
  1. // SPDX-License-Identifier: GPL-2.0-only
  2. /*
  3. * Yama Linux Security Module
  4. *
  5. * Author: Kees Cook <keescook@chromium.org>
  6. *
  7. * Copyright (C) 2010 Canonical, Ltd.
  8. * Copyright (C) 2011 The Chromium OS Authors.
  9. */
  10. #include <linux/lsm_hooks.h>
  11. #include <linux/sysctl.h>
  12. #include <linux/ptrace.h>
  13. #include <linux/prctl.h>
  14. #include <linux/ratelimit.h>
  15. #include <linux/workqueue.h>
  16. #include <linux/string_helpers.h>
  17. #include <linux/task_work.h>
  18. #include <linux/sched.h>
  19. #include <linux/spinlock.h>
  20. #include <uapi/linux/lsm.h>
/*
 * ptrace_scope levels, enforced in yama_ptrace_access_check() and
 * yama_ptrace_traceme() and exposed as the kernel.yama.ptrace_scope sysctl:
 *   DISABLED   - Yama adds no restriction of its own
 *   RELATIONAL - PTRACE_ATTACH only to a descendant, to a process that opted
 *                in via PR_SET_PTRACER, or with CAP_SYS_PTRACE in the
 *                target's user namespace; PTRACE_TRACEME is unrestricted
 *   CAPABILITY - attach and PTRACE_TRACEME both require CAP_SYS_PTRACE
 *   NO_ATTACH  - attach and PTRACE_TRACEME are always denied
 */
#define YAMA_SCOPE_DISABLED	0
#define YAMA_SCOPE_RELATIONAL	1
#define YAMA_SCOPE_CAPABILITY	2
#define YAMA_SCOPE_NO_ATTACH	3

/*
 * Current scope. Only written through the sysctl (yama_dointvec_minmax()),
 * which refuses to lower it again once it has reached max_scope.
 */
static int ptrace_scope = YAMA_SCOPE_RELATIONAL;
/*
 * Describe a ptrace relationship for a potential exception: @tracer (or any
 * task, when @tracer is NULL) may attach to @tracee's thread group.
 *
 * Entries live on ptracer_relations and are read under RCU. Linking,
 * replacing and unlinking nodes happens under ptracer_relations_lock;
 * @invalid is set under RCU alone by yama_ptracer_del().
 */
struct ptrace_relation {
	struct task_struct *tracer;	/* allowed tracer; NULL == PR_SET_PTRACER_ANY */
	struct task_struct *tracee;	/* thread group leader that opted in */
	bool invalid;			/* flagged for removal by yama_relation_cleanup() */
	struct list_head node;		/* link on ptracer_relations */
	struct rcu_head rcu;		/* deferred free via kfree_rcu() */
};
/* All registered exceptions: RCU-protected list, writers take the lock. */
static LIST_HEAD(ptracer_relations);
static DEFINE_SPINLOCK(ptracer_relations_lock);

/*
 * Entries flagged invalid are unlinked and freed later from a workqueue,
 * scheduled by yama_ptracer_del(), rather than at the point of invalidation.
 */
static void yama_relation_cleanup(struct work_struct *work);
static DECLARE_WORK(yama_relation_work, yama_relation_cleanup);
/*
 * A deferred denial report, queued by report_access() as task_work and
 * consumed (and freed) by __report_access().
 */
struct access_report_info {
	struct callback_head work;	/* task_work entry run as __report_access() */
	const char *access;		/* operation name: "attach" or "traceme" */
	struct task_struct *target;	/* task that would have been traced; ref held */
	struct task_struct *agent;	/* task that attempted the trace; ref held */
};
/*
 * Deferred half of report_access(): runs as task_work on the task that was
 * denied, where it is safe to read a cmdline (that access can sleep). Emits
 * a single rate-limited notice, then releases the task references and the
 * request allocated by report_access().
 */
static void __report_access(struct callback_head *work)
{
	struct access_report_info *report =
		container_of(work, struct access_report_info, work);
	pid_t tgt_pid = report->target->pid;
	pid_t who_pid = report->agent->pid;
	char *tgt_name, *who_name;

	/* Both may come back NULL on allocation failure; %s tolerates that. */
	tgt_name = kstrdup_quotable_cmdline(report->target, GFP_KERNEL);
	who_name = kstrdup_quotable_cmdline(report->agent, GFP_KERNEL);

	pr_notice_ratelimited(
		"ptrace %s of \"%s\"[%d] was attempted by \"%s\"[%d]\n",
		report->access, tgt_name, tgt_pid, who_name, who_pid);

	kfree(who_name);
	kfree(tgt_name);

	/* Drop the references report_access() took, then the request itself. */
	put_task_struct(report->agent);
	put_task_struct(report->target);
	kfree(report);
}
/*
 * Log a denied ptrace operation as "<access> of <target> by <agent>".
 *
 * @access: operation name ("attach" or "traceme")
 * @target: task that would have been traced; caller holds target->alloc_lock
 * @agent:  task that attempted to trace it
 *
 * The full message needs each task's cmdline, and reading a cmdline can
 * sleep, so the report is normally deferred to a task_work callback on the
 * current task and both tasks are pinned with references until it runs.
 * Kernel threads get an immediate, comm-based notice instead. If the
 * request cannot be allocated the report is silently dropped.
 */
static void report_access(const char *access, struct task_struct *target,
			  struct task_struct *agent)
{
	struct access_report_info *req;

	assert_spin_locked(&target->alloc_lock); /* for target->comm */

	if (current->flags & PF_KTHREAD) {
		/* I don't think kthreads call task_work_run() before exiting.
		 * Imagine angry ranting about procfs here.
		 */
		pr_notice_ratelimited(
			"ptrace %s of \"%s\"[%d] was attempted by \"%s\"[%d]\n",
			access, target->comm, target->pid, agent->comm, agent->pid);
		return;
	}

	/* GFP_ATOMIC: a spinlock (target->alloc_lock) is held here. */
	req = kmalloc_obj(*req, GFP_ATOMIC);
	if (!req)
		return;

	/* Pin both tasks until __report_access() has printed them. */
	get_task_struct(target);
	get_task_struct(agent);

	req->access = access;
	req->target = target;
	req->agent = agent;
	init_task_work(&req->work, __report_access);

	if (task_work_add(current, &req->work, TWA_RESUME) != 0) {
		/* Only fails for a task that is already exiting; undo the pins. */
		WARN(1, "report_access called from exiting task");
		put_task_struct(target);
		put_task_struct(agent);
		kfree(req);
	}
}
/**
 * yama_relation_cleanup - remove invalid entries from the relation list
 * @work: unused
 *
 * Runs from the workqueue scheduled by yama_ptracer_del(). That path only
 * flags entries @invalid; this is the only place such entries are unlinked
 * and freed.
 */
static void yama_relation_cleanup(struct work_struct *work)
{
	struct ptrace_relation *relation;

	/* Lock excludes concurrent list writers (yama_ptracer_add()). */
	spin_lock(&ptracer_relations_lock);
	rcu_read_lock();
	list_for_each_entry_rcu(relation, &ptracer_relations, node) {
		if (relation->invalid) {
			/* Unlink now; free once current RCU readers are done. */
			list_del_rcu(&relation->node);
			kfree_rcu(relation, rcu);
		}
	}
	rcu_read_unlock();
	spin_unlock(&ptracer_relations_lock);
}
/**
 * yama_ptracer_add - add/replace an exception for this tracer/tracee pair
 * @tracer: the task_struct of the process doing the ptrace; NULL allows any
 *          tracer (PR_SET_PTRACER_ANY)
 * @tracee: the task_struct of the process to be ptraced
 *
 * Each tracee can have, at most, one tracer registered. Each time this
 * is called, the prior registered tracer will be replaced for the tracee.
 *
 * Returns 0 if relationship was added, -ve on error.
 */
static int yama_ptracer_add(struct task_struct *tracer,
			    struct task_struct *tracee)
{
	struct ptrace_relation *relation, *added;

