Re: [RFC][PATCH 1/2 v2] proc: Relax /proc//timerslack_ns capability requirements
On Fri, Jul 15, 2016 at 1:03 PM, John Stultz wrote: > On Fri, Jul 15, 2016 at 12:55 PM, Nick Kralevich wrote: >> This should also have a similar LSM check for reads. For the SELinux >> implementation, this can map to the PROCESS__GETSCHED permission. > > Ok. I'll wire that in as well. > > Would adding both selinux_task_get and set methods in the same patch > be ok? Or would folks prefer they be split into two? I would prefer 1 patch. -- Nick Kralevich | Android Security | n...@google.com | 650.214.4037
Re: [RFC][PATCH 1/2 v2] proc: Relax /proc//timerslack_ns capability requirements
On 7/15/2016 11:56 AM, Kees Cook wrote:
> On Fri, Jul 15, 2016 at 11:42 AM, John Stultz wrote:
>> On Fri, Jul 15, 2016 at 10:51 AM, Nick Kralevich wrote:
>>> On Fri, Jul 15, 2016 at 10:24 AM, John Stultz
>>> wrote:
+ if (!capable(CAP_SYS_NICE))
+ return -EPERM;
+
>>> Since you're going the LSM route (from your second patch of this
>> Well, you suggested it, so I sent out an RFC. I'm not married to it yet. :)
>>
>>
>>> series), the capability check above should be moved to the LSM hook in
>>> security/commoncap.c. Only one security call to
>>> security_task_settimerslack is needed, which will cover the standard
>>> capabilities check as well as the SELinux check.
>> Huh. Ok. I was looking at the implementation of nice(), which does:
>>
>> if (increment < 0 && !can_nice(current, nice))
>> return -EPERM;
>> retval = security_task_setnice(current, nice);
>> if (retval)
>> ...
>>
>> Which made it seem like standard checks are done first, then finer
>> grain lsm checks second.
> I'm on the fence about this: it can be argued that if it's a cap check
> it should live in the commoncap.c checks, but most of our cap checks
> for these kinds of access controls are directly in the function, prior
> the the security_* calls. I've added James and Casey who may have a
> more well constructed rationale for doing this one way or the other.
Let's say that at some point in the future someone wanted to replace
POSIX capabilities with some other privilege scheme[1]. Having as much
of the capability checking hooked in via the LSM infrastructure would
be a big help. On the other hand, there's a lot to be said for locality
of reference, and having the capability check off in another place may
make it harder to understand what's going on.
I don't object to either approach. If I have a recommendation it's to
put it in commoncap.c and hook it in on the off chance that the capability
model will implode after the next round of "improvements". Or if someone
comes up with a really spiffy alternative.
[1] Some years ago I offered to make a proposal for a customizable
privilege scheme, but failed to deliver. Could it be as simple
as providing a replacement for commoncap.c? I don't think so,
because the cap calls are not positioned generically, they are
placed based on the assumptions of the capability mechanism.
On the other hand, A little hard work goes a long way to fixing
that sort of problem.
>
>> (...and now you can guess where my accidental "current" usage in the
>> next patch came from :)
>>
>>
p = get_proc_task(inode);
if (!p)
return -ESRCH;
>>> Per your patch #2, you'd call security_task_settimerslack here. This
>>> would call into the capability LSM hook you added in
>>> security/commoncap.c
>> Though I was hoping to keep the CAP_SYS_PTRACE -> CAP_SYS_NICE change
>> first, then add the LSM hooks, as it makes the needed ABI change more
>> obvious. I worry swapping it around with the LSM hook being added
>> first makes it significantly less obvious, as (at least for me) the
>> security_task_* functions get indirect and difficult to follow quickly
>> ("wait, why are we checking SETSCHED for nice?").
>>
>> A side curiosity: why does "git grep PROCESS__SETSCHED" miss the
>> definition? Is the av_permissions.h file somehow caught by .gitignore?
>>
>> thanks
>> -john
> -Kees
>
Re: [RFC][PATCH 1/2 v2] proc: Relax /proc//timerslack_ns capability requirements
On Fri, Jul 15, 2016 at 12:55 PM, Nick Kralevich wrote:
> On Fri, Jul 15, 2016 at 10:24 AM, John Stultz wrote:
>> + if (!capable(CAP_SYS_NICE))
>> + return -EPERM;
>> +
>> p = get_proc_task(inode);
>> if (!p)
>> return -ESRCH;
>
> The capable(CAP_SYS_NICE) permission check should be moved to this
> point, since it doesn't make sense to return EPERM if the task
> structure doesn't exist.
