// SPDX-License-Identifier: GPL-2.0-only
/*
 * Yama Linux Security Module
 *
 * Yama layers a ptrace attach policy on top of the core ptrace checks.  The
 * policy level is selected by the kernel.yama.ptrace_scope sysctl (see the
 * YAMA_SCOPE_* values below) and enforced from the ptrace_access_check and
 * ptrace_traceme LSM hooks; PR_SET_PTRACER lets a process register a
 * per-process exception that is honoured in the relational mode.
 *
 * Author: Kees Cook <keescook@chromium.org>
 *
 * Copyright (C) 2010 Canonical, Ltd.
 * Copyright (C) 2011 The Chromium OS Authors.
 */

#include <linux/lsm_hooks.h>
#include <linux/sysctl.h>
#include <linux/ptrace.h>
#include <linux/prctl.h>
#include <linux/ratelimit.h>
#include <linux/workqueue.h>
#include <linux/string_helpers.h>
#include <linux/task_work.h>
#include <linux/sched.h>
#include <linux/spinlock.h>
#include <uapi/linux/lsm.h>

/*
 * kernel.yama.ptrace_scope policy levels.  What each level enforces is
 * implemented in yama_ptrace_access_check() (PTRACE_ATTACH side) and
 * yama_ptrace_traceme() (PTRACE_TRACEME side):
 *
 *   DISABLED   - Yama adds no restriction of its own.
 *   RELATIONAL - attach is allowed only from an ancestor of the target, from
 *                a tracer registered via PR_SET_PTRACER (or a descendant of
 *                that tracer), or with CAP_SYS_PTRACE in the target's user
 *                namespace.  PTRACE_TRACEME is not restricted.
 *   CAPABILITY - attach needs CAP_SYS_PTRACE in the target's user namespace;
 *                PTRACE_TRACEME needs the would-be tracer to hold
 *                CAP_SYS_PTRACE in the caller's user namespace.
 *   NO_ATTACH  - attach and PTRACE_TRACEME are both refused.  Once the sysctl
 *                reaches this value it cannot be lowered again (see
 *                yama_dointvec_minmax()).
 */
#define YAMA_SCOPE_DISABLED	0
#define YAMA_SCOPE_RELATIONAL	1
#define YAMA_SCOPE_CAPABILITY	2
#define YAMA_SCOPE_NO_ATTACH	3

/* Active policy level; read directly by the hooks, written by the sysctl. */
static int ptrace_scope = YAMA_SCOPE_RELATIONAL;

/*
 * describe a ptrace relationship for potential exception
 *
 * @tracer:  task permitted to attach to @tracee, or NULL when the tracee
 *           registered PR_SET_PTRACER_ANY (any tracer qualifies; see
 *           ptracer_exception_found()).
 * @tracee:  the registering process, always stored as its thread-group
 *           leader (yama_task_prctl() normalises it).
 * @invalid: set without the list lock by yama_ptracer_del(); readers skip
 *           such entries and yama_relation_cleanup() unlinks them later
 *           under ptracer_relations_lock.
 *
 * NOTE(review): @tracer and @tracee are raw task_struct pointers with no
 * reference held -- yama_task_prctl() drops its find_get_task_by_vpid()
 * reference immediately after yama_ptracer_add().  Lifetime therefore relies
 * on yama_task_free() invalidating the entry when either side is freed.
 * @tracee is only ever compared, but @tracer is handed to task_is_descendant()
 * and dereferenced there; worth confirming that the RCU read section in
 * ptracer_exception_found() is sufficient against a tracer being freed
 * concurrently.
 */
struct ptrace_relation {
	struct task_struct *tracer;
	struct task_struct *tracee;
	bool invalid;
	struct list_head node;
	struct rcu_head rcu;
};

/*
 * All registered exceptions.  Readers walk the list under rcu_read_lock();
 * every list modification (add, replace, delete) is done with
 * ptracer_relations_lock held.
 */
static LIST_HEAD(ptracer_relations);
static DEFINE_SPINLOCK(ptracer_relations_lock);

