ptrace: use fsuid, fsgid, effective creds for fs access checks
commit caaee6234d05a58c5b4d05e7bf766131b810a657 upstream.
By checking the effective credentials instead of the real UID / permitted
capabilities, ensure that the calling process actually intended to use its
credentials.
To ensure that all ptrace checks use the correct caller credentials (e.g.
in case out-of-tree code or newly added code omits the PTRACE_MODE_*CREDS
flag), use two new flags and require one of them to be set.
The problem was that when a privileged task had temporarily dropped its
privileges, e.g. by calling setreuid(0, user_uid), with the intent to
perform following syscalls with the credentials of a user, it still passed
ptrace access checks that the user would not be able to pass.
While an attacker should not be able to convince the privileged task to
perform a ptrace() syscall, this is a problem because the ptrace access
check is reused for things in procfs.
In particular, the following somewhat interesting procfs entries only rely
on ptrace access checks:
/proc/$pid/stat - uses the check for determining whether pointers
should be visible, useful for bypassing ASLR
/proc/$pid/maps - also useful for bypassing ASLR
/proc/$pid/cwd - useful for gaining access to restricted
directories that contain files with lax permissions, e.g. in
this scenario:
lrwxrwxrwx root root /proc/13020/cwd -> /root/foobar
drwx------ root root /root
drwxr-xr-x root root /root/foobar
-rw-r--r-- root root /root/foobar/secret
Therefore, on a system where a root-owned mode 6755 binary changes its
effective credentials as described and then dumps a user-specified file,
this could be used by an attacker to reveal the memory layout of root's
processes or reveal the contents of files he is not allowed to access
(through /proc/$pid/cwd).
[akpm@linux-foundation.org: fix warning]
Signed-off-by: Jann Horn <jann@thejh.net>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Casey Schaufler <casey@schaufler-ca.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: James Morris <james.l.morris@oracle.com>
Cc: "Serge E. Hallyn" <serge.hallyn@ubuntu.com>
Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Jann Horn
Greg Kroah-Hartman
parent
05c5582559
commit
414f6fbc84
|
|
@ -398,7 +398,7 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
|
|||
|
||||
state = *get_task_state(task);
|
||||
vsize = eip = esp = 0;
|
||||
permitted = ptrace_may_access(task, PTRACE_MODE_READ | PTRACE_MODE_NOAUDIT);
|
||||
permitted = ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS | PTRACE_MODE_NOAUDIT);
|
||||
mm = get_task_mm(task);
|
||||
if (mm) {
|
||||
vsize = task_vsize(mm);
|
||||
|
|
|
|||
|
|
@ -239,7 +239,7 @@ out:
|
|||
|
||||
static int proc_pid_auxv(struct task_struct *task, char *buffer)
|
||||
{
|
||||
struct mm_struct *mm = mm_access(task, PTRACE_MODE_READ);
|
||||
struct mm_struct *mm = mm_access(task, PTRACE_MODE_READ_FSCREDS);
|
||||
int res = PTR_ERR(mm);
|
||||
if (mm && !IS_ERR(mm)) {
|
||||
unsigned int nwords = 0;
|
||||
|
|
@ -269,7 +269,7 @@ static int proc_pid_wchan(struct task_struct *task, char *buffer)
|
|||
wchan = get_wchan(task);
|
||||
|
||||
if (lookup_symbol_name(wchan, symname) < 0)
|
||||
if (!ptrace_may_access(task, PTRACE_MODE_READ))
|
||||
if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS))
|
||||
return 0;
|
||||
else
|
||||
return sprintf(buffer, "%lu", wchan);
|
||||
|
|
@ -283,7 +283,7 @@ static int lock_trace(struct task_struct *task)
|
|||
int err = mutex_lock_killable(&task->signal->cred_guard_mutex);
|
||||
if (err)
|
||||
return err;
|
||||
if (!ptrace_may_access(task, PTRACE_MODE_ATTACH)) {
|
||||
if (!ptrace_may_access(task, PTRACE_MODE_ATTACH_FSCREDS)) {
|
||||
mutex_unlock(&task->signal->cred_guard_mutex);
|
||||
return -EPERM;
|
||||
}
|
||||
|
|
@ -557,7 +557,7 @@ static int proc_fd_access_allowed(struct inode *inode)
