From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <brauner@kernel.org>
Received: from dfw.source.kernel.org (dfw.source.kernel.org
 [IPv6:2604:1380:4641:c500::1])
 by sourceware.org (Postfix) with ESMTPS id C0B06386F0EA
 for <libc-alpha@sourceware.org>; Mon, 27 Jun 2022 11:51:46 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org C0B06386F0EA
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by dfw.source.kernel.org (Postfix) with ESMTPS id 5CA016146E;
 Mon, 27 Jun 2022 11:51:46 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 814CAC3411D;
 Mon, 27 Jun 2022 11:51:44 +0000 (UTC)
Date: Mon, 27 Jun 2022 13:51:41 +0200
From: Christian Brauner <brauner@kernel.org>
To: Florian Weimer <fweimer@redhat.com>
Cc: Mark Wielaard <mark@klomp.org>, libc-alpha@sourceware.org
Subject: Re: [PATCH 3/4] tst-pidfd.c: Test is UNSUPPORTED without
 PTRACE_MODE_ATTACH_REALCREDS
Message-ID: <20220627115141.s4zjaac7ixceq7rs@wittgenstein>
References: <20220626205915.33201-1-mark@klomp.org>
 <20220626205915.33201-4-mark@klomp.org>
 <87h747nmud.fsf@mid.deneb.enyo.de>
 <c5fb5afcd90281887349c726a462e5049592c0e7.camel@klomp.org>
 <874k06cq9t.fsf@oldenburg.str.redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <874k06cq9t.fsf@oldenburg.str.redhat.com>
X-Spam-Status: No, score=-12.2 required=5.0 tests=BAYES_00, DKIMWL_WL_HIGH,
 DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0,
 SPF_HELO_NONE, SPF_PASS, TXREP,
 T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
 server2.sourceware.org
X-BeenThere: libc-alpha@sourceware.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Libc-alpha mailing list <libc-alpha.sourceware.org>
List-Unsubscribe: <https://sourceware.org/mailman/options/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/libc-alpha/>
List-Post: <mailto:libc-alpha@sourceware.org>
List-Help: <mailto:libc-alpha-request@sourceware.org?subject=help>
List-Subscribe: <https://sourceware.org/mailman/listinfo/libc-alpha>,
 <mailto:libc-alpha-request@sourceware.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Jun 2022 11:51:48 -0000

On Mon, Jun 27, 2022 at 01:14:06PM +0200, Florian Weimer via Libc-alpha wrote:
> * Mark Wielaard:
> 
> > Hi Florian,
> >
> > On Sun, 2022-06-26 at 23:20 +0200, Florian Weimer wrote:
> >> * Mark Wielaard:
> >> 
> >> > pidfd_getfd will fail with errno EPERM if the calling process did
> >> > not
> >> > have PTRACE_MODE_ATTACH_REALCREDS permissions. Use FAIL_UNSUPPORTED
> >> > in that case.
> >> > ---
> >> >  sysdeps/unix/sysv/linux/tst-pidfd.c | 6 ++++--
> >> >  1 file changed, 4 insertions(+), 2 deletions(-)
> >> > 
> >> > diff --git a/sysdeps/unix/sysv/linux/tst-pidfd.c
> >> > b/sysdeps/unix/sysv/linux/tst-pidfd.c
> >> > index d93b6faa6f..28349b2f91 100644
> >> > --- a/sysdeps/unix/sysv/linux/tst-pidfd.c
> >> > +++ b/sysdeps/unix/sysv/linux/tst-pidfd.c
> >> > @@ -95,8 +95,10 @@ do_test (void)
> >> >         kernel has pidfd support that we can test.  */
> >> >      int r = pidfd_getfd (0, 0, 1);
> >> >      TEST_VERIFY_EXIT (r == -1);
> >> > -    if (errno == ENOSYS)
> >> > -      FAIL_UNSUPPORTED ("kernel does not support pidfd_getfd,
> >> > skipping test");
> >> > +    if (errno == ENOSYS || errno == EPERM)
> >> > +      FAIL_UNSUPPORTED ("kernel does not support pidfd_getfd,"
> >> > +			" or we don't have
> >> > PTRACE_MODE_ATTACH_REALCREDS"
> >> > +			" permissions, skipping test");
> >> >    }
> >> 
> >> This also hints towards a broken seccomp filter.
> >
> > pidfd_getfd is mentioned (and allowed) by the seccomp filter, but the
> > syscall also needs the process to have PTRACE_MODE_ATTACH_REALCREDS
> > (which is really PTRACE_MODE_ATTACH | PTRACE_MODE_REALCREDS). Which it
> > doesn't have. If the process doesn't then pidfd_getfd is defined as
> > failing and setting errno to EPERM.
> 
> But what does it mean for a process to have PTRACE_MODE_REALCREDS?

#define PTRACE_MODE_ATTACH_REALCREDS (PTRACE_MODE_ATTACH | PTRACE_MODE_REALCREDS)

PTRACE_MODE_ATTACH_REALCREDS means
* PTRACE_MODE_REALCREDS which means cred->{g,u}id of the task are used
  for permission checking:

So it's a bit nasty here but roughly if the ptracer's real {g,u}id match
the target task's (ptracee's) effective, save, and real [g,u]id then
you'passed the first stage of permission checking.

If ptracer's [g,u]id aren't matching the ptracee's effective, saved, and
real [g,u]id the ptracer needs CAP_SYS_PTRACE in the ptracee's userns.
That will also get you past the first state of permission checking.

If both don't apply the request is denied with -EPERM.

The second stage of permission checking is:
(1) If the task isn't dumpable then you'll need CAP_SYS_PTRACE in the
    ptracee's mm user namespace. That userns may differ from the
    ptracee's current userns if the ptracee's userns wasn't privileged
    over the inode of the file it exec'ed and thus could be an ancestor
    userns (see would_dump()).
(2) The LSMs might deny your request.

Christian