /proc/*/auxv, /proc/*/environ, /proc*/cmdline, /proc/*/mem opened
>> for reading and process_vm_readv(2) should do PTRACE_MODE_READ and
>> everything else should do PTRACE_MODE_ATTACH.
>
> Or in other words:
>
> what if there should be 3 levels:
> 1) permission to write to address space
> 2) permission to read arbitrarily from adress space
> 3) permission to read auxv, argv and envp
>
> Current code conflates (1) and (2).

There is also:

4) permission to read address layout (e.g. access to /proc/$pid/maps)

1 and 2 require ATTACH
3 and 4 require READ

ATTACH is a higher bar, and I think it is appropriate here, still, for
2, since being able to examine secrets in memory should be considered
a security boundary.

Is there something you're trying from userspace that is being blocked?

-Kees

-- 
Kees Cook
Pixel Security