subject:"\[PATCH v2\] fs\: exec\: apply CLOEXEC before changing dumpable task flags"

Re: [PATCH v2] fs: exec: apply CLOEXEC before changing dumpable task flags

2016-12-22 Thread Eric W. Biederman

Aleksa Sarai  writes:

> If you have a process that has set itself to be non-dumpable, and it
> then undergoes exec(2), any CLOEXEC file descriptors it has open are
> "exposed" during a race window between the dumpable flags of the process
> being reset for exec(2) and CLOEXEC being applied to the file
> descriptors. This can be exploited by a process by attempting to access
> /proc//fd/... during this window, without requiring CAP_SYS_PTRACE.
>
> The race in question is after set_dumpable has been (for get_link,
> though the trace is basically the same for readlink):
>
> [vfs]
> -> proc_pid_link_inode_operations.get_link
>-> proc_pid_get_link
>   -> proc_fd_access_allowed
>  -> ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS);
>
> Which will return 0, during the race window and CLOEXEC file descriptors
> will still be open during this window because do_close_on_exec has not
> been called yet. As a result, the ordering of these calls should be
> reversed to avoid this race window.
>
> This is of particular concern to container runtimes, where joining a
> PID namespace with file descriptors referring to the host filesystem
> can result in security issues (since PRCTL_SET_DUMPABLE doesn't protect
> against access of CLOEXEC file descriptors -- file descriptors which may
> reference filesystem objects the container shouldn't have access to).

That seems reasonable.  I was thinking cred_guard_mutex should handle
this case, but it obviously won't because only ptrace_attach takes that.
Sigh with enough cleanups the code might even become comprehensible and
correct in there.

I have dropped this onto my for-testing branch for now (so I don't
forget it) and after the chaos of the merge window ends I will forward
this along.

Eric


> Cc: d...@opencontainers.org
> Cc:  # v3.2+
> Reported-by: Michael Crosby 
> Signed-off-by: Aleksa Sarai 
> ---
>  fs/exec.c | 10 --
>  1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/fs/exec.c b/fs/exec.c
> index 4e497b9ee71e..b0a98ef03253 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -19,7 +19,7 @@
>   * current->executable is only used by the procfs.  This allows a dispatch
>   * table to check for several different types  of binary formats.  We keep
>   * trying until we recognize the file or we run out of supported binary
> - * formats. 
> + * formats.
>   */
>  
>  #include 
> @@ -1266,6 +1266,13 @@ int flush_old_exec(struct linux_binprm * bprm)
>   flush_thread();
>   current->personality &= ~bprm->per_clear;
>  
> + /*
> +  * We have to apply CLOEXEC before we change whether the process is
> +  * dumpable (in setup_new_exec) to avoid a race with a process in 
> userspace
> +  * trying to access the should-be-closed file descriptors of a process
> +  * undergoing exec(2).
> +  */
> + do_close_on_exec(current->files);
>   return 0;
>  
>  out:
> @@ -1315,7 +1322,6 @@ void setup_new_exec(struct linux_binprm * bprm)
>  group */
>   current->self_exec_id++;
>   flush_signal_handlers(current, 0);
> - do_close_on_exec(current->files);
>  }
>  EXPORT_SYMBOL(setup_new_exec);

Re: [PATCH v2] fs: exec: apply CLOEXEC before changing dumpable task flags

2016-12-22 Thread Eric W. Biederman

Aleksa Sarai  writes:

> If you have a process that has set itself to be non-dumpable, and it
> then undergoes exec(2), any CLOEXEC file descriptors it has open are
> "exposed" during a race window between the dumpable flags of the process
> being reset for exec(2) and CLOEXEC being applied to the file
> descriptors. This can be exploited by a process by attempting to access
> /proc//fd/... during this window, without requiring CAP_SYS_PTRACE.
>
> The race in question is after set_dumpable has been (for get_link,
> though the trace is basically the same for readlink):
>
> [vfs]
> -> proc_pid_link_inode_operations.get_link
>-> proc_pid_get_link
>   -> proc_fd_access_allowed
>  -> ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS);
>
> Which will return 0, during the race window and CLOEXEC file descriptors
> will still be open during this window because do_close_on_exec has not
> been called yet. As a result, the ordering of these calls should be
> reversed to avoid this race window.
>
> This is of particular concern to container runtimes, where joining a
> PID namespace with file descriptors referring to the host filesystem
> can result in security issues (since PRCTL_SET_DUMPABLE doesn't protect
> against access of CLOEXEC file descriptors -- file descriptors which may
> reference filesystem objects the container shouldn't have access to).

