Re: [RFC][PATCH 1/2 v2] proc: Relax /proc//timerslack_ns capability requirements
On Fri, Jul 15, 2016 at 1:03 PM, John Stultz wrote: > On Fri, Jul 15, 2016 at 12:55 PM, Nick Kralevich wrote: >> This should also have a similar LSM check for reads. For the SELinux >> implementation, this can map to the PROCESS__GETSCHED permission. > > Ok. I'll wire that in as well. > > Would adding both selinux_task_get and set methods in the same patch > be ok? Or would folks prefer they be split into two? I would prefer 1 patch. -- Nick Kralevich | Android Security | n...@google.com | 650.214.4037
Re: [RFC][PATCH 1/2 v2] proc: Relax /proc//timerslack_ns capability requirements
On 7/15/2016 11:56 AM, Kees Cook wrote: > On Fri, Jul 15, 2016 at 11:42 AM, John Stultz wrote: >> On Fri, Jul 15, 2016 at 10:51 AM, Nick Kralevich wrote: >>> On Fri, Jul 15, 2016 at 10:24 AM, John Stultz >>> wrote: + if (!capable(CAP_SYS_NICE)) + return -EPERM; + >>> Since you're going the LSM route (from your second patch of this >> Well, you suggested it, so I sent out an RFC. I'm not married to it yet. :) >> >> >>> series), the capability check above should be moved to the LSM hook in >>> security/commoncap.c. Only one security call to >>> security_task_settimerslack is needed, which will cover the standard >>> capabilities check as well as the SELinux check. >> Huh. Ok. I was looking at the implementation of nice(), which does: >> >> if (increment < 0 && !can_nice(current, nice)) >> return -EPERM; >> retval = security_task_setnice(current, nice); >> if (retval) >> ... >> >> Which made it seem like standard checks are done first, then finer >> grain lsm checks second. > I'm on the fence about this: it can be argued that if it's a cap check > it should live in the commoncap.c checks, but most of our cap checks > for these kinds of access controls are directly in the function, prior > the the security_* calls. I've added James and Casey who may have a > more well constructed rationale for doing this one way or the other. Let's say that at some point in the future someone wanted to replace POSIX capabilities with some other privilege scheme[1]. Having as much of the capability checking hooked in via the LSM infrastructure would be a big help. On the other hand, there's a lot to be said for locality of reference, and having the capability check off in another place may make it harder to understand what's going on. I don't object to either approach. If I have a recommendation it's to put it in commoncap.c and hook it in on the off chance that the capability model will implode after the next round of "improvements". Or if someone comes up with a really spiffy alternative. [1] Some years ago I offered to make a proposal for a customizable privilege scheme, but failed to deliver. Could it be as simple as providing a replacement for commoncap.c? I don't think so, because the cap calls are not positioned generically, they are placed based on the assumptions of the capability mechanism. On the other hand, A little hard work goes a long way to fixing that sort of problem. > >> (...and now you can guess where my accidental "current" usage in the >> next patch came from :) >> >> p = get_proc_task(inode); if (!p) return -ESRCH; >>> Per your patch #2, you'd call security_task_settimerslack here. This >>> would call into the capability LSM hook you added in >>> security/commoncap.c >> Though I was hoping to keep the CAP_SYS_PTRACE -> CAP_SYS_NICE change >> first, then add the LSM hooks, as it makes the needed ABI change more >> obvious. I worry swapping it around with the LSM hook being added >> first makes it significantly less obvious, as (at least for me) the >> security_task_* functions get indirect and difficult to follow quickly >> ("wait, why are we checking SETSCHED for nice?"). >> >> A side curiosity: why does "git grep PROCESS__SETSCHED" miss the >> definition? Is the av_permissions.h file somehow caught by .gitignore? >> >> thanks >> -john > -Kees >