	/*
	 * Allocate before taking the spinlock so the allocation may sleep.
	 * No GFP flags are passed; presumably the helper defaults to
	 * GFP_KERNEL - confirm against kmalloc_obj().
	 */
	added = kmalloc_obj(*added);
	if (!added)
		return -ENOMEM;

	added->tracee = tracee;
	added->tracer = tracer;
	added->invalid = false;

	spin_lock(&ptracer_relations_lock);
	rcu_read_lock();
	list_for_each_entry_rcu(relation, &ptracer_relations, node) {
		/* Entries awaiting cleanup are not "registered" any more. */
		if (relation->invalid)
			continue;
		if (relation->tracee == tracee) {
			/* Swap the node in place; old entry freed after grace period. */
			list_replace_rcu(&relation->node, &added->node);
			kfree_rcu(relation, rcu);
			goto out;
		}
	}

	list_add_rcu(&added->node, &ptracer_relations);

out:
	rcu_read_unlock();
	spin_unlock(&ptracer_relations_lock);

	return 0;
}
/**
 * yama_ptracer_del - remove exceptions related to the given tasks
 * @tracer: remove any relation where tracer task matches; NULL matches on
 *          @tracee alone
 * @tracee: remove any relation where tracee task matches
 *
 * Matching entries are only flagged @invalid here, under RCU and without
 * taking ptracer_relations_lock; unlinking and freeing is deferred to
 * yama_relation_cleanup() through yama_relation_work. Readers skip invalid
 * entries, so the exception stops applying as soon as the flag is set.
 */
static void yama_ptracer_del(struct task_struct *tracer,
			     struct task_struct *tracee)
{
	struct ptrace_relation *relation;
	bool marked = false;

	rcu_read_lock();
	list_for_each_entry_rcu(relation, &ptracer_relations, node) {
		if (relation->invalid)
			continue;
		if (relation->tracee == tracee ||
		    (tracer && relation->tracer == tracer)) {
			relation->invalid = true;
			marked = true;
		}
	}
	rcu_read_unlock();

	/* Only schedule the cleanup when there is something to reap. */
	if (marked)
		schedule_work(&yama_relation_work);
}
/**
 * yama_task_free - drop exceptions that name a task being freed
 * @task: task being removed
 *
 * A task that is going away can be neither tracer nor tracee, so every
 * exception naming it in either role is invalidated.
 */
static void yama_task_free(struct task_struct *task)
{
	/* Same task on both sides: match as tracer *or* as tracee. */
	yama_ptracer_del(/* tracer */ task, /* tracee */ task);
}
/*
 * yama_prctl_set_ptracer - apply PR_SET_PTRACER for the calling process
 * @arg2: 0 clears any exception; PR_SET_PTRACER_ANY (or -1 as an int)
 *        allows any tracer; otherwise the pid of the tracer to allow
 *
 * Since a thread can call prctl(), the group leader is looked up before
 * calling _add() or _del() on it, because control is at process-level
 * granularity. The tracer's group leader is handled later, when walking
 * the ancestry at PTRACE_ATTACH time (see ptracer_exception_found()).
 *
 * Returns 0 on success, -EINVAL if @arg2 does not resolve to a task, or
 * whatever yama_ptracer_add() returns (-ENOMEM on allocation failure).
 */
static int yama_prctl_set_ptracer(unsigned long arg2)
{
	struct task_struct *myself = current->group_leader;
	struct task_struct *tracer;
	int rc;

	if (arg2 == 0) {
		yama_ptracer_del(NULL, myself);
		return 0;
	}

	if (arg2 == PR_SET_PTRACER_ANY || (int)arg2 == -1)
		return yama_ptracer_add(NULL, myself);