That seems reasonable.  I was thinking cred_guard_mutex should handle
this case, but it obviously won't because only ptrace_attach takes that.
Sigh with enough cleanups the code might even become comprehensible and
correct in there.

I have dropped this onto my for-testing branch for now (so I don't
forget it) and after the chaos of the merge window ends I will forward
this along.

Eric


> Cc: d...@opencontainers.org
> Cc:  # v3.2+
> Reported-by: Michael Crosby 
> Signed-off-by: Aleksa Sarai 
> ---
>  fs/exec.c | 10 --
>  1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/fs/exec.c b/fs/exec.c
> index 4e497b9ee71e..b0a98ef03253 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -19,7 +19,7 @@
>   * current->executable is only used by the procfs.  This allows a dispatch
>   * table to check for several different types  of binary formats.  We keep
>   * trying until we recognize the file or we run out of supported binary
> - * formats. 
> + * formats.
>   */
>  
>  #include 
> @@ -1266,6 +1266,13 @@ int flush_old_exec(struct linux_binprm * bprm)
>   flush_thread();
>   current->personality &= ~bprm->per_clear;
>  
> + /*
> +  * We have to apply CLOEXEC before we change whether the process is
> +  * dumpable (in setup_new_exec) to avoid a race with a process in 
> userspace
> +  * trying to access the should-be-closed file descriptors of a process
> +  * undergoing exec(2).
> +  */
> + do_close_on_exec(current->files);
>   return 0;
>  
>  out:
> @@ -1315,7 +1322,6 @@ void setup_new_exec(struct linux_binprm * bprm)
>  group */
>   current->self_exec_id++;
>   flush_signal_handlers(current, 0);
> - do_close_on_exec(current->files);
>  }
>  EXPORT_SYMBOL(setup_new_exec);

[PATCH v2] fs: exec: apply CLOEXEC before changing dumpable task flags

2016-12-20 Thread Aleksa Sarai

If you have a process that has set itself to be non-dumpable, and it
then undergoes exec(2), any CLOEXEC file descriptors it has open are
"exposed" during a race window between the dumpable flags of the process
being reset for exec(2) and CLOEXEC being applied to the file
descriptors. This can be exploited by a process by attempting to access
/proc//fd/... during this window, without requiring CAP_SYS_PTRACE.

The race in question is after set_dumpable has been (for get_link,
though the trace is basically the same for readlink):

[vfs]
-> proc_pid_link_inode_operations.get_link
   -> proc_pid_get_link
  -> proc_fd_access_allowed
 -> ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS);

Which will return 0, during the race window and CLOEXEC file descriptors
will still be open during this window because do_close_on_exec has not
been called yet. As a result, the ordering of these calls should be
reversed to avoid this race window.

This is of particular concern to container runtimes, where joining a
PID namespace with file descriptors referring to the host filesystem
can result in security issues (since PRCTL_SET_DUMPABLE doesn't protect
against access of CLOEXEC file descriptors -- file descriptors which may
reference filesystem objects the container shouldn't have access to).

