Re: [PATCH 10/11] capsicum: prctl(2) to force use of O_BENEATH

[RFC PATCHv2 00/11] Adding FreeBSD's Capsicum security framework · David Drysdale <hidden> · 2014-07-25
[PATCH 01/11] fs: add O_BENEATH flag to openat(2) · David Drysdale <hidden> · 2014-07-25
[PATCH 02/11] selftests: Add test of O_BENEATH & openat(2) · David Drysdale <hidden> · 2014-07-25
[PATCH 06/11] capsicum: implement sockfd_lookupr() · David Drysdale <hidden> · 2014-07-25
[PATCH 05/11] capsicum: convert callers to use fgetr() etc · David Drysdale <hidden> · 2014-07-25
[PATCH 2/6] capsicum.7: describe Capsicum capability framework · David Drysdale <hidden> · 2014-07-25
[PATCH 5/6] cap_rights_get.2: retrieve Capsicum fd rights · David Drysdale <hidden> · 2014-07-25
[PATCH 6/6] prctl.2: describe PR_SET_OPENAT_BENEATH/PR_GET_OPENAT_BENEATH · David Drysdale <hidden> · 2014-07-25
[PATCH 4/6] cap_rights_limit.2: limit FD rights for Capsicum · David Drysdale <hidden> · 2014-07-25
[PATCH 3/6] rights.7: Describe Capsicum primary rights · David Drysdale <hidden> · 2014-07-25
[PATCH 1/6] open.2: describe O_BENEATH flag · David Drysdale <hidden> · 2014-07-25
[PATCH 11/11] seccomp: Add tgid and tid into seccomp_data · David Drysdale <hidden> · 2014-07-25
Re: [PATCH 11/11] seccomp: Add tgid and tid into seccomp_data · Andy Lutomirski <luto@amacapital.net> · 2014-07-25
Re: [PATCH 11/11] seccomp: Add tgid and tid into seccomp_data · Kees Cook <hidden> · 2014-07-25
Re: [PATCH 11/11] seccomp: Add tgid and tid into seccomp_data · Andy Lutomirski <luto@amacapital.net> · 2014-07-25
Re: [PATCH 11/11] seccomp: Add tgid and tid into seccomp_data · Kees Cook <hidden> · 2014-07-25
Re: [PATCH 11/11] seccomp: Add tgid and tid into seccomp_data · Julien Tinnes <hidden> · 2014-07-25
Re: [PATCH 11/11] seccomp: Add tgid and tid into seccomp_data · David Drysdale <hidden> · 2014-07-27
[PATCH 10/11] capsicum: prctl(2) to force use of O_BENEATH · David Drysdale <hidden> · 2014-07-25
Re: [PATCH 10/11] capsicum: prctl(2) to force use of O_BENEATH · Paolo Bonzini <pbonzini@redhat.com> · 2014-07-25
Re: [PATCH 10/11] capsicum: prctl(2) to force use of O_BENEATH · Andy Lutomirski <luto@amacapital.net> · 2014-07-25
Re: [PATCH 10/11] capsicum: prctl(2) to force use of O_BENEATH · David Drysdale <hidden> · 2014-07-27
[PATCH 09/11] capsicum: add syscalls to limit FD rights · David Drysdale <hidden> · 2014-07-25
[PATCH 08/11] capsicum: invoke Capsicum on FD/file conversion · David Drysdale <hidden> · 2014-07-25
[PATCH 07/11] capsicum: convert callers to use sockfd_lookupr() etc · David Drysdale <hidden> · 2014-07-25
[PATCH 03/11] capsicum: rights values and structure definitions · David Drysdale <hidden> · 2014-07-25
[PATCH 04/11] capsicum: implement fgetr() and friends · David Drysdale <hidden> · 2014-07-25

From: David Drysdale <hidden>
Date: 2014-07-27 12:08:35
Also in: lkml

On Fri, Jul 25, 2014 at 5:00 PM, Andy Lutomirski [off-list ref] wrote:

On Jul 25, 2014 7:02 AM, "Paolo Bonzini" [off-list ref] wrote:

quoted

Il 25/07/2014 15:47, David Drysdale ha scritto:

quoted

@@ -1996,6 +2013,17 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
              if (arg2 || arg3 || arg4 || arg5)
                      return -EINVAL;
              return current->no_new_privs ? 1 : 0;
+     case PR_SET_OPENAT_BENEATH:
+             if (arg2 != 1 || arg4 || arg5)
+                     return -EINVAL;
+             if ((arg3 & ~(PR_SET_OPENAT_BENEATH_TSYNC)) != 0)
+                     return -EINVAL;
+             error = prctl_set_openat_beneath(me, arg3);
+             break;
+     case PR_GET_OPENAT_BENEATH:
+             if (arg2 || arg3 || arg4 || arg5)
+                     return -EINVAL;
+             return me->openat_beneath;
      case PR_GET_THP_DISABLE:
              if (arg2 || arg3 || arg4 || arg5)
                      return -EINVAL;

Why are you always forbidding a change of prctl from 1 to 0?  It should
be safe if current->no_new_privs is clear.

I don't immediately see why you're forbidding unsettling it at all.
If you need it to be sticky, then use seccomp or Capsicum to make it
sticky.

Good point, that would make the function more generic -- needing to
latch is specific to Capsicum's use of it.

Also, the way implementation is dangerously racy -- if anyone pokes at
adjacent bitfields without the lock, they can get corrupted.  Try
basing on Kees' seccomp tree or security-next and using the new atomic
flags field.

Ah yes, sorry -- I hadn't yet shifted the implementation to line up with
the work you and Kees have put into the seccomp stuff.


--Andy

quoted

Do new threads inherit from the parent?

Also, I wonder if you need something like this check:

        /*
         * Installing a seccomp filter requires that the task has
         * CAP_SYS_ADMIN in its namespace or be running with no_new_privs.
         * This avoids scenarios where unprivileged tasks can affect the
         * behavior of privileged children.
         */
        if (!current->no_new_privs &&
            security_capable_noaudit(current_cred(), current_user_ns(),
                                     CAP_SYS_ADMIN) != 0)
                return -EACCES;

Paolo

Yes, new threads inherit the flag from the parent so the
NNP||CAP_SYS_ADMIN check is probably needed.

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help