Re: [RFC][PATCH 1/2 v2] proc: Relax /proc//timerslack_ns capability requirements
On Fri, Jul 15, 2016 at 12:55 PM, Nick Kralevich wrote: > On Fri, Jul 15, 2016 at 10:24 AM, John Stultz wrote: >> + if (!capable(CAP_SYS_NICE)) >> + return -EPERM; >> + >> p = get_proc_task(inode); >> if (!p) >> return -ESRCH; > > The capable(CAP_SYS_NICE) permission check should be moved to this > point, since it doesn't make sense to return EPERM if the task > structure doesn't exist. Ok. Will move it. >> @@ -2300,22 +2300,21 @@ static int timerslack_ns_show(struct seq_file *m, >> void *v) >> { >> struct inode *inode = m->private; >> struct task_struct *p; >> - int err = 0; >> + >> + if (!capable(CAP_SYS_NICE)) >> + return -EPERM; > > This should also have a similar LSM check for reads. For the SELinux > implementation, this can map to the PROCESS__GETSCHED permission. Ok. I'll wire that in as well. Would adding both selinux_task_get and set methods in the same patch be ok? Or would folks prefer they be split into two? Thanks for the feedback! -john
Re: [RFC][PATCH 1/2 v2] proc: Relax /proc//timerslack_ns capability requirements
On Fri, Jul 15, 2016 at 10:24 AM, John Stultz wrote: > When an interface to allow a task to change another tasks > timerslack was first proposed, it was suggested that something > greater then CAP_SYS_NICE would be needed, as a task could be > delayed further then what normally could be done with nice > adjustments. > > So CAP_SYS_PTRACE was adopted instead for what became the > /proc//timerslack_ns interface. However, for Android (where > this feature originates), giving the system_server > CAP_SYS_PTRACE would allow it to observe and modify all tasks > memory. This is considered too high a privilege level for only > needing to change the timerslack. > > After some discussion, it was realized that a CAP_SYS_NICE > process can set a task as SCHED_FIFO, so they could fork some > spinning processes and set them all SCHED_FIFO 99, in effect > delaying all other tasks for an infinite amount of time. > > So as a CAP_SYS_NICE task can already cause trouble for other > tasks, using it as a required capability for accessing and > modifying /proc//timerslack_ns seems sufficient. > > Thus, this patch loosens the capability requirements to > CAP_SYS_NICE and removes CAP_SYS_PTRACE, simplifying some > of the code flow as well. > > This is technically an ABI change, but as the feature just > landed in 4.6, I suspect no one is yet using it. > > Cc: Kees Cook > Cc: "Serge E. Hallyn" > Cc: Andrew Morton > Cc: Thomas Gleixner > CC: Arjan van de Ven > Cc: Oren Laadan > Cc: Ruchi Kandoi > Cc: Rom Lemarchand > Cc: Todd Kjos > Cc: Colin Cross > Cc: Nick Kralevich > Cc: Dmitry Shmidt > Cc: Elliott Hughes > Cc: Android Kernel Team > Signed-off-by: John Stultz > --- > v2: Removed CAP_SYS_PTRACE check and simplified code flow > > fs/proc/base.c | 33 - > 1 file changed, 16 insertions(+), 17 deletions(-) > > diff --git a/fs/proc/base.c b/fs/proc/base.c > index a11eb71..8f4f8d7 100644 > --- a/fs/proc/base.c > +++ b/fs/proc/base.c > @@ -2277,19 +2277,19 @@ static ssize_t timerslack_ns_write(struct file *file, > const char __user *buf, > if (err < 0) > return err; > > + if (!capable(CAP_SYS_NICE)) > + return -EPERM; > + > p = get_proc_task(inode); > if (!p) > return -ESRCH; The capable(CAP_SYS_NICE) permission check should be moved to this point, since it doesn't make sense to return EPERM if the task structure doesn't exist. > > - if (ptrace_may_access(p, PTRACE_MODE_ATTACH_FSCREDS)) { > - task_lock(p); > - if (slack_ns == 0) > - p->timer_slack_ns = p->default_timer_slack_ns; > - else > - p->timer_slack_ns = slack_ns; > - task_unlock(p); > - } else > - count = -EPERM; > + task_lock(p); > + if (slack_ns == 0) > + p->timer_slack_ns = p->default_timer_slack_ns; > + else > + p->timer_slack_ns = slack_ns; > + task_unlock(p); > > put_task_struct(p); > > @@ -2300,22 +2300,21 @@ static int timerslack_ns_show(struct seq_file *m, > void *v) > { > struct inode *inode = m->private; > struct task_struct *p; > - int err = 0; > + > + if (!capable(CAP_SYS_NICE)) > + return -EPERM; This should also have a similar LSM check for reads. For the SELinux implementation, this can map to the PROCESS__GETSCHED permission. security/selinux/hooks.c: static int selinux_task_gettimerslack(struct task_struct *p) { return current_has_perm(p, PROCESS__GETSCHED); } > > p = get_proc_task(inode); > if (!p) > return -ESRCH; As above, recommend moving the capable(CAP_SYS_NICE) check to this point. > > - if (ptrace_may_access(p, PTRACE_MODE_ATTACH_FSCREDS)) { > - task_lock(p); > - seq_printf(m, "%llu\n", p->timer_slack_ns); > - task_unlock(p); > - } else > - err = -EPERM; > + task_lock(p); > + seq_printf(m, "%llu\n", p->timer_slack_ns); > + task_unlock(p); > > put_task_struct(p); > > - return err; > + return 0; > } > > static int timerslack_ns_open(struct inode *inode, struct file *filp) > -- > 1.9.1 > -- Nick Kralevich | Android Security | n...@google.com | 650.214.4037
Re: [RFC][PATCH 1/2 v2] proc: Relax /proc//timerslack_ns capability requirements
On Fri, Jul 15, 2016 at 11:42 AM, John Stultz wrote: > On Fri, Jul 15, 2016 at 10:51 AM, Nick Kralevich wrote: >> On Fri, Jul 15, 2016 at 10:24 AM, John Stultz wrote: >>> + if (!capable(CAP_SYS_NICE)) >>> + return -EPERM; >>> + >> >> Since you're going the LSM route (from your second patch of this > > Well, you suggested it, so I sent out an RFC. I'm not married to it yet. :) > > >> series), the capability check above should be moved to the LSM hook in >> security/commoncap.c. Only one security call to >> security_task_settimerslack is needed, which will cover the standard >> capabilities check as well as the SELinux check. > > Huh. Ok. I was looking at the implementation of nice(), which does: > > if (increment < 0 && !can_nice(current, nice)) > return -EPERM; > retval = security_task_setnice(current, nice); > if (retval) > ... > > Which made it seem like standard checks are done first, then finer > grain lsm checks second. I'm on the fence about this: it can be argued that if it's a cap check it should live in the commoncap.c checks, but most of our cap checks for these kinds of access controls are directly in the function, prior the the security_* calls. I've added James and Casey who may have a more well constructed rationale for doing this one way or the other. > (...and now you can guess where my accidental "current" usage in the > next patch came from :) > > >> >>> p = get_proc_task(inode); >>> if (!p) >>> return -ESRCH; >>> >> >> Per your patch #2, you'd call security_task_settimerslack here. This >> would call into the capability LSM hook you added in >> security/commoncap.c > > Though I was hoping to keep the CAP_SYS_PTRACE -> CAP_SYS_NICE change > first, then add the LSM hooks, as it makes the needed ABI change more > obvious. I worry swapping it around with the LSM hook being added > first makes it significantly less obvious, as (at least for me) the > security_task_* functions get indirect and difficult to follow quickly > ("wait, why are we checking SETSCHED for nice?"). > > A side curiosity: why does "git grep PROCESS__SETSCHED" miss the > definition? Is the av_permissions.h file somehow caught by .gitignore? > > thanks > -john -Kees -- Kees Cook Chrome OS & Brillo Security
Re: [RFC][PATCH 1/2 v2] proc: Relax /proc//timerslack_ns capability requirements
On Fri, Jul 15, 2016 at 10:51 AM, Nick Kralevich wrote: > On Fri, Jul 15, 2016 at 10:24 AM, John Stultz wrote: >> + if (!capable(CAP_SYS_NICE)) >> + return -EPERM; >> + > > Since you're going the LSM route (from your second patch of this Well, you suggested it, so I sent out an RFC. I'm not married to it yet. :) > series), the capability check above should be moved to the LSM hook in > security/commoncap.c. Only one security call to > security_task_settimerslack is needed, which will cover the standard > capabilities check as well as the SELinux check. Huh. Ok. I was looking at the implementation of nice(), which does: if (increment < 0 && !can_nice(current, nice)) return -EPERM; retval = security_task_setnice(current, nice); if (retval) ... Which made it seem like standard checks are done first, then finer grain lsm checks second. (...and now you can guess where my accidental "current" usage in the next patch came from :) > >> p = get_proc_task(inode); >> if (!p) >> return -ESRCH; >> > > Per your patch #2, you'd call security_task_settimerslack here. This > would call into the capability LSM hook you added in > security/commoncap.c Though I was hoping to keep the CAP_SYS_PTRACE -> CAP_SYS_NICE change first, then add the LSM hooks, as it makes the needed ABI change more obvious. I worry swapping it around with the LSM hook being added first makes it significantly less obvious, as (at least for me) the security_task_* functions get indirect and difficult to follow quickly ("wait, why are we checking SETSCHED for nice?"). A side curiosity: why does "git grep PROCESS__SETSCHED" miss the definition? Is the av_permissions.h file somehow caught by .gitignore? thanks -john
Re: [RFC][PATCH 1/2 v2] proc: Relax /proc//timerslack_ns capability requirements
On Fri, Jul 15, 2016 at 10:24 AM, John Stultz wrote: > When an interface to allow a task to change another tasks > timerslack was first proposed, it was suggested that something > greater then CAP_SYS_NICE would be needed, as a task could be > delayed further then what normally could be done with nice > adjustments. > > So CAP_SYS_PTRACE was adopted instead for what became the > /proc//timerslack_ns interface. However, for Android (where > this feature originates), giving the system_server > CAP_SYS_PTRACE would allow it to observe and modify all tasks > memory. This is considered too high a privilege level for only > needing to change the timerslack. > > After some discussion, it was realized that a CAP_SYS_NICE > process can set a task as SCHED_FIFO, so they could fork some > spinning processes and set them all SCHED_FIFO 99, in effect > delaying all other tasks for an infinite amount of time. > > So as a CAP_SYS_NICE task can already cause trouble for other > tasks, using it as a required capability for accessing and > modifying /proc//timerslack_ns seems sufficient. > > Thus, this patch loosens the capability requirements to > CAP_SYS_NICE and removes CAP_SYS_PTRACE, simplifying some > of the code flow as well. > > This is technically an ABI change, but as the feature just > landed in 4.6, I suspect no one is yet using it. > > Cc: Kees Cook > Cc: "Serge E. Hallyn" > Cc: Andrew Morton > Cc: Thomas Gleixner > CC: Arjan van de Ven > Cc: Oren Laadan > Cc: Ruchi Kandoi > Cc: Rom Lemarchand > Cc: Todd Kjos > Cc: Colin Cross > Cc: Nick Kralevich > Cc: Dmitry Shmidt > Cc: Elliott Hughes > Cc: Android Kernel Team > Signed-off-by: John Stultz > --- > v2: Removed CAP_SYS_PTRACE check and simplified code flow > > fs/proc/base.c | 33 - > 1 file changed, 16 insertions(+), 17 deletions(-) > > diff --git a/fs/proc/base.c b/fs/proc/base.c > index a11eb71..8f4f8d7 100644 > --- a/fs/proc/base.c > +++ b/fs/proc/base.c > @@ -2277,19 +2277,19 @@ static ssize_t timerslack_ns_write(struct file *file, > const char __user *buf, > if (err < 0) > return err; > > + if (!capable(CAP_SYS_NICE)) > + return -EPERM; > + Since you're going the LSM route (from your second patch of this series), the capability check above should be moved to the LSM hook in security/commoncap.c. Only one security call to security_task_settimerslack is needed, which will cover the standard capabilities check as well as the SELinux check. > p = get_proc_task(inode); > if (!p) > return -ESRCH; > Per your patch #2, you'd call security_task_settimerslack here. This would call into the capability LSM hook you added in security/commoncap.c > - if (ptrace_may_access(p, PTRACE_MODE_ATTACH_FSCREDS)) { > - task_lock(p); > - if (slack_ns == 0) > - p->timer_slack_ns = p->default_timer_slack_ns; > - else > - p->timer_slack_ns = slack_ns; > - task_unlock(p); > - } else > - count = -EPERM; > + task_lock(p); > + if (slack_ns == 0) > + p->timer_slack_ns = p->default_timer_slack_ns; > + else > + p->timer_slack_ns = slack_ns; > + task_unlock(p); > > put_task_struct(p); > > @@ -2300,22 +2300,21 @@ static int timerslack_ns_show(struct seq_file *m, > void *v) > { > struct inode *inode = m->private; > struct task_struct *p; > - int err = 0; > + > + if (!capable(CAP_SYS_NICE)) > + return -EPERM; > > p = get_proc_task(inode); > if (!p) > return -ESRCH; > > - if (ptrace_may_access(p, PTRACE_MODE_ATTACH_FSCREDS)) { > - task_lock(p); > - seq_printf(m, "%llu\n", p->timer_slack_ns); > - task_unlock(p); > - } else > - err = -EPERM; > + task_lock(p); > + seq_printf(m, "%llu\n", p->timer_slack_ns); > + task_unlock(p); > > put_task_struct(p); > > - return err; > + return 0; > } > > static int timerslack_ns_open(struct inode *inode, struct file *filp) > -- > 1.9.1 > -- Nick Kralevich | Android Security | n...@google.com | 650.214.4037
[RFC][PATCH 1/2 v2] proc: Relax /proc//timerslack_ns capability requirements
When an interface to allow a task to change another tasks timerslack was first proposed, it was suggested that something greater then CAP_SYS_NICE would be needed, as a task could be delayed further then what normally could be done with nice adjustments. So CAP_SYS_PTRACE was adopted instead for what became the /proc//timerslack_ns interface. However, for Android (where this feature originates), giving the system_server CAP_SYS_PTRACE would allow it to observe and modify all tasks memory. This is considered too high a privilege level for only needing to change the timerslack. After some discussion, it was realized that a CAP_SYS_NICE process can set a task as SCHED_FIFO, so they could fork some spinning processes and set them all SCHED_FIFO 99, in effect delaying all other tasks for an infinite amount of time. So as a CAP_SYS_NICE task can already cause trouble for other tasks, using it as a required capability for accessing and modifying /proc//timerslack_ns seems sufficient. Thus, this patch loosens the capability requirements to CAP_SYS_NICE and removes CAP_SYS_PTRACE, simplifying some of the code flow as well. This is technically an ABI change, but as the feature just landed in 4.6, I suspect no one is yet using it. Cc: Kees Cook Cc: "Serge E. Hallyn" Cc: Andrew Morton Cc: Thomas Gleixner CC: Arjan van de Ven Cc: Oren Laadan Cc: Ruchi Kandoi Cc: Rom Lemarchand Cc: Todd Kjos Cc: Colin Cross Cc: Nick Kralevich Cc: Dmitry Shmidt Cc: Elliott Hughes Cc: Android Kernel Team Signed-off-by: John Stultz --- v2: Removed CAP_SYS_PTRACE check and simplified code flow fs/proc/base.c | 33 - 1 file changed, 16 insertions(+), 17 deletions(-) diff --git a/fs/proc/base.c b/fs/proc/base.c index a11eb71..8f4f8d7 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -2277,19 +2277,19 @@ static ssize_t timerslack_ns_write(struct file *file, const char __user *buf, if (err < 0) return err; + if (!capable(CAP_SYS_NICE)) + return -EPERM; + p = get_proc_task(inode); if (!p) return -ESRCH; - if (ptrace_may_access(p, PTRACE_MODE_ATTACH_FSCREDS)) { - task_lock(p); - if (slack_ns == 0) - p->timer_slack_ns = p->default_timer_slack_ns; - else - p->timer_slack_ns = slack_ns; - task_unlock(p); - } else - count = -EPERM; + task_lock(p); + if (slack_ns == 0) + p->timer_slack_ns = p->default_timer_slack_ns; + else + p->timer_slack_ns = slack_ns; + task_unlock(p); put_task_struct(p); @@ -2300,22 +2300,21 @@ static int timerslack_ns_show(struct seq_file *m, void *v) { struct inode *inode = m->private; struct task_struct *p; - int err = 0; + + if (!capable(CAP_SYS_NICE)) + return -EPERM; p = get_proc_task(inode); if (!p) return -ESRCH; - if (ptrace_may_access(p, PTRACE_MODE_ATTACH_FSCREDS)) { - task_lock(p); - seq_printf(m, "%llu\n", p->timer_slack_ns); - task_unlock(p); - } else - err = -EPERM; + task_lock(p); + seq_printf(m, "%llu\n", p->timer_slack_ns); + task_unlock(p); put_task_struct(p); - return err; + return 0; } static int timerslack_ns_open(struct inode *inode, struct file *filp) -- 1.9.1