diff options
-rw-r--r-- | Documentation/sysctl/kernel.txt | 20 | ||||
-rw-r--r-- | fs/exec.c | 23 | ||||
-rw-r--r-- | fs/proc/base.c | 6 | ||||
-rw-r--r-- | include/linux/binfmts.h | 5 | ||||
-rw-r--r-- | include/linux/sched.h | 2 | ||||
-rw-r--r-- | include/linux/sysctl.h | 1 | ||||
-rw-r--r-- | kernel/sys.c | 22 | ||||
-rw-r--r-- | kernel/sysctl.c | 9 | ||||
-rw-r--r-- | security/commoncap.c | 2 | ||||
-rw-r--r-- | security/dummy.c | 2 |
10 files changed, 74 insertions, 18 deletions
diff --git a/Documentation/sysctl/kernel.txt b/Documentation/sysctl/kernel.txt index 35159176997..9f11d36a8c1 100644 --- a/Documentation/sysctl/kernel.txt +++ b/Documentation/sysctl/kernel.txt | |||
@@ -49,6 +49,7 @@ show up in /proc/sys/kernel: | |||
49 | - shmmax [ sysv ipc ] | 49 | - shmmax [ sysv ipc ] |
50 | - shmmni | 50 | - shmmni |
51 | - stop-a [ SPARC only ] | 51 | - stop-a [ SPARC only ] |
52 | - suid_dumpable | ||
52 | - sysrq ==> Documentation/sysrq.txt | 53 | - sysrq ==> Documentation/sysrq.txt |
53 | - tainted | 54 | - tainted |
54 | - threads-max | 55 | - threads-max |
@@ -300,6 +301,25 @@ kernel. This value defaults to SHMMAX. | |||
300 | 301 | ||
301 | ============================================================== | 302 | ============================================================== |
302 | 303 | ||
304 | suid_dumpable: | ||
305 | |||
306 | This value can be used to query and set the core dump mode for setuid | ||
307 | or otherwise protected/tainted binaries. The modes are | ||
308 | |||
309 | 0 - (default) - traditional behaviour. Any process which has changed | ||
310 | privilege levels or is execute only will not be dumped | ||
311 | 1 - (debug) - all processes dump core when possible. The core dump is | ||
312 | owned by the current user and no security is applied. This is | ||
313 | intended for system debugging situations only. Ptrace is unchecked. | ||
314 | 2 - (suidsafe) - any binary which normally would not be dumped is dumped | ||
315 | readable by root only. This allows the end user to remove | ||
316 | such a dump but not access it directly. For security reasons | ||
317 | core dumps in this mode will not overwrite one another or | ||
318 | other files. This mode is appropriate when adminstrators are | ||
319 | attempting to debug problems in a normal environment. | ||
320 | |||
321 | ============================================================== | ||
322 | |||
303 | tainted: | 323 | tainted: |
304 | 324 | ||
305 | Non-zero if the kernel has been tainted. Numeric values, which | 325 | Non-zero if the kernel has been tainted. Numeric values, which |
@@ -58,6 +58,9 @@ | |||
58 | 58 | ||
59 | int core_uses_pid; | 59 | int core_uses_pid; |
60 | char core_pattern[65] = "core"; | 60 | char core_pattern[65] = "core"; |
61 | int suid_dumpable = 0; | ||
62 | |||
63 | EXPORT_SYMBOL(suid_dumpable); | ||
61 | /* The maximal length of core_pattern is also specified in sysctl.c */ | 64 | /* The maximal length of core_pattern is also specified in sysctl.c */ |
62 | 65 | ||
63 | static struct linux_binfmt *formats; | 66 | static struct linux_binfmt *formats; |
@@ -864,6 +867,9 @@ int flush_old_exec(struct linux_binprm * bprm) | |||
864 | 867 | ||
865 | if (current->euid == current->uid && current->egid == current->gid) | 868 | if (current->euid == current->uid && current->egid == current->gid) |
866 | current->mm->dumpable = 1; | 869 | current->mm->dumpable = 1; |
870 | else | ||
871 | current->mm->dumpable = suid_dumpable; | ||
872 | |||
867 | name = bprm->filename; | 873 | name = bprm->filename; |
