On 2023-07-13 22:19:04+1000, Aleksa Sarai wrote: > Due to an oversight in commit 1b3044e39a89 ("procfs: fix pthread > cross-thread naming if !PR_DUMPABLE") in switching from REG to NOD, > chmod operations on /proc/thread-self/comm were no longer blocked as > they are on almost all other procfs files. > > A very similar situation with /proc/self/environ was used to as a root > exploit a long time ago, but procfs has SB_I_NOEXEC so this is simply a > correctness issue. > > Ref: https://lwn.net/Articles/191954/ > Ref: 6d76fa58b050 ("Don't allow chmod() on the /proc/<pid>/ files") > Fixes: 1b3044e39a89 ("procfs: fix pthread cross-thread naming if !PR_DUMPABLE") > Cc: stable@xxxxxxxxxxxxxxx # v4.7+ > Signed-off-by: Aleksa Sarai <cyphar@xxxxxxxxxx> > --- > fs/proc/base.c | 3 ++- > tools/testing/selftests/nolibc/nolibc-test.c | 4 ++++ > 2 files changed, 6 insertions(+), 1 deletion(-) > > diff --git a/fs/proc/base.c b/fs/proc/base.c > index 05452c3b9872..7394229816f3 100644 > --- a/fs/proc/base.c > +++ b/fs/proc/base.c > @@ -3583,7 +3583,8 @@ static int proc_tid_comm_permission(struct mnt_idmap *idmap, > } > > static const struct inode_operations proc_tid_comm_inode_operations = { > - .permission = proc_tid_comm_permission, > + .setattr = proc_setattr, > + .permission = proc_tid_comm_permission, > }; Given that this seems to be a recurring theme a more systematic aproach would help. Something like the following (untested) patch: diff --git a/fs/proc/base.c b/fs/proc/base.c index 05452c3b9872..b90f2e9cda66 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -2649,6 +2649,7 @@ static struct dentry *proc_pident_instantiate(struct dentry *dentry, set_nlink(inode, 2); /* Use getattr to fix if necessary */ if (p->iop) inode->i_op = p->iop; + WARN_ON(!inode->i_op->setattr); if (p->fop) inode->i_fop = p->fop; ei->op = p->op; > /* > diff --git a/tools/testing/selftests/nolibc/nolibc-test.c b/tools/testing/selftests/nolibc/nolibc-test.c > index 486334981e60..08f0969208eb 100644 > --- a/tools/testing/selftests/nolibc/nolibc-test.c > +++ b/tools/testing/selftests/nolibc/nolibc-test.c > @@ -580,6 +580,10 @@ int run_syscall(int min, int max) > CASE_TEST(chmod_net); EXPECT_SYSZR(proc, chmod("/proc/self/net", 0555)); break; > CASE_TEST(chmod_self); EXPECT_SYSER(proc, chmod("/proc/self", 0555), -1, EPERM); break; > CASE_TEST(chown_self); EXPECT_SYSER(proc, chown("/proc/self", 0, 0), -1, EPERM); break; > + CASE_TEST(chmod_self_comm); EXPECT_SYSER(proc, chmod("/proc/self/comm", 0777), -1, EPERM); break; > + CASE_TEST(chmod_tid_comm); EXPECT_SYSER(proc, chmod("/proc/thread-self/comm", 0777), -1, EPERM); break; > + CASE_TEST(chmod_self_environ);EXPECT_SYSER(proc, chmod("/proc/self/environ", 0777), -1, EPERM); break; > + CASE_TEST(chmod_tid_environ); EXPECT_SYSER(proc, chmod("/proc/thread-self/environ", 0777), -1, EPERM); break; I'm not a big fan of this, it abuses the nolibc testsuite to test core kernel functionality. If this needs to be tested explicitly there is hopefully a better place. Those existing tests focus on testing functionality provided by nolibc. The test chmod_net just got removed because it suffered from the same bug as /proc/thread-self/comm. > CASE_TEST(chroot_root); EXPECT_SYSZR(euid0, chroot("/")); break; > CASE_TEST(chroot_blah); EXPECT_SYSER(1, chroot("/proc/self/blah"), -1, ENOENT); break; > CASE_TEST(chroot_exe); EXPECT_SYSER(proc, chroot("/proc/self/exe"), -1, ENOTDIR); break; > -- > 2.41.0 >