diff options
| author | Eric W. Biederman <ebiederm@xmission.com> | 2016-10-13 22:23:16 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2017-01-06 04:40:13 -0500 |
| commit | 694a95fa6dae4991f16cda333d897ea063021fed (patch) | |
| tree | ac12876552e1b6585013a0e2932cf5da3c91def6 /kernel | |
| parent | cfa2d65b2622d14b2f1368fbc9a6b4ab85141644 (diff) | |
mm: Add a user_ns owner to mm_struct and fix ptrace permission checks
commit bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 upstream.
During exec dumpable is cleared if the file that is being executed is
not readable by the user executing the file. A bug in
ptrace_may_access allows reading the file if the executable happens to
enter into a subordinate user namespace (aka clone(CLONE_NEWUSER),
unshare(CLONE_NEWUSER), or setns(fd, CLONE_NEWUSER).
This problem is fixed with only necessary userspace breakage by adding
a user namespace owner to mm_struct, captured at the time of exec, so
it is clear in which user namespace CAP_SYS_PTRACE must be present in
to be able to safely give read permission to the executable.
The function ptrace_may_access is modified to verify that the ptracer
has CAP_SYS_ADMIN in task->mm->user_ns instead of task->cred->user_ns.
This ensures that if the task changes it's cred into a subordinate
user namespace it does not become ptraceable.
The function ptrace_attach is modified to only set PT_PTRACE_CAP when
CAP_SYS_PTRACE is held over task->mm->user_ns. The intent of
PT_PTRACE_CAP is to be a flag to note that whatever permission changes
the task might go through the tracer has sufficient permissions for
it not to be an issue. task->cred->user_ns is always the same
as or descendent of mm->user_ns. Which guarantees that having
CAP_SYS_PTRACE over mm->user_ns is the worst case for the tasks
credentials.
To prevent regressions mm->dumpable and mm->user_ns are not considered
when a task has no mm. As simply failing ptrace_may_attach causes
regressions in privileged applications attempting to read things
such as /proc/<pid>/stat
Acked-by: Kees Cook <keescook@chromium.org>
Tested-by: Cyrill Gorcunov <gorcunov@openvz.org>
Fixes: 8409cca70561 ("userns: allow ptrace from non-init user namespaces")
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'kernel')
| -rw-r--r-- | kernel/fork.c | 9 | ||||
| -rw-r--r-- | kernel/ptrace.c | 26 |
2 files changed, 17 insertions, 18 deletions
diff --git a/kernel/fork.c b/kernel/fork.c index 997ac1d584f7..ba8a01564985 100644 --- a/kernel/fork.c +++ b/kernel/fork.c | |||
| @@ -745,7 +745,8 @@ static void mm_init_owner(struct mm_struct *mm, struct task_struct *p) | |||
| 745 | #endif | 745 | #endif |
| 746 | } | 746 | } |
| 747 | 747 | ||
| 748 | static struct mm_struct *mm_init(struct mm_struct *mm, struct task_struct *p) | 748 | static struct mm_struct *mm_init(struct mm_struct *mm, struct task_struct *p, |
| 749 | struct user_namespace *user_ns) | ||
| 749 | { | 750 | { |
| 750 | mm->mmap = NULL; | 751 | mm->mmap = NULL; |
| 751 | mm->mm_rb = RB_ROOT; | 752 | mm->mm_rb = RB_ROOT; |
| @@ -785,6 +786,7 @@ static struct mm_struct *mm_init(struct mm_struct *mm, struct task_struct *p) | |||
| 785 | if (init_new_context(p, mm)) | 786 | if (init_new_context(p, mm)) |
| 786 | goto fail_nocontext; | 787 | goto fail_nocontext; |
| 787 | 788 | ||
| 789 | mm->user_ns = get_user_ns(user_ns); | ||
| 788 | return mm; | 790 | return mm; |
| 789 | 791 | ||
| 790 | fail_nocontext: | 792 | fail_nocontext: |
| @@ -830,7 +832,7 @@ struct mm_struct *mm_alloc(void) | |||
| 830 | return NULL; | 832 | return NULL; |
| 831 | 833 | ||
| 832 | memset(mm, 0, sizeof(*mm)); | 834 | memset(mm, 0, sizeof(*mm)); |
| 833 | return mm_init(mm, current); | 835 | return mm_init(mm, current, current_user_ns()); |
