SELinux Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH] proc: prevent changes to overridden credentials
@ 2019-04-19 18:55 Paul Moore
  2019-04-19 18:59 ` Paul Moore
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Paul Moore @ 2019-04-19 18:55 UTC (permalink / raw)
  To: linux-security-module; +Cc: selinux, cj.chengjian, john.johansen, casey

Prevent userspace from changing the the /proc/PID/attr values if the
task's credentials are currently overriden.  This not only makes sense
conceptually, it also prevents some really bizarre error cases caused
when trying to commit credentials to a task with overridden
credentials.

Cc: <stable@vger.kernel.org>
Reported-by: "chengjian (D)" <cj.chengjian@huawei.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 fs/proc/base.c |    5 +++++
 1 file changed, 5 insertions(+)

diff --git a/fs/proc/base.c b/fs/proc/base.c
index ddef482f1334..87ba007b86db 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -2539,6 +2539,11 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf,
 		rcu_read_unlock();
 		return -EACCES;
 	}
+	/* Prevent changes to overridden credentials. */
+	if (current_cred() != current_real_cred()) {
+		rcu_read_unlock();
+		return -EBUSY;
+	}
 	rcu_read_unlock();
 
 	if (count > PAGE_SIZE)


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] proc: prevent changes to overridden credentials
  2019-04-19 18:55 [PATCH] proc: prevent changes to overridden credentials Paul Moore
@ 2019-04-19 18:59 ` Paul Moore
  2019-04-19 20:26   ` James Morris
  2019-04-19 19:03 ` John Johansen
  2019-04-21 17:14 ` Casey Schaufler
  2 siblings, 1 reply; 6+ messages in thread
From: Paul Moore @ 2019-04-19 18:59 UTC (permalink / raw)
  To: linux-security-module; +Cc: selinux, cj.chengjian, john.johansen, casey

On Fri, Apr 19, 2019 at 2:55 PM Paul Moore <paul@paul-moore.com> wrote:
> Prevent userspace from changing the the /proc/PID/attr values if the
> task's credentials are currently overriden.  This not only makes sense
> conceptually, it also prevents some really bizarre error cases caused
> when trying to commit credentials to a task with overridden
> credentials.
>
> Cc: <stable@vger.kernel.org>
> Reported-by: "chengjian (D)" <cj.chengjian@huawei.com>
> Signed-off-by: Paul Moore <paul@paul-moore.com>
> ---
>  fs/proc/base.c |    5 +++++
>  1 file changed, 5 insertions(+)

I sent this to the LSM list as I figure it should probably go via
James' linux-security tree since it is cross-LSM and doesn't really
contain any LSM specific code.  That said, if you don't want this
James let me know and I'll send it via the SELinux tree assuming I can
get ACKs from John and Casey (this should only affect SELinux,
AppArmor, and Smack).

> diff --git a/fs/proc/base.c b/fs/proc/base.c
> index ddef482f1334..87ba007b86db 100644
> --- a/fs/proc/base.c
> +++ b/fs/proc/base.c
> @@ -2539,6 +2539,11 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf,
>                 rcu_read_unlock();
>                 return -EACCES;
>         }
> +       /* Prevent changes to overridden credentials. */
> +       if (current_cred() != current_real_cred()) {
> +               rcu_read_unlock();
> +               return -EBUSY;
> +       }
>         rcu_read_unlock();
>
>         if (count > PAGE_SIZE)
>

-- 
paul moore
www.paul-moore.com

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] proc: prevent changes to overridden credentials
  2019-04-19 18:55 [PATCH] proc: prevent changes to overridden credentials Paul Moore
  2019-04-19 18:59 ` Paul Moore
@ 2019-04-19 19:03 ` John Johansen
  2019-04-21 17:14 ` Casey Schaufler
  2 siblings, 0 replies; 6+ messages in thread
From: John Johansen @ 2019-04-19 19:03 UTC (permalink / raw)
  To: Paul Moore, linux-security-module; +Cc: selinux, cj.chengjian, casey

On 4/19/19 11:55 AM, Paul Moore wrote:
> Prevent userspace from changing the the /proc/PID/attr values if the
> task's credentials are currently overriden.  This not only makes sense
> conceptually, it also prevents some really bizarre error cases caused
> when trying to commit credentials to a task with overridden
> credentials.
> 
> Cc: <stable@vger.kernel.org>
> Reported-by: "chengjian (D)" <cj.chengjian@huawei.com>
> Signed-off-by: Paul Moore <paul@paul-moore.com>

looks good

Acked-by: John Johansen <john.johansen@canonical.com>

> ---
>  fs/proc/base.c |    5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/fs/proc/base.c b/fs/proc/base.c
> index ddef482f1334..87ba007b86db 100644
> --- a/fs/proc/base.c
> +++ b/fs/proc/base.c
> @@ -2539,6 +2539,11 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf,
>  		rcu_read_unlock();
>  		return -EACCES;
>  	}
> +	/* Prevent changes to overridden credentials. */
> +	if (current_cred() != current_real_cred()) {
> +		rcu_read_unlock();
> +		return -EBUSY;
> +	}
>  	rcu_read_unlock();
>  
>  	if (count > PAGE_SIZE)
> 


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] proc: prevent changes to overridden credentials
  2019-04-19 18:59 ` Paul Moore
@ 2019-04-19 20:26   ` James Morris
  2019-04-29 13:57     ` Paul Moore
  0 siblings, 1 reply; 6+ messages in thread
From: James Morris @ 2019-04-19 20:26 UTC (permalink / raw)
  To: Paul Moore
  Cc: linux-security-module, selinux, cj.chengjian, john.johansen, casey

