Re: [PATCH v8 9/9] seccomp: implement SECCOMP_FILTER_FLAG_TSYNC

From: Oleg Nesterov
Date: Wed Jun 25 2014 - 10:23:46 EST

Next message: Marc Zyngier: "Re: [RFC PATCH 3/9] irqchip: GIC: Convert to EOImode == 1"
Previous message: Josef Gajdusek: "[PATCH] hwmon: (emc1403) Fix missing 'select REGMAP_I2C' in Kconfig"
In reply to: Kees Cook: "[PATCH v8 9/9] seccomp: implement SECCOMP_FILTER_FLAG_TSYNC"
Next in thread: Kees Cook: "Re: [PATCH v8 9/9] seccomp: implement SECCOMP_FILTER_FLAG_TSYNC"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 06/24, Kees Cook wrote:
>
> +static void seccomp_sync_threads(void)
> +{
> + struct task_struct *thread, *caller;
> +
> + BUG_ON(!spin_is_locked(&current->sighand->siglock));
> +
> + /* Synchronize all threads. */
> + caller = current;
> + for_each_thread(caller, thread) {
> + /* Get a task reference for the new leaf node. */
> + get_seccomp_filter(caller);
> + /*
> + * Drop the task reference to the shared ancestor since
> + * current's path will hold a reference. (This also
> + * allows a put before the assignment.)
> + */
> + put_seccomp_filter(thread);
> + thread->seccomp.filter = caller->seccomp.filter;
> + /* Opt the other thread into seccomp if needed.
> + * As threads are considered to be trust-realm
> + * equivalent (see ptrace_may_access), it is safe to
> + * allow one thread to transition the other.
> + */
> + if (thread->seccomp.mode == SECCOMP_MODE_DISABLED) {
> + /*
> + * Don't let an unprivileged task work around
> + * the no_new_privs restriction by creating
> + * a thread that sets it up, enters seccomp,
> + * then dies.
> + */
> + if (task_no_new_privs(caller))
> + task_set_no_new_privs(thread);
> +
> + seccomp_assign_mode(thread, SECCOMP_MODE_FILTER);
> + }
> + }
> +}

OK, personally I think this all make sense. I even think that perhaps
SECCOMP_FILTER_FLAG_TSYNC should allow filter == NULL, a thread might
want to "sync" without adding the new filter, but this is minor/offtopic.

But. Doesn't this change add the new security hole?

Obviously, we should not allow to install a filter and then (say) exec
a suid binary, that is why we have no_new_privs/LSM_UNSAFE_NO_NEW_PRIVS.

But what if "thread->seccomp.filter = caller->seccomp.filter" races with
any user of task_no_new_privs() ? Say, suppose this thread has already
passed check_unsafe_exec/etc and it is going to exec the suid binary?

Oleg.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Marc Zyngier: "Re: [RFC PATCH 3/9] irqchip: GIC: Convert to EOImode == 1"
Previous message: Josef Gajdusek: "[PATCH] hwmon: (emc1403) Fix missing 'select REGMAP_I2C' in Kconfig"
In reply to: Kees Cook: "[PATCH v8 9/9] seccomp: implement SECCOMP_FILTER_FLAG_TSYNC"
Next in thread: Kees Cook: "Re: [PATCH v8 9/9] seccomp: implement SECCOMP_FILTER_FLAG_TSYNC"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]