| 834 | } | 836 | } |
| 835 | 837 | ||
| 836 | /* | 838 | /* |
| @@ -845,6 +847,7 @@ void __mmdrop(struct mm_struct *mm) | |||
| 845 | destroy_context(mm); | 847 | destroy_context(mm); |
| 846 | mmu_notifier_mm_destroy(mm); | 848 | mmu_notifier_mm_destroy(mm); |
| 847 | check_mm(mm); | 849 | check_mm(mm); |
| 850 | put_user_ns(mm->user_ns); | ||
| 848 | free_mm(mm); | 851 | free_mm(mm); |
| 849 | } | 852 | } |
| 850 | EXPORT_SYMBOL_GPL(__mmdrop); | 853 | EXPORT_SYMBOL_GPL(__mmdrop); |
| @@ -1126,7 +1129,7 @@ static struct mm_struct *dup_mm(struct task_struct *tsk) | |||
| 1126 | 1129 | ||
| 1127 | memcpy(mm, oldmm, sizeof(*mm)); | 1130 | memcpy(mm, oldmm, sizeof(*mm)); |
| 1128 | 1131 | ||
| 1129 | if (!mm_init(mm, tsk)) | 1132 | if (!mm_init(mm, tsk, mm->user_ns)) |
| 1130 | goto fail_nomem; | 1133 | goto fail_nomem; |
| 1131 | 1134 | ||
| 1132 | err = dup_mmap(mm, oldmm); | 1135 | err = dup_mmap(mm, oldmm); |
diff --git a/kernel/ptrace.c b/kernel/ptrace.c index e6474f7272ec..282821557183 100644 --- a/kernel/ptrace.c +++ b/kernel/ptrace.c | |||
| @@ -220,7 +220,7 @@ static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode) | |||
| 220 | static int __ptrace_may_access(struct task_struct *task, unsigned int mode) | 220 | static int __ptrace_may_access(struct task_struct *task, unsigned int mode) |
| 221 | { | 221 | { |
| 222 | const struct cred *cred = current_cred(), *tcred; | 222 | const struct cred *cred = current_cred(), *tcred; |
| 223 | int dumpable = 0; | 223 | struct mm_struct *mm; |
| 224 | kuid_t caller_uid; | 224 | kuid_t caller_uid; |
| 225 | kgid_t caller_gid; | 225 | kgid_t caller_gid; |
| 226 | 226 | ||
| @@ -271,16 +271,11 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode) | |||
| 271 | return -EPERM; | 271 | return -EPERM; |
| 272 | ok: | 272 | ok: |
| 273 | rcu_read_unlock(); | 273 | rcu_read_unlock(); |
| 274 | smp_rmb(); | 274 | mm = task->mm; |
| 275 | if (task->mm) | 275 | if (mm && |
| 276 | dumpable = get_dumpable(task->mm); | 276 | ((get_dumpable(mm) != SUID_DUMP_USER) && |
| 277 | rcu_read_lock(); | 277 | !ptrace_has_cap(mm->user_ns, mode))) |
| 278 | if (dumpable != SUID_DUMP_USER && | 278 | return -EPERM; |
| 279 | !ptrace_has_cap(__task_cred(task)->user_ns, mode)) { | ||
| 280 | rcu_read_unlock(); | ||
| 281 | return -EPERM; | ||
| 282 | } | ||
| 283 | rcu_read_unlock(); | ||
| 284 | 279 | ||
| 285 | return security_ptrace_access_check(task, mode); | 280 | return security_ptrace_access_check(task, mode); |
| 286 | } | 281 | } |
| @@ -331,6 +326,11 @@ static int ptrace_attach(struct task_struct *task, long request, | |||
| 331 | 326 | ||
| 332 | task_lock(task); | 327 | task_lock(task); |
| 333 | retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS); | 328 | retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS); |
| 329 | if (!retval) { | ||
| 330 | struct mm_struct *mm = task->mm; | ||
| 331 | if (mm && ns_capable(mm->user_ns, CAP_SYS_PTRACE)) | ||
| 332 | flags |= PT_PTRACE_CAP; | ||
| 333 | } | ||
| 334 | task_unlock(task); | 334 | task_unlock(task); |
| 335 | if (retval) | 335 | if (retval) |
| 336 | goto unlock_creds; | 336 | goto unlock_creds; |
| @@ -344,10 +344,6 @@ static int ptrace_attach(struct task_struct *task, long request, | |||
| 344 | 344 | ||
| 345 | if (seize) | 345 | if (seize) |
| 346 | flags |= PT_SEIZED; | 346 | flags |= PT_SEIZED; |
| 347 | rcu_read_lock(); | ||
| 348 | if (ns_capable(__task_cred(task)->user_ns, CAP_SYS_PTRACE)) | ||
| 349 | flags |= PT_PTRACE_CAP; | ||
| 350 | rcu_read_unlock(); | ||
| 351 | task->ptrace = flags; | 347 | task->ptrace = flags; |
| 352 | 348 | ||
| 353 | __ptrace_link(task, current); | 349 | __ptrace_link(task, current); |