/* Deferred garbage collection of entries flagged @invalid. */
static void yama_relation_cleanup(struct work_struct *work);
static DECLARE_WORK(yama_relation_work, yama_relation_cleanup);

/*
 * Payload for a deferred access report.  @target and @agent each carry a
 * task reference taken in report_access() and dropped in __report_access().
 */
struct access_report_info {
	struct callback_head work;
	const char *access;
	struct task_struct *target;
	struct task_struct *agent;
};

/*
 * __report_access - task_work callback that emits the denial message
 * @work: embedded callback_head of the access_report_info to report
 *
 * Runs in the context of the task that queued it (see report_access()),
 * where sleeping is allowed: kstrdup_quotable_cmdline() uses GFP_KERNEL.
 * Either command line may come back NULL on allocation failure; the message
 * is still printed (ratelimited) and kfree() tolerates NULL.  Always drops
 * both task references and frees @info.
 */
static void __report_access(struct callback_head *work)
{
	struct access_report_info *info =
		container_of(work, struct access_report_info, work);
	char *target_cmd, *agent_cmd;

	target_cmd = kstrdup_quotable_cmdline(info->target, GFP_KERNEL);
	agent_cmd = kstrdup_quotable_cmdline(info->agent, GFP_KERNEL);

	pr_notice_ratelimited(
		"ptrace %s of \"%s\"[%d] was attempted by \"%s\"[%d]\n",
		info->access, target_cmd, info->target->pid, agent_cmd,
		info->agent->pid);

	kfree(agent_cmd);
	kfree(target_cmd);

	put_task_struct(info->agent);
	put_task_struct(info->target);
	kfree(info);
}

/*
 * report_access - log a ptrace access that Yama refused
 * @access: short verb for the message ("attach" / "traceme")
 * @target: the task somebody tried to trace
 * @agent:  the task that attempted it
 *
 * Must be called with @target->alloc_lock (task_lock) held -- asserted below,
 * since @target->comm is read on the kthread path.  yama_ptrace_traceme()
 * takes the lock itself; yama_ptrace_access_check() relies on its caller
 * holding it.  Because a spinlock is held, the report is deferred: the
 * full quotable command lines can sleep, so they are produced later from
 * task_work (TWA_RESUME) on the current task.  Allocation here is therefore
 * GFP_ATOMIC and a failed allocation silently drops the report.
 */
/* defers execution because cmdline access can sleep */
static void report_access(const char *access, struct task_struct *target,
			  struct task_struct *agent)
{
	struct access_report_info *info;

	assert_spin_locked(&target->alloc_lock); /* for target->comm */

	if (current->flags & PF_KTHREAD) {
		/* I don't think kthreads call task_work_run() before exiting.
		 * Imagine angry ranting about procfs here.
		 * Fall back to the (non-sleeping) comm fields instead.
		 */
		pr_notice_ratelimited(
		    "ptrace %s of \"%s\"[%d] was attempted by \"%s\"[%d]\n",
		    access, target->comm, target->pid, agent->comm, agent->pid);
		return;
	}

	info = kmalloc(sizeof(*info), GFP_ATOMIC);
	if (!info)
		return;
	init_task_work(&info->work, __report_access);
	/* Both tasks must outlive the deferred work; refs dropped there. */
	get_task_struct(target);
	get_task_struct(agent);
	info->access = access;
	info->target = target;
	info->agent = agent;
	if (task_work_add(current, &info->work, TWA_RESUME) == 0)
		return; /* success */

	/* task_work_add() only fails for an exiting task; undo everything. */
	WARN(1, "report_access called from exiting task");
	put_task_struct(target);
	put_task_struct(agent);
	kfree(info);
}

