xref: /linux/security/yama/yama_lsm.c (revision 2d7f3d1a5866705be2393150e1ffdf67030ab88d)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * Yama Linux Security Module
4  *
5  * Author: Kees Cook <keescook@chromium.org>
6  *
7  * Copyright (C) 2010 Canonical, Ltd.
8  * Copyright (C) 2011 The Chromium OS Authors.
9  */
10 
11 #include <linux/lsm_hooks.h>
12 #include <linux/sysctl.h>
13 #include <linux/ptrace.h>
14 #include <linux/prctl.h>
15 #include <linux/ratelimit.h>
16 #include <linux/workqueue.h>
17 #include <linux/string_helpers.h>
18 #include <linux/task_work.h>
19 #include <linux/sched.h>
20 #include <linux/spinlock.h>
21 #include <uapi/linux/lsm.h>
22 
23 #define YAMA_SCOPE_DISABLED	0
24 #define YAMA_SCOPE_RELATIONAL	1
25 #define YAMA_SCOPE_CAPABILITY	2
26 #define YAMA_SCOPE_NO_ATTACH	3
27 
28 static int ptrace_scope = YAMA_SCOPE_RELATIONAL;
29 
30 /* describe a ptrace relationship for potential exception */
31 struct ptrace_relation {
32 	struct task_struct *tracer;
33 	struct task_struct *tracee;
34 	bool invalid;
35 	struct list_head node;
36 	struct rcu_head rcu;
37 };
38 
39 static LIST_HEAD(ptracer_relations);
40 static DEFINE_SPINLOCK(ptracer_relations_lock);
41 
42 static void yama_relation_cleanup(struct work_struct *work);
43 static DECLARE_WORK(yama_relation_work, yama_relation_cleanup);
44 
45 struct access_report_info {
46 	struct callback_head work;
47 	const char *access;
48 	struct task_struct *target;
49 	struct task_struct *agent;
50 };
51 
52 static void __report_access(struct callback_head *work)
53 {
54 	struct access_report_info *info =
55 		container_of(work, struct access_report_info, work);
56 	char *target_cmd, *agent_cmd;
57 
58 	target_cmd = kstrdup_quotable_cmdline(info->target, GFP_KERNEL);
59 	agent_cmd = kstrdup_quotable_cmdline(info->agent, GFP_KERNEL);
60 
61 	pr_notice_ratelimited(
62 		"ptrace %s of \"%s\"[%d] was attempted by \"%s\"[%d]\n",
63 		info->access, target_cmd, info->target->pid, agent_cmd,
64 		info->agent->pid);
65 
66 	kfree(agent_cmd);
67 	kfree(target_cmd);
68 
69 	put_task_struct(info->agent);
70 	put_task_struct(info->target);
71 	kfree(info);
72 }
73 
74 /* defers execution because cmdline access can sleep */
75 static void report_access(const char *access, struct task_struct *target,
76 				struct task_struct *agent)
77 {
78 	struct access_report_info *info;
79 	char agent_comm[sizeof(agent->comm)];
80 
81 	assert_spin_locked(&target->alloc_lock); /* for target->comm */
82 
83 	if (current->flags & PF_KTHREAD) {
84 		/* I don't think kthreads call task_work_run() before exiting.
85 		 * Imagine angry ranting about procfs here.
86 		 */
87 		pr_notice_ratelimited(
88 		    "ptrace %s of \"%s\"[%d] was attempted by \"%s\"[%d]\n",
89 		    access, target->comm, target->pid,
90 		    get_task_comm(agent_comm, agent), agent->pid);
91 		return;
92 	}
93 
94 	info = kmalloc(sizeof(*info), GFP_ATOMIC);
95 	if (!info)
96 		return;
97 	init_task_work(&info->work, __report_access);
98 	get_task_struct(target);
99 	get_task_struct(agent);
100 	info->access = access;
101 	info->target = target;
102 	info->agent = agent;
103 	if (task_work_add(current, &info->work, TWA_RESUME) == 0)
104 		return; /* success */
105 
106 	WARN(1, "report_access called from exiting task");
107 	put_task_struct(target);
108 	put_task_struct(agent);
109 	kfree(info);
110 }
111 
112 /**
113  * yama_relation_cleanup - remove invalid entries from the relation list
114  *
115  */
116 static void yama_relation_cleanup(struct work_struct *work)
117 {
118 	struct ptrace_relation *relation;
119 
120 	spin_lock(&ptracer_relations_lock);
121 	rcu_read_lock();
122 	list_for_each_entry_rcu(relation, &ptracer_relations, node) {
123 		if (relation->invalid) {
124 			list_del_rcu(&relation->node);
125 			kfree_rcu(relation, rcu);
126 		}
127 	}
128 	rcu_read_unlock();
129 	spin_unlock(&ptracer_relations_lock);
130 }
131 
132 /**
133  * yama_ptracer_add - add/replace an exception for this tracer/tracee pair
134  * @tracer: the task_struct of the process doing the ptrace
135  * @tracee: the task_struct of the process to be ptraced
136  *
137  * Each tracee can have, at most, one tracer registered. Each time this
138  * is called, the prior registered tracer will be replaced for the tracee.
