[RESEND][PATCH] proc: Fix timerslack_ns CAP_SYS_NICE check when adjusting self

[RESEND][PATCH] proc: Fix timerslack_ns CAP_SYS_NICE check when adjusting self

[John Stultz]

In changing from checking ptrace_may_access(p, PTRACE_MODE_ATTACH_FSCREDS)
to capable(CAP_SYS_NICE), I missed that ptrace_my_access succeeds
when p == current, but the CAP_SYS_NICE doesn't.

Thus while the previous commit was intended to loosen the needed
privledges to modify a processes timerslack, it needlessly restricted
a task modifying its own timerslack via the proc/<tid>/timerslack_ns
(which is permitted also via the PR_SET_TIMERSLACK method).

This patch corrects this by checking if p == current before checking
the CAP_SYS_NICE value.

This patch applies on top of my two previous patches currently in -mm

Cc: Kees Cook <keescook@chromium.org>
Cc: "Serge E. Hallyn" <serge@hallyn.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
CC: Arjan van de Ven <arjan@linux.intel.com>
Cc: Oren Laadan <orenl@cellrox.com>
Cc: Ruchi Kandoi <kandoiruchi@google.com>
Cc: Rom Lemarchand <romlem@android.com>
Cc: Todd Kjos <tkjos@google.com>
Cc: Colin Cross <ccross@android.com>
Cc: Nick Kralevich <nnk@google.com>
Cc: Dmitry Shmidt <dimitrysh@google.com>
Cc: Elliott Hughes <enh@google.com>
Cc: Android Kernel Team <kernel-team@android.com>
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: John Stultz <john.stultz@linaro.org>
---
 fs/proc/base.c | 34 +++++++++++++++++++---------------
 1 file changed, 19 insertions(+), 15 deletions(-)

diff --git a/fs/proc/base.c b/fs/proc/base.c
index 02f8389..01c3c2d 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -2281,15 +2281,17 @@ static ssize_t timerslack_ns_write(struct file *file, const char __user *buf,
 	if (!p)
 		return -ESRCH;
 
-	if (!capable(CAP_SYS_NICE)) {
-		count = -EPERM;
-		goto out;
-	}
+	if (p != current) {
+		if (!capable(CAP_SYS_NICE)) {
+			count = -EPERM;
+			goto out;
+		}
 
-	err = security_task_setscheduler(p);
-	if (err) {
-		count = err;
-		goto out;
+		err = security_task_setscheduler(p);
+		if (err) {
+			count = err;
+			goto out;
+		}
 	}
 
 	task_lock(p);
@@ -2315,14 +2317,16 @@ static int timerslack_ns_show(struct seq_file *m, void *v)
 	if (!p)
 		return -ESRCH;
 
-	if (!capable(CAP_SYS_NICE)) {
-		err = -EPERM;
-		goto out;
-	}
+	if (p != current) {
 
-	err = security_task_getscheduler(p);
-	if (err)
-		goto out;
+		if (!capable(CAP_SYS_NICE)) {
+			err = -EPERM;
+			goto out;
+		}
+		err = security_task_getscheduler(p);
+		if (err)
+			goto out;
+	}
 
 	task_lock(p);
 	seq_printf(m, "%llu\n", p->timer_slack_ns);
-- 
1.9.1

Re: [RESEND][PATCH] proc: Fix timerslack_ns CAP_SYS_NICE check when adjusting self

[John Stultz]

On Mon, Aug 22, 2016 at 4:01 PM, John Stultz <john.stultz@linaro.org> wrote:
> In changing from checking ptrace_may_access(p, PTRACE_MODE_ATTACH_FSCREDS)
> to capable(CAP_SYS_NICE), I missed that ptrace_my_access succeeds
> when p == current, but the CAP_SYS_NICE doesn't.
>
> Thus while the previous commit was intended to loosen the needed
> privledges to modify a processes timerslack, it needlessly restricted
> a task modifying its own timerslack via the proc/<tid>/timerslack_ns
> (which is permitted also via the PR_SET_TIMERSLACK method).
>
> This patch corrects this by checking if p == current before checking
> the CAP_SYS_NICE value.
>
> This patch applies on top of my two previous patches currently in -mm

Ping? Any feedback or comments on this one?

thanks
-john

Re: [RESEND][PATCH] proc: Fix timerslack_ns CAP_SYS_NICE check when adjusting self

[Kees Cook]

