Git Repo - linux.git/commit - mm/process_vm_access.c
ptrace: use fsuid, fsgid, effective creds for fs access checks
author Jann Horn <[email protected]>
Wed, 20 Jan 2016 23:00:04 +0000 (15:00 -0800)
committer Linus Torvalds <[email protected]>
Thu, 21 Jan 2016 01:09:18 +0000 (17:09 -0800)
commit caaee6234d05a58c5b4d05e7bf766131b810a657
tree 6227530109dd91ab5447fbd2211f09bc636845a7
parent 3dfb7d8cdbc7ea0c2970450e60818bb3eefbad69
ptrace: use fsuid, fsgid, effective creds for fs access checks

By checking the effective credentials instead of the real UID / permitted
capabilities, ensure that the calling process actually intended to use its
credentials.

To ensure that all ptrace checks use the correct caller credentials (e.g.
in case out-of-tree code or newly added code omits the PTRACE_MODE_*CREDS
flag), use two new flags and require one of them to be set.

The problem was that when a privileged task had temporarily dropped its
privileges, e.g.  by calling setreuid(0, user_uid), with the intent to
perform following syscalls with the credentials of a user, it still passed
ptrace access checks that the user would not be able to pass.

While an attacker should not be able to convince the privileged task to
perform a ptrace() syscall, this is a problem because the ptrace access
check is reused for things in procfs.

In particular, the following somewhat interesting procfs entries only rely
on ptrace access checks:

 /proc/$pid/stat - uses the check for determining whether pointers
     should be visible, useful for bypassing ASLR
 /proc/$pid/maps - also useful for bypassing ASLR
 /proc/$pid/cwd - useful for gaining access to restricted
     directories that contain files with lax permissions, e.g. in
     this scenario:
     lrwxrwxrwx root root /proc/13020/cwd -> /root/foobar
     drwx------ root root /root
     drwxr-xr-x root root /root/foobar
     -rw-r--r-- root root /root/foobar/secret

Therefore, on a system where a root-owned mode 6755 binary changes its
effective credentials as described and then dumps a user-specified file,
this could be used by an attacker to reveal the memory layout of root's
processes or reveal the contents of files he is not allowed to access
(through /proc/$pid/cwd).

[[email protected]: fix warning]
Signed-off-by: Jann Horn <[email protected]>
Acked-by: Kees Cook <[email protected]>
Cc: Casey Schaufler <[email protected]>
Cc: Oleg Nesterov <[email protected]>
Cc: Ingo Molnar <[email protected]>
Cc: James Morris <[email protected]>
Cc: "Serge E. Hallyn" <[email protected]>
Cc: Andy Shevchenko <[email protected]>
Cc: Andy Lutomirski <[email protected]>
Cc: Al Viro <[email protected]>
Cc: "Eric W. Biederman" <[email protected]>
Cc: Willy Tarreau <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
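As an added illustration of the credential confusion the message describes (this is example code written for this page, not kernel code and not part of the commit), the following user-space C model reproduces the shape of the access check before and after the change. The struct, the `MODE_REALCREDS`/`MODE_FSCREDS` constants and the constructed credential sets are assumptions for the example; the kernel's real `struct cred` and `__ptrace_may_access()` differ in detail. The point it makes: a root process that has called `setreuid(0, user_uid)` still has real uid 0 and a full permitted capability set, so a check keyed on those passes, while a check keyed on the fs uid and the effective capability set, which is what a following file access would actually be judged by, is denied.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of the credential fields the check consults (constructed
 * for this example; not the kernel's struct cred). */
typedef struct {
    unsigned uid, euid, suid, fsuid;   /* real, effective, saved, filesystem uid */
    unsigned gid, egid, sgid, fsgid;   /* same for groups */
    uint64_t cap_permitted;            /* permitted capability set */
    uint64_t cap_effective;            /* effective capability set */
} cred_model;

/* CAP_SYS_PTRACE is capability number 19 in Linux. */
#define CAP_SYS_PTRACE_BIT (1ULL << 19)

/* Which credential view the caller is judged by (names assumed for the example). */
enum { MODE_REALCREDS = 1, MODE_FSCREDS = 2 };

/* Model of the ptrace access check: allowed when every uid/gid of the target
 * matches the caller's chosen uid/gid, otherwise fall back to CAP_SYS_PTRACE
 * in the chosen capability set. */
bool ptrace_may_access_model(const cred_model *caller, const cred_model *target, int mode)
{
    unsigned caller_uid, caller_gid;
    uint64_t caller_caps;

    if (mode & MODE_FSCREDS) {
        /* Post-fix view for procfs: fs creds and effective capabilities. */
        caller_uid  = caller->fsuid;
        caller_gid  = caller->fsgid;
        caller_caps = caller->cap_effective;
    } else {
        /* Pre-fix view: real uid/gid and permitted capabilities. */
        caller_uid  = caller->uid;
        caller_gid  = caller->gid;
        caller_caps = caller->cap_permitted;
    }

    if (caller_uid == target->uid && caller_uid == target->euid && caller_uid == target->suid &&
        caller_gid == target->gid && caller_gid == target->egid && caller_gid == target->sgid)
        return true;

    return (caller_caps & CAP_SYS_PTRACE_BIT) != 0;
}

/* A process whose ids are all the same value (e.g. a plain root or user task). */
cred_model make_cred(unsigned uid, unsigned gid, uint64_t permitted, uint64_t effective)
{
    cred_model c = {
        .uid = uid, .euid = uid, .suid = uid, .fsuid = uid,
        .gid = gid, .egid = gid, .sgid = gid, .fsgid = gid,
        .cap_permitted = permitted, .cap_effective = effective,
    };
    return c;
}

/* Constructed scenario from the commit message: a root task after
 * setreuid(0, user_uid) (and, assumed here, setregid(0, user_gid)).
 * Real ids stay 0; effective, saved and fs ids become the user's; the
 * kernel clears the effective capability set when euid becomes nonzero
 * but keeps the permitted set because the real uid is still 0. */
cred_model root_after_setreuid(unsigned user_uid, unsigned user_gid)
{
    cred_model c = {
        .uid = 0, .euid = user_uid, .suid = user_uid, .fsuid = user_uid,
        .gid = 0, .egid = user_gid, .sgid = user_gid, .fsgid = user_gid,
        .cap_permitted = ~0ULL, .cap_effective = 0,
    };
    return c;
}

/* Verdicts for the scenario: real-cred check (before) and fs-cred check (after). */
bool before_fix_allows_user_view_of_root(void)
{
    cred_model caller = root_after_setreuid(1000, 1000);
    cred_model root_task = make_cred(0, 0, ~0ULL, ~0ULL);
    return ptrace_may_access_model(&caller, &root_task, MODE_REALCREDS);
}

bool after_fix_allows_user_view_of_root(void)
{
    cred_model caller = root_after_setreuid(1000, 1000);
    cred_model root_task = make_cred(0, 0, ~0ULL, ~0ULL);
    return ptrace_may_access_model(&caller, &root_task, MODE_FSCREDS);
}

int main(void)
{
    printf("real-cred check (before fix): %s\n",
           before_fix_allows_user_view_of_root() ? "allowed" : "denied");
    printf("fs-cred check   (after fix):  %s\n",
           after_fix_allows_user_view_of_root() ? "allowed" : "denied");
    return 0;
}
```

The model is deliberately narrow: it ignores user namespaces, LSM hooks, the dumpable flag and the audit distinction the real `PTRACE_MODE_*` flags carry. What it does show is the invariant the commit restores, namely that a procfs entry gated by the ptrace check is judged by the same credentials the kernel would use for the file access the caller is about to make.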
fs/proc/array.c
fs/proc/base.c
fs/proc/namespaces.c
include/linux/ptrace.h
kernel/events/core.c
kernel/futex.c
kernel/futex_compat.c
kernel/kcmp.c
kernel/ptrace.c
mm/process_vm_access.c
security/commoncap.c