From patchwork Wed Nov 9 03:47:02 2016
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 692585
From: Seth Forshee
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 1/2][xenial] Revert "UBUNTU: SAUCE: (noup) ptrace: being capable wrt a process requires mapped uids/gids"
Date: Tue, 8 Nov 2016 21:47:02 -0600
Message-Id: <1478663225-108884-6-git-send-email-seth.forshee@canonical.com>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1478663225-108884-1-git-send-email-seth.forshee@canonical.com>
References: <1478663225-108884-1-git-send-email-seth.forshee@canonical.com>
List-Id: Kernel team discussions

This reverts commit a76b8ce7ad1f65a96638f161ff83075de04ec9cc to apply a more complete fix from linux-next.

CVE-2016-8709

Signed-off-by: Seth Forshee
---
 kernel/ptrace.c | 30 +++++-------------------------
 1 file changed, 5 insertions(+), 25 deletions(-)

diff --git a/kernel/ptrace.c b/kernel/ptrace.c
index 32462e624ae3..3189e51db7e8 100644
--- a/kernel/ptrace.c +++ b/kernel/ptrace.c @@ -207,32 +207,12 @@ static int ptrace_check_attach(struct task_struct *child, bool ignore_state) return ret; } -static bool ptrace_has_cap(const struct cred *tcred, unsigned int mode) +static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode) { - struct user_namespace *tns = tcred->user_ns; - struct user_namespace *curns = current_cred()->user_ns; - - /* When a root-owned process enters a user namespace created by a - * malicious user, the user shouldn't be able to execute code under - * uid 0 by attaching to the root-owned process via ptrace. - * Therefore, similar to the capable_wrt_inode_uidgid() check, - * verify that all the uids and gids of the target process are - * mapped into the current namespace. - * No fsuid/fsgid check because __ptrace_may_access doesn't do it - * either. - */ - if (!kuid_has_mapping(curns, tcred->euid) || - !kuid_has_mapping(curns, tcred->suid) || - !kuid_has_mapping(curns, tcred->uid) || - !kgid_has_mapping(curns, tcred->egid) || - !kgid_has_mapping(curns, tcred->sgid) || - !kgid_has_mapping(curns, tcred->gid)) - return false; - if (mode & PTRACE_MODE_NOAUDIT) - return has_ns_capability_noaudit(current, tns, CAP_SYS_PTRACE); + return has_ns_capability_noaudit(current, ns, CAP_SYS_PTRACE); else - return has_ns_capability(current, tns, CAP_SYS_PTRACE); + return has_ns_capability(current, ns, CAP_SYS_PTRACE); } /* Returns 0 on success, -errno on denial. */ @@ -284,7 +264,7 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode) gid_eq(caller_gid, tcred->sgid) && gid_eq(caller_gid, tcred->gid)) goto ok; - if (ptrace_has_cap(tcred, mode)) + if (ptrace_has_cap(tcred->user_ns, mode)) goto ok; rcu_read_unlock(); return -EPERM; 
@@ -295,7 +275,7 @@ ok: dumpable = get_dumpable(task->mm); rcu_read_lock(); if (dumpable != SUID_DUMP_USER && - !ptrace_has_cap(__task_cred(task), mode)) { + !ptrace_has_cap(__task_cred(task)->user_ns, mode)) { rcu_read_unlock(); return -EPERM; }
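Review bot: the first hunk deletes the six kuid_has_mapping()/kgid_has_mapping() checks and the comment explaining why they exist without the replacement landing in the same commit, so any tree built at exactly this revision (a bisect step, or 1/2 applied without 2/2) is back to the situation the deleted comment describes; the commit message only says "a more complete fix from linux-next" and should name the commit id it is being replaced by, and the cover letter should make clear the two patches are to be applied together. Minor: the restored prototype goes back to `static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode)` although the function only ever returns the result of has_ns_capability_noaudit()/has_ns_capability(), and the version being removed had already made it `static bool` (its `return false;` path shows the intended type); whatever replaces it in 2/2 should keep the `bool` signature rather than inherit this revert's `int`.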
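Review bot: in the second and third hunks the callers now pass only `tcred->user_ns` and `__task_cred(task)->user_ns`, so the capability check is evaluated purely against the target's user namespace and the caller's mapping of the target's uids/gids is no longer consulted on either path: the credential-match path that falls through to `if (ptrace_has_cap(tcred->user_ns, mode)) goto ok;` and the dumpable path guarded by `dumpable != SUID_DUMP_USER`. Since this revert weakens both call sites, the review of 2/2 should confirm that the linux-next fix re-covers both, not just the one in __ptrace_may_access's first block.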