Re: [PATCH v1] keys: Restrict KEYCTL_SESSION_TO_PARENT according to ptrace_may_access()

From: Jann Horn
Date: Mon Jul 29 2024 - 09:50:23 EST


On Mon, Jul 29, 2024 at 2:59 PM Mickaël Salaün <mic@xxxxxxxxxxx> wrote:
> A process can modify its parent's credentials with
> KEYCTL_SESSION_TO_PARENT when their EUID and EGID are the same. This
> doesn't take into account all possible access controls.
>
> Enforce the same access checks as for impersonating a process.
>
> The current credentials checks are untouch because they check against
> EUID and EGID, whereas ptrace_may_access() checks against UID and GID.

FWIW, my understanding is that the intended usecase of
KEYCTL_SESSION_TO_PARENT is that command-line tools (like "keyctl
new_session" and "e4crypt new_session") want to be able to change the
keyring of the parent process that spawned them (which I think is
usually a shell?); and Yama LSM, which I think is fairly widely used
at this point, by default prevents a child process from using
PTRACE_MODE_ATTACH on its parent.

I think KEYCTL_SESSION_TO_PARENT is not a great design, but I'm not
sure if we can improve it much without risking some breakage.