Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> writes: > On Thu, Jul 8, 2021 at 8:57 AM Kalesh Singh <kaleshsingh@xxxxxxxxxx> wrote: >> >> The file permissions on the fdinfo dir from were changed from >> S_IRUSR|S_IXUSR to S_IRUGO|S_IXUGO, and a PTRACE_MODE_READ check was >> added for opening the fdinfo files [1]. However, the ptrace permission >> check was not added to the directory, allowing anyone to get the open FD >> numbers by reading the fdinfo directory. >> >> Add the missing ptrace permission check for opening the fdinfo directory. > > The more I look at this, the more I feel like we should look at > instead changing how "get_proc_task()" works. The practical implementation that I can see is to add a exec_id attribute into the proc inode and to modify proc_pid_make_inode to take a new exec_id parameter. There are some directories like /proc/PPP/, /proc/PPP/task/TTT/, /proc/PPP/net where it is both safe and appropriate to allow caching the reference over a suid exec. To handle that I would have a flag somewhere (possibly a special exec_id value) that indicates we don't care about the exec id. Once get_proc_task is taught to handle both cases and the appropriate exec_id is passed to proc_pid_make_inode proc_pid_invalidate works automatically. So I think that is all we really need to do. > That's one of the core functions for /proc, and I wonder if we > couldn't just make it refuse to look up a task that has gone through a > suid execve() since the proc inode was opened. > > I don't think it's basically ever ok to open something for one thread, > and then use it after the thread has gone through a suid thing. > > In fact, I wonder if we could make it even stricter, and go "any exec > at all", but I think a suid exec might be the minimum we should do. > > Then the logic really becomes very simple: we did the permission > checks at open time (like UNIX permission checks should be done), and > "get_proc_task()" basically verifies that "yeah, that open-time > decision is still valid". > > Wouldn't that make a lot of sense? Roughly. I want to use reuse exec_id but that seems a bit strong for have the permissions changed. Checking ->cred is too sensitive. So it is a bit fiddly to get right. Limiting this to suid-exec (and equivalent) seems like the proper filter, because it is when the permissions have fundamentally changed. I just don't think this should be blanket for everything that uses get_prock_task. Eric