139  *
140  * Returns 0 if relationship was added, -ve on error.
141  */
142 static int yama_ptracer_add(struct task_struct *tracer,
143 			    struct task_struct *tracee)
144 {
145 	struct ptrace_relation *relation, *added;
146 
147 	added = kmalloc(sizeof(*added), GFP_KERNEL);
148 	if (!added)
149 		return -ENOMEM;
150 
151 	added->tracee = tracee;
152 	added->tracer = tracer;
153 	added->invalid = false;
154 
155 	spin_lock(&ptracer_relations_lock);
156 	rcu_read_lock();
157 	list_for_each_entry_rcu(relation, &ptracer_relations, node) {
158 		if (relation->invalid)
159 			continue;
160 		if (relation->tracee == tracee) {
161 			list_replace_rcu(&relation->node, &added->node);
162 			kfree_rcu(relation, rcu);
163 			goto out;
164 		}
165 	}
166 
167 	list_add_rcu(&added->node, &ptracer_relations);
168 
169 out:
170 	rcu_read_unlock();
171 	spin_unlock(&ptracer_relations_lock);
172 	return 0;
173 }
174 
175 /**
176  * yama_ptracer_del - remove exceptions related to the given tasks
177  * @tracer: remove any relation where tracer task matches
178  * @tracee: remove any relation where tracee task matches
179  */
180 static void yama_ptracer_del(struct task_struct *tracer,
181 			     struct task_struct *tracee)
182 {
183 	struct ptrace_relation *relation;
184 	bool marked = false;
185 
186 	rcu_read_lock();
187 	list_for_each_entry_rcu(relation, &ptracer_relations, node) {
188 		if (relation->invalid)
189 			continue;
190 		if (relation->tracee == tracee ||
191 		    (tracer && relation->tracer == tracer)) {
192 			relation->invalid = true;
193 			marked = true;
194 		}
195 	}
196 	rcu_read_unlock();
197 
198 	if (marked)
199 		schedule_work(&yama_relation_work);
200 }
201 
202 /**
203  * yama_task_free - check for task_pid to remove from exception list
204  * @task: task being removed
205  */
206 static void yama_task_free(struct task_struct *task)
207 {
208 	yama_ptracer_del(task, task);
209 }
210 
211 /**
212  * yama_task_prctl - check for Yama-specific prctl operations
213  * @option: operation
214  * @arg2: argument
215  * @arg3: argument
216  * @arg4: argument
217  * @arg5: argument
218  *
219  * Return 0 on success, -ve on error.  -ENOSYS is returned when Yama
220  * does not handle the given option.
221  */
222 static int yama_task_prctl(int option, unsigned long arg2, unsigned long arg3,
223 			   unsigned long arg4, unsigned long arg5)
224 {
225 	int rc = -ENOSYS;
226 	struct task_struct *myself = current;
227 
228 	switch (option) {
229 	case PR_SET_PTRACER:
230 		/* Since a thread can call prctl(), find the group leader
231 		 * before calling _add() or _del() on it, since we want
232 		 * process-level granularity of control. The tracer group
233 		 * leader checking is handled later when walking the ancestry
234 		 * at the time of PTRACE_ATTACH check.
