[PATCH 0/9] Various fixes related to ptrace_may_access()

From: Jann Horn <jann@thejh.net>
To: Alexander Viro <viro@zeniv.linux.org.uk>,
	Roland McGrath <roland@hack.frob.com>,
	Oleg Nesterov <oleg@redhat.com>,
	John Johansen <john.johansen@canonical.com>,
	James Morris <james.l.morris@oracle.com>,
	"Serge E. Hallyn" <serge@hallyn.com>,
	Paul Moore <aul@paul-moore.com>,
	Stephen Smalley <sds@tycho.nsa.gov>,
	Eric Paris <eparis@parisplace.org>,
	Casey Schaufler <casey@schaufler-ca.com>,
	Kees Cook <eescook@chromium.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	Janis Danisevskis <jdanis@google.com>,
	Seth Forshee <seth.forshee@canonical.com>,
	"Eric . Biederman" <ebiederm@xmission.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Benjamin LaHaise <bcrl@kvack.org>
Cc: linux-fsdevel@vger.kernel.org,
	linux-security-module@vger.kernel.org, security@kernel.org
Subject: [PATCH 0/9] Various fixes related to ptrace_may_access()
Date: Sun, 18 Sep 2016 17:05:08 +0200	[thread overview]
Message-ID: <1474211117-16674-1-git-send-email-jann@thejh.net> (raw)

This series has a bunch of loosely-related fixes for minor security bugs. Since
the bugs are minor and the patches aren't trivial, I'm sending it publicly.

The reason I'm bundling these patches up as a series instead of sending patches
one by one is that e.g. patch 2 creates some common infrastructure that multiple
other patches depend on.

For specific information about what the purpose of this series is, please see
the individual commits - but the general theme is:

 - get rid of races that can leak things like userspace addresses during setuid
   execve()
 - get rid of procfs files that cause unexpected behavior when passed around
 - add warnings to keep developers from creating more issues like this
 - document access checks

I hope I split the patches up sufficiently?

(To people on the security ML: This is a reworked version of my old ptrace fixes
series.)

Jann Horn (9):
  exec: introduce cred_guard_light
  exec: turn self_exec_id into self_privunit_id
  proc: use open()-time creds for ptrace checks
  futex: don't leak robust_list pointer
  proc: lock properly in ptrace_may_access callers
  ptrace: warn on ptrace_may_access without proper locking
  ptrace: forbid ptrace checks against current_cred() from VFS context
  fs/proc: fix attr access check
  Documentation: add security/ptrace_checks.txt

 Documentation/security/ptrace_checks.txt | 229 +++++++++++++++++++++++++++++++
 fs/aio.c                                 |   2 +
 fs/exec.c                                |  36 ++++-
 fs/proc/array.c                          |  10 +-
 fs/proc/base.c                           | 204 ++++++++++++++++++++-------
 fs/proc/internal.h                       |  14 ++
 fs/proc/namespaces.c                     |  14 ++
 fs/read_write.c                          |  12 ++
 fs/splice.c                              |  12 +-
 include/linux/binfmts.h                  |   1 +
 include/linux/init_task.h                |   1 +
 include/linux/lsm_hooks.h                |   3 +-
 include/linux/ptrace.h                   |   5 +
 include/linux/sched.h                    |  18 ++-
 include/linux/security.h                 |  10 +-
 kernel/fork.c                            |   6 +-
 kernel/futex.c                           |  31 +++--
 kernel/futex_compat.c                    |  31 +++--
 kernel/ptrace.c                          |  60 ++++++--
 kernel/signal.c                          |   2 +-
 security/apparmor/include/ipc.h          |   2 +-
 security/apparmor/ipc.c                  |   4 +-
 security/apparmor/lsm.c                  |  14 +-
 security/commoncap.c                     |   8 +-
 security/security.c                      |   5 +-
 security/selinux/hooks.c                 |   4 +-
 security/smack/smack_lsm.c               |  18 ++-
 security/yama/yama_lsm.c                 |   9 +-
 28 files changed, 646 insertions(+), 119 deletions(-)
 create mode 100644 Documentation/security/ptrace_checks.txt

-- 
2.1.4