On Mon, Aug 22, 2016 at 7:01 PM, John Stultz <john.stultz@linaro.org> wrote:
> In changing from checking ptrace_may_access(p, PTRACE_MODE_ATTACH_FSCREDS)
> to capable(CAP_SYS_NICE), I missed that ptrace_my_access succeeds
> when p == current, but the CAP_SYS_NICE doesn't.
>
> Thus while the previous commit was intended to loosen the needed
> privledges to modify a processes timerslack, it needlessly restricted
> a task modifying its own timerslack via the proc/<tid>/timerslack_ns
> (which is permitted also via the PR_SET_TIMERSLACK method).
>
> This patch corrects this by checking if p == current before checking
> the CAP_SYS_NICE value.
>
> This patch applies on top of my two previous patches currently in -mm
>
> Cc: Kees Cook <keescook@chromium.org>
> Cc: "Serge E. Hallyn" <serge@hallyn.com>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: Thomas Gleixner <tglx@linutronix.de>
> CC: Arjan van de Ven <arjan@linux.intel.com>
> Cc: Oren Laadan <orenl@cellrox.com>
> Cc: Ruchi Kandoi <kandoiruchi@google.com>
> Cc: Rom Lemarchand <romlem@android.com>
> Cc: Todd Kjos <tkjos@google.com>
> Cc: Colin Cross <ccross@android.com>
> Cc: Nick Kralevich <nnk@google.com>
> Cc: Dmitry Shmidt <dimitrysh@google.com>
> Cc: Elliott Hughes <enh@google.com>
> Cc: Android Kernel Team <kernel-team@android.com>
> Acked-by: Kees Cook <keescook@chromium.org>
> Signed-off-by: John Stultz <john.stultz@linaro.org>

Andrew, can you take this for v4.8?

-Kees

> ---
>  fs/proc/base.c | 34 +++++++++++++++++++---------------
>  1 file changed, 19 insertions(+), 15 deletions(-)
>
> diff --git a/fs/proc/base.c b/fs/proc/base.c
> index 02f8389..01c3c2d 100644
> --- a/fs/proc/base.c
> +++ b/fs/proc/base.c
> @@ -2281,15 +2281,17 @@ static ssize_t timerslack_ns_write(struct file *file, const char __user *buf,
>         if (!p)
>                 return -ESRCH;
>
> -       if (!capable(CAP_SYS_NICE)) {
> -               count = -EPERM;
> -               goto out;
> -       }
> +       if (p != current) {
> +               if (!capable(CAP_SYS_NICE)) {
> +                       count = -EPERM;
> +                       goto out;
> +               }
>
> -       err = security_task_setscheduler(p);
> -       if (err) {
> -               count = err;
> -               goto out;
> +               err = security_task_setscheduler(p);
> +               if (err) {
> +                       count = err;
> +                       goto out;
> +               }
>         }
>
>         task_lock(p);
> @@ -2315,14 +2317,16 @@ static int timerslack_ns_show(struct seq_file *m, void *v)
>         if (!p)
>                 return -ESRCH;
>
> -       if (!capable(CAP_SYS_NICE)) {
> -               err = -EPERM;
> -               goto out;
> -       }
> +       if (p != current) {
>
> -       err = security_task_getscheduler(p);
> -       if (err)
> -               goto out;
> +               if (!capable(CAP_SYS_NICE)) {
> +                       err = -EPERM;
> +                       goto out;
> +               }
> +               err = security_task_getscheduler(p);
> +               if (err)
> +                       goto out;
> +       }
>
>         task_lock(p);
>         seq_printf(m, "%llu\n", p->timer_slack_ns);
> --
> 1.9.1
>



-- 
Kees Cook
Nexus Security

Re: [RESEND][PATCH] proc: Fix timerslack_ns CAP_SYS_NICE check when adjusting self

[Andrew Morton]

On Tue, 30 Aug 2016 18:46:23 -0400 Kees Cook <keescook@chromium.org> wrote:

