Received: from thejh.net ([37.221.195.125]:48118 "EHLO thejh.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1758892AbcIWUkt (ORCPT); Fri, 23 Sep 2016 16:40:49 -0400
From: Jann Horn
To: Alexander Viro, Roland McGrath, Oleg Nesterov, John Johansen, James Morris, "Serge E. Hallyn", Paul Moore, Stephen Smalley, Eric Paris, Casey Schaufler, Kees Cook, Andrew Morton, Janis Danisevskis, Seth Forshee, