session daemon should validate credentials received from application (lttng-ust)
Looking at ustctl_recv_reg_msg(), I notice that the session daemon fails to validate the pid and uid credentials it receives from the application, thus trusting them blindly. This means a non-root application could theoretically impersonate a root application from a tracing perspective, and thus access root tracing buffers in a per-uid configuration, which is unwanted.

I remember that initially we had no validation of the pid provided by the application because original lttng 2.0 only supported per-pid buffers and had per application tracing buffers only, so it did not cause any issue other than mislabeling the trace directory. However, now that the buffers can be shared between processes belonging to the same uid, this needs to be validated by the session daemon, and it's not.
So the quick fix here would be to validate on the session daemon side that the credentials provided by the application match those from a sessiond perspective through unix socket credentials (getsockopt(2) SO_PEERCRED on Linux and LOCAL_PEERCRED on BSD). That would however mean that sessiond would refuse applications that come from separate namespaces if the credentials don't match.
Tweaking liblttng-ust-comm/lttng-ust-comm.c:ustcomm_send_reg_msg() to send dummy credentials shows that the session daemon indeed trusts the application blindly.
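The check proposed above, written out as an added example that is not code from lttng-tools or lttng-ust: the receiving side reads the kernel-verified peer credentials of the AF_UNIX socket with getsockopt(2) SO_PEERCRED and refuses a registration whose claimed pid/uid/gid differ. The struct reg_msg_creds, get_peer_creds(), validate_reg_creds() and check_claimed_creds() names are hypothetical; the socketpair stands in for the application-to-sessiond connection so the example runs in one process. It is Linux-specific (struct ucred); on BSD the equivalent is LOCAL_PEERCRED.

```c
#define _GNU_SOURCE            /* struct ucred and SO_PEERCRED (Linux) */
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical shape of the credentials an application claims about itself
 * in its registration message. Nothing here is trustworthy by itself. */
struct reg_msg_creds {
    pid_t pid;
    uid_t uid;
    gid_t gid;
};

/* Ask the kernel who is really on the other end of a connected AF_UNIX socket.
 * Returns 0 on success, -1 on error. The ids are translated into the
 * receiver's namespaces, so a peer in another namespace shows up as an
 * unmapped pid/uid rather than as the values it claims. */
static int get_peer_creds(int sock, struct ucred *out)
{
    socklen_t len = sizeof(*out);

    memset(out, 0, sizeof(*out));
    if (getsockopt(sock, SOL_SOCKET, SO_PEERCRED, out, &len) < 0)
        return -1;
    if (len != sizeof(*out))
        return -1;
    return 0;
}

/* The actual policy: claimed credentials must equal the peer credentials.
 * Returns 0 when they match, -1 when the registration must be refused. */
static int validate_reg_creds(const struct reg_msg_creds *claimed,
                              const struct ucred *peer)
{
    if (claimed->pid != peer->pid)
        return -1;
    if (claimed->uid != peer->uid)
        return -1;
    if (claimed->gid != peer->gid)
        return -1;
    return 0;
}

/* Demonstration: sv[1] plays the application, sv[0] the session daemon.
 * The "message" carries the claimed ids; the daemon side compares them with
 * SO_PEERCRED. Returns 1 if the registration would be accepted, 0 if it
 * would be refused, -1 on a socket error. */
int check_claimed_creds(pid_t claimed_pid, uid_t claimed_uid, gid_t claimed_gid)
{
    int sv[2];
    struct ucred peer;
    struct reg_msg_creds claimed = { claimed_pid, claimed_uid, claimed_gid };
    int rc;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    rc = get_peer_creds(sv[0], &peer);   /* daemon side looks at the app side */
    close(sv[0]);
    close(sv[1]);
    if (rc < 0)
        return -1;
    return validate_reg_creds(&claimed, &peer) == 0 ? 1 : 0;
}

int main(void)
{
    /* Honest registration: claimed ids are our own. */
    printf("honest app accepted: %d\n",
           check_claimed_creds(getpid(), getuid(), getgid()));
    /* Forged registration: a non-root uid claiming to be root (or vice versa). */
    printf("forged uid accepted: %d\n",
           check_claimed_creds(getpid(), getuid() == 0 ? 1000 : 0, getgid()));
    return 0;
}
```

Because the comparison uses what the kernel reports rather than what the message says, the forged registration is refused; the cost, as the report notes, is that an application whose ids do not map into the daemon's namespaces is refused too.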
Updated by Mathieu Desnoyers about 1 month ago
- Assignee set to Mathieu Desnoyers
- Status changed from New to In Progress
- File 0001-Fix-Use-unix-socket-peercred-for-pid-uid-gid-credent.patch added