On Sun, Sep 18, 2016 at 07:38:48PM +0100, Ben Hutchings wrote:
> On Sun, Sep 18, 2016 at 05:05:15PM +0200, Jann Horn wrote:
> > This ensures that VFS implementations don't call ptrace_may_access() from
> > VFS read or write handlers. In order for file descriptor passing to have
> > its intended security properties, VFS read/write handlers must not do any
> > kind of privilege checking.
> [...]
> > --- a/kernel/ptrace.c
> > +++ b/kernel/ptrace.c
> > @@ -302,6 +302,13 @@ ok:
> > bool ptrace_may_access(struct task_struct *task, unsigned int mode)
> > {
> > int err;
> > +
> > + /* If you have to check for ptrace access from a VFS method, use
> > + * ptrace_may_access_noncurrent() instead.
> > + */
> > + if (WARN_ON(current->in_unprivileged_vfs != 0))
>
> Shouldn't this be WARN_ON_ONCE(), so that any such bug can't e used
> to spam the log?
Hm, makes sense. I'll change it in v2.
Attachment:
signature.asc
Description: Digital signature
