[PATCH v1] keys: Restrict KEYCTL_SESSION_TO_PARENT according to ptrace_may_access()

[Mickaël Salaün]

On Mon, Jul 29, 2024 at 03:49:29PM +0200, Jann Horn wrote:
> On Mon, Jul 29, 2024 at 2:59 PM Mickaël Salaün <mic at digikod.net> wrote:
> > A process can modify its parent's credentials with
> > KEYCTL_SESSION_TO_PARENT when their EUID and EGID are the same.  This
> > doesn't take into account all possible access controls.
> >
> > Enforce the same access checks as for impersonating a process.
> >
> > The current credentials checks are untouch because they check against
> > EUID and EGID, whereas ptrace_may_access() checks against UID and GID.
> 
> FWIW, my understanding is that the intended usecase of
> KEYCTL_SESSION_TO_PARENT is that command-line tools (like "keyctl
> new_session" and "e4crypt new_session") want to be able to change the
> keyring of the parent process that spawned them (which I think is
> usually a shell?); and Yama LSM, which I think is fairly widely used
> at this point, by default prevents a child process from using
> PTRACE_MODE_ATTACH on its parent.

About Yama, the patched keyctl_session_to_parent() function already
check if the current's and the parent's credentials are the same before
this new ptrace_may_access() check.  So this change should be OK with
Yama and most use cases.

> 
> I think KEYCTL_SESSION_TO_PARENT is not a great design, but I'm not
> sure if we can improve it much without risking some breakage.
> 

I think this is a security issue that a process can change another
process's credentials.  If the main use cases is for shell commands, it
should be OK.

The alternative would be to restore the key_session_to_parent LSM hook
[1], and update most LSMs to block this kind of credential tampering,
which will lead to the same result but with only partial users being
protected.

[1] commit 3011a344cdcd ("security: remove dead hook key_session_to_parent")