|
|||
*/
|
||||
task = get_proc_task(inode);
|
||||
if (task) {
|
||||
allowed = ptrace_may_access(task, PTRACE_MODE_READ);
|
||||
allowed = ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS);
|
||||
put_task_struct(task);
|
||||
}
|
||||
return allowed;
|
||||
|
|
@ -592,7 +592,7 @@ static bool has_pid_permissions(struct pid_namespace *pid,
|
|||
return true;
|
||||
if (in_group_p(pid->pid_gid))
|
||||
return true;
|
||||
return ptrace_may_access(task, PTRACE_MODE_READ);
|
||||
return ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS);
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -707,7 +707,7 @@ static int __mem_open(struct inode *inode, struct file *file, unsigned int mode)
|
|||
if (!task)
|
||||
return -ESRCH;
|
||||
|
||||
mm = mm_access(task, mode);
|
||||
mm = mm_access(task, mode | PTRACE_MODE_FSCREDS);
|
||||
put_task_struct(task);
|
||||
|
||||
if (IS_ERR(mm))
|
||||
|
|
@ -1761,7 +1761,7 @@ static int map_files_d_revalidate(struct dentry *dentry, unsigned int flags)
|
|||
if (!task)
|
||||
goto out_notask;
|
||||
|
||||
mm = mm_access(task, PTRACE_MODE_READ);
|
||||
mm = mm_access(task, PTRACE_MODE_READ_FSCREDS);
|
||||
if (IS_ERR_OR_NULL(mm))
|
||||
goto out;
|
||||
|
||||
|
|
@ -1896,7 +1896,7 @@ static struct dentry *proc_map_files_lookup(struct inode *dir,
|
|||
goto out;
|
||||
|
||||
result = ERR_PTR(-EACCES);
|
||||
if (!ptrace_may_access(task, PTRACE_MODE_READ))
|
||||
if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS))
|
||||
goto out_put_task;
|
||||
|
||||
result = ERR_PTR(-ENOENT);
|
||||
|
|
@ -1952,7 +1952,7 @@ proc_map_files_readdir(struct file *filp, void *dirent, filldir_t filldir)
|
|||
goto out;
|
||||
|
||||
ret = -EACCES;
|
||||
if (!ptrace_may_access(task, PTRACE_MODE_READ))
|
||||
if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS))
|
||||
goto out_put_task;
|
||||
|
||||
ret = 0;
|
||||
|
|
@ -2488,7 +2488,7 @@ static int do_io_accounting(struct task_struct *task, char *buffer, int whole)
|
|||
if (result)
|
||||
return result;
|
||||
|
||||
if (!ptrace_may_access(task, PTRACE_MODE_READ)) {
|
||||
if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) {
|
||||
result = -EACCES;
|
||||
goto out_unlock;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -125,7 +125,7 @@ static void *proc_ns_follow_link(struct dentry *dentry, struct nameidata *nd)
|
|||
if (!task)
|
||||
goto out;
|
||||
|
||||
if (!ptrace_may_access(task, PTRACE_MODE_READ))
|
||||
if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS))
|
||||
goto out_put_task;
|
||||
|
||||
ns_path.dentry = proc_ns_get_dentry(sb, task, ei->ns.ns_ops);
|
||||
|
|
@ -158,7 +158,7 @@ static int proc_ns_readlink(struct dentry *dentry, char __user *buffer, int bufl
|
|||
if (!task)
|
||||
goto out;
|
||||
|
||||
if (!ptrace_may_access(task, PTRACE_MODE_READ))
|
||||
if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS))
|
||||
goto out_put_task;
|
||||
|
||||
len = -ENOENT;
|
||||
|
|
|
|||
|
|
@ -56,7 +56,29 @@ extern void exit_ptrace(struct task_struct *tracer);
|
|||
#define PTRACE_MODE_READ 0x01
|
||||
#define PTRACE_MODE_ATTACH 0x02
|
||||
#define PTRACE_MODE_NOAUDIT 0x04
|
||||
/* Returns true on success, false on denial. */
|
||||
#define PTRACE_MODE_FSCREDS 0x08
|
||||
#define PTRACE_MODE_REALCREDS 0x10
|
||||
|
||||
/* shorthands for READ/ATTACH and FSCREDS/REALCREDS combinations */
|
||||
#define PTRACE_MODE_READ_FSCREDS (PTRACE_MODE_READ | PTRACE_MODE_FSCREDS)
|
||||
#define PTRACE_MODE_READ_REALCREDS (PTRACE_MODE_READ | PTRACE_MODE_REALCREDS)
|
||||
#define PTRACE_MODE_ATTACH_FSCREDS (PTRACE_MODE_ATTACH | PTRACE_MODE_FSCREDS)
|
||||
#define PTRACE_MODE_ATTACH_REALCREDS (PTRACE_MODE_ATTACH | PTRACE_MODE_REALCREDS)
|
||||
|
||||
/**
|
||||
* ptrace_may_access - check whether the caller is permitted to access
|
||||
* a target task.