Ok. Will move it.
>> @@ -2300,22 +2300,21 @@ static int timerslack_ns_show(struct seq_file *m,
>> void *v)
>> {
>> struct inode *inode = m->private;
>> struct task_struct *p;
>> - int err = 0;
>> +
>> + if (!capable(CAP_SYS_NICE))
>> + return -EPERM;
>
> This should also have a similar LSM check for reads. For the SELinux
> implementation, this can map to the PROCESS__GETSCHED permission.
Ok. I'll wire that in as well.
Would adding both selinux_task_get and set methods in the same patch
be ok? Or would folks prefer they be split into two?
Thanks for the feedback!
-john
Re: [RFC][PATCH 1/2 v2] proc: Relax /proc//timerslack_ns capability requirements
On Fri, Jul 15, 2016 at 10:24 AM, John Stultz wrote:
> When an interface to allow a task to change another tasks
> timerslack was first proposed, it was suggested that something
> greater then CAP_SYS_NICE would be needed, as a task could be
> delayed further then what normally could be done with nice
> adjustments.
>
> So CAP_SYS_PTRACE was adopted instead for what became the
> /proc//timerslack_ns interface. However, for Android (where
> this feature originates), giving the system_server
> CAP_SYS_PTRACE would allow it to observe and modify all tasks
> memory. This is considered too high a privilege level for only
> needing to change the timerslack.
>
> After some discussion, it was realized that a CAP_SYS_NICE
> process can set a task as SCHED_FIFO, so they could fork some
> spinning processes and set them all SCHED_FIFO 99, in effect
> delaying all other tasks for an infinite amount of time.
>
> So as a CAP_SYS_NICE task can already cause trouble for other
> tasks, using it as a required capability for accessing and
> modifying /proc//timerslack_ns seems sufficient.
>
> Thus, this patch loosens the capability requirements to
> CAP_SYS_NICE and removes CAP_SYS_PTRACE, simplifying some
> of the code flow as well.
>
> This is technically an ABI change, but as the feature just
> landed in 4.6, I suspect no one is yet using it.
>
> Cc: Kees Cook
> Cc: "Serge E. Hallyn"
> Cc: Andrew Morton
> Cc: Thomas Gleixner
> CC: Arjan van de Ven
> Cc: Oren Laadan
> Cc: Ruchi Kandoi
> Cc: Rom Lemarchand
> Cc: Todd Kjos
> Cc: Colin Cross
> Cc: Nick Kralevich
> Cc: Dmitry Shmidt
> Cc: Elliott Hughes
> Cc: Android Kernel Team
> Signed-off-by: John Stultz
> ---
> v2: Removed CAP_SYS_PTRACE check and simplified code flow
>
> fs/proc/base.c | 33 -
> 1 file changed, 16 insertions(+), 17 deletions(-)
>
> diff --git a/fs/proc/base.c b/fs/proc/base.c
> index a11eb71..8f4f8d7 100644
> --- a/fs/proc/base.c
> +++ b/fs/proc/base.c
> @@ -2277,19 +2277,19 @@ static ssize_t timerslack_ns_write(struct file *file,
> const char __user *buf,
> if (err < 0)
> return err;
>
> + if (!capable(CAP_SYS_NICE))
> + return -EPERM;
> +
> p = get_proc_task(inode);
> if (!p)
> return -ESRCH;
The capable(CAP_SYS_NICE) permission check should be moved to this
point, since it doesn't make sense to return EPERM if the task
structure doesn't exist.
>
> - if (ptrace_may_access(p, PTRACE_MODE_ATTACH_FSCREDS)) {
> - task_lock(p);
> - if (slack_ns == 0)
> - p->timer_slack_ns = p->default_timer_slack_ns;
> - else
> - p->timer_slack_ns = slack_ns;
> - task_unlock(p);
> - } else
> - count = -EPERM;
> + task_lock(p);
> + if (slack_ns == 0)
> + p->timer_slack_ns = p->default_timer_slack_ns;
> + else
> + p->timer_slack_ns = slack_ns;
> + task_unlock(p);
>
> put_task_struct(p);
>
> @@ -2300,22 +2300,21 @@ static int timerslack_ns_show(struct seq_file *m,
> void *v)
> {
> struct inode *inode = m->private;
> struct task_struct *p;
> - int err = 0;
> +
> + if (!capable(CAP_SYS_NICE))
> + return -EPERM;
This should also have a similar LSM check for reads. For the SELinux
implementation, this can map to the PROCESS__GETSCHED permission.
security/selinux/hooks.c:
static int selinux_task_gettimerslack(struct task_struct *p)
{
return current_has_perm(p, PROCESS__GETSCHED);
}
>
> p = get_proc_task(inode);
> if (!p)
> return -ESRCH;
As above, recommend moving the capable(CAP_SYS_NICE) check to this point.