868 | 874 | ||
869 | /* Copies the binary name from after last slash */ | 875 | /* Copies the binary name from after last slash */ |
@@ -884,7 +890,7 @@ int flush_old_exec(struct linux_binprm * bprm) | |||
884 | permission(bprm->file->f_dentry->d_inode,MAY_READ, NULL) || | 890 | permission(bprm->file->f_dentry->d_inode,MAY_READ, NULL) || |
885 | (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)) { | 891 | (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)) { |
886 | suid_keys(current); | 892 | suid_keys(current); |
887 | current->mm->dumpable = 0; | 893 | current->mm->dumpable = suid_dumpable; |
888 | } | 894 | } |
889 | 895 | ||
890 | /* An exec changes our domain. We are no longer part of the thread | 896 | /* An exec changes our domain. We are no longer part of the thread |
@@ -1432,6 +1438,8 @@ int do_coredump(long signr, int exit_code, struct pt_regs * regs) | |||
1432 | struct inode * inode; | 1438 | struct inode * inode; |
1433 | struct file * file; | 1439 | struct file * file; |
1434 | int retval = 0; | 1440 | int retval = 0; |
1441 | int fsuid = current->fsuid; | ||
1442 | int flag = 0; | ||
1435 | 1443 | ||
1436 | binfmt = current->binfmt; | 1444 | binfmt = current->binfmt; |
1437 | if (!binfmt || !binfmt->core_dump) | 1445 | if (!binfmt || !binfmt->core_dump) |
@@ -1441,6 +1449,16 @@ int do_coredump(long signr, int exit_code, struct pt_regs * regs) | |||
1441 | up_write(&mm->mmap_sem); | 1449 | up_write(&mm->mmap_sem); |
1442 | goto fail; | 1450 | goto fail; |
1443 | } | 1451 | } |
1452 | |||
1453 | /* | ||
1454 | * We cannot trust fsuid as being the "true" uid of the | ||
1455 | * process nor do we know its entire history. We only know it | ||
1456 | * was tainted so we dump it as root in mode 2. | ||
1457 | */ | ||
1458 | if (mm->dumpable == 2) { /* Setuid core dump mode */ | ||
1459 | flag = O_EXCL; /* Stop rewrite attacks */ | ||
1460 | current->fsuid = 0; /* Dump root private */ | ||
1461 | } | ||
1444 | mm->dumpable = 0; | 1462 | mm->dumpable = 0; |
1445 | init_completion(&mm->core_done); | 1463 | init_completion(&mm->core_done); |
1446 | spin_lock_irq(¤t->sighand->siglock); | 1464 | spin_lock_irq(¤t->sighand->siglock); |
@@ -1466,7 +1484,7 @@ int do_coredump(long signr, int exit_code, struct pt_regs * regs) | |||
1466 | lock_kernel(); | 1484 | lock_kernel(); |
1467 | format_corename(corename, core_pattern, signr); | 1485 | format_corename(corename, core_pattern, signr); |
1468 | unlock_kernel(); | 1486 | unlock_kernel(); |
1469 | file = filp_open(corename, O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE, 0600); | 1487 | file = filp_open(corename, O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag, 0600); |
1470 | if (IS_ERR(file)) | 1488 | if (IS_ERR(file)) |
1471 | goto fail_unlock; | 1489 | goto fail_unlock; |
1472 | inode = file->f_dentry->d_inode; | 1490 | inode = file->f_dentry->d_inode; |
@@ -1491,6 +1509,7 @@ int do_coredump(long signr, int exit_code, struct pt_regs * regs) | |||
1491 | close_fail: | 1509 | close_fail: |
1492 | filp_close(file, NULL); | 1510 | filp_close(file, NULL); |
1493 | fail_unlock: | 1511 | fail_unlock: |
1512 | current->fsuid = fsuid; | ||
1494 | complete_all(&mm->core_done); | 1513 | complete_all(&mm->core_done); |
1495 | fail: | 1514 | fail: |
1496 | return retval; | 1515 | return retval; |
diff --git a/fs/proc/base.c b/fs/proc/base.c index e31903aadd9..ace151fa487 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c | |||
@@ -314,7 +314,7 @@ static int may_ptrace_attach(struct task_struct *task) | |||