	/* find_get_task_by_vpid() takes a reference; drop it once recorded. */
	tracer = find_get_task_by_vpid(arg2);
	if (!tracer)
		return -EINVAL;
	rc = yama_ptracer_add(tracer, myself);
	put_task_struct(tracer);

	return rc;
}

/**
 * yama_task_prctl - check for Yama-specific prctl operations
 * @option: operation
 * @arg2: argument
 * @arg3: argument (unused)
 * @arg4: argument (unused)
 * @arg5: argument (unused)
 *
 * Return 0 on success, -ve on error. -ENOSYS is returned when Yama
 * does not handle the given option; PR_SET_PTRACER is the only one it does.
 */
static int yama_task_prctl(int option, unsigned long arg2, unsigned long arg3,
			   unsigned long arg4, unsigned long arg5)
{
	if (option != PR_SET_PTRACER)
		return -ENOSYS;

	return yama_prctl_set_ptracer(arg2);
}
/**
 * task_is_descendant - walk up a process family tree looking for a match
 * @parent: the process to compare against while walking up from child
 * @child: the process to start from while looking upwards for parent
 *
 * Both sides are compared at thread-group granularity. The walk starts at
 * @child itself, so a task is considered its own descendant, and it stops
 * at the first task with pid 0.
 *
 * Returns 1 if child is a descendant of parent, 0 if not (or if either
 * argument is NULL).
 */
static int task_is_descendant(struct task_struct *parent,
			      struct task_struct *child)
{
	struct task_struct *walker;
	int found = 0;

	if (!parent || !child)
		return 0;

	rcu_read_lock();

	/* Normalise the target to its leader; the walker is normalised per step. */
	if (!thread_group_leader(parent))
		parent = rcu_dereference(parent->group_leader);

	for (walker = child; walker->pid > 0;
	     walker = rcu_dereference(walker->real_parent)) {
		if (!thread_group_leader(walker))
			walker = rcu_dereference(walker->group_leader);
		if (walker == parent) {
			found = 1;
			break;
		}
	}

	rcu_read_unlock();

	return found;
}
/**
 * ptracer_exception_found - tracer registered as exception for this tracee
 * @tracer: the task_struct of the process attempting ptrace
 * @tracee: the task_struct of the process to be ptraced
 *
 * Two cases count as an exception: @tracer's thread group is already the
 * active ptrace parent of @tracee, or @tracee's thread group registered a
 * PR_SET_PTRACER exception that names @tracer, one of @tracer's ancestors,
 * or "any" (a NULL tracer).
 *
 * Returns 1 if tracer has a ptracer exception ancestor for tracee.
 */
static int ptracer_exception_found(struct task_struct *tracer,
				   struct task_struct *tracee)
{
	int rc = 0;
	struct ptrace_relation *relation;
	struct task_struct *parent = NULL;
	bool found = false;

	rcu_read_lock();

	/*
	 * If there's already an active tracing relationship, then make an
	 * exception for the sake of other accesses, like process_vm_rw().
	 */
	parent = ptrace_parent(tracee);
	if (parent != NULL && same_thread_group(parent, tracer)) {
		rc = 1;
		goto unlock;
	}

	/* Look for a PR_SET_PTRACER relationship. */
	/* Exceptions are keyed on the group leader (see yama_task_prctl()). */
	if (!thread_group_leader(tracee))
		tracee = rcu_dereference(tracee->group_leader);
	list_for_each_entry_rcu(relation, &ptracer_relations, node) {
		/* Entries flagged by yama_ptracer_del() no longer apply. */
		if (relation->invalid)
			continue;
		if (relation->tracee == tracee) {
			parent = relation->tracer;
			found = true;
			break;
		}
	}