/**
 * yama_relation_cleanup - remove invalid entries from the relation list
 * @work: unused
 *
 * Scheduled by yama_ptracer_del() via schedule_work().  This is the only
 * place entries are unlinked: it takes ptracer_relations_lock and, under
 * an RCU read section (presumably to satisfy list_for_each_entry_rcu()'s
 * checking), list_del_rcu()s every entry flagged @invalid and frees it
 * after a grace period with kfree_rcu().
 */
static void yama_relation_cleanup(struct work_struct *work)
{
	struct ptrace_relation *relation;

	spin_lock(&ptracer_relations_lock);
	rcu_read_lock();
	list_for_each_entry_rcu(relation, &ptracer_relations, node) {
		if (relation->invalid) {
			list_del_rcu(&relation->node);
			kfree_rcu(relation, rcu);
		}
	}
	rcu_read_unlock();
	spin_unlock(&ptracer_relations_lock);
}

/**
 * yama_ptracer_add - add/replace an exception for this tracer/tracee pair
 * @tracer: the task_struct of the process doing the ptrace
 * @tracee: the task_struct of the process to be ptraced
 *
 * Each tracee can have, at most, one tracer registered.
Each time this is called, the prior registered tracer will be replaced for
 * the tracee.  @tracer may be NULL, meaning "any tracer" (PR_SET_PTRACER_ANY).
 *
 * Allocates with GFP_KERNEL and takes ptracer_relations_lock, so this is
 * process-context only; its caller is yama_task_prctl().  No reference is
 * taken on either task -- see the note on struct ptrace_relation.
 *
 * Returns 0 if relationship was added, -ve on error.
 */
static int yama_ptracer_add(struct task_struct *tracer,
			    struct task_struct *tracee)
{
	struct ptrace_relation *relation, *added;

	added = kmalloc(sizeof(*added), GFP_KERNEL);
	if (!added)
		return -ENOMEM;

	added->tracee = tracee;
	added->tracer = tracer;
	added->invalid = false;

	spin_lock(&ptracer_relations_lock);
	rcu_read_lock();
	list_for_each_entry_rcu(relation, &ptracer_relations, node) {
		if (relation->invalid)
			continue;
		if (relation->tracee == tracee) {
			/* Swap the live entry in place; old one freed after
			 * a grace period so concurrent readers stay safe. */
			list_replace_rcu(&relation->node, &added->node);
			kfree_rcu(relation, rcu);
			goto out;
		}
	}

	list_add_rcu(&added->node, &ptracer_relations);

out:
	rcu_read_unlock();
	spin_unlock(&ptracer_relations_lock);
	return 0;
}

/**
 * yama_ptracer_del - remove exceptions related to the given tasks
 * @tracer: remove any relation where tracer task matches
 * @tracee: remove any relation where tracee task matches
 *
 * @tracer may be NULL, in which case only the @tracee match applies (this is
 * how PR_SET_PTRACER with arg2 == 0 clears a registration).
 *
 * ptracer_relations_lock is NOT taken here: matching entries are merely
 * flagged @invalid, which every reader checks before using an entry, and
 * the actual unlinking is left to yama_relation_cleanup() on the
 * workqueue.  This keeps the function usable from the task_free hook.
 */
static void yama_ptracer_del(struct task_struct *tracer,
			     struct task_struct *tracee)
{
	struct ptrace_relation *relation;
	bool marked = false;

	rcu_read_lock();
	list_for_each_entry_rcu(relation, &ptracer_relations, node) {
		if (relation->invalid)
			continue;
		if (relation->tracee == tracee ||
		    (tracer && relation->tracer == tracer)) {
			relation->invalid = true;
			marked = true;
		}
	}
	rcu_read_unlock();

	if (marked)
		schedule_work(&yama_relation_work);
}

/**
 * yama_task_free - invalidate exceptions involving a task being freed
 * @task: task being removed
 *
 * task_free hook.  Drops every relation in which @task is either the
 * registered tracer or the tracee, so the raw pointers stored in
 * struct ptrace_relation never outlive the task they name.
 */
static void yama_task_free(struct task_struct *task)
{
	yama_ptracer_del(task, task);
}

