The patch titled

     proc: Cleanup proc_fd_access_allowed

has been removed from the -mm tree.  Its filename is

     proc-cleanup-proc_fd_access_allowed.patch

This patch was dropped because it was merged into mainline or a subsystem tree

------------------------------------------------------
Subject: proc: Cleanup proc_fd_access_allowed
From: Eric W. Biederman <ebiederm@xxxxxxxxxxxx>

In the process of getting proc_fd_access_allowed to work it has developed a few warts. In particular the special case that always allows introspection and the special case to allow inspection of kernel threads.

The special case for introspection is needed for /proc/self/mem.

The special case for kernel threads really should be overridable by security modules.

So consolidate these checks into ptrace.c:may_attach().

The check to always allow introspection is trivial.

The check to allow access to kernel threads, and zombies is a little trickier. mem_read and mem_write already verify an mm exists so it isn't needed twice. proc_fd_access_allowed only doesn't want a check to verify task->mm exists, as it prevents all access to kernel threads. So just move the task->mm check into ptrace_attach where it is needed for practical reasons.

I did a quick audit and none of the security modules in the kernel seem to care if they are passed a task without an mm into security_ptrace. So the above move should be safe and it allows security modules to come up with more restrictive policy.

Signed-off-by: Eric W. Biederman <ebiederm@xxxxxxxxxxxx>
Cc: Stephen Smalley <sds@xxxxxxxxxxxxx>
Cc: Chris Wright <chrisw@xxxxxxxxxxxx>
Cc: James Morris <jmorris@xxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxx>
--- fs/proc/base.c | 26 ++++++-------------------- kernel/ptrace.c | 20 +++++++++++++++++--- 2 files changed, 23 insertions(+), 23 deletions(-) diff -puN fs/proc/base.c~proc-cleanup-proc_fd_access_allowed fs/proc/base.c --- a/fs/proc/base.c~proc-cleanup-proc_fd_access_allowed +++ a/fs/proc/base.c 
@@ -536,29 +536,15 @@ static int proc_fd_access_allowed(struct { struct task_struct *task; int allowed = 0; - /* Allow access to a task's file descriptors if either we may - * use ptrace attach to the process and find out that - * information, or if the task cannot possibly be ptraced - * allow access if we have the proper capability. + /* Allow access to a task's file descriptors if it is us or we + * may use ptrace attach to the process and find out that + * information. */ task = get_proc_task(inode); - if (task == current) - allowed = 1; - if (task && !allowed) { - int alive; - - task_lock(task); - alive = !!task->mm; - task_unlock(task); - if (alive) - /* For a living task obey ptrace_may_attach */ - allowed = ptrace_may_attach(task); - else - /* For a special task simply check the capability */ - allowed = capable(CAP_SYS_PTRACE); - } - if (task) + if (task) { + allowed = ptrace_may_attach(task); put_task_struct(task); + } return allowed; } diff -puN kernel/ptrace.c~proc-cleanup-proc_fd_access_allowed kernel/ptrace.c --- a/kernel/ptrace.c~proc-cleanup-proc_fd_access_allowed +++ a/kernel/ptrace.c @@ -120,8 +120,18 @@ int ptrace_check_attach(struct task_stru static int may_attach(struct task_struct *task) { - if (!task->mm) - return -EPERM; + /* May we inspect the given task? + * This check is used both for attaching with ptrace + * and for allowing access to sensitive information in /proc. + * + * ptrace_attach denies several cases that /proc allows + * because setting up the necessary parent/child relationship + * or halting the specified task is impossible. + */ + int dumpable = 0; + /* Don't let security modules deny introspection */ + if (task == current) + return 0; if (((current->uid != task->euid) || (current->uid != task->suid) || (current->uid != task->uid) || 
@@ -130,7 +140,9 @@ static int may_attach(struct task_struct (current->gid != task->gid)) && !capable(CAP_SYS_PTRACE)) return -EPERM; smp_rmb(); - if (!task->mm->dumpable && !capable(CAP_SYS_PTRACE)) + if (task->mm) + dumpable = task->mm->dumpable; + if (!dumpable && !capable(CAP_SYS_PTRACE)) return -EPERM; return security_ptrace(current, task); 
@@ -176,6 +188,8 @@ repeat: goto repeat; } + if (!task->mm) + goto bad; /* the same process cannot be attached many times */ if (task->ptrace & PT_PTRACED) goto bad; _

Patches currently in -mm which might be from ebiederm@xxxxxxxxxxxx are

origin.patch
powerpc-adding-the-use-of-the-firmware-soft-reset-nmi-to-kdump.patch
proc-sysctl-add-_proc_do_string-helper.patch
namespaces-add-nsproxy.patch
namespaces-add-nsproxy-dont-include-compileh.patch
namespaces-incorporate-fs-namespace-into-nsproxy.patch
namespaces-utsname-introduce-temporary-helpers.patch
namespaces-utsname-switch-to-using-uts-namespaces.patch
namespaces-utsname-switch-to-using-uts-namespaces-alpha-fix.patch
namespaces-utsname-switch-to-using-uts-namespaces-cleanup.patch
namespaces-utsname-use-init_utsname-when-appropriate.patch
namespaces-utsname-use-init_utsname-when-appropriate-cifs-update.patch
namespaces-utsname-implement-utsname-namespaces.patch
namespaces-utsname-implement-utsname-namespaces-export.patch
namespaces-utsname-implement-utsname-namespaces-dont-include-compileh.patch
namespaces-utsname-sysctl-hack.patch
namespaces-utsname-sysctl-hack-cleanup.patch
namespaces-utsname-sysctl-hack-cleanup-2.patch
namespaces-utsname-sysctl-hack-cleanup-2-fix.patch
namespaces-utsname-remove-system_utsname.patch
namespaces-utsname-implement-clone_newuts-flag.patch
uts-copy-nsproxy-only-when-needed.patch
ipc-namespace-core-fix.patch
ipc-namespace-core-unshare-fix.patch
ipc-namespace-utils-compilation-fix.patch
genirq-irq-document-what-an-irq-is.patch
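
Review bot: in the fs/proc/base.c hunk (proc_fd_access_allowed), the rewritten comment no longer says how a task without an mm is handled, although the removed branch spelled that out with capable(CAP_SYS_PTRACE). With this patch that case is decided in may_attach(), where dumpable stays 0 for an mm-less task, so CAP_SYS_PTRACE is still required and security_ptrace() is now consulted as well. Suggest stating that in the comment, since a reader of base.c can no longer see the kernel-thread and zombie policy from this function.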
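
Review bot: in the first kernel/ptrace.c hunk (@@ -120, may_attach), the `task == current` early return sits ahead of the uid/gid, dumpable and security_ptrace() checks, while the new block comment says this function is also used for attaching with ptrace. Please confirm the attach path rejects self-attach before it reaches may_attach(), and consider extending the one-line comment to name the /proc/self case (the changelog cites /proc/self/mem) so the reason for skipping the security module is recorded next to the code.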
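
Review bot: in the second kernel/ptrace.c hunk (@@ -130), `if (task->mm) dumpable = task->mm->dumpable;` tests task->mm and then loads it again, and nothing in the visible lines shows what keeps the pointer stable between the two reads. The code removed from proc_fd_access_allowed took task_lock() around its read of task->mm; if may_attach() depends on its callers holding task_lock(), say so in the function comment, or read task->mm once into a local and dereference the local.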
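
Review bot: in the last kernel/ptrace.c hunk (@@ -176), the added `if (!task->mm) goto bad;` carries no comment, and the changelog only says the check is needed in ptrace_attach "for practical reasons". A short comment giving the reason (the new may_attach() comment mentions that setting up the parent/child relationship or halting the task is impossible in some cases) would keep a later cleanup from treating it as redundant with may_attach().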