	/* A NULL tracer is PR_SET_PTRACER_ANY; otherwise the tracer (or an ancestor) must match. */
	if (found && (parent == NULL || task_is_descendant(parent, tracer)))
		rc = 1;

unlock:
	rcu_read_unlock();

	return rc;
}
/*
 * yama_attach_allowed - apply the current ptrace_scope to an attach attempt
 * @child: task that current is attempting to ptrace
 *
 * Returns 0 if the attach passes Yama's scope check, -EPERM otherwise.
 * Capability checks are made against @child's user namespace.
 */
static int yama_attach_allowed(struct task_struct *child)
{
	int rc = 0;

	switch (ptrace_scope) {
	case YAMA_SCOPE_DISABLED:
		/* No additional restrictions. */
		break;
	case YAMA_SCOPE_RELATIONAL:
		/* Target must be alive and a descendant, an opted-in exception,
		 * or current must hold CAP_SYS_PTRACE over it. */
		rcu_read_lock();
		if (!pid_alive(child))
			rc = -EPERM;
		else if (!task_is_descendant(current, child) &&
			 !ptracer_exception_found(current, child) &&
			 !ns_capable(__task_cred(child)->user_ns, CAP_SYS_PTRACE))
			rc = -EPERM;
		rcu_read_unlock();
		break;
	case YAMA_SCOPE_CAPABILITY:
		rcu_read_lock();
		if (!ns_capable(__task_cred(child)->user_ns, CAP_SYS_PTRACE))
			rc = -EPERM;
		rcu_read_unlock();
		break;
	case YAMA_SCOPE_NO_ATTACH:
	default:
		/* Unknown scope values fail closed. */
		rc = -EPERM;
		break;
	}

	return rc;
}

/**
 * yama_ptrace_access_check - validate PTRACE_ATTACH calls
 * @child: task that current task is attempting to ptrace
 * @mode: ptrace attach mode
 *
 * Only PTRACE_MODE_ATTACH accesses are subject to ptrace_scope. A denial is
 * reported unless the caller asked for PTRACE_MODE_NOAUDIT. report_access()
 * expects child->alloc_lock to be held; it is not taken here, so presumably
 * the ptrace core holds it around this hook - confirm against the caller.
 *
 * Returns 0 if following the ptrace is allowed, -ve on error.
 */
static int yama_ptrace_access_check(struct task_struct *child,
				    unsigned int mode)
{
	int rc = 0;

	/* require ptrace target be a child of ptracer on attach */
	if (mode & PTRACE_MODE_ATTACH)
		rc = yama_attach_allowed(child);

	if (rc && !(mode & PTRACE_MODE_NOAUDIT))
		report_access("attach", child, current);

	return rc;
}
/**
 * yama_ptrace_traceme - validate PTRACE_TRACEME calls
 * @parent: task that will become the ptracer of the current task
 *
 * Here the current task asks to be traced by @parent, so the relational
 * scope does not apply; only CAPABILITY and NO_ATTACH restrict it. The
 * capability is checked on @parent in the caller's user namespace.
 *
 * Returns 0 if following the ptrace is allowed, -ve on error.
 */
static int yama_ptrace_traceme(struct task_struct *parent)
{
	int denied = 0;

	switch (ptrace_scope) {
	case YAMA_SCOPE_CAPABILITY:
		if (!has_ns_capability(parent, current_user_ns(), CAP_SYS_PTRACE))
			denied = -EPERM;
		break;
	case YAMA_SCOPE_NO_ATTACH:
		denied = -EPERM;
		break;
	default:
		/* DISABLED and RELATIONAL leave PTRACE_TRACEME alone. */
		break;
	}

	if (denied) {
		/* report_access() requires the target's alloc_lock for ->comm. */
		task_lock(current);
		report_access("traceme", current, parent);
		task_unlock(current);
	}