> On Mon, Aug 22, 2016 at 7:01 PM, John Stultz <john.stultz@linaro.org> wrote:
> > In changing from checking ptrace_may_access(p, PTRACE_MODE_ATTACH_FSCREDS)
> > to capable(CAP_SYS_NICE), I missed that ptrace_my_access succeeds
> > when p == current, but the CAP_SYS_NICE doesn't.
> >
> > Thus while the previous commit was intended to loosen the needed
> > privledges to modify a processes timerslack, it needlessly restricted
> > a task modifying its own timerslack via the proc/<tid>/timerslack_ns
> > (which is permitted also via the PR_SET_TIMERSLACK method).
> >
> > This patch corrects this by checking if p == current before checking
> > the CAP_SYS_NICE value.
> >
> > This patch applies on top of my two previous patches currently in -mm
> >
> > Cc: Kees Cook <keescook@chromium.org>
> > Cc: "Serge E. Hallyn" <serge@hallyn.com>
> > Cc: Andrew Morton <akpm@linux-foundation.org>
> > Cc: Thomas Gleixner <tglx@linutronix.de>
> > CC: Arjan van de Ven <arjan@linux.intel.com>
> > Cc: Oren Laadan <orenl@cellrox.com>
> > Cc: Ruchi Kandoi <kandoiruchi@google.com>
> > Cc: Rom Lemarchand <romlem@android.com>
> > Cc: Todd Kjos <tkjos@google.com>
> > Cc: Colin Cross <ccross@android.com>
> > Cc: Nick Kralevich <nnk@google.com>
> > Cc: Dmitry Shmidt <dimitrysh@google.com>
> > Cc: Elliott Hughes <enh@google.com>
> > Cc: Android Kernel Team <kernel-team@android.com>
> > Acked-by: Kees Cook <keescook@chromium.org>
> > Signed-off-by: John Stultz <john.stultz@linaro.org>
> 
> Andrew, can you take this for v4.8?

Well, it fixes
proc-relax-proc-tid-timerslack_ns-capability-requirements.patch,
somewhat.  And it textually depends on that.

Do we want all of

proc-relax-proc-tid-timerslack_ns-capability-requirements.patch
proc-add-lsm-hook-checks-to-proc-tid-timerslack_ns.patch
proc-fix-timerslack_ns-cap_sys_nice-check-when-adjusting-self.patch

in 4.8?  If so, why?

Re: [RESEND][PATCH] proc: Fix timerslack_ns CAP_SYS_NICE check when adjusting self

[Kees Cook]

On Tue, Aug 30, 2016 at 7:06 PM, Andrew Morton
<akpm@linux-foundation.org> wrote:
> On Tue, 30 Aug 2016 18:46:23 -0400 Kees Cook <keescook@chromium.org> wrote:
>
>> On Mon, Aug 22, 2016 at 7:01 PM, John Stultz <john.stultz@linaro.org> wrote:
>> > In changing from checking ptrace_may_access(p, PTRACE_MODE_ATTACH_FSCREDS)
>> > to capable(CAP_SYS_NICE), I missed that ptrace_my_access succeeds
>> > when p == current, but the CAP_SYS_NICE doesn't.
>> >
>> > Thus while the previous commit was intended to loosen the needed
>> > privledges to modify a processes timerslack, it needlessly restricted
>> > a task modifying its own timerslack via the proc/<tid>/timerslack_ns
>> > (which is permitted also via the PR_SET_TIMERSLACK method).
>> >
>> > This patch corrects this by checking if p == current before checking
>> > the CAP_SYS_NICE value.
>> >
>> > This patch applies on top of my two previous patches currently in -mm
>> >
>> > Cc: Kees Cook <keescook@chromium.org>
>> > Cc: "Serge E. Hallyn" <serge@hallyn.com>
>> > Cc: Andrew Morton <akpm@linux-foundation.org>
>> > Cc: Thomas Gleixner <tglx@linutronix.de>
>> > CC: Arjan van de Ven <arjan@linux.intel.com>
>> > Cc: Oren Laadan <orenl@cellrox.com>
>> > Cc: Ruchi Kandoi <kandoiruchi@google.com>
>> > Cc: Rom Lemarchand <romlem@android.com>
>> > Cc: Todd Kjos <tkjos@google.com>
>> > Cc: Colin Cross <ccross@android.com>
>> > Cc: Nick Kralevich <nnk@google.com>
>> > Cc: Dmitry Shmidt <dimitrysh@google.com>
>> > Cc: Elliott Hughes <enh@google.com>
>> > Cc: Android Kernel Team <kernel-team@android.com>
>> > Acked-by: Kees Cook <keescook@chromium.org>
>> > Signed-off-by: John Stultz <john.stultz@linaro.org>
>>
>> Andrew, can you take this for v4.8?
>
> Well, it fixes
> proc-relax-proc-tid-timerslack_ns-capability-requirements.patch,
> somewhat.  And it textually depends on that.
>
> Do we want all of
>
> proc-relax-proc-tid-timerslack_ns-capability-requirements.patch
> proc-add-lsm-hook-checks-to-proc-tid-timerslack_ns.patch
> proc-fix-timerslack_ns-cap_sys_nice-check-when-adjusting-self.patch
>
> in 4.8?  If so, why?