|
||||
* @task: target task
|
||||
* @mode: selects type of access and caller credentials
|
||||
*
|
||||
* Returns true on success, false on denial.
|
||||
*
|
||||
* One of the flags PTRACE_MODE_FSCREDS and PTRACE_MODE_REALCREDS must
|
||||
* be set in @mode to specify whether the access was requested through
|
||||
* a filesystem syscall (should use effective capabilities and fsuid
|
||||
* of the caller) or through an explicit syscall such as
|
||||
* process_vm_writev or ptrace (and should use the real credentials).
|
||||
*/
|
||||
extern bool ptrace_may_access(struct task_struct *task, unsigned int mode);
|
||||
|
||||
static inline int ptrace_reparented(struct task_struct *child)
|
||||
|
|
|
|||
|
|
@ -2938,7 +2938,7 @@ find_lively_task_by_vpid(pid_t vpid)
|
|||
|
||||
/* Reuse ptrace permission checks for now. */
|
||||
err = -EACCES;
|
||||
if (!ptrace_may_access(task, PTRACE_MODE_READ))
|
||||
if (!ptrace_may_access(task, PTRACE_MODE_READ_REALCREDS))
|
||||
goto errout;
|
||||
|
||||
return task;
|
||||
|
|
|
|||
|
|
@ -2620,7 +2620,7 @@ SYSCALL_DEFINE3(get_robust_list, int, pid,
|
|||
}
|
||||
|
||||
ret = -EPERM;
|
||||
if (!ptrace_may_access(p, PTRACE_MODE_READ))
|
||||
if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS))
|
||||
goto err_unlock;
|
||||
|
||||
head = p->robust_list;
|
||||
|
|
|
|||
|
|
@ -155,7 +155,7 @@ COMPAT_SYSCALL_DEFINE3(get_robust_list, int, pid,
|
|||
}
|
||||
|
||||
ret = -EPERM;
|
||||
if (!ptrace_may_access(p, PTRACE_MODE_READ))
|
||||
if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS))
|
||||
goto err_unlock;
|
||||
|
||||
head = p->compat_robust_list;
|
||||
|
|
|
|||
|
|
@ -122,8 +122,8 @@ SYSCALL_DEFINE5(kcmp, pid_t, pid1, pid_t, pid2, int, type,
|
|||
&task2->signal->cred_guard_mutex);
|
||||
if (ret)
|
||||
goto err;
|
||||
if (!ptrace_may_access(task1, PTRACE_MODE_READ) ||
|
||||
!ptrace_may_access(task2, PTRACE_MODE_READ)) {
|
||||
if (!ptrace_may_access(task1, PTRACE_MODE_READ_REALCREDS) ||
|
||||
!ptrace_may_access(task2, PTRACE_MODE_READ_REALCREDS)) {
|
||||
ret = -EPERM;
|
||||
goto err_unlock;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -225,6 +225,14 @@ static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode)
|
|||
static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
|
||||
{
|
||||
const struct cred *cred = current_cred(), *tcred;
|
||||
int dumpable = 0;
|
||||
kuid_t caller_uid;
|
||||
kgid_t caller_gid;
|
||||
|
||||
if (!(mode & PTRACE_MODE_FSCREDS) == !(mode & PTRACE_MODE_REALCREDS)) {
|
||||
WARN(1, "denying ptrace access check without PTRACE_MODE_*CREDS\n");
|
||||
return -EPERM;
|
||||
}
|
||||
|
||||
/* May we inspect the given task?