/**
 * yama_task_prctl - check for Yama-specific prctl operations
 * @option: operation
 * @arg2: argument
 * @arg3: argument
 * @arg4: argument
 * @arg5: argument
 *
 * Only PR_SET_PTRACER is handled.  @arg2 selects the action for the
 * calling process (always the thread-group leader):
 *   0                    - clear any registered exception;
 *   PR_SET_PTRACER_ANY   - allow any tracer (stored as a NULL tracer);
 *   other                - look the value up as a pid (in the caller's pid
 *                          namespace, presumably, given the _vpid lookup)
 *                          and register that task; -EINVAL if no such task.
 *
 * No permission check is made on the named tracer: the call only relaxes
 * Yama's restriction for the caller's own process, and only Yama's --
 * whatever the core ptrace code and other LSMs check is unaffected.
 *
 * Return 0 on success, -ve on error. -ENOSYS is returned when Yama
 * does not handle the given option.
 */
static int yama_task_prctl(int option, unsigned long arg2, unsigned long arg3,
			   unsigned long arg4, unsigned long arg5)
{
	int rc = -ENOSYS;
	struct task_struct *myself;

	switch (option) {
	case PR_SET_PTRACER:
		/* Since a thread can call prctl(), find the group leader
		 * before calling _add() or _del() on it, since we want
		 * process-level granularity of control. The tracer group
		 * leader checking is handled later when walking the ancestry
		 * at the time of PTRACE_ATTACH check.
		 */
		myself = current->group_leader;

		if (arg2 == 0) {
			yama_ptracer_del(NULL, myself);
			rc = 0;
		} else if (arg2 == PR_SET_PTRACER_ANY || (int)arg2 == -1) {
			/* Accept both the full-width constant and an int -1
			 * that userspace zero-extended into the long. */
			rc = yama_ptracer_add(NULL, myself);
		} else {
			struct task_struct *tracer;

			tracer = find_get_task_by_vpid(arg2);
			if (!tracer) {
				rc = -EINVAL;
			} else {
				rc = yama_ptracer_add(tracer, myself);
				/* The relation keeps only the raw pointer. */
				put_task_struct(tracer);
			}
		}

		break;
	}

	return rc;
}

/**
 * task_is_descendant - walk up a process family tree looking for a match
 * @parent: the process to compare against while walking up from child
 * @child: the process to start from while looking upwards for parent
 *
 * Both sides are normalised to thread-group leaders, so the answer is per
 * process, not per thread, and a process counts as its own descendant (the
 * comparison happens before the first step up).  The walk follows
 * real_parent, so (presumably) being ptraced by a third party does not
 * re-route it, and it stops at pid 0.  Runs entirely under rcu_read_lock().
 *
 * Returns 1 if child is a descendant of parent, 0 if not.
*/
static int task_is_descendant(struct task_struct *parent,
			      struct task_struct *child)
{
	int rc = 0;
	struct task_struct *walker = child;

	if (!parent || !child)
		return 0;

	rcu_read_lock();
	if (!thread_group_leader(parent))
		parent = rcu_dereference(parent->group_leader);
	while (walker->pid > 0) {
		if (!thread_group_leader(walker))
			walker = rcu_dereference(walker->group_leader);
		if (walker == parent) {
			rc = 1;
			break;
		}
		walker = rcu_dereference(walker->real_parent);
	}
	rcu_read_unlock();

	return rc;
}

/**
 * ptracer_exception_found - tracer registered as exception for this tracee
 * @tracer: the task_struct of the process attempting ptrace
 * @tracee: the task_struct of the process to be ptraced
 *
 * Two situations qualify:
 *  1. @tracer's thread group is already the ptracer of @tracee
 *     (ptrace_parent()); this keeps follow-on accesses such as
 *     process_vm_rw() working once an attach has happened.
 *  2. @tracee's thread-group leader has a PR_SET_PTRACER registration whose
 *     tracer is NULL (PR_SET_PTRACER_ANY), or is @tracer itself or an
 *     ancestor of @tracer.  Note the direction: registering pid N grants N
 *     and every descendant of N, not only N.
 *
 * Returns 1 if tracer has a ptracer exception ancestor for tracee.
 */
static int ptracer_exception_found(struct task_struct *tracer,
				   struct task_struct *tracee)
{
	int rc = 0;
	struct ptrace_relation *relation;
	struct task_struct *parent = NULL;
	bool found = false;

	rcu_read_lock();

