On Sun, Sep 18, 2016 at 05:05:15PM +0200, Jann Horn wrote:
> This ensures that VFS implementations don't call ptrace_may_access() from
> VFS read or write handlers. In order for file descriptor passing to have
> its intended security properties, VFS read/write handlers must not do any
> kind of privilege checking.
[...]
> --- a/kernel/ptrace.c
> +++ b/kernel/ptrace.c
> @@ -302,6 +302,13 @@ ok:
>  bool ptrace_may_access(struct task_struct *task, unsigned int mode)
>  {
>  	int err;
> +
> +	/* If you have to check for ptrace access from a VFS method, use
> +	 * ptrace_may_access_noncurrent() instead.
> +	 */
> +	if (WARN_ON(current->in_unprivileged_vfs != 0))

Shouldn't this be WARN_ON_ONCE(), so that any such bug can't e used
to spam the log?

Ben.

> +		return false;
> +
>  	task_lock(task);
>  	err = __ptrace_may_access(task, mode, current_cred(),
>  				  &current->self_privunit_id);

-- 
Ben Hutchings
Reality is just a crutch for people who can't handle science fiction.