On Thu, Jul 8, 2021 at 8:57 AM Kalesh Singh <kaleshsingh@xxxxxxxxxx> wrote:
>
> The file permissions on the fdinfo dir from were changed from
> S_IRUSR|S_IXUSR to S_IRUGO|S_IXUGO, and a PTRACE_MODE_READ check was
> added for opening the fdinfo files [1]. However, the ptrace permission
> check was not added to the directory, allowing anyone to get the open FD
> numbers by reading the fdinfo directory.
>
> Add the missing ptrace permission check for opening the fdinfo directory.
The more I look at this, the more I feel like we should look at
instead changing how "get_proc_task()" works.
That's one of the core functions for /proc, and I wonder if we
couldn't just make it refuse to look up a task that has gone through a
suid execve() since the proc inode was opened.
I don't think it's basically ever ok to open something for one thread,
and then use it after the thread has gone through a suid thing.
In fact, I wonder if we could make it even stricter, and go "any exec
at all", but I think a suid exec might be the minimum we should do.
Then the logic really becomes very simple: we did the permission
checks at open time (like UNIX permission checks should be done), and
"get_proc_task()" basically verifies that "yeah, that open-time
decision is still valid".
Wouldn't that make a lot of sense?
Linus
