From patchwork Mon Jul 29 12:58:46 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= X-Patchwork-Id: 13744871 Received: from smtp-bc09.mail.infomaniak.ch (smtp-bc09.mail.infomaniak.ch [45.157.188.9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D436414901B for ; Mon, 29 Jul 2024 12:59:11 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=45.157.188.9 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1722257955; cv=none; b=MYLBJiwI1vFbPRgJYevks0N5fOWN6QENjwhfesmGrSvUlZypd1GxBYJSFN70MxkWbmSOF1Iu4iGi6Gz7QXRL4uPLWrSIVfgrPgneow29MKxlDBUwrM5jgkEVwGBljbBsHiAin+2a0QMzZVajwyR7iu/YLif6vEfYgCXfjS38HtM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1722257955; c=relaxed/simple; bh=XKlc+8CoEMY68SA5HD1dhDI2QZ6bqbXTxL8bJTXP9hQ=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version:Content-Type; b=FX7mRJg0zdY7fI2vbNHXzkv+KuRUXCQkA+PHK2m1GsoDTYUjLmfmwKvUbqCggM3PvaquW72vLkJcuxh9/daRw08d6Z+yWEJhaD5GFHb017DZ+6aFJHf/cX++V/4lhmC3764mYYjJ0pynTG2Uou1dYNIT4ks79zQ8pqn0Y75ycGU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net; spf=pass smtp.mailfrom=digikod.net; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b=AhqHR+ii; arc=none smtp.client-ip=45.157.188.9 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=digikod.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b="AhqHR+ii" Received: from smtp-4-0001.mail.infomaniak.ch (smtp-4-0001.mail.infomaniak.ch [10.7.10.108]) by smtp-4-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4WXdj422JYzVL3; Mon, 29 Jul 2024 14:59:04 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digikod.net; s=20191114; t=1722257944; bh=8o4uEwOWvS/IvVBdL4/r7RNFUAox5TLdYs6gG1vGhNw=; h=From:To:Cc:Subject:Date:From; b=AhqHR+iibp0LjZzsZbjZq375eAvCBEWiV3MnaYwIGbug0amZd59JD84Ntcj6rtjQz qSVEnep2nrA3Itccm29AHZr44fbnQnQmNT3yaX/sJYAn8T0/3+XodIcOCXff76icHI zmY+6iczo5/F5ewctOx87Bz8GUrfW+gk8t2XAr3A= Received: from unknown by smtp-4-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 4WXdj33Z78zB8T; Mon, 29 Jul 2024 14:59:03 +0200 (CEST) From: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= To: David Howells , Jarkko Sakkinen Cc: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , =?utf-8?q?G?= =?utf-8?q?=C3=BCnther_Noack?= , James Morris , Jann Horn , Kees Cook , Paul Moore , keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v1] keys: Restrict KEYCTL_SESSION_TO_PARENT according to ptrace_may_access() Date: Mon, 29 Jul 2024 14:58:46 +0200 Message-ID: <20240729125846.1043211-1-mic@digikod.net> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Infomaniak-Routing: alpha A process can modify its parent's credentials with KEYCTL_SESSION_TO_PARENT when their EUID and EGID are the same. This doesn't take into account all possible access controls. Enforce the same access checks as for impersonating a process. The current credentials checks are untouch because they check against EUID and EGID, whereas ptrace_may_access() checks against UID and GID. Cc: David Howells Cc: Günther Noack Cc: James Morris Cc: Jann Horn Cc: Jarkko Sakkinen Cc: Kees Cook Cc: Paul Moore Fixes: ee18d64c1f63 ("KEYS: Add a keyctl to install a process's session keyring on its parent [try #6]") Signed-off-by: Mickaël Salaün Link: https://lore.kernel.org/r/20240729125846.1043211-1-mic@digikod.net --- security/keys/keyctl.c | 5 +++++ 1 file changed, 5 insertions(+) base-commit: 8400291e289ee6b2bf9779ff1c83a291501f017b diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c index ab927a142f51..511bf79fa14c 100644 --- a/security/keys/keyctl.c +++ b/security/keys/keyctl.c @@ -21,6 +21,7 @@ #include #include #include +#include #include #include "internal.h" @@ -1687,6 +1688,10 @@ long keyctl_session_to_parent(void) !gid_eq(pcred->sgid, mycred->egid)) goto unlock; + /* The child must be allowed to impersonate its parent process. */ + if (!ptrace_may_access(parent, PTRACE_MODE_ATTACH_REALCREDS)) + goto unlock; + /* the keyrings must have the same UID */ if ((pcred->session_keyring && !uid_eq(pcred->session_keyring->uid, mycred->euid)) ||