	/*
	 * If there's already an active tracing relationship, then make an
	 * exception for the sake of other accesses, like process_vm_rw().
	 */
	parent = ptrace_parent(tracee);
	if (parent != NULL && same_thread_group(parent, tracer)) {
		rc = 1;
		goto unlock;
	}

	/* Look for a PR_SET_PTRACER relationship (keyed by group leader). */
	if (!thread_group_leader(tracee))
		tracee = rcu_dereference(tracee->group_leader);
	list_for_each_entry_rcu(relation, &ptracer_relations, node) {
		if (relation->invalid)
			continue;
		if (relation->tracee == tracee) {
			parent = relation->tracer;
			found = true;
			break;
		}
	}

	/* NULL tracer == PR_SET_PTRACER_ANY; otherwise tracer (or ancestor). */
	if (found && (parent == NULL || task_is_descendant(parent, tracer)))
		rc = 1;

unlock:
	rcu_read_unlock();

	return rc;
}

/**
 * yama_ptrace_access_check - validate PTRACE_ATTACH calls
 * @child: task that current task is attempting to ptrace
 * @mode: ptrace attach mode
 *
 * Only PTRACE_MODE_ATTACH requests are policed; read-mode accesses (the
 * PTRACE_MODE_READ family) pass straight through regardless of
 * ptrace_scope.  In RELATIONAL mode a target that is no longer alive is
 * refused outright, otherwise the caller must be an ancestor of @child,
 * hold a PR_SET_PTRACER exception, or have CAP_SYS_PTRACE in @child's user
 * namespace.  CAPABILITY mode keeps only the last of those.  NO_ATTACH and
 * any out-of-range sysctl value (the default: arm) fail closed.
 *
 * A refusal is logged via report_access() unless PTRACE_MODE_NOAUDIT is
 * set; report_access() asserts @child->alloc_lock, which this hook expects
 * its caller to hold.
 *
 * Returns 0 if following the ptrace is allowed, -ve on error.
 */
static int yama_ptrace_access_check(struct task_struct *child,
				    unsigned int mode)
{
	int rc = 0;

	/* require ptrace target be a child of ptracer on attach */
	if (mode & PTRACE_MODE_ATTACH) {
		switch (ptrace_scope) {
		case YAMA_SCOPE_DISABLED:
			/* No additional restrictions. */
			break;
		case YAMA_SCOPE_RELATIONAL:
			rcu_read_lock();
			if (!pid_alive(child))
				rc = -EPERM;
			/* Capability is checked in the *target's* user ns. */
			if (!rc && !task_is_descendant(current, child) &&
			    !ptracer_exception_found(current, child) &&
			    !ns_capable(__task_cred(child)->user_ns, CAP_SYS_PTRACE))
				rc = -EPERM;
			rcu_read_unlock();
			break;
		case YAMA_SCOPE_CAPABILITY:
			rcu_read_lock();
			if (!ns_capable(__task_cred(child)->user_ns, CAP_SYS_PTRACE))
				rc = -EPERM;
			rcu_read_unlock();
			break;
		case YAMA_SCOPE_NO_ATTACH:
		default:
			/* Unknown values deny rather than fall open. */
			rc = -EPERM;
			break;
		}
	}

	if (rc && (mode & PTRACE_MODE_NOAUDIT) == 0)
		report_access("attach", child, current);

	return rc;
}

/**
 * yama_ptrace_traceme - validate PTRACE_TRACEME calls
 * @parent: task that will become the ptracer of the current task
 *
 * Returns 0 if following the ptrace is allowed, -ve on error.
*/
static int yama_ptrace_traceme(struct task_struct *parent)
{
	int rc = 0;

