[CRIU] [PATCH] security: check_ids - return true if [se]?[ug]id is the same as task id

Pavel Emelyanov xemul at parallels.com
Mon Jun 16 04:23:45 PDT 2014


On 06/16/2014 09:55 AM, Ruslan Kuprieiev wrote:
> And again sorry for necromailing=).
> 
> After a bit more thinking, here is what I figured out.
> 
> Current check if(crid == id && crid == eid && crid == sid) doesn't work 
> right.
> Andrew was able to show it in "[CRIU] RPC support for --shell-job 
> missing on restore"
> thread.
> I wasn't able to make it work only with crid available.
> 
> Andrew also suggested that we should be able to dump/restore task if we 
> are able to kill it. He also attached a function from the kernel:
> 
> static int kill_ok_by_cred(struct task_struct *t)
> {
>          const struct cred *cred = current_cred();
>          const struct cred *tcred = __task_cred(t);
> 
>          if (uid_eq(cred->euid, tcred->suid) ||
>              uid_eq(cred->euid, tcred->uid)  ||
>              uid_eq(cred->uid,  tcred->suid) ||
>              uid_eq(cred->uid,  tcred->uid))
>                  return 1;
> 
>          if (ns_capable(tcred->user_ns, CAP_KILL))
>                  return 1;
> 
>          return 0;
> }

Not sure this would work for us. If I'm user 12 and dump a task, then
edit its creds to have id == 12, suid == 0 and caps == <all>, then
I'm effectively allowed to restore a process with root caps.

This is bad.

AFAIU the problem we're trying to fix is called "we cannot dump and
restore the suid-ed process", isn't it?

> Maybe we should add gete(u/g)id,gets(u/g)id and use check from 
> kill_ok_by_cred?
> It looks easy to implement with cmdline usage of criu, but with service 
> we can't get all
> ids (id, eid, sid) through the socket. But, maybe we could parse 
> /proc/pid/status to get all of them?
> What do you all think about that?
