Andy Lutomirski <luto@xxxxxxxxxxxxxx> writes: > On Thu, Nov 17, 2016 at 9:05 AM, Eric W. Biederman > <ebiederm@xxxxxxxxxxxx> wrote: >> >> When the flag PT_PTRACE_CAP was added the PTRACE_TRACEME path was >> overlooked. This can result in incorrect behavior when an application >> like strace traces an exec of a setuid executable. >> >> Further PT_PTRACE_CAP does not have enough information for making good >> security decisions as it does not report which user namespace the >> capability is in. This has already allowed one mistake through >> insufficient granulariy. >> >> I found this issue when I was testing another corner case of exec and >> discovered that I could not get strace to set PT_PTRACE_CAP even when >> running strace as root with a full set of caps. >> >> This change fixes the above issue with strace allowing stracing as >> root a setuid executable without disabling setuid. More fundamentaly >> this change allows what is allowable at all times, by using the correct >> information in it's decision. >> >> Cc: stable@xxxxxxxxxxxxxxx >> Fixes: 4214e42f96d4 ("v2.4.9.11 -> v2.4.9.12") >> Signed-off-by: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx> >> --- >> fs/exec.c | 2 +- >> include/linux/capability.h | 1 + >> include/linux/ptrace.h | 1 - >> include/linux/sched.h | 1 + >> kernel/capability.c | 20 ++++++++++++++++++++ >> kernel/ptrace.c | 12 +++++++----- >> 6 files changed, 30 insertions(+), 7 deletions(-) >> >> diff --git a/fs/exec.c b/fs/exec.c >> index 6fcfb3f7b137..fdec760bfac3 100644 >> --- a/fs/exec.c >> +++ b/fs/exec.c >> @@ -1401,7 +1401,7 @@ static void check_unsafe_exec(struct linux_binprm *bprm) >> unsigned n_fs; >> >> if (p->ptrace) { >> - if (p->ptrace & PT_PTRACE_CAP) >> + if (ptracer_capable(p, current_user_ns())) > > IIRC PT_PTRACE_CAP was added to prevent TOCTOU races. What prevents > that type of race now? For that matter, what guarantees that we've > already switched to new creds here and will continue to do so in the > future? Because instead of capturing a single bit we now capture tracers entire credentials in tsk->ptracer_cred. As such tsk->ptracer_cred never changes except when ptracing begins or ends, and we remain safe for TOCTOU races. We do hold cred_guard_mutex here so that guarantees we get a new ptracer. So the worst that can happen here is our tracer detaches and ptracer_capable will uncondintionally return true. Eric -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html