>
> - if (ptrace_may_access(p, PTRACE_MODE_ATTACH_FSCREDS)) {
> - task_lock(p);
> - seq_printf(m, "%llu\n", p->timer_slack_ns);
> - task_unlock(p);
> - } else
> - err = -EPERM;
> + task_lock(p);
> + seq_printf(m, "%llu\n", p->timer_slack_ns);
> + task_unlock(p);
>
> put_task_struct(p);
>
> - return err;
> + return 0;
> }
>
> static int timerslack_ns_open(struct inode *inode, struct file *filp)
> --
> 1.9.1
>
--
Nick Kralevich | Android Security | n...@google.com | 650.214.4037
Re: [RFC][PATCH 1/2 v2] proc: Relax /proc//timerslack_ns capability requirements
On Fri, Jul 15, 2016 at 11:42 AM, John Stultz wrote:
> On Fri, Jul 15, 2016 at 10:51 AM, Nick Kralevich wrote:
>> On Fri, Jul 15, 2016 at 10:24 AM, John Stultz wrote:
>>> + if (!capable(CAP_SYS_NICE))
>>> + return -EPERM;
>>> +
>>
>> Since you're going the LSM route (from your second patch of this
>
> Well, you suggested it, so I sent out an RFC. I'm not married to it yet. :)
>
>
>> series), the capability check above should be moved to the LSM hook in
>> security/commoncap.c. Only one security call to
>> security_task_settimerslack is needed, which will cover the standard
>> capabilities check as well as the SELinux check.
>
> Huh. Ok. I was looking at the implementation of nice(), which does:
>
> if (increment < 0 && !can_nice(current, nice))
> return -EPERM;
> retval = security_task_setnice(current, nice);
> if (retval)
> ...
>
> Which made it seem like standard checks are done first, then finer
> grain lsm checks second.
I'm on the fence about this: it can be argued that if it's a cap check
it should live in the commoncap.c checks, but most of our cap checks
for these kinds of access controls are directly in the function, prior
the the security_* calls. I've added James and Casey who may have a
more well constructed rationale for doing this one way or the other.
> (...and now you can guess where my accidental "current" usage in the
> next patch came from :)
>
>
>>
>>> p = get_proc_task(inode);
>>> if (!p)
>>> return -ESRCH;
>>>
>>
>> Per your patch #2, you'd call security_task_settimerslack here. This
>> would call into the capability LSM hook you added in
>> security/commoncap.c
>
> Though I was hoping to keep the CAP_SYS_PTRACE -> CAP_SYS_NICE change
> first, then add the LSM hooks, as it makes the needed ABI change more
> obvious. I worry swapping it around with the LSM hook being added
> first makes it significantly less obvious, as (at least for me) the
> security_task_* functions get indirect and difficult to follow quickly
> ("wait, why are we checking SETSCHED for nice?").
>
> A side curiosity: why does "git grep PROCESS__SETSCHED" miss the
> definition? Is the av_permissions.h file somehow caught by .gitignore?
>
> thanks
> -john
-Kees
--
Kees Cook
Chrome OS & Brillo Security
Re: [RFC][PATCH 1/2 v2] proc: Relax /proc//timerslack_ns capability requirements
On Fri, Jul 15, 2016 at 10:51 AM, Nick Kralevich wrote:
> On Fri, Jul 15, 2016 at 10:24 AM, John Stultz wrote:
>> + if (!capable(CAP_SYS_NICE))
>> + return -EPERM;
>> +
>
> Since you're going the LSM route (from your second patch of this
Well, you suggested it, so I sent out an RFC. I'm not married to it yet. :)
> series), the capability check above should be moved to the LSM hook in
> security/commoncap.c. Only one security call to
> security_task_settimerslack is needed, which will cover the standard
> capabilities check as well as the SELinux check.
Huh. Ok. I was looking at the implementation of nice(), which does:
if (increment < 0 && !can_nice(current, nice))
return -EPERM;
retval = security_task_setnice(current, nice);
if (retval)
...
Which made it seem like standard checks are done first, then finer
grain lsm checks second.
