From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Kees Cook <keescook@chromium.org>,
Cyrill Gorcunov <gorcunov@openvz.org>,
"Eric W. Biederman" <ebiederm@xmission.com>
Subject: [PATCH 4.4 29/60] mm: Add a user_ns owner to mm_struct and fix ptrace permission checks
Date: Wed, 4 Jan 2017 21:47:14 +0100 [thread overview]
Message-ID: <20170104200707.074472105@linuxfoundation.org> (raw)
In-Reply-To: <20170104200705.627445996@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric W. Biederman <ebiederm@xmission.com>
commit bfedb589252c01fa505ac9f6f2a3d5d68d707ef4 upstream.
During exec dumpable is cleared if the file that is being executed is
not readable by the user executing the file. A bug in
ptrace_may_access allows reading the file if the executable happens to
enter into a subordinate user namespace (aka clone(CLONE_NEWUSER),
unshare(CLONE_NEWUSER), or setns(fd, CLONE_NEWUSER).
This problem is fixed with only necessary userspace breakage by adding
a user namespace owner to mm_struct, captured at the time of exec, so
it is clear in which user namespace CAP_SYS_PTRACE must be present in
to be able to safely give read permission to the executable.
The function ptrace_may_access is modified to verify that the ptracer
has CAP_SYS_ADMIN in task->mm->user_ns instead of task->cred->user_ns.
This ensures that if the task changes its cred into a subordinate
user namespace it does not become ptraceable.
The function ptrace_attach is modified to only set PT_PTRACE_CAP when
CAP_SYS_PTRACE is held over task->mm->user_ns. The intent of
PT_PTRACE_CAP is to be a flag to note that whatever permission changes
the task might go through the tracer has sufficient permissions for
it not to be an issue. task->cred->user_ns is always the same
as or descendent of mm->user_ns. Which guarantees that having
CAP_SYS_PTRACE over mm->user_ns is the worst case for the tasks
credentials.
To prevent regressions mm->dumpable and mm->user_ns are not considered
when a task has no mm. As simply failing ptrace_may_attach causes
regressions in privileged applications attempting to read things
such as /proc/<pid>/stat
Acked-by: Kees Cook <keescook@chromium.org>
Tested-by: Cyrill Gorcunov <gorcunov@openvz.org>
Fixes: 8409cca70561 ("userns: allow ptrace from non-init user namespaces")
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/mm_types.h | 1 +
kernel/fork.c | 9 ++++++---
kernel/ptrace.c | 26 +++++++++++---------------
mm/init-mm.c | 2 ++
4 files changed, 20 insertions(+), 18 deletions(-)
--- a/include/linux/mm_types.h
+++ b/include/linux/mm_types.h
@@ -469,6 +469,7 @@ struct mm_struct {
*/
struct task_struct __rcu *owner;
#endif
+ struct user_namespace *user_ns;
/* store ref to file /proc/<pid>/exe symlink points to */
struct file __rcu *exe_file;
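Review bot: The new `user_ns` member on the added line carries no comment, and unlike the neighbouring `owner` and `exe_file` fields nothing says what it points at or who holds the reference. The kernel/fork.c hunks of this patch take the reference with `get_user_ns()` in `mm_init()` and release it in `__mmdrop()`, so that ownership belongs next to the field, for example `/* user namespace the mm was created under; mm_init() takes the reference, __mmdrop() drops it */`. The `struct mm_struct` definition begins and ends outside this hunk.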
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -585,7 +585,8 @@ static void mm_init_owner(struct mm_stru
#endif
}
-static struct mm_struct *mm_init(struct mm_struct *mm, struct task_struct *p)
+static struct mm_struct *mm_init(struct mm_struct *mm, struct task_struct *p,
+ struct user_namespace *user_ns)
{
mm->mmap = NULL;
mm->mm_rb = RB_ROOT;
@@ -625,6 +626,7 @@ static struct mm_struct *mm_init(struct
if (init_new_context(p, mm))
goto fail_nocontext;
+ mm->user_ns = get_user_ns(user_ns);
return mm;
fail_nocontext:
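Review bot: The added `mm->user_ns = get_user_ns(user_ns);` takes a reference that is only released in `__mmdrop()` (a later hunk in this file), and neither the assignment nor the new `user_ns` parameter of `mm_init()` says so. Placing it after `init_new_context()` also means the `fail_nocontext` path below never has to drop it, which is correct but easy to break if the assignment is later moved above a failure exit. A comment on the added line, `/* reference is dropped in __mmdrop(); keep this after the last failure exit */`, would pin both facts. `mm_init()` starts in the previous hunk and its failure labels continue past this one.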
@@ -670,7 +672,7 @@ struct mm_struct *mm_alloc(void)
return NULL;
memset(mm, 0, sizeof(*mm));
- return mm_init(mm, current);
+ return mm_init(mm, current, current_user_ns());
}
/*
@@ -685,6 +687,7 @@ void __mmdrop(struct mm_struct *mm)
destroy_context(mm);
mmu_notifier_mm_destroy(mm);
check_mm(mm);
+ put_user_ns(mm->user_ns);
free_mm(mm);
}
EXPORT_SYMBOL_GPL(__mmdrop);
@@ -942,7 +945,7 @@ static struct mm_struct *dup_mm(struct t
memcpy(mm, oldmm, sizeof(*mm));
- if (!mm_init(mm, tsk))
+ if (!mm_init(mm, tsk, mm->user_ns))
goto fail_nomem;
err = dup_mmap(mm, oldmm);
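Review bot: The new call passes `mm->user_ns`, which is only meaningful because the `memcpy()` two lines above has just copied `oldmm->user_ns` into the fresh mm; passing `oldmm->user_ns` directly would say what is meant without depending on that copy. Until `mm_init()` runs `get_user_ns()` the copied pointer is an unreferenced alias of the parent's namespace, so a `mm_init()` failure that jumps to `fail_nomem` must not route the new mm through `__mmdrop()`; that appears to hold since the reference is not yet taken, but it is worth stating. Suggested line: `if (!mm_init(mm, tsk, oldmm->user_ns)) /* mm_init() takes its own reference */`. `dup_mm()` starts and ends outside this hunk.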
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -219,7 +219,7 @@ static int ptrace_has_cap(struct user_na
static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
{
const struct cred *cred = current_cred(), *tcred;
- int dumpable = 0;
+ struct mm_struct *mm;
kuid_t caller_uid;
kgid_t caller_gid;
@@ -270,16 +270,11 @@ static int __ptrace_may_access(struct ta
return -EPERM;
ok:
rcu_read_unlock();
- smp_rmb();
- if (task->mm)
- dumpable = get_dumpable(task->mm);
- rcu_read_lock();
- if (dumpable != SUID_DUMP_USER &&
- !ptrace_has_cap(__task_cred(task)->user_ns, mode)) {
- rcu_read_unlock();
- return -EPERM;
- }
- rcu_read_unlock();
+ mm = task->mm;
+ if (mm &&
+ ((get_dumpable(mm) != SUID_DUMP_USER) &&
+ !ptrace_has_cap(mm->user_ns, mode)))
+ return -EPERM;
return security_ptrace_access_check(task, mode);
}
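Review bot: The rewritten check drops the `smp_rmb()` that the removed lines issued between the cred reads and the `get_dumpable()` read; if the cred-commit path still has a matching write-side barrier after it clears dumpable, that pairing is now one-sided, and if the removal is intentional (for instance because callers are expected to hold `task_lock()`) nothing here says so. Either restore `smp_rmb();` before `mm = task->mm;` or put a comment on that line explaining why it is no longer needed. The extra parentheses around `(get_dumpable(mm) != SUID_DUMP_USER)` in the new condition are noise, and a comment such as `/* a task without an mm stays accessible here; see the commit message */` would record the deliberate no-mm behaviour. `__ptrace_may_access()` begins before this hunk.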
@@ -330,6 +325,11 @@ static int ptrace_attach(struct task_str
task_lock(task);
retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS);
+ if (!retval) {
+ struct mm_struct *mm = task->mm;
+ if (mm && ns_capable(mm->user_ns, CAP_SYS_PTRACE))
+ flags |= PT_PTRACE_CAP;
+ }
task_unlock(task);
if (retval)
goto unlock_creds;
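Review bot: Moving the `PT_PTRACE_CAP` decision into this block changes its basis from the tracee's cred user namespace to `mm->user_ns`, and as written a task with no mm never receives the flag where the code removed in the next hunk could still grant it via `__task_cred(task)->user_ns`; that is presumably intended, but it is a behaviour change the hunk does not document. A comment on the new block, `/* CAP_SYS_PTRACE over mm->user_ns covers any cred change the tracee can make; tasks without an mm get no PT_PTRACE_CAP */`, would make it explicit. `ptrace_attach()` starts and ends outside this hunk.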
@@ -343,10 +343,6 @@ static int ptrace_attach(struct task_str
if (seize)
flags |= PT_SEIZED;
- rcu_read_lock();
- if (ns_capable(__task_cred(task)->user_ns, CAP_SYS_PTRACE))
- flags |= PT_PTRACE_CAP;
- rcu_read_unlock();
task->ptrace = flags;
__ptrace_link(task, current);
--- a/mm/init-mm.c
+++ b/mm/init-mm.c
@@ -6,6 +6,7 @@
#include <linux/cpumask.h>
#include <linux/atomic.h>
+#include <linux/user_namespace.h>
#include <asm/pgtable.h>
#include <asm/mmu.h>
@@ -21,5 +22,6 @@ struct mm_struct init_mm = {
.mmap_sem = __RWSEM_INITIALIZER(init_mm.mmap_sem),
.page_table_lock = __SPIN_LOCK_UNLOCKED(init_mm.page_table_lock),
.mmlist = LIST_HEAD_INIT(init_mm.mmlist),
+ .user_ns = &init_user_ns,
INIT_MM_CONTEXT(init_mm)
};
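Review bot: `.user_ns = &init_user_ns` stores the pointer without the `get_user_ns()` that `mm_init()` performs for every other mm, while `__mmdrop()` now calls `put_user_ns(mm->user_ns)` unconditionally; that is only safe if `init_mm` is never dropped through `__mmdrop()` or `init_user_ns` is set up to tolerate the unbalanced put, which seems to be the assumption but is not stated here. A short comment on the added line, `/* no reference taken: init_mm is not expected to reach __mmdrop() */`, would document it.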