Re: [PATCH] ptrace: use fsuid, fsgid, effective creds for fs access checks

2015-12-07 Thread Kees Cook
On Sat, Dec 5, 2015 at 6:04 PM, Jann Horn wrote: > By checking the effective credentials instead of the real UID / > permitted capabilities, ensure that the calling process actually > intended to use its credentials. > > To ensure that all ptrace checks use the correct caller >

Re: [PATCH] ptrace: use fsuid, fsgid, effective creds for fs access checks

2015-12-07 Thread Jann Horn
On Mon, Dec 07, 2015 at 12:32:06PM -0800, Kees Cook wrote: > On Sat, Dec 5, 2015 at 6:04 PM, Jann Horn wrote: [...] > > - if (ptrace_may_access(task, PTRACE_MODE_READ)) { > > + if (ptrace_may_access(task, PTRACE_MODE_READ | > > PTRACE_MODE_FSCREDS)) { > > This should

Re: [PATCH] ptrace: use fsuid, fsgid, effective creds for fs access checks

2015-12-07 Thread Jann Horn
Whoops. After Kees pointed out my last mistake, I decided to grep around a bit to make sure I didn't miss anything else and noticed that apparently, Yama and Smack aren't completely aware that the ptrace access mode can have flags ORed in? Until now, it was just the NOAUDIT flag for

[PATCH] ptrace: use fsuid, fsgid, effective creds for fs access checks

2015-12-05 Thread Jann Horn
By checking the effective credentials instead of the real UID / permitted capabilities, ensure that the calling process actually intended to use its credentials. To ensure that all ptrace checks use the correct caller credentials (e.g. in case out-of-tree code or newly added code omits the

Re: [PATCH] ptrace: use fsuid, fsgid, effective creds for fs access checks

2015-11-09 Thread Willy Tarreau
On Mon, Nov 09, 2015 at 12:55:54PM -0800, Andrew Morton wrote: > > --- a/fs/proc/array.c > > +++ b/fs/proc/array.c > > @@ -395,7 +395,8 @@ static int do_task_stat(struct seq_file *m, struct > > pid_namespace *ns, > > > > state = *get_task_state(task); > > vsize = eip = esp = 0; > > -

Re: [PATCH] ptrace: use fsuid, fsgid, effective creds for fs access checks

2015-11-09 Thread Jann Horn
On Mon, Nov 09, 2015 at 12:55:54PM -0800, Andrew Morton wrote: > On Sun, 8 Nov 2015 13:08:36 +0100 Jann Horn wrote: > > > By checking the effective credentials instead of the real UID / > > permitted capabilities, ensure that the calling process actually > > intended to use its

Re: [PATCH] ptrace: use fsuid, fsgid, effective creds for fs access checks

2015-11-09 Thread Andrew Morton
On Mon, 9 Nov 2015 22:12:09 +0100 Jann Horn wrote: > > > Can we do > > > > #define PTRACE_foo (PTRACE_MODE_READ|PTRACE_MODE_FSCREDS) > > > > to avoid all that? > > Hm. All combinations of the PTRACE_MODE_*CREDS flags with > PTRACE_MODE_{READ,ATTACH} plus optionally

Re: [PATCH] ptrace: use fsuid, fsgid, effective creds for fs access checks

2015-11-09 Thread Andrew Morton
On Sun, 8 Nov 2015 13:08:36 +0100 Jann Horn wrote: > By checking the effective credentials instead of the real UID / > permitted capabilities, ensure that the calling process actually > intended to use its credentials. > > To ensure that all ptrace checks use the correct caller

[PATCH] ptrace: use fsuid, fsgid, effective creds for fs access checks

2015-11-08 Thread Jann Horn
By checking the effective credentials instead of the real UID / permitted capabilities, ensure that the calling process actually intended to use its credentials. To ensure that all ptrace checks use the correct caller credentials (e.g. in case out-of-tree code or newly added code omits the