android_kernel_samsung_msm8976/fs/proc
Jann Horn 414f6fbc84 ptrace: use fsuid, fsgid, effective creds for fs access checks
commit caaee6234d05a58c5b4d05e7bf766131b810a657 upstream.

By checking the effective credentials instead of the real UID / permitted
capabilities, ensure that the calling process actually intended to use its
credentials.

To ensure that all ptrace checks use the correct caller credentials (e.g.
in case out-of-tree code or newly added code omits the PTRACE_MODE_*CREDS
flag), use two new flags and require one of them to be set.

The problem was that when a privileged task had temporarily dropped its
privileges, e.g.  by calling setreuid(0, user_uid), with the intent to
perform following syscalls with the credentials of a user, it still passed
ptrace access checks that the user would not be able to pass.

While an attacker should not be able to convince the privileged task to
perform a ptrace() syscall, this is a problem because the ptrace access
check is reused for things in procfs.

In particular, the following somewhat interesting procfs entries only rely
on ptrace access checks:

 /proc/$pid/stat - uses the check for determining whether pointers
     should be visible, useful for bypassing ASLR
 /proc/$pid/maps - also useful for bypassing ASLR
 /proc/$pid/cwd - useful for gaining access to restricted
     directories that contain files with lax permissions, e.g. in
     this scenario:
     lrwxrwxrwx root root /proc/13020/cwd -> /root/foobar
     drwx------ root root /root
     drwxr-xr-x root root /root/foobar
     -rw-r--r-- root root /root/foobar/secret

Therefore, on a system where a root-owned mode 6755 binary changes its
effective credentials as described and then dumps a user-specified file,
this could be used by an attacker to reveal the memory layout of root's
processes or reveal the contents of files he is not allowed to access
(through /proc/$pid/cwd).

[akpm@linux-foundation.org: fix warning]
Signed-off-by: Jann Horn <jann@thejh.net>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Casey Schaufler <casey@schaufler-ca.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: James Morris <james.l.morris@oracle.com>
Cc: "Serge E. Hallyn" <serge.hallyn@ubuntu.com>
Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-02-25 11:57:47 -08:00
..
array.c ptrace: use fsuid, fsgid, effective creds for fs access checks 2016-02-25 11:57:47 -08:00
base.c ptrace: use fsuid, fsgid, effective creds for fs access checks 2016-02-25 11:57:47 -08:00
cmdline.c
consoles.c
cpuinfo.c
devices.c
fd.c procfs: add ability to plug in auxiliary fdinfo providers 2012-12-17 17:15:27 -08:00
fd.h proc: Move proc_fd() to fs/proc/fd.h 2013-05-01 17:29:39 -04:00
generic.c procfs: fix race between symlink removals and traversals 2015-03-18 13:22:32 +01:00
inode.c procfs: fix race between symlink removals and traversals 2015-03-18 13:22:32 +01:00
internal.h procfs: fix race between symlink removals and traversals 2015-03-18 13:22:32 +01:00
interrupts.c
Kconfig
kcore.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2013-05-01 17:51:54 -07:00
kmsg.c kmsg: honor dmesg_restrict sysctl on /dev/kmsg 2013-06-12 16:29:44 -07:00
loadavg.c
Makefile mm, vmalloc: move get_vmalloc_info() to vmalloc.c 2013-04-29 15:54:33 -07:00
meminfo.c mm, vmalloc: move get_vmalloc_info() to vmalloc.c 2013-04-29 15:54:33 -07:00
namespaces.c ptrace: use fsuid, fsgid, effective creds for fs access checks 2016-02-25 11:57:47 -08:00
nommu.c new helper: file_inode(file) 2013-02-22 23:31:31 -05:00
page.c mm: close PageTail race 2014-04-03 12:01:05 -07:00
proc_devtree.c proc_devtree: Replace include linux/module.h with linux/export.h 2013-05-04 15:31:01 -04:00
proc_net.c proc: Move PDE_NET() to fs/proc/proc_net.c 2013-05-01 17:29:40 -04:00
proc_sysctl.c fs/proc: clean up printks 2013-02-27 19:10:11 -08:00
proc_tty.c
root.c proc: Restrict mounting the proc filesystem 2013-09-26 17:18:28 -07:00
self.c Include missing linux/slab.h inclusions 2013-04-29 15:42:01 -04:00
softirqs.c
stat.c stat: Use size_t for sizes instead of unsigned 2013-02-01 12:32:08 +02:00
task_mmu.c pagemap: do not leak physical addresses to non-privileged userspace 2015-04-19 10:10:51 +02:00
task_nommu.c new helper: file_inode(file) 2013-02-22 23:31:31 -05:00
uptime.c Merge branch 'sched/core' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip into cputime-tip 2011-12-19 19:23:15 +01:00
version.c
vmcore.c proc: Supply a function to remove a proc entry by PDE 2013-05-01 17:29:46 -04:00