On Sun, Sep 18, 2016 at 05:05:15PM +0200, Jann Horn wrote:
> This ensures that VFS implementations don't call ptrace_may_access() from
> VFS read or write handlers. In order for file descriptor passing to have
> its intended security properties, VFS read/write handlers must not do any
> kind of privilege checking.
[...]
> --- a/kernel/ptrace.c
> +++ b/kernel/ptrace.c
> @@ -302,6 +302,13 @@ ok:
>  bool ptrace_may_access(struct task_struct *task, unsigned int mode)
>  {
>  	int err;
> +
> +	/* If you have to check for ptrace access from a VFS method, use
> +	 * ptrace_may_access_noncurrent() instead.
> +	 */
> +	if (WARN_ON(current->in_unprivileged_vfs != 0))

Shouldn't this be WARN_ON_ONCE(), so that any such bug can't be used to
spam the log?

Ben.

> +		return false;
> +
>  	task_lock(task);
>  	err = __ptrace_may_access(task, mode, current_cred(),
>  				  ¤t->self_privunit_id);

-- 
Ben Hutchings
Reality is just a crutch for people who can't handle science fiction.
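Review bot: The multi-line comment above the WARN_ON in this hunk does not use the kernel's preferred block-comment layout (opening `/*` on a line of its own, then ` * ` lines, then ` */`, per Documentation/process/coding-style.rst); reflow it as
`/*`
` * If you have to check for ptrace access from a VFS method, use`
` * ptrace_may_access_noncurrent() instead.`
Beyond Ben's WARN_ON_ONCE() point, note that wrapping the condition in WARN_ON() and then taking `return false` makes a misplaced ptrace_may_access() call both warn and fail closed, so a programming error in a VFS handler becomes a denied access rather than just a log line; that is consistent with the changelog's statement that read/write handlers must not do privilege checking, but the changelog should say explicitly that denial is the intended outcome and that ptrace_may_access_noncurrent() is the replacement the comment directs callers to.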