235 		 */
236 		rcu_read_lock();
237 		if (!thread_group_leader(myself))
238 			myself = rcu_dereference(myself->group_leader);
239 		get_task_struct(myself);
240 		rcu_read_unlock();
241 
242 		if (arg2 == 0) {
243 			yama_ptracer_del(NULL, myself);
244 			rc = 0;
245 		} else if (arg2 == PR_SET_PTRACER_ANY || (int)arg2 == -1) {
246 			rc = yama_ptracer_add(NULL, myself);
247 		} else {
248 			struct task_struct *tracer;
249 
250 			tracer = find_get_task_by_vpid(arg2);
251 			if (!tracer) {
252 				rc = -EINVAL;
253 			} else {
254 				rc = yama_ptracer_add(tracer, myself);
255 				put_task_struct(tracer);
256 			}
257 		}
258 
259 		put_task_struct(myself);
260 		break;
261 	}
262 
263 	return rc;
264 }
265 
266 /**
267  * task_is_descendant - walk up a process family tree looking for a match
268  * @parent: the process to compare against while walking up from child
269  * @child: the process to start from while looking upwards for parent
270  *
271  * Returns 1 if child is a descendant of parent, 0 if not.
272  */
273 static int task_is_descendant(struct task_struct *parent,
274 			      struct task_struct *child)
275 {
276 	int rc = 0;
277 	struct task_struct *walker = child;
278 
279 	if (!parent || !child)
280 		return 0;
281 
282 	rcu_read_lock();
283 	if (!thread_group_leader(parent))
284 		parent = rcu_dereference(parent->group_leader);
285 	while (walker->pid > 0) {
286 		if (!thread_group_leader(walker))
287 			walker = rcu_dereference(walker->group_leader);
288 		if (walker == parent) {
289 			rc = 1;
290 			break;
291 		}
292 		walker = rcu_dereference(walker->real_parent);
293 	}
294 	rcu_read_unlock();
295 
296 	return rc;
297 }
298 
299 /**
300  * ptracer_exception_found - tracer registered as exception for this tracee
301  * @tracer: the task_struct of the process attempting ptrace
302  * @tracee: the task_struct of the process to be ptraced
303  *
304  * Returns 1 if tracer has a ptracer exception ancestor for tracee.
305  */
306 static int ptracer_exception_found(struct task_struct *tracer,
307 				   struct task_struct *tracee)
308 {
309 	int rc = 0;
310 	struct ptrace_relation *relation;
311 	struct task_struct *parent = NULL;
312 	bool found = false;
313 
314 	rcu_read_lock();
315 
316 	/*
317 	 * If there's already an active tracing relationship, then make an
318 	 * exception for the sake of other accesses, like process_vm_rw().
319 	 */
320 	parent = ptrace_parent(tracee);
321 	if (parent != NULL && same_thread_group(parent, tracer)) {
322 		rc = 1;
323 		goto unlock;
324 	}
325 
326 	/* Look for a PR_SET_PTRACER relationship. */
327 	if (!thread_group_leader(tracee))
328 		tracee = rcu_dereference(tracee->group_leader);
329 	list_for_each_entry_rcu(relation, &ptracer_relations, node) {
330 		if (relation->invalid)
331 			continue;
332 		if (relation->tracee == tracee) {
333 			parent = relation->tracer;
334 			found = true;
335 			break;
336 		}
337 	}
338 
339 	if (found && (parent == NULL || task_is_descendant(parent, tracer)))
340 		rc = 1;
341 
342 unlock:
343 	rcu_read_unlock();
344 
345 	return rc;
346 }
347 
348 /**
349  * yama_ptrace_access_check - validate PTRACE_ATTACH calls
350  * @child: task that current task is attempting to ptrace
351  * @mode: ptrace attach mode
352  *
353  * Returns 0 if following the ptrace is allowed, -ve on error.
