On Wed, Jan 20, 2021 at 8:57 AM Suren Baghdasaryan surenb@google.com wrote:
On Wed, Jan 20, 2021 at 5:18 AM Jann Horn jannh@google.com wrote:
On Wed, Jan 13, 2021 at 3:22 PM Michal Hocko mhocko@suse.com wrote:
On Tue 12-01-21 09:51:24, Suren Baghdasaryan wrote:
On Tue, Jan 12, 2021 at 9:45 AM Oleg Nesterov oleg@redhat.com wrote:
On 01/12, Michal Hocko wrote:
On Mon 11-01-21 09:06:22, Suren Baghdasaryan wrote:
> What we want is the ability for one process to influence another process > in order to optimize performance across the entire system while leaving > the security boundary intact. > Replace PTRACE_MODE_ATTACH with a combination of PTRACE_MODE_READ > and CAP_SYS_NICE. PTRACE_MODE_READ to prevent leaking ASLR metadata > and CAP_SYS_NICE for influencing process performance.
I have to say that ptrace modes are rather obscure to me. So I cannot really judge whether MODE_READ is sufficient. My understanding has always been that this is requred to RO access to the address space. But this operation clearly has a visible side effect. Do we have any actual documentation for the existing modes?
I would be really curious to hear from Jann and Oleg (now Cced).
Can't comment, sorry. I never understood these security checks and never tried. IIUC only selinux/etc can treat ATTACH/READ differently and I have no idea what is the difference.
Yama in particular only does its checks on ATTACH and ignores READ, that's the difference you're probably most likely to encounter on a normal desktop system, since some distros turn Yama on by default. Basically the idea there is that running "gdb -p $pid" or "strace -p $pid" as a normal user will usually fail, but reading /proc/$pid/maps still works; so you can see things like detailed memory usage information and such, but you're not supposed to be able to directly peek into a running SSH client and inject data into the existing SSH connection, or steal the cryptographic keys for the current connection, or something like that.
I haven't seen a written explanation on ptrace modes but when I consulted Jann his explanation was:
PTRACE_MODE_READ means you can inspect metadata about processes with the specified domain, across UID boundaries. PTRACE_MODE_ATTACH means you can fully impersonate processes with the specified domain, across UID boundaries.
Maybe this would be a good start to document expectations. Some more practical examples where the difference is visible would be great as well.
Before documenting the behavior, it would be a good idea to figure out what to do with perf_event_open(). That one's weird in that it only requires PTRACE_MODE_READ, but actually allows you to sample stuff like userspace stack and register contents (if perf_event_paranoid is 1 or 2). Maybe for SELinux things (and maybe also for Yama), there should be a level in between that allows fully inspecting the process (for purposes like profiling) but without the ability to corrupt its memory or registers or things like that. Or maybe perf_event_open() should just use the ATTACH mode.
Thanks for additional clarifications, Jann! Just to clarify, the documentation I'm preparing is a man page for process_madvise(2) which will list the required capabilities but won't dive into all the security details. I believe the above suggestions are for documenting different PTRACE modes and will not be included in that man page. Maybe a separate document could do that but I'm definitely not qualified to write it.
Folks, I posted the man page here: https://lore.kernel.org/linux-mm/20210120202337.1481402-1-surenb@google.com/
Also I realized that this patch is not changing at all and if I send a new version, the only difference would be CC'ing it to stable and linux-security-module. I'm CC'ing stable (James already CC'ed LSM), but if I should re-post it please let me know.
Cc: stable@vger.kernel.org # 5.10+
linux-stable-mirror@lists.linaro.org
-
Suren Baghdasaryan