314 | (current->gid != task->gid)) && !capable(CAP_SYS_PTRACE)) | 314 | (current->gid != task->gid)) && !capable(CAP_SYS_PTRACE)) |
315 | goto out; | 315 | goto out; |
316 | rmb(); | 316 | rmb(); |
317 | if (!task->mm->dumpable && !capable(CAP_SYS_PTRACE)) | 317 | if (task->mm->dumpable != 1 && !capable(CAP_SYS_PTRACE)) |
318 | goto out; | 318 | goto out; |
319 | if (security_ptrace(current, task)) | 319 | if (security_ptrace(current, task)) |
320 | goto out; | 320 | goto out; |
@@ -1113,7 +1113,9 @@ static int task_dumpable(struct task_struct *task) | |||
1113 | if (mm) | 1113 | if (mm) |
1114 | dumpable = mm->dumpable; | 1114 | dumpable = mm->dumpable; |
1115 | task_unlock(task); | 1115 | task_unlock(task); |
1116 | return dumpable; | 1116 | if(dumpable == 1) |
1117 | return 1; | ||
1118 | return 0; | ||
1117 | } | 1119 | } |
1118 | 1120 | ||
1119 | 1121 | ||
diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h index 7e736e201c4..c1e82c51444 100644 --- a/include/linux/binfmts.h +++ b/include/linux/binfmts.h | |||
@@ -69,6 +69,11 @@ extern void remove_arg_zero(struct linux_binprm *); | |||
69 | extern int search_binary_handler(struct linux_binprm *,struct pt_regs *); | 69 | extern int search_binary_handler(struct linux_binprm *,struct pt_regs *); |
70 | extern int flush_old_exec(struct linux_binprm * bprm); | 70 | extern int flush_old_exec(struct linux_binprm * bprm); |
71 | 71 | ||
72 | extern int suid_dumpable; | ||
73 | #define SUID_DUMP_DISABLE 0 /* No setuid dumping */ | ||
74 | #define SUID_DUMP_USER 1 /* Dump as user of process */ | ||
75 | #define SUID_DUMP_ROOT 2 /* Dump as root */ | ||
76 | |||
72 | /* Stack area protections */ | 77 | /* Stack area protections */ |
73 | #define EXSTACK_DEFAULT 0 /* Whatever the arch defaults to */ | 78 | #define EXSTACK_DEFAULT 0 /* Whatever the arch defaults to */ |
74 | #define EXSTACK_DISABLE_X 1 /* Disable executable stacks */ | 79 | #define EXSTACK_DISABLE_X 1 /* Disable executable stacks */ |
diff --git a/include/linux/sched.h b/include/linux/sched.h index b58afd97a18..901742f9238 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h | |||
@@ -246,7 +246,7 @@ struct mm_struct { | |||
246 | 246 | ||
247 | unsigned long saved_auxv[42]; /* for /proc/PID/auxv */ | 247 | unsigned long saved_auxv[42]; /* for /proc/PID/auxv */ |
248 | 248 | ||
249 | unsigned dumpable:1; | 249 | unsigned dumpable:2; |
250 | cpumask_t cpu_vm_mask; | 250 | cpumask_t cpu_vm_mask; |
251 | 251 | ||
252 | /* Architecture-specific MM context */ | 252 | /* Architecture-specific MM context */ |
diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h index a17745c80a9..614e939c78a 100644 --- a/include/linux/sysctl.h +++ b/include/linux/sysctl.h | |||
@@ -136,6 +136,7 @@ enum | |||
136 | KERN_UNKNOWN_NMI_PANIC=66, /* int: unknown nmi panic flag */ | 136 | KERN_UNKNOWN_NMI_PANIC=66, /* int: unknown nmi panic flag */ |
137 | KERN_BOOTLOADER_TYPE=67, /* int: boot loader type */ | 137 | KERN_BOOTLOADER_TYPE=67, /* int: boot loader type */ |
138 | KERN_RANDOMIZE=68, /* int: randomize virtual address space */ | 138 | KERN_RANDOMIZE=68, /* int: randomize virtual address space */ |
139 | KERN_SETUID_DUMPABLE=69, /* int: behaviour of dumps for setuid core */ | ||
139 | }; | 140 | }; |
140 | 141 | ||
141 | 142 | ||
diff --git a/kernel/sys.c b/kernel/sys.c index f006632c2ba..0a2c8cda963 100644 --- a/kernel/sys.c +++ b/kernel/sys.c | |||
@@ -525,7 +525,7 @@ asmlinkage long sys_setregid(gid_t rgid, gid_t egid) | |||
525 | } | 525 | } |
526 | if (new_egid != old_egid) | 526 | if (new_egid != old_egid) |
