Re: + mm-relax-ptrace-mode-in-process_vm_readv2.patch added to -mm tree

[Kees Cook]

On Tue, Mar 6, 2018 at 10:03 AM, Alexey Dobriyan <adobriyan@xxxxxxxxx> wrote:
> On Tue, Mar 06, 2018 at 08:42:19PM +0300, Alexey Dobriyan wrote:
>> On Mon, Mar 05, 2018 at 05:02:08PM -0800, Kees Cook wrote:
>> > On Mon, Mar 5, 2018 at 4:07 PM,  <akpm@xxxxxxxxxxxxxxxxxxxx> wrote:
>>
>> > > It is more natural to check for read-from-memory permissions in case of
>> > > process_vm_readv() as PTRACE_MODE_ATTACH is equivalent to write
>> > > permissions.
>> >
>> > NAK, this weakens the existing permission model for reading
>>
>> What if existing permission model is overezealous?
>>
>> /proc/*/auxv, /proc/*/environ, /proc*/cmdline, /proc/*/mem opened
>> for reading and process_vm_readv(2) should do PTRACE_MODE_READ and
>> everything else should do PTRACE_MODE_ATTACH.
>
> Or in other words:
>
> what if there should be 3 levels:
> 1) permission to write to address space
> 2) permission to read arbitrarily from adress space
> 3) permission to read auxv, argv and envp
>
> Current code conflates (1) and (2).

There is also:

4) permission to read address layout (e.g. access to /proc/$pid/maps)

1 and 2 require ATTACH
3 and 4 require READ

ATTACH is a higher bar, and I think it is appropriate here, still, for
2, since being able to examine secrets in memory should be considered
a security boundary.

Is there something you're trying from userspace that is being blocked?

-Kees

-- 
Kees Cook
Pixel Security