(...and now you can guess where my accidental "current" usage in the
next patch came from :)
>
>> p = get_proc_task(inode);
>> if (!p)
>> return -ESRCH;
>>
>
> Per your patch #2, you'd call security_task_settimerslack here. This
> would call into the capability LSM hook you added in
> security/commoncap.c
Though I was hoping to keep the CAP_SYS_PTRACE -> CAP_SYS_NICE change
first, then add the LSM hooks, as it makes the needed ABI change more
obvious. I worry swapping it around with the LSM hook being added
first makes it significantly less obvious, as (at least for me) the
security_task_* functions get indirect and difficult to follow quickly
("wait, why are we checking SETSCHED for nice?").
A side curiosity: why does "git grep PROCESS__SETSCHED" miss the
definition? Is the av_permissions.h file somehow caught by .gitignore?
thanks
-john
Re: [RFC][PATCH 1/2 v2] proc: Relax /proc//timerslack_ns capability requirements
On Fri, Jul 15, 2016 at 10:24 AM, John Stultz wrote:
> When an interface to allow a task to change another tasks
> timerslack was first proposed, it was suggested that something
> greater then CAP_SYS_NICE would be needed, as a task could be
> delayed further then what normally could be done with nice
> adjustments.
>
> So CAP_SYS_PTRACE was adopted instead for what became the
> /proc//timerslack_ns interface. However, for Android (where
> this feature originates), giving the system_server
> CAP_SYS_PTRACE would allow it to observe and modify all tasks
> memory. This is considered too high a privilege level for only
> needing to change the timerslack.
>
> After some discussion, it was realized that a CAP_SYS_NICE
> process can set a task as SCHED_FIFO, so they could fork some
> spinning processes and set them all SCHED_FIFO 99, in effect
> delaying all other tasks for an infinite amount of time.
>
> So as a CAP_SYS_NICE task can already cause trouble for other
> tasks, using it as a required capability for accessing and
> modifying /proc//timerslack_ns seems sufficient.
>
> Thus, this patch loosens the capability requirements to
> CAP_SYS_NICE and removes CAP_SYS_PTRACE, simplifying some
> of the code flow as well.
>
> This is technically an ABI change, but as the feature just
> landed in 4.6, I suspect no one is yet using it.
>
> Cc: Kees Cook
> Cc: "Serge E. Hallyn"
> Cc: Andrew Morton
> Cc: Thomas Gleixner
> CC: Arjan van de Ven
> Cc: Oren Laadan
> Cc: Ruchi Kandoi
> Cc: Rom Lemarchand
> Cc: Todd Kjos
> Cc: Colin Cross
> Cc: Nick Kralevich
> Cc: Dmitry Shmidt
> Cc: Elliott Hughes
> Cc: Android Kernel Team
> Signed-off-by: John Stultz
> ---
> v2: Removed CAP_SYS_PTRACE check and simplified code flow
>
> fs/proc/base.c | 33 -
> 1 file changed, 16 insertions(+), 17 deletions(-)
>
> diff --git a/fs/proc/base.c b/fs/proc/base.c
> index a11eb71..8f4f8d7 100644
> --- a/fs/proc/base.c
> +++ b/fs/proc/base.c
> @@ -2277,19 +2277,19 @@ static ssize_t timerslack_ns_write(struct file *file,
> const char __user *buf,
> if (err < 0)
> return err;
>
> + if (!capable(CAP_SYS_NICE))
> + return -EPERM;
> +
Since you're going the LSM route (from your second patch of this
series), the capability check above should be moved to the LSM hook in
security/commoncap.c. Only one security call to
security_task_settimerslack is needed, which will cover the standard
capabilities check as well as the SELinux check.
