On Sun, Sep 18, 2016 at 07:38:48PM +0100, Ben Hutchings wrote:
> On Sun, Sep 18, 2016 at 05:05:15PM +0200, Jann Horn wrote:
> > This ensures that VFS implementations don't call ptrace_may_access() from
> > VFS read or write handlers. In order for file descriptor passing to have
> > its intended security properties, VFS read/write handlers must not do any
> > kind of privilege checking.
> [...]
> > --- a/kernel/ptrace.c
> > +++ b/kernel/ptrace.c
> > @@ -302,6 +302,13 @@ ok:
> >  bool ptrace_may_access(struct task_struct *task, unsigned int mode)
> >  {
> >  	int err;
> > +
> > +	/* If you have to check for ptrace access from a VFS method, use
> > +	 * ptrace_may_access_noncurrent() instead.
> > +	 */
> > +	if (WARN_ON(current->in_unprivileged_vfs != 0))
> 
> Shouldn't this be WARN_ON_ONCE(), so that any such bug can't e used
> to spam the log?

Hm, makes sense. I'll change it in v2.