RE: [RFC PATCH 0/1] security: add SECURE_KEEP_FSUID to preserve fsuid/fsgid across execve

From: James Morris
Date: Fri Jun 14 2019 - 23:59:13 EST

Next message: Linus Torvalds: "Re: pagecache locking (was: bcachefs status update) merged)"
Previous message: Dexuan Cui: "RE: [PATCH net] hvsock: fix epollout hang from race condition"
In reply to: Lubashev, Igor: "RE: [RFC PATCH 0/1] security: add SECURE_KEEP_FSUID to preserve fsuid/fsgid across execve"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, 15 Jun 2019, Lubashev, Igor wrote:

> > On Friday, June 14, 2019, James Morris wrote:

> Unfortunately, perf is using uid==0 and euid==0 as a "capability bits".
>
>
> In tools/perf/util/evsel.c:
> static bool perf_event_can_profile_kernel(void)
> {
> return geteuid() == 0 || perf_event_paranoid() == -1;
> }
>
> In tools/perf/util/symbol.c:
> static bool symbol__read_kptr_restrict(void)
> {
> ...
> value = ((geteuid() != 0) || (getuid() != 0)) ?
> (atoi(line) != 0) :
> (atoi(line) == 2);
> ...
> }

These are bugs. They should be checking for CAP_SYS_ADMIN.

>
> > Have you considered the example security configuration in
> > Documentation/admin-guide/perf-security.rst ?
>
> Unfortunately, this configuration does not work, unless you reset
> /proc/sys/kernel/perf_event_paranoid to a permissive level (see code
> above). We have perf_event_paranoid set to 2. If it worked, we could had
> implemented the same capability-based policy in the wrapper.

This is not necessary for a process which has CAP_SYS_ADMIN.

--
James Morris
<jmorris@xxxxxxxxx>

Next message: Linus Torvalds: "Re: pagecache locking (was: bcachefs status update) merged)"
Previous message: Dexuan Cui: "RE: [PATCH net] hvsock: fix epollout hang from race condition"
In reply to: Lubashev, Igor: "RE: [RFC PATCH 0/1] security: add SECURE_KEEP_FSUID to preserve fsuid/fsgid across execve"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]