	/*
	 * PTRACE_TRACEME is only refused at the two strictest levels:
	 * CAPABILITY requires the would-be tracer to hold CAP_SYS_PTRACE in
	 * the caller's user namespace, NO_ATTACH refuses unconditionally.
	 * DISABLED and RELATIONAL impose nothing on this path.
	 */
	if (ptrace_scope == YAMA_SCOPE_NO_ATTACH)
		rc = -EPERM;
	else if (ptrace_scope == YAMA_SCOPE_CAPABILITY &&
		 !has_ns_capability(parent, current_user_ns(), CAP_SYS_PTRACE))
		rc = -EPERM;

	if (rc) {
		/* report_access() asserts the target's alloc_lock; the target
		 * here is current, so take it around the call. */
		task_lock(current);
		report_access("traceme", current, parent);
		task_unlock(current);
	}

	return rc;
}

static const struct lsm_id yama_lsmid = {
	.name = "yama",
	.id = LSM_ID_YAMA,
};

/* The hooks Yama implements; the table is fixed after boot. */
static struct security_hook_list yama_hooks[] __ro_after_init = {
	LSM_HOOK_INIT(ptrace_access_check, yama_ptrace_access_check),
	LSM_HOOK_INIT(ptrace_traceme, yama_ptrace_traceme),
	LSM_HOOK_INIT(task_prctl, yama_task_prctl),
	LSM_HOOK_INIT(task_free, yama_task_free),
};

#ifdef CONFIG_SYSCTL
/*
 * yama_dointvec_minmax - proc handler for kernel.yama.ptrace_scope
 *
 * Writes require CAP_SYS_PTRACE in the initial user namespace (capable()),
 * on top of the 0644 file mode.  The value is clamped to
 * [extra1, extra2] by proc_dointvec_minmax(); this wrapper ratchets the
 * floor up to the ceiling once the ceiling has been reached, so after
 * ptrace_scope hits YAMA_SCOPE_NO_ATTACH no later write -- capable or not --
 * can lower it (nothing in this file ever resets it).
 */
static int yama_dointvec_minmax(const struct ctl_table *table, int write,
				void *buffer, size_t *lenp, loff_t *ppos)
{
	struct ctl_table tmp = *table;
	const int *current_value = tmp.data;
	const int *ceiling = tmp.extra2;

	if (write && !capable(CAP_SYS_PTRACE))
		return -EPERM;

	/* Already at the maximum: pin the minimum there as well. */
	if (*current_value == *ceiling)
		tmp.extra1 = tmp.extra2;

	return proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos);
}

/* Upper bound for ptrace_scope; non-const presumably because extra2 is a void *. */
static int max_scope = YAMA_SCOPE_NO_ATTACH;

static const struct ctl_table yama_sysctl_table[] = {
	{
		.procname	= "ptrace_scope",
		.data		= &ptrace_scope,
		.maxlen		= sizeof(int),
		.mode		= 0644,
		.proc_handler	= yama_dointvec_minmax,
		.extra1		= SYSCTL_ZERO,
		.extra2		= &max_scope,
	},
};

/* Expose kernel.yama.ptrace_scope; failure here is treated as fatal. */
static void __init yama_init_sysctl(void)
{
	if (register_sysctl("kernel/yama", yama_sysctl_table) == NULL)
		panic("Yama: sysctl registration failed.\n");
}
#else
static inline void yama_init_sysctl(void) { }
#endif /* CONFIG_SYSCTL */

/* LSM init: register the hooks, then the sysctl knob. */
static int __init yama_init(void)
{
	pr_info("Yama: becoming mindful.\n");
	security_add_hooks(yama_hooks, ARRAY_SIZE(yama_hooks), &yama_lsmid);
	yama_init_sysctl();
	return 0;
}

DEFINE_LSM(yama) = {
	.name = "yama",
	.init = yama_init,
};