From: Christian Brauner <brauner@kernel.org>
To: Mark Wielaard <mark@klomp.org>
Cc: Florian Weimer <fweimer@redhat.com>, libc-alpha@sourceware.org
Subject: Re: [PATCH 3/4] tst-pidfd.c: Test is UNSUPPORTED without PTRACE_MODE_ATTACH_REALCREDS
Date: Mon, 27 Jun 2022 16:25:35 +0200 [thread overview]
Message-ID: <20220627142535.3dkmeavirvnntnx3@wittgenstein> (raw)
In-Reply-To: <Yrm77dsNMR3eIwu1@wildebeest.org>
On Mon, Jun 27, 2022 at 04:17:17PM +0200, Mark Wielaard wrote:
> Hi,
>
> On Mon, Jun 27, 2022 at 01:51:41PM +0200, Christian Brauner wrote:
> > On Mon, Jun 27, 2022 at 01:14:06PM +0200, Florian Weimer via Libc-alpha wrote:
> > > * Mark Wielaard:
> > > > pidfd_getfd is mentioned (and allowed) by the seccomp filter, but the
> > > > syscall also needs the process to have PTRACE_MODE_ATTACH_REALCREDS
> > > > (which is really PTRACE_MODE_ATTACH | PTRACE_MODE_REALCREDS). Which it
> > > > doesn't have. If the process doesn't then pidfd_getfd is defined as
> > > > failing and setting errno to EPERM.
> > >
> > > But what does it mean for a process to have PTRACE_MODE_REALCREDS?
> >
> > #define PTRACE_MODE_ATTACH_REALCREDS (PTRACE_MODE_ATTACH | PTRACE_MODE_REALCREDS)
> >
> > PTRACE_MODE_ATTACH_REALCREDS means
> > * PTRACE_MODE_REALCREDS which means cred->{g,u}id of the task are used
> > for permission checking:
> >
> > So it's a bit nasty here but roughly if the ptracer's real {g,u}id match
> > the target task's (ptracee's) effective, save, and real [g,u]id then
> > you'passed the first stage of permission checking.
> >
> > If ptracer's [g,u]id aren't matching the ptracee's effective, saved, and
> > real [g,u]id the ptracer needs CAP_SYS_PTRACE in the ptracee's userns.
> > That will also get you past the first state of permission checking.
> >
> > If both don't apply the request is denied with -EPERM.
> >
> > The second stage of permission checking is:
> > (1) If the task isn't dumpable then you'll need CAP_SYS_PTRACE in the
> > ptracee's mm user namespace. That userns may differ from the
> > ptracee's current userns if the ptracee's userns wasn't privileged
> > over the inode of the file it exec'ed and thus could be an ancestor
> > userns (see would_dump()).
> > (2) The LSMs might deny your request.
>
> Right, it is pretty difficult to determine why you got an EPERM. But
> failing with EPERM is documented behaviour for pidfd_getfd, so IMHO if
> we get EPERM we should simply skip the test whatever the "real" reason
> is.
>
> The ptrace manual page lists the whole (6 step) algorithm under
> "Ptrace access mode checking":
> https://man7.org/linux/man-pages/man2/ptrace.2.html
>
> It also depends on (not) having CAP_SYS_PTRACE and the permission
> might be dependend on /proc/sys/kernel/yama/ptrace_scope
Yeah, to be frank, I consider ptrace_may_access() to be the worst piece
of permission checking code in the kernel. It just takes and shakes so
many core concepts that it's hard to understand and difficult to figure
out what exactly caused it to fail.
next prev parent reply other threads:[~2022-06-27 14:25 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-26 20:59 Handle running make check in a restricted environment Mark Wielaard
2022-06-26 20:59 ` [PATCH 1/4] time/tst-clock2.c: clock_settime CLOCK_MONOTONIC might return EPERM Mark Wielaard
2022-06-26 21:15 ` Florian Weimer
2022-06-27 9:35 ` Mark Wielaard
2022-06-26 20:59 ` [PATCH 2/4] tst-pkey.c: Handle no permission to alloc memory protection keys Mark Wielaard
2022-06-26 21:17 ` Florian Weimer
2022-06-26 21:40 ` Florian Weimer
2022-06-27 9:50 ` Mark Wielaard
2022-06-27 11:39 ` Florian Weimer
2022-06-27 14:08 ` Mark Wielaard
2022-06-26 20:59 ` [PATCH 3/4] tst-pidfd.c: Test is UNSUPPORTED without PTRACE_MODE_ATTACH_REALCREDS Mark Wielaard
2022-06-26 21:20 ` Florian Weimer
2022-06-27 10:01 ` Mark Wielaard
2022-06-27 11:14 ` Florian Weimer
2022-06-27 11:51 ` Christian Brauner
2022-06-27 14:17 ` Mark Wielaard
2022-06-27 14:21 ` Adhemerval Zanella
2022-06-27 14:25 ` Christian Brauner [this message]
2022-06-27 14:42 ` Florian Weimer
2022-06-27 14:57 ` Adhemerval Zanella
2022-06-27 15:08 ` Christian Brauner
2022-06-27 15:14 ` Adhemerval Zanella
2022-06-27 16:48 ` Mark Wielaard
2022-06-27 17:03 ` Adhemerval Zanella
2022-07-01 10:38 ` Mark Wielaard
2022-06-27 15:03 ` Christian Brauner
2022-06-27 14:23 ` Adhemerval Zanella
2022-06-27 16:36 ` Mark Wielaard
2022-06-26 20:59 ` [PATCH 4/4] tst-personality.c: Handle personality failing with errno EPERM Mark Wielaard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220627142535.3dkmeavirvnntnx3@wittgenstein \
--to=brauner@kernel.org \
--cc=fweimer@redhat.com \
--cc=libc-alpha@sourceware.org \
--cc=mark@klomp.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).