summaryrefslogtreecommitdiffstats
path: root/kernel/capability.c
diff options
context:
space:
mode:
authorEric W. Biederman <ebiederm@xmission.com>2016-10-13 21:23:16 -0500
committerEric W. Biederman <ebiederm@xmission.com>2016-11-22 11:49:48 -0600
commitbfedb589252c01fa505ac9f6f2a3d5d68d707ef4 (patch)
treef4a3b443cc77423d0550c9a21d82175246a0f3d5 /kernel/capability.c
parent9c763584b7c8911106bb77af7e648bef09af9d80 (diff)
downloadlinux-stable-bfedb589252c01fa505ac9f6f2a3d5d68d707ef4.tar.gz
linux-stable-bfedb589252c01fa505ac9f6f2a3d5d68d707ef4.tar.bz2
linux-stable-bfedb589252c01fa505ac9f6f2a3d5d68d707ef4.zip
mm: Add a user_ns owner to mm_struct and fix ptrace permission checks
During exec dumpable is cleared if the file that is being executed is not readable by the user executing the file. A bug in ptrace_may_access allows reading the file if the executable happens to enter into a subordinate user namespace (aka clone(CLONE_NEWUSER), unshare(CLONE_NEWUSER), or setns(fd, CLONE_NEWUSER). This problem is fixed with only necessary userspace breakage by adding a user namespace owner to mm_struct, captured at the time of exec, so it is clear in which user namespace CAP_SYS_PTRACE must be present in to be able to safely give read permission to the executable. The function ptrace_may_access is modified to verify that the ptracer has CAP_SYS_ADMIN in task->mm->user_ns instead of task->cred->user_ns. This ensures that if the task changes it's cred into a subordinate user namespace it does not become ptraceable. The function ptrace_attach is modified to only set PT_PTRACE_CAP when CAP_SYS_PTRACE is held over task->mm->user_ns. The intent of PT_PTRACE_CAP is to be a flag to note that whatever permission changes the task might go through the tracer has sufficient permissions for it not to be an issue. task->cred->user_ns is always the same as or descendent of mm->user_ns. Which guarantees that having CAP_SYS_PTRACE over mm->user_ns is the worst case for the tasks credentials. To prevent regressions mm->dumpable and mm->user_ns are not considered when a task has no mm. As simply failing ptrace_may_attach causes regressions in privileged applications attempting to read things such as /proc/<pid>/stat Cc: stable@vger.kernel.org Acked-by: Kees Cook <keescook@chromium.org> Tested-by: Cyrill Gorcunov <gorcunov@openvz.org> Fixes: 8409cca70561 ("userns: allow ptrace from non-init user namespaces") Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Diffstat (limited to 'kernel/capability.c')
0 files changed, 0 insertions, 0 deletions