	return denied;
}
/* Identity handed to the LSM core with the hooks and in DEFINE_LSM(). */
static const struct lsm_id yama_lsmid = {
	.name = "yama",
	.id = LSM_ID_YAMA,
};
/*
 * Hooks Yama installs: the two ptrace policy checks, the PR_SET_PTRACER
 * prctl, and task_free so exceptions never outlive the tasks they name.
 */
static struct security_hook_list yama_hooks[] __ro_after_init = {
	LSM_HOOK_INIT(ptrace_access_check, yama_ptrace_access_check),
	LSM_HOOK_INIT(ptrace_traceme, yama_ptrace_traceme),
	LSM_HOOK_INIT(task_prctl, yama_task_prctl),
	LSM_HOOK_INIT(task_free, yama_task_free),
};
  374. #ifdef CONFIG_SYSCTL
/*
 * yama_dointvec_minmax - proc handler for kernel.yama.ptrace_scope
 *
 * Writes require CAP_SYS_PTRACE (capable(), i.e. in the initial user
 * namespace). Once the value equals its maximum (extra2), the minimum is
 * pinned to the maximum on a private copy of the table, so the scope can
 * never be lowered again for the lifetime of the boot.
 */
static int yama_dointvec_minmax(const struct ctl_table *table, int write,
				void *buffer, size_t *lenp, loff_t *ppos)
{
	struct ctl_table tbl;
	const int *cur, *max;

	if (write && !capable(CAP_SYS_PTRACE))
		return -EPERM;

	/* Work on a copy; the registered table itself is const. */
	tbl = *table;
	cur = tbl.data;
	max = tbl.extra2;

	/* Lock the max value if it ever gets set. */
	if (*cur == *max)
		tbl.extra1 = tbl.extra2;

	return proc_dointvec_minmax(&tbl, write, buffer, lenp, ppos);
}
/* Upper bound for the sysctl (extra2); reaching it locks the scope for good. */
static int max_scope = YAMA_SCOPE_NO_ATTACH;
/*
 * kernel.yama.ptrace_scope: world-readable, root-writable at the VFS level,
 * with the extra CAP_SYS_PTRACE and lock-at-max rules in yama_dointvec_minmax().
 */
static const struct ctl_table yama_sysctl_table[] = {
	{
		.procname       = "ptrace_scope",
		.data           = &ptrace_scope,
		.maxlen         = sizeof(int),
		.mode           = 0644,
		.proc_handler   = yama_dointvec_minmax,
		.extra1         = SYSCTL_ZERO,	/* minimum: YAMA_SCOPE_DISABLED */
		.extra2         = &max_scope,	/* maximum: YAMA_SCOPE_NO_ATTACH */
	},
};
/* Publish the table under /proc/sys/kernel/yama/; registration failure is fatal. */
static void __init yama_init_sysctl(void)
{
	struct ctl_table_header *hdr;

	hdr = register_sysctl("kernel/yama", yama_sysctl_table);
	if (hdr == NULL)
		panic("Yama: sysctl registration failed.\n");
}
  404. #else
/* Without CONFIG_SYSCTL there is no runtime knob; ptrace_scope keeps its default. */
static inline void yama_init_sysctl(void) { }
  406. #endif /* CONFIG_SYSCTL */
/*
 * Register Yama's hooks with the LSM core and, when built in, its sysctl.
 * Invoked once at boot through DEFINE_LSM(yama); cannot fail.
 */
static int __init yama_init(void)
{
	const unsigned int nhooks = ARRAY_SIZE(yama_hooks);

	pr_info("Yama: becoming mindful.\n");
	security_add_hooks(yama_hooks, nhooks, &yama_lsmid);
	yama_init_sysctl();

	return 0;
}
/* Boot-time registration of the module with the LSM framework. */
DEFINE_LSM(yama) = {
	.id = &yama_lsmid,
	.init = yama_init,
};