On Fri, 19 Apr 2019, Paul Moore wrote:

> On Fri, Apr 19, 2019 at 2:55 PM Paul Moore <paul@paul-moore.com> wrote:
> > Prevent userspace from changing the the /proc/PID/attr values if the
> > task's credentials are currently overriden.  This not only makes sense
> > conceptually, it also prevents some really bizarre error cases caused
> > when trying to commit credentials to a task with overridden
> > credentials.
> >
> > Cc: <stable@vger.kernel.org>
> > Reported-by: "chengjian (D)" <cj.chengjian@huawei.com>
> > Signed-off-by: Paul Moore <paul@paul-moore.com>
> > ---
> >  fs/proc/base.c |    5 +++++
> >  1 file changed, 5 insertions(+)
> 
> I sent this to the LSM list as I figure it should probably go via
> James' linux-security tree since it is cross-LSM and doesn't really
> contain any LSM specific code.  That said, if you don't want this
> James let me know and I'll send it via the SELinux tree assuming I can
> get ACKs from John and Casey (this should only affect SELinux,
> AppArmor, and Smack).

This is fine to go via your tree.


Acked-by: James Morris <james.morris@microsoft.com>


-- 
James Morris
<jmorris@namei.org>


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] proc: prevent changes to overridden credentials
  2019-04-19 18:55 [PATCH] proc: prevent changes to overridden credentials Paul Moore
  2019-04-19 18:59 ` Paul Moore
  2019-04-19 19:03 ` John Johansen
@ 2019-04-21 17:14 ` Casey Schaufler
  2 siblings, 0 replies; 6+ messages in thread
From: Casey Schaufler @ 2019-04-21 17:14 UTC (permalink / raw)
  To: Paul Moore, linux-security-module; +Cc: selinux, cj.chengjian, john.johansen

On 4/19/2019 11:55 AM, Paul Moore wrote:
> Prevent userspace from changing the the /proc/PID/attr values if the
> task's credentials are currently overriden.  This not only makes sense
> conceptually, it also prevents some really bizarre error cases caused
> when trying to commit credentials to a task with overridden
> credentials.
>
> Cc: <stable@vger.kernel.org>
> Reported-by: "chengjian (D)" <cj.chengjian@huawei.com>
> Signed-off-by: Paul Moore <paul@paul-moore.com>

Acked-by: Casey Schaufler <casey@schaufler-ca.com>

> ---
>   fs/proc/base.c |    5 +++++
>   1 file changed, 5 insertions(+)
>
> diff --git a/fs/proc/base.c b/fs/proc/base.c
> index ddef482f1334..87ba007b86db 100644
> --- a/fs/proc/base.c
> +++ b/fs/proc/base.c
> @@ -2539,6 +2539,11 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf,
>   		rcu_read_unlock();
>   		return -EACCES;
>   	}
> +	/* Prevent changes to overridden credentials. */
> +	if (current_cred() != current_real_cred()) {
> +		rcu_read_unlock();
> +		return -EBUSY;
> +	}
>   	rcu_read_unlock();
>   
>   	if (count > PAGE_SIZE)
>

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] proc: prevent changes to overridden credentials
  2019-04-19 20:26   ` James Morris
@ 2019-04-29 13:57     ` Paul Moore
  0 siblings, 0 replies; 6+ messages in thread
From: Paul Moore @ 2019-04-29 13:57 UTC (permalink / raw)
  To: James Morris
  Cc: linux-security-module, selinux, cj.chengjian, john.johansen, casey

On Fri, Apr 19, 2019 at 4:27 PM James Morris <jmorris@namei.org> wrote:
> On Fri, 19 Apr 2019, Paul Moore wrote:
> > On Fri, Apr 19, 2019 at 2:55 PM Paul Moore <paul@paul-moore.com> wrote:
> > > Prevent userspace from changing the the /proc/PID/attr values if the
> > > task's credentials are currently overriden.  This not only makes sense
> > > conceptually, it also prevents some really bizarre error cases caused
> > > when trying to commit credentials to a task with overridden
> > > credentials.
> > >
> > > Cc: <stable@vger.kernel.org>
> > > Reported-by: "chengjian (D)" <cj.chengjian@huawei.com>
> > > Signed-off-by: Paul Moore <paul@paul-moore.com>
> > > ---
> > >  fs/proc/base.c |    5 +++++
> > >  1 file changed, 5 insertions(+)
> >
> > I sent this to the LSM list as I figure it should probably go via
> > James' linux-security tree since it is cross-LSM and doesn't really
> > contain any LSM specific code.  That said, if you don't want this
> > James let me know and I'll send it via the SELinux tree assuming I can
> > get ACKs from John and Casey (this should only affect SELinux,
> > AppArmor, and Smack).
>
> This is fine to go via your tree.

Okay.  I just merged this into selinux/next.  I was sitting on this
patch to see how the other thread developed, but that doesn't really
seem to be reaching any conclusion and I really want this to get at
least one week in -next before the merge window opens.

Thanks everyone.

-- 
paul moore
www.paul-moore.com

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, back to index

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-04-19 18:55 [PATCH] proc: prevent changes to overridden credentials Paul Moore
2019-04-19 18:59 ` Paul Moore
2019-04-19 20:26   ` James Morris
2019-04-29 13:57     ` Paul Moore
2019-04-19 19:03 ` John Johansen
2019-04-21 17:14 ` Casey Schaufler

SELinux Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux/0 selinux/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux selinux/ https://lore.kernel.org/selinux \
		selinux@vger.kernel.org selinux@archiver.kernel.org
	public-inbox-index selinux


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux


AGPL code for this site: git clone https://public-inbox.org/ public-inbox