Oh, my misunderstanding. I thought those already landed in 4.8. If
not, nevermind on the "rush". :) Thanks for picking it up!

-Kees

-- 
Kees Cook
Nexus Security

Re: [RESEND][PATCH] proc: Fix timerslack_ns CAP_SYS_NICE check when adjusting self

[John Stultz]

On Tue, Aug 30, 2016 at 4:06 PM, Andrew Morton
<akpm@linux-foundation.org> wrote:
> On Tue, 30 Aug 2016 18:46:23 -0400 Kees Cook <keescook@chromium.org> wrote:
>
>> On Mon, Aug 22, 2016 at 7:01 PM, John Stultz <john.stultz@linaro.org> wrote:
>> > In changing from checking ptrace_may_access(p, PTRACE_MODE_ATTACH_FSCREDS)
>> > to capable(CAP_SYS_NICE), I missed that ptrace_my_access succeeds
>> > when p == current, but the CAP_SYS_NICE doesn't.
>> >
>> > Thus while the previous commit was intended to loosen the needed
>> > privledges to modify a processes timerslack, it needlessly restricted
>> > a task modifying its own timerslack via the proc/<tid>/timerslack_ns
>> > (which is permitted also via the PR_SET_TIMERSLACK method).
>> >
>> > This patch corrects this by checking if p == current before checking
>> > the CAP_SYS_NICE value.
>> >
>> > This patch applies on top of my two previous patches currently in -mm
>> >
>> > Cc: Kees Cook <keescook@chromium.org>
>> > Cc: "Serge E. Hallyn" <serge@hallyn.com>
>> > Cc: Andrew Morton <akpm@linux-foundation.org>
>> > Cc: Thomas Gleixner <tglx@linutronix.de>
>> > CC: Arjan van de Ven <arjan@linux.intel.com>
>> > Cc: Oren Laadan <orenl@cellrox.com>
>> > Cc: Ruchi Kandoi <kandoiruchi@google.com>
>> > Cc: Rom Lemarchand <romlem@android.com>
>> > Cc: Todd Kjos <tkjos@google.com>
>> > Cc: Colin Cross <ccross@android.com>
>> > Cc: Nick Kralevich <nnk@google.com>
>> > Cc: Dmitry Shmidt <dimitrysh@google.com>
>> > Cc: Elliott Hughes <enh@google.com>
>> > Cc: Android Kernel Team <kernel-team@android.com>
>> > Acked-by: Kees Cook <keescook@chromium.org>
>> > Signed-off-by: John Stultz <john.stultz@linaro.org>
>>
>> Andrew, can you take this for v4.8?
>
> Well, it fixes
> proc-relax-proc-tid-timerslack_ns-capability-requirements.patch,
> somewhat.  And it textually depends on that.
>
> Do we want all of
>
> proc-relax-proc-tid-timerslack_ns-capability-requirements.patch
> proc-add-lsm-hook-checks-to-proc-tid-timerslack_ns.patch
> proc-fix-timerslack_ns-cap_sys_nice-check-when-adjusting-self.patch
>
> in 4.8?  If so, why?

No.. they're fine to wait for the 4.9 merge window. But you picking up
this last fix is appreciated!

thanks
-john

Re: [RESEND][PATCH] proc: Fix timerslack_ns CAP_SYS_NICE check when adjusting self

[Serge E. Hallyn]

On Mon, Aug 29, 2016 at 11:28:47AM -0700, John Stultz wrote:
> On Mon, Aug 22, 2016 at 4:01 PM, John Stultz <john.stultz@linaro.org> wrote:
> > In changing from checking ptrace_may_access(p, PTRACE_MODE_ATTACH_FSCREDS)
> > to capable(CAP_SYS_NICE), I missed that ptrace_my_access succeeds
> > when p == current, but the CAP_SYS_NICE doesn't.
> >
> > Thus while the previous commit was intended to loosen the needed
> > privledges to modify a processes timerslack, it needlessly restricted
> > a task modifying its own timerslack via the proc/<tid>/timerslack_ns
> > (which is permitted also via the PR_SET_TIMERSLACK method).
> >
> > This patch corrects this by checking if p == current before checking
> > the CAP_SYS_NICE value.
> >
> > This patch applies on top of my two previous patches currently in -mm
> 
> Ping? Any feedback or comments on this one?

(sorry - no objection from me on this patch, thanks)