354  */
355 static int yama_ptrace_access_check(struct task_struct *child,
356 				    unsigned int mode)
357 {
358 	int rc = 0;
359 
360 	/* require ptrace target be a child of ptracer on attach */
361 	if (mode & PTRACE_MODE_ATTACH) {
362 		switch (ptrace_scope) {
363 		case YAMA_SCOPE_DISABLED:
364 			/* No additional restrictions. */
365 			break;
366 		case YAMA_SCOPE_RELATIONAL:
367 			rcu_read_lock();
368 			if (!pid_alive(child))
369 				rc = -EPERM;
370 			if (!rc && !task_is_descendant(current, child) &&
371 			    !ptracer_exception_found(current, child) &&
372 			    !ns_capable(__task_cred(child)->user_ns, CAP_SYS_PTRACE))
373 				rc = -EPERM;
374 			rcu_read_unlock();
375 			break;
376 		case YAMA_SCOPE_CAPABILITY:
377 			rcu_read_lock();
378 			if (!ns_capable(__task_cred(child)->user_ns, CAP_SYS_PTRACE))
379 				rc = -EPERM;
380 			rcu_read_unlock();
381 			break;
382 		case YAMA_SCOPE_NO_ATTACH:
383 		default:
384 			rc = -EPERM;
385 			break;
386 		}
387 	}
388 
389 	if (rc && (mode & PTRACE_MODE_NOAUDIT) == 0)
390 		report_access("attach", child, current);
391 
392 	return rc;
393 }
394 
395 /**
396  * yama_ptrace_traceme - validate PTRACE_TRACEME calls
397  * @parent: task that will become the ptracer of the current task
398  *
399  * Returns 0 if following the ptrace is allowed, -ve on error.
400  */
401 static int yama_ptrace_traceme(struct task_struct *parent)
402 {
403 	int rc = 0;
404 
405 	/* Only disallow PTRACE_TRACEME on more aggressive settings. */
406 	switch (ptrace_scope) {
407 	case YAMA_SCOPE_CAPABILITY:
408 		if (!has_ns_capability(parent, current_user_ns(), CAP_SYS_PTRACE))
409 			rc = -EPERM;
410 		break;
411 	case YAMA_SCOPE_NO_ATTACH:
412 		rc = -EPERM;
413 		break;
414 	}
415 
416 	if (rc) {
417 		task_lock(current);
418 		report_access("traceme", current, parent);
419 		task_unlock(current);
420 	}
421 
422 	return rc;
423 }
424 
425 static const struct lsm_id yama_lsmid = {
426 	.name = "yama",
427 	.id = LSM_ID_YAMA,
428 };
429 
430 static struct security_hook_list yama_hooks[] __ro_after_init = {
431 	LSM_HOOK_INIT(ptrace_access_check, yama_ptrace_access_check),
432 	LSM_HOOK_INIT(ptrace_traceme, yama_ptrace_traceme),
433 	LSM_HOOK_INIT(task_prctl, yama_task_prctl),
434 	LSM_HOOK_INIT(task_free, yama_task_free),
435 };
436 
437 #ifdef CONFIG_SYSCTL
438 static int yama_dointvec_minmax(struct ctl_table *table, int write,
439 				void *buffer, size_t *lenp, loff_t *ppos)
440 {
441 	struct ctl_table table_copy;
442 
443 	if (write && !capable(CAP_SYS_PTRACE))
444 		return -EPERM;
445 
446 	/* Lock the max value if it ever gets set. */
447 	table_copy = *table;
448 	if (*(int *)table_copy.data == *(int *)table_copy.extra2)
449 		table_copy.extra1 = table_copy.extra2;
450 
451 	return proc_dointvec_minmax(&table_copy, write, buffer, lenp, ppos);
452 }
453 
454 static int max_scope = YAMA_SCOPE_NO_ATTACH;
455 
456 static struct ctl_table yama_sysctl_table[] = {
457 	{
458 		.procname       = "ptrace_scope",
459 		.data           = &ptrace_scope,
460 		.maxlen         = sizeof(int),
461 		.mode           = 0644,
462 		.proc_handler   = yama_dointvec_minmax,
463 		.extra1         = SYSCTL_ZERO,
464 		.extra2         = &max_scope,
465 	},
466 	{ }
467 };
468 static void __init yama_init_sysctl(void)
469 {
470 	if (!register_sysctl("kernel/yama", yama_sysctl_table))
471 		panic("Yama: sysctl registration failed.\n");
472 }
473 #else
474 static inline void yama_init_sysctl(void) { }
475 #endif /* CONFIG_SYSCTL */
476 
477 static int __init yama_init(void)
478 {
479 	pr_info("Yama: becoming mindful.\n");
480 	security_add_hooks(yama_hooks, ARRAY_SIZE(yama_hooks), &yama_lsmid);
481 	yama_init_sysctl();
482 	return 0;
483 }
484 
485 DEFINE_LSM(yama) = {
486 	.name = "yama",
487 	.init = yama_init,
488 };
489