diff options
| author | Eric Paris <eparis@redhat.com> | 2012-01-03 12:25:15 -0500 |
|---|---|---|
| committer | Eric Paris <eparis@redhat.com> | 2012-01-05 18:53:00 -0500 |
| commit | 69f594a38967f4540ce7a29b3fd214e68a8330bd (patch) | |
| tree | dff25b5f5ef0736fb63b08729bec4ff57062c13f /kernel | |
| parent | f1c84dae0ecc51aa35c81f19a0ebcd6c0921ddcb (diff) | |
ptrace: do not audit capability check when outputing /proc/pid/stat
Reading /proc/pid/stat of another process checks if one has ptrace permissions
on that process. If one does have permissions it outputs some data about the
process which might have security and attack implications. If the current
task does not have ptrace permissions the read still works, but those fields
are filled with inocuous (0) values. Since this check and a subsequent denial
is not a violation of the security policy we should not audit such denials.
This can be quite useful to removing ptrace broadly across a system without
flooding the logs when ps is run or something which harmlessly walks proc.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Serge E. Hallyn <serge.hallyn@canonical.com>
Diffstat (limited to 'kernel')
| -rw-r--r-- | kernel/ptrace.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/kernel/ptrace.c b/kernel/ptrace.c index 210bbf045ee9..c890ac9a7962 100644 --- a/kernel/ptrace.c +++ b/kernel/ptrace.c | |||
| @@ -161,6 +161,14 @@ int ptrace_check_attach(struct task_struct *child, bool ignore_state) | |||
| 161 | return ret; | 161 | return ret; |
| 162 | } | 162 | } |
| 163 | 163 | ||
| 164 | static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode) | ||
| 165 | { | ||
| 166 | if (mode & PTRACE_MODE_NOAUDIT) | ||
| 167 | return has_ns_capability_noaudit(current, ns, CAP_SYS_PTRACE); | ||
| 168 | else | ||
| 169 | return has_ns_capability(current, ns, CAP_SYS_PTRACE); | ||
| 170 | } | ||
| 171 | |||
| 164 | int __ptrace_may_access(struct task_struct *task, unsigned int mode) | 172 | int __ptrace_may_access(struct task_struct *task, unsigned int mode) |
| 165 | { | 173 | { |
| 166 | const struct cred *cred = current_cred(), *tcred; | 174 | const struct cred *cred = current_cred(), *tcred; |
| @@ -187,7 +195,7 @@ int __ptrace_may_access(struct task_struct *task, unsigned int mode) | |||
| 187 | cred->gid == tcred->sgid && | 195 | cred->gid == tcred->sgid && |
| 188 | cred->gid == tcred->gid)) | 196 | cred->gid == tcred->gid)) |
| 189 | goto ok; | 197 | goto ok; |
| 190 | if (ns_capable(tcred->user->user_ns, CAP_SYS_PTRACE)) | 198 | if (ptrace_has_cap(tcred->user->user_ns, mode)) |
| 191 | goto ok; | 199 | goto ok; |
| 192 | rcu_read_unlock(); | 200 | rcu_read_unlock(); |
| 193 | return -EPERM; | 201 | return -EPERM; |
| @@ -196,7 +204,7 @@ ok: | |||
| 196 | smp_rmb(); | 204 | smp_rmb(); |
| 197 | if (task->mm) | 205 | if (task->mm) |
| 198 | dumpable = get_dumpable(task->mm); | 206 | dumpable = get_dumpable(task->mm); |
| 199 | if (!dumpable && !ns_capable(task_user_ns(task), CAP_SYS_PTRACE)) | 207 | if (!dumpable && !ptrace_has_cap(task_user_ns(task), mode)) |
| 200 | return -EPERM; | 208 | return -EPERM; |
| 201 | 209 | ||
| 202 | return security_ptrace_access_check(task, mode); | 210 | return security_ptrace_access_check(task, mode); |