> p = get_proc_task(inode);
> if (!p)
> return -ESRCH;
>
Per your patch #2, you'd call security_task_settimerslack here. This
would call into the capability LSM hook you added in
security/commoncap.c
> - if (ptrace_may_access(p, PTRACE_MODE_ATTACH_FSCREDS)) {
> - task_lock(p);
> - if (slack_ns == 0)
> - p->timer_slack_ns = p->default_timer_slack_ns;
> - else
> - p->timer_slack_ns = slack_ns;
> - task_unlock(p);
> - } else
> - count = -EPERM;
> + task_lock(p);
> + if (slack_ns == 0)
> + p->timer_slack_ns = p->default_timer_slack_ns;
> + else
> + p->timer_slack_ns = slack_ns;
> + task_unlock(p);
>
> put_task_struct(p);
>
> @@ -2300,22 +2300,21 @@ static int timerslack_ns_show(struct seq_file *m,
> void *v)
> {
> struct inode *inode = m->private;
> struct task_struct *p;
> - int err = 0;
> +
> + if (!capable(CAP_SYS_NICE))
> + return -EPERM;
>
> p = get_proc_task(inode);
> if (!p)
> return -ESRCH;
>
> - if (ptrace_may_access(p, PTRACE_MODE_ATTACH_FSCREDS)) {
> - task_lock(p);
> - seq_printf(m, "%llu\n", p->timer_slack_ns);
> - task_unlock(p);
> - } else
> - err = -EPERM;
> + task_lock(p);
> + seq_printf(m, "%llu\n", p->timer_slack_ns);
> + task_unlock(p);
>
> put_task_struct(p);
>
> - return err;
> + return 0;
> }
>
> static int timerslack_ns_open(struct inode *inode, struct file *filp)
> --
> 1.9.1
>
--
Nick Kralevich | Android Security | n...@google.com | 650.214.4037
[RFC][PATCH 1/2 v2] proc: Relax /proc//timerslack_ns capability requirements
When an interface to allow a task to change another tasks
timerslack was first proposed, it was suggested that something
greater then CAP_SYS_NICE would be needed, as a task could be
delayed further then what normally could be done with nice
adjustments.
So CAP_SYS_PTRACE was adopted instead for what became the
/proc//timerslack_ns interface. However, for Android (where
this feature originates), giving the system_server
CAP_SYS_PTRACE would allow it to observe and modify all tasks
memory. This is considered too high a privilege level for only
needing to change the timerslack.
After some discussion, it was realized that a CAP_SYS_NICE
process can set a task as SCHED_FIFO, so they could fork some
spinning processes and set them all SCHED_FIFO 99, in effect
delaying all other tasks for an infinite amount of time.
So as a CAP_SYS_NICE task can already cause trouble for other
tasks, using it as a required capability for accessing and
modifying /proc//timerslack_ns seems sufficient.
Thus, this patch loosens the capability requirements to
CAP_SYS_NICE and removes CAP_SYS_PTRACE, simplifying some
of the code flow as well.
This is technically an ABI change, but as the feature just
landed in 4.6, I suspect no one is yet using it.
Cc: Kees Cook
Cc: "Serge E. Hallyn"
Cc: Andrew Morton
Cc: Thomas Gleixner
CC: Arjan van de Ven
Cc: Oren Laadan
Cc: Ruchi Kandoi
Cc: Rom Lemarchand
Cc: Todd Kjos
Cc: Colin Cross
Cc: Nick Kralevich
Cc: Dmitry Shmidt
Cc: Elliott Hughes
Cc: Android Kernel Team
Signed-off-by: John Stultz
---
v2: Removed CAP_SYS_PTRACE check and simplified code flow
fs/proc/base.c | 33 -
1 file changed, 16 insertions(+), 17 deletions(-)
diff --git a/fs/proc/base.c b/fs/proc/base.c
index a11eb71..8f4f8d7 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -2277,19 +2277,19 @@ static ssize_t timerslack_ns_write(struct file *file,
const char __user *buf,
if (err < 0)
return err;
+ if (!capable(CAP_SYS_NICE))
+ return -EPERM;
+
p = get_proc_task(inode);
if (!p)
return -ESRCH;
- if (ptrace_may_access(p, PTRACE_MODE_ATTACH_FSCREDS)) {
- task_lock(p);
- if (slack_ns == 0)
- p->timer_slack_ns = p->default_timer_slack_ns;
- else
- p->timer_slack_ns = slack_ns;
- task_unlock(p);
- } else
- count = -EPERM;
+ task_lock(p);
+ if (slack_ns == 0)
+ p->timer_slack_ns = p->default_timer_slack_ns;
+ else
+ p->timer_slack_ns = slack_ns;
+ task_unlock(p);
put_task_struct(p);
@@ -2300,22 +2300,21 @@ static int timerslack_ns_show(struct seq_file *m, void
*v)
{
struct inode *inode = m->private;
struct task_struct *p;
- int err = 0;
+
+ if (!capable(CAP_SYS_NICE))
+ return -EPERM;
p = get_proc_task(inode);
if (!p)
return -ESRCH;
- if (ptrace_may_access(p, PTRACE_MODE_ATTACH_FSCREDS)) {
- task_lock(p);
- seq_printf(m, "%llu\n", p->timer_slack_ns);
- task_unlock(p);
- } else
- err = -EPERM;
+ task_lock(p);
+ seq_printf(m, "%llu\n", p->timer_slack_ns);
+ task_unlock(p);
put_task_struct(p);
- return err;
+ return 0;
}
static int timerslack_ns_open(struct inode *inode, struct file *filp)
--
1.9.1