|
||||
* This check is used both for attaching with ptrace
|
||||
|
|
@ -234,18 +242,33 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
|
|||
* because setting up the necessary parent/child relationship
|
||||
* or halting the specified task is impossible.
|
||||
*/
|
||||
int dumpable = 0;
|
||||
|
||||
/* Don't let security modules deny introspection */
|
||||
if (same_thread_group(task, current))
|
||||
return 0;
|
||||
rcu_read_lock();
|
||||
if (mode & PTRACE_MODE_FSCREDS) {
|
||||
caller_uid = cred->fsuid;
|
||||
caller_gid = cred->fsgid;
|
||||
} else {
|
||||
/*
|
||||
* Using the euid would make more sense here, but something
|
||||
* in userland might rely on the old behavior, and this
|
||||
* shouldn't be a security problem since
|
||||
* PTRACE_MODE_REALCREDS implies that the caller explicitly
|
||||
* used a syscall that requests access to another process
|
||||
* (and not a filesystem syscall to procfs).
|
||||
*/
|
||||
caller_uid = cred->uid;
|
||||
caller_gid = cred->gid;
|
||||
}
|
||||
tcred = __task_cred(task);
|
||||
if (uid_eq(cred->uid, tcred->euid) &&
|
||||
uid_eq(cred->uid, tcred->suid) &&
|
||||
uid_eq(cred->uid, tcred->uid) &&
|
||||
gid_eq(cred->gid, tcred->egid) &&
|
||||
gid_eq(cred->gid, tcred->sgid) &&
|
||||
gid_eq(cred->gid, tcred->gid))
|
||||
if (uid_eq(caller_uid, tcred->euid) &&
|
||||
uid_eq(caller_uid, tcred->suid) &&
|
||||
uid_eq(caller_uid, tcred->uid) &&
|
||||
gid_eq(caller_gid, tcred->egid) &&
|
||||
gid_eq(caller_gid, tcred->sgid) &&
|
||||
gid_eq(caller_gid, tcred->gid))
|
||||
goto ok;
|
||||
if (ptrace_has_cap(tcred->user_ns, mode))
|
||||
goto ok;
|
||||
|
|
@ -312,7 +335,7 @@ static int ptrace_attach(struct task_struct *task, long request,
|
|||
goto out;
|
||||
|
||||
task_lock(task);
|
||||
retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH);
|
||||
retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS);
|
||||
task_unlock(task);
|
||||
if (retval)
|
||||
goto unlock_creds;
|
||||
|
|
|
|||
|
|
@ -298,7 +298,7 @@ static ssize_t process_vm_rw_core(pid_t pid, const struct iovec *lvec,
|
|||
goto free_proc_pages;
|
||||
}
|
||||
|
||||
mm = mm_access(task, PTRACE_MODE_ATTACH);
|
||||
mm = mm_access(task, PTRACE_MODE_ATTACH_REALCREDS);
|
||||
if (!mm || IS_ERR(mm)) {
|
||||
rc = IS_ERR(mm) ? PTR_ERR(mm) : -ESRCH;
|
||||
/*
|
||||
|
|
|
|||
|
|
@ -142,12 +142,17 @@ int cap_ptrace_access_check(struct task_struct *child, unsigned int mode)
|
|||
{
|
||||
int ret = 0;
|
||||
const struct cred *cred, *child_cred;
|
||||
const kernel_cap_t *caller_caps;
|
||||
|
||||
rcu_read_lock();
|
||||
cred = current_cred();
|
||||
child_cred = __task_cred(child);
|
||||
if (mode & PTRACE_MODE_FSCREDS)
|
||||
caller_caps = &cred->cap_effective;
|
||||
else
|
||||
caller_caps = &cred->cap_permitted;
|
||||
if (cred->user_ns == child_cred->user_ns &&
|
||||
cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
|
||||
cap_issubset(child_cred->cap_permitted, *caller_caps))
|
||||
goto out;
|
||||
if (ns_capable(child_cred->user_ns, CAP_SYS_PTRACE))
|
||||
goto out;
|
||||
|
|
|
|||
Loading…
Reference in New Issue