527 | { | 527 | { |
528 | current->mm->dumpable = 0; | 528 | current->mm->dumpable = suid_dumpable; |
529 | smp_wmb(); | 529 | smp_wmb(); |
530 | } | 530 | } |
531 | if (rgid != (gid_t) -1 || | 531 | if (rgid != (gid_t) -1 || |
@@ -556,7 +556,7 @@ asmlinkage long sys_setgid(gid_t gid) | |||
556 | { | 556 | { |
557 | if(old_egid != gid) | 557 | if(old_egid != gid) |
558 | { | 558 | { |
559 | current->mm->dumpable=0; | 559 | current->mm->dumpable = suid_dumpable; |
560 | smp_wmb(); | 560 | smp_wmb(); |
561 | } | 561 | } |
562 | current->gid = current->egid = current->sgid = current->fsgid = gid; | 562 | current->gid = current->egid = current->sgid = current->fsgid = gid; |
@@ -565,7 +565,7 @@ asmlinkage long sys_setgid(gid_t gid) | |||
565 | { | 565 | { |
566 | if(old_egid != gid) | 566 | if(old_egid != gid) |
567 | { | 567 | { |
568 | current->mm->dumpable=0; | 568 | current->mm->dumpable = suid_dumpable; |
569 | smp_wmb(); | 569 | smp_wmb(); |
570 | } | 570 | } |
571 | current->egid = current->fsgid = gid; | 571 | current->egid = current->fsgid = gid; |
@@ -596,7 +596,7 @@ static int set_user(uid_t new_ruid, int dumpclear) | |||
596 | 596 | ||
597 | if(dumpclear) | 597 | if(dumpclear) |
598 | { | 598 | { |
599 | current->mm->dumpable = 0; | 599 | current->mm->dumpable = suid_dumpable; |
600 | smp_wmb(); | 600 | smp_wmb(); |
601 | } | 601 | } |
602 | current->uid = new_ruid; | 602 | current->uid = new_ruid; |
@@ -653,7 +653,7 @@ asmlinkage long sys_setreuid(uid_t ruid, uid_t euid) | |||
653 | 653 | ||
654 | if (new_euid != old_euid) | 654 | if (new_euid != old_euid) |
655 | { | 655 | { |
656 | current->mm->dumpable=0; | 656 | current->mm->dumpable = suid_dumpable; |
657 | smp_wmb(); | 657 | smp_wmb(); |
658 | } | 658 | } |
659 | current->fsuid = current->euid = new_euid; | 659 | current->fsuid = current->euid = new_euid; |
@@ -703,7 +703,7 @@ asmlinkage long sys_setuid(uid_t uid) | |||
703 | 703 | ||
704 | if (old_euid != uid) | 704 | if (old_euid != uid) |
705 | { | 705 | { |
706 | current->mm->dumpable = 0; | 706 | current->mm->dumpable = suid_dumpable; |
707 | smp_wmb(); | 707 | smp_wmb(); |
708 | } | 708 | } |
709 | current->fsuid = current->euid = uid; | 709 | current->fsuid = current->euid = uid; |
@@ -748,7 +748,7 @@ asmlinkage long sys_setresuid(uid_t ruid, uid_t euid, uid_t suid) | |||
748 | if (euid != (uid_t) -1) { | 748 | if (euid != (uid_t) -1) { |
749 | if (euid != current->euid) | 749 | if (euid != current->euid) |
750 | { | 750 | { |
751 | current->mm->dumpable = 0; | 751 | current->mm->dumpable = suid_dumpable; |
752 | smp_wmb(); | 752 | smp_wmb(); |
753 | } | 753 | } |
754 | current->euid = euid; | 754 | current->euid = euid; |
@@ -798,7 +798,7 @@ asmlinkage long sys_setresgid(gid_t rgid, gid_t egid, gid_t sgid) | |||
798 | if (egid != (gid_t) -1) { | 798 | if (egid != (gid_t) -1) { |
799 | if (egid != current->egid) | 799 | if (egid != current->egid) |
800 | { | 800 | { |
801 | current->mm->dumpable = 0; | 801 | current->mm->dumpable = suid_dumpable; |
802 | smp_wmb(); | 802 | smp_wmb(); |
803 | } | 803 | } |
804 | current->egid = egid; | 804 | current->egid = egid; |
@@ -845,7 +845,7 @@ asmlinkage long sys_setfsuid(uid_t uid) | |||
845 | { | 845 | { |
846 | if (uid != old_fsuid) | 846 | if (uid != old_fsuid) |
847 | { | 847 | { |
848 | current->mm->dumpable = 0; | 848 | current->mm->dumpable = suid_dumpable; |
849 | smp_wmb(); | 849 | smp_wmb(); |
850 | } | 850 | } |
851 | current->fsuid = uid; | 851 | current->fsuid = uid; |
@@ -875,7 +875,7 @@ asmlinkage long sys_setfsgid(gid_t gid) | |||
