path: root/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-4197-001.patch
blob: 06586169925c485d2601a9cfa37fb26418db4601 (plain)
From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 2746BC433F5
	for <linux-kernel@archiver.kernel.org>; Thu,  9 Dec 2021 21:47:21 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232085AbhLIVuw (ORCPT <rfc822;linux-kernel@archiver.kernel.org>);
        Thu, 9 Dec 2021 16:50:52 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54404 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S231216AbhLIVut (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 9 Dec 2021 16:50:49 -0500
Received: from mail-pl1-x636.google.com (mail-pl1-x636.google.com [IPv6:2607:f8b0:4864:20::636])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 15ABAC061746
        for <linux-kernel@vger.kernel.org>; Thu,  9 Dec 2021 13:47:16 -0800 (PST)
Received: by mail-pl1-x636.google.com with SMTP id u11so4909590plf.3
        for <linux-kernel@vger.kernel.org>; Thu, 09 Dec 2021 13:47:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=sender:from:to:cc:subject:date:message-id:in-reply-to:references
         :mime-version:content-transfer-encoding;
        bh=a8swiEXoojgR8fMVEpmKtUWFtMz5ImAG/VTZz39Zgtg=;
        b=iK06xmgZWH845WJbjlaSUNXX2witJGET/NOunc7vcXITqaQ+J0OYBlbsrVZWqXmNpq
         1ZkdS89uhl9wPRwln+nGOF3CDgn2rOlIZHy5q1hYCjPeXIRqSUNk66eYbMP9k/CE9ofE
         4Bq4HI5Zj9L3TaxJgIf5/fGE4YPT74ZH3DlBwA0YH1Mdmxl6bb+jmHmsOxvH8pNxJK2U
         Am31x8dqOy61eJi8NizKPzwK6/hjeE+hdG5m1Nmnk5DWCfUUnOtRBxQrB5e0Hbo6JCPQ
         kMKE3uw5v51EwhqYJNYnL//1RO98imhrjATlvuqHU0d4v4a1XKlWxqUx16iTYCvsosnF
         Mo7g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:sender:from:to:cc:subject:date:message-id
         :in-reply-to:references:mime-version:content-transfer-encoding;
        bh=a8swiEXoojgR8fMVEpmKtUWFtMz5ImAG/VTZz39Zgtg=;
        b=X87PriTxCChj/TkUhDJr4aE+PHQusR2F4ehhhro6BdZc5SYUMwHjWUuCSK1tY1BEd7
         GEtuuXtKD9Db1y31IHETMUDBRRQny9Bq+8CoZXeFfl8e4QU+kXToVAnnqHrTCQ2ixDIO
         HvXo4+VYI0Pw2Xa0bBM73tTCOG6eD1vmsgzxHqD8OrvgJjwI+17qwUO+OHj8VDBTkCCK
         4RVwKbKbdUXavEkciY+gosUlmFzgA7H7cr259iTbG+HBuR2UKxpGted3TTLX873mLsbr
         lIjyLjYxMaH5sJyj3cb18H5JWn1ib9XEtL7iGv8ihZQLHat2kLIepfnH+EdLIiEZ/5ul
         Rc+g==
X-Gm-Message-State: AOAM530B/Jym56zUeVEmuQkH/0YbXn40Om9sSgzLwWEWqda400Am/sDL
        kt7aQzHmCCChtT5uZ2factg=
X-Google-Smtp-Source: ABdhPJx+0LW9W6RtSgFd704deVCu5AmHhWzYPMKR8HLuTdkfp5ILPOsf/i/FyG1u0yQsz5MqjeYppg==
X-Received: by 2002:a17:90b:1c81:: with SMTP id oo1mr19350534pjb.137.1639086435505;
        Thu, 09 Dec 2021 13:47:15 -0800 (PST)
Received: from localhost (2603-800c-1a02-1bae-e24f-43ff-fee6-449f.res6.spectrum.com. [2603:800c:1a02:1bae:e24f:43ff:fee6:449f])
        by smtp.gmail.com with ESMTPSA id h5sm673182pfc.113.2021.12.09.13.47.14
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 09 Dec 2021 13:47:15 -0800 (PST)
Sender: Tejun Heo <htejun@gmail.com>
From:   Tejun Heo <tj@kernel.org>
To:     torvalds@linuxfoundation.org, ebiederm@xmission.com,
        mkoutny@suse.com, axboe@kernel.dk, keescook@chromium.org,
        oleg@redhat.com, peterz@infradead.org, tglx@linutronix.de,
        jnewsome@torproject.org, legion@kernel.org, luto@amacapital.net,
        jannh@google.com
Cc:     linux-kernel@vger.kernel.org, security@kernel.org,
        kernel-team@fb.com, Tejun Heo <tj@kernel.org>
Subject: [PATCH 1/6] cgroup: Use open-time credentials for process migration perm checks
Date:   Thu,  9 Dec 2021 11:47:02 -1000
Message-Id: <20211209214707.805617-2-tj@kernel.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20211209214707.805617-1-tj@kernel.org>
References: <20211209214707.805617-1-tj@kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

cgroup process migration permission checks are performed at write time as
whether a given operation is allowed or not is dependent on the content of
the write - the PID. This currently uses current's credentials which is a
potential security weakness as it may allow scenarios where a less
privileged process tricks a more privileged one into writing into a fd that
it created.

This patch makes both cgroup2 and cgroup1 process migration interfaces use
the credentials saved at the time of open (file->f_cred) instead of
current's.

Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: "Eric W. Biederman" <ebiederm@xmission.com>
Suggested-by: Linus Torvalds <torvalds@linuxfoundation.org>
Cc: Michal Koutný <mkoutny@suse.com>
---
 kernel/cgroup/cgroup-v1.c | 7 ++++---
 kernel/cgroup/cgroup.c    | 9 ++++++++-
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/kernel/cgroup/cgroup-v1.c b/kernel/cgroup/cgroup-v1.c
index 81c9e0685948..0e7369103ba6 100644
--- a/kernel/cgroup/cgroup-v1.c
+++ b/kernel/cgroup/cgroup-v1.c
@@ -504,10 +504,11 @@ static ssize_t __cgroup1_procs_write(struct kernfs_open_file *of,
 		goto out_unlock;
 
 	/*
-	 * Even if we're attaching all tasks in the thread group, we only
-	 * need to check permissions on one of them.
+	 * Even if we're attaching all tasks in the thread group, we only need
+	 * to check permissions on one of them. Check permissions using the
+	 * credentials from file open to protect against inherited fd attacks.
 	 */
-	cred = current_cred();
+	cred = of->file->f_cred;
 	tcred = get_task_cred(task);
 	if (!uid_eq(cred->euid, GLOBAL_ROOT_UID) &&
 	    !uid_eq(cred->euid, tcred->uid) &&
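Review bot: the switch at `cred = of->file->f_cred;` needs no reference counting, because the open file pins f_cred for its own lifetime, whereas the neighbouring `tcred = get_task_cred(task);` still returns an owned reference that must be dropped on every exit path (not shown in this hunk); a sentence in the commit message calling out that `cred` is now borrowed while `tcred` is owned would keep a later edit from "balancing" the wrong pointer. The rewritten comment says "inherited fd attacks" without stating what is being prevented; suggest phrasing it as the commit message does ("a less privileged opener handing the fd to a more privileged writer"), so the intent survives in the source without the mail thread.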
diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
index 919194de39c8..2632e46da1d4 100644
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -4892,6 +4892,7 @@ static ssize_t __cgroup_procs_write(struct kernfs_open_file *of, char *buf,
 {
 	struct cgroup *src_cgrp, *dst_cgrp;
 	struct task_struct *task;
+	const struct cred *saved_cred;
 	ssize_t ret;
 	bool locked;
 
@@ -4909,9 +4910,15 @@ static ssize_t __cgroup_procs_write(struct kernfs_open_file *of, char *buf,
 	src_cgrp = task_cgroup_from_root(task, &cgrp_dfl_root);
 	spin_unlock_irq(&css_set_lock);
 
-	/* process and thread migrations follow same delegation rule */
+	/*
+	 * Process and thread migrations follow same delegation rule. Check
+	 * permissions using the credentials from file open to protect against
+	 * inherited fd attacks.
+	 */
+	saved_cred = override_creds(of->file->f_cred);
 	ret = cgroup_attach_permissions(src_cgrp, dst_cgrp,
 					of->file->f_path.dentry->d_sb, threadgroup);
+	revert_creds(saved_cred);
 	if (ret)
 		goto out_finish;
 
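Review bot: `saved_cred = override_creds(of->file->f_cred);` and `revert_creds(saved_cred);` bracket exactly one call, so every path out of the check, including `goto out_finish` on error, leaves the writer's own credentials restored; that is the right shape. It does differ from cgroup-v1.c in the same series, which passes f_cred directly instead of overriding current's creds. Suggest one commit-message sentence explaining why the override is needed here: `cgroup_attach_permissions(src_cgrp, dst_cgrp, of->file->f_path.dentry->d_sb, threadgroup)` takes no cred argument, so anything it (or code it calls) reads via current's credentials will, inside this window, observe the opener's credentials rather than the writer's. That is the intended effect, but it is worth stating explicitly, since the window now also covers any checks the callee performs beyond the uid comparison.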
-- 
2.34.1