From patchwork Mon Sep 18 18:38:29 2017
X-Patchwork-Submitter: Eric Biggers
X-Patchwork-Id: 9957393
From: Eric Biggers
To: keyrings@vger.kernel.org
Cc: David Howells, Michael Halcrow, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Eric Biggers
Subject: [PATCH] KEYS: restrict /proc/keys by credentials at open time
Date: Mon, 18 Sep 2017 11:38:29 -0700
Message-Id: <20170918183829.114384-1-ebiggers3@gmail.com>

From: Eric Biggers

When checking for permission to view keys whilst reading from /proc/keys, we should use the credentials with which the /proc/keys file was opened. This is because, in a classic type of exploit, it can be possible to bypass checks for the *current* credentials by passing the file descriptor to a suid program.

Following commit 34dbbcdbf633 ("Make file credentials available to the seqfile interfaces") we can finally fix it. So let's do it.

Signed-off-by: Eric Biggers

--- security/keys/proc.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/security/keys/proc.c b/security/keys/proc.c index bf08d02b6646..de834309d100 100644 --- a/security/keys/proc.c +++ b/security/keys/proc.c @@ -187,7 +187,7 @@ static int proc_keys_show(struct seq_file *m, void *v) struct keyring_search_context ctx = { .index_key.type = key->type, .index_key.description = key->description, - .cred = current_cred(), + .cred = m->file->f_cred, .match_data.cmp = lookup_user_key_possessed, .match_data.raw_data = key, .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT, @@ -207,11 +207,7 @@ static int proc_keys_show(struct seq_file *m, void *v) } } - /* check whether the current task is allowed to view the key (assuming - * non-possession) - * - the caller holds a spinlock, and thus the RCU read lock, making our - * access to __current_cred() safe - */ + /* check whether the current task is allowed to view the key */ rc = key_task_permission(key_ref, ctx.cred, KEY_NEED_VIEW); if (rc < 0) return 0;
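Review bot: the new `.cred = m->file->f_cred,` initializer in the first hunk (proc_keys_show, @@ -187,7 +187,7 @@) has no comment saying why the opener's credentials are used instead of current_cred(), so the reason lives only in the commit message. A later cleanup could plausibly switch it back. Consider a one-line comment above the ctx initializer stating that the check must use the credentials /proc/keys was opened with, because the file descriptor may be handed to a more privileged reader. Since ctx.cred also feeds the lookup_user_key_possessed search set up in the same initializer, the comment could also note that possession is evaluated against the opener as well.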
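Review bot: the replacement comment in the second hunk (@@ -207,11 +207,7 @@), `/* check whether the current task is allowed to view the key */`, is inaccurate after this patch. The call below it passes ctx.cred, which the first hunk sets to m->file->f_cred, so the check is made against the opener of the file, not the current task. Suggest wording such as "check whether the opener of /proc/keys is allowed to view the key". Dropping the note about RCU making __current_cred() access safe looks right, since current credentials are no longer read here. The old comment also said "(assuming non-possession)"; if that qualifier is still true of the key_ref passed to key_task_permission(), it is worth keeping.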