875 | { | 875 | { |
876 | if (gid != old_fsgid) | 876 | if (gid != old_fsgid) |
877 | { | 877 | { |
878 | current->mm->dumpable = 0; | 878 | current->mm->dumpable = suid_dumpable; |
879 | smp_wmb(); | 879 | smp_wmb(); |
880 | } | 880 | } |
881 | current->fsgid = gid; | 881 | current->fsgid = gid; |
@@ -1652,7 +1652,7 @@ asmlinkage long sys_prctl(int option, unsigned long arg2, unsigned long arg3, | |||
1652 | error = 1; | 1652 | error = 1; |
1653 | break; | 1653 | break; |
1654 | case PR_SET_DUMPABLE: | 1654 | case PR_SET_DUMPABLE: |
1655 | if (arg2 != 0 && arg2 != 1) { | 1655 | if (arg2 < 0 || arg2 > 2) { |
1656 | error = -EINVAL; | 1656 | error = -EINVAL; |
1657 | break; | 1657 | break; |
1658 | } | 1658 | } |
diff --git a/kernel/sysctl.c b/kernel/sysctl.c index 701d12c6306..24a4d12d5aa 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c | |||
@@ -58,6 +58,7 @@ extern int sysctl_overcommit_ratio; | |||
58 | extern int max_threads; | 58 | extern int max_threads; |
59 | extern int sysrq_enabled; | 59 | extern int sysrq_enabled; |
60 | extern int core_uses_pid; | 60 | extern int core_uses_pid; |
61 | extern int suid_dumpable; | ||
61 | extern char core_pattern[]; | 62 | extern char core_pattern[]; |
62 | extern int cad_pid; | 63 | extern int cad_pid; |
63 | extern int pid_max; | 64 | extern int pid_max; |
@@ -950,6 +951,14 @@ static ctl_table fs_table[] = { | |||
950 | .proc_handler = &proc_dointvec, | 951 | .proc_handler = &proc_dointvec, |
951 | }, | 952 | }, |
952 | #endif | 953 | #endif |
954 | { | ||
955 | .ctl_name = KERN_SETUID_DUMPABLE, | ||
956 | .procname = "suid_dumpable", | ||
957 | .data = &suid_dumpable, | ||
958 | .maxlen = sizeof(int), | ||
959 | .mode = 0644, | ||
960 | .proc_handler = &proc_dointvec, | ||
961 | }, | ||
953 | { .ctl_name = 0 } | 962 | { .ctl_name = 0 } |
954 | }; | 963 | }; |
955 | 964 | ||
diff --git a/security/commoncap.c b/security/commoncap.c index 849b8c338ee..04c12f58d65 100644 --- a/security/commoncap.c +++ b/security/commoncap.c | |||
@@ -149,7 +149,7 @@ void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe) | |||
149 | 149 | ||
150 | if (bprm->e_uid != current->uid || bprm->e_gid != current->gid || | 150 | if (bprm->e_uid != current->uid || bprm->e_gid != current->gid || |
151 | !cap_issubset (new_permitted, current->cap_permitted)) { | 151 | !cap_issubset (new_permitted, current->cap_permitted)) { |
152 | current->mm->dumpable = 0; | 152 | current->mm->dumpable = suid_dumpable; |
153 | 153 | ||
154 | if (unsafe & ~LSM_UNSAFE_PTRACE_CAP) { | 154 | if (unsafe & ~LSM_UNSAFE_PTRACE_CAP) { |
155 | if (!capable(CAP_SETUID)) { | 155 | if (!capable(CAP_SETUID)) { |
diff --git a/security/dummy.c b/security/dummy.c index b32eff14654..6ff88758647 100644 --- a/security/dummy.c +++ b/security/dummy.c | |||
@@ -130,7 +130,7 @@ static void dummy_bprm_free_security (struct linux_binprm *bprm) | |||
130 | static void dummy_bprm_apply_creds (struct linux_binprm *bprm, int unsafe) | 130 | static void dummy_bprm_apply_creds (struct linux_binprm *bprm, int unsafe) |
131 | { | 131 | { |
132 | if (bprm->e_uid != current->uid || bprm->e_gid != current->gid) { | 132 | if (bprm->e_uid != current->uid || bprm->e_gid != current->gid) { |
133 | current->mm->dumpable = 0; | 133 | current->mm->dumpable = suid_dumpable; |
134 | 134 | ||
135 | if ((unsafe & ~LSM_UNSAFE_PTRACE_CAP) && !capable(CAP_SETUID)) { | 135 | if ((unsafe & ~LSM_UNSAFE_PTRACE_CAP) && !capable(CAP_SETUID)) { |
136 | bprm->e_uid = current->uid; | 136 | bprm->e_uid = current->uid; |