Cc: d...@opencontainers.org
Cc:  # v3.2+
Reported-by: Michael Crosby 
Signed-off-by: Aleksa Sarai 
---
 fs/exec.c | 10 --
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/fs/exec.c b/fs/exec.c
index 4e497b9ee71e..b0a98ef03253 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -19,7 +19,7 @@
  * current->executable is only used by the procfs.  This allows a dispatch
  * table to check for several different types  of binary formats.  We keep
  * trying until we recognize the file or we run out of supported binary
- * formats. 
+ * formats.
  */
 
 #include 
@@ -1266,6 +1266,13 @@ int flush_old_exec(struct linux_binprm * bprm)
flush_thread();
current->personality &= ~bprm->per_clear;
 
+   /*
+* We have to apply CLOEXEC before we change whether the process is
+* dumpable (in setup_new_exec) to avoid a race with a process in 
userspace
+* trying to access the should-be-closed file descriptors of a process
+* undergoing exec(2).
+*/
+   do_close_on_exec(current->files);
return 0;
 
 out:
@@ -1315,7 +1322,6 @@ void setup_new_exec(struct linux_binprm * bprm)
   group */
current->self_exec_id++;
flush_signal_handlers(current, 0);
-   do_close_on_exec(current->files);
 }
 EXPORT_SYMBOL(setup_new_exec);
 
-- 
2.11.0

[PATCH v2] fs: exec: apply CLOEXEC before changing dumpable task flags

2016-12-20 Thread Aleksa Sarai

If you have a process that has set itself to be non-dumpable, and it
then undergoes exec(2), any CLOEXEC file descriptors it has open are
"exposed" during a race window between the dumpable flags of the process
being reset for exec(2) and CLOEXEC being applied to the file
descriptors. This can be exploited by a process by attempting to access
/proc//fd/... during this window, without requiring CAP_SYS_PTRACE.

The race in question is after set_dumpable has been (for get_link,
though the trace is basically the same for readlink):

[vfs]
-> proc_pid_link_inode_operations.get_link
   -> proc_pid_get_link
  -> proc_fd_access_allowed
 -> ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS);

Which will return 0, during the race window and CLOEXEC file descriptors
will still be open during this window because do_close_on_exec has not
been called yet. As a result, the ordering of these calls should be
reversed to avoid this race window.

This is of particular concern to container runtimes, where joining a
PID namespace with file descriptors referring to the host filesystem
can result in security issues (since PRCTL_SET_DUMPABLE doesn't protect
against access of CLOEXEC file descriptors -- file descriptors which may
reference filesystem objects the container shouldn't have access to).

Cc: d...@opencontainers.org
Cc:  # v3.2+
Reported-by: Michael Crosby 
Signed-off-by: Aleksa Sarai 
---
 fs/exec.c | 10 --
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/fs/exec.c b/fs/exec.c
index 4e497b9ee71e..b0a98ef03253 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -19,7 +19,7 @@
  * current->executable is only used by the procfs.  This allows a dispatch
  * table to check for several different types  of binary formats.  We keep
  * trying until we recognize the file or we run out of supported binary
- * formats. 
+ * formats.
  */
 
 #include 
@@ -1266,6 +1266,13 @@ int flush_old_exec(struct linux_binprm * bprm)
flush_thread();
current->personality &= ~bprm->per_clear;
 
+   /*
+* We have to apply CLOEXEC before we change whether the process is
+* dumpable (in setup_new_exec) to avoid a race with a process in 
userspace
+* trying to access the should-be-closed file descriptors of a process
+* undergoing exec(2).
+*/
+   do_close_on_exec(current->files);
return 0;
 
 out:
@@ -1315,7 +1322,6 @@ void setup_new_exec(struct linux_binprm * bprm)
   group */
current->self_exec_id++;
flush_signal_handlers(current, 0);
-   do_close_on_exec(current->files);
 }
 EXPORT_SYMBOL(setup_new_exec);
 
-- 
2.11.0

Re: [PATCH v2] fs: exec: apply CLOEXEC before changing dumpable task flags

Re: [PATCH v2] fs: exec: apply CLOEXEC before changing dumpable task flags

[PATCH v2] fs: exec: apply CLOEXEC before changing dumpable task flags

[PATCH v2] fs: exec: apply CLOEXEC before changing dumpable task flags

4 matches

Site Navigation

Mail list logo

Footer information