Re: migrate_pages() of process with same UID in 4.15-rcX

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Jan Stancek <jstancek@xxxxxxxxxx> writes:

> Hi,
>
> LTP test migrate_pages02 [1] is failing with 4.15-rcX, presumably as
> consequence of:
>   313674661925 "Unify migrate_pages and move_pages access checks"
>
> The scenario is that privileged parent forks child, both parent
> and child change euid to nobody and then parent tries to migrate
> child to different node. Starting with 4.15-rcX it fails with EPERM.
>
> Can anyone comment on accuracy of this sentence from man-pages
> after commit 313674661925?
>
> quoting man2/migrate_pages.2:
>  "To move pages in another process, the caller must be privileged
>  (CAP_SYS_NICE) or the real or effective user ID of the calling 
>  process must match the real or saved-set user ID of the target
>  process."
>
> Thanks,
> Jan
>
> [1] https://github.com/linux-test-project/ltp/blob/master/testcases/kernel/syscalls/migrate_pages/migrate_pages02.c

The capability has been changed to CAP_SYS_PTRACE

The privilege check has been changed to the can you ptrace the other
process check (to avoid revealing how your pages are laid out to someone
who would not have known anyway) .  Which is essentially the same test
on uids.

*Scratches my head*

The code is using PTRACE_MODE_READ_REALCREDS which tests if the caller's
uid is the same and the target's uid, euid and suid.

The old code would test to see if either the caller's euid or
uid would match the targets uid or suid.  Which is extremely permissive.

For the LTP test above the fact that the target process does not have
matching uids looks like that will make it fail.


All of that said.  I am wondering if we should have used
PTRACE_MODE_READ_FSCREDS on these permission checks.  Using the caller's
euid would make more sense and if the comments are to be believed
PTRACE_MODE_READ_REALCREDS is only supposed to be used for backwards
compatibility.

Given that we can't be perfectly backwards compatibile I expect the
change should at least make sense.

AKA I think we should do:

diff --git a/mm/mempolicy.c b/mm/mempolicy.c
index 4ce44d3ff03d..513f68020e9e 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -1404,7 +1404,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pid, unsigned long, maxnode,
         * Check if this process has the right to modify the specified process.
         * Use the regular "ptrace_may_access()" checks.
         */
-       if (!ptrace_may_access(task, PTRACE_MODE_READ_REALCREDS)) {
+       if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) {
                rcu_read_unlock();
                err = -EPERM;
                goto out_put;
diff --git a/mm/migrate.c b/mm/migrate.c
index 4d0be47a322a..51124a0b63eb 100644
--- a/mm/migrate.c
+++ b/mm/migrate.c
@@ -1776,7 +1776,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid, unsigned long, nr_pages,
         * Check if this process has the right to modify the specified
         * process. Use the regular "ptrace_may_access()" checks.
         */
-       if (!ptrace_may_access(task, PTRACE_MODE_READ_REALCREDS)) {
+       if (!ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS)) {
                rcu_read_unlock();
                err = -EPERM;
                goto out;


I know the LTP test case is not a regression and I know this won't fix
it.  I am just thinking since I am looking at it we should change the
permissions to something that makes more sense.

Eric





--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@xxxxxxxxx.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>



[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [eCos]     [Asterisk Internet PBX]     [Linux API]
  Powered by Linux