Quoting Kees Cook (kees.cook@xxxxxxxxxxxxx):
> This adds the Yama Linux Security Module to collect several security
> features (symlink, hardlink, and PTRACE scope restrictions) that have
> existed in various forms over the years and have been carried outside the
> mainline kernel by other Linux distributions like Openwall and grsecurity.
>
> Signed-off-by: Kees Cook <kees.cook@xxxxxxxxxxxxx>
Acked-by: Serge E. Hallyn <serge@xxxxxxxxxx>
> +==============================================================
> diff --git a/fs/exec.c b/fs/exec.c
> index e19de6a..85092e3 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -55,6 +55,7 @@
> #include <linux/fsnotify.h>
> #include <linux/fs_struct.h>
> #include <linux/pipe_fs_i.h>
> +#include <linux/ctype.h>
>
> #include <asm/uaccess.h>
> #include <asm/mmu_context.h>
Can you explain the fs/exec.c hunk?
...
> +static int yama_ptrace_access_check(struct task_struct *child,
> + unsigned int mode)
> +{
> + int rc;
> +
> + rc = cap_ptrace_access_check(child, mode);
> + if (rc != 0)
> + return rc;
> +
> + /* require ptrace target be a child of ptracer on attach */
> + if (mode == PTRACE_MODE_ATTACH && ptrace_scope &&
> + !capable(CAP_SYS_PTRACE)) {
> + struct task_struct *walker = child;
> +
> + rcu_read_lock();
> + read_lock(&tasklist_lock);
> + while (walker->pid > 0) {
> + if (walker == current)
> + break;
> + walker = walker->real_parent;
> + }
> + if (walker->pid == 0)
> + rc = -EPERM;
Don't recall whether I ended up sending the email addressing this
last time, but task->pid is the global pid, so pid==0 does mean
what you think it does regardless of pid namespaces.
> + read_unlock(&tasklist_lock);
> + rcu_read_unlock();
> + }
> +
> + if (rc) {
> + char name[sizeof(current->comm)];
> + printk_ratelimited(KERN_INFO "ptrace of non-child"
> + " pid %d was attempted by: %s (pid %d)\n",
> + child->pid, get_task_comm(name, current),
> + current->pid);
> + }
> +
> + return rc;
> +}
> +
> +/**
> + * yama_inode_follow_link - check for symlinks in sticky world-writeable dirs
> + * @dentry: The inode/dentry of the symlink
> + * @nameidata: The path data of the symlink
> + *
> + * In the case of the protected_sticky_symlinks sysctl being enabled,
> + * CAP_DAC_OVERRIDE needs to be specifically ignored if the symlink is
> + * in a sticky world-writable directory. This is to protect privileged
> + * processes from failing races against path names that may change out
> + * from under them by way of other users creating malicious symlinks.
> + * It will permit symlinks to only be followed when outside a sticky
> + * world-writable directory, or when the uid of the symlink and follower
> + * match, or when the directory owner matches the symlink's owner.
> + *
> + * Returns 0 if following the symlink is allowed, -ve on error.
> + */
> +static int yama_inode_follow_link(struct dentry *dentry,
> + struct nameidata *nameidata)
> +{
> + int rc = 0;
> + const struct inode *parent;
> + const struct inode *inode;
> + const struct cred *cred;
> +
> + if (!protected_sticky_symlinks)
> + return 0;
> +
> + /* owner and follower match? */
> + cred = current_cred();
> + inode = dentry->d_inode;
> + if (cred->fsuid == inode->i_uid)
> + return 0;
This'll need user-namespace luvin' at some point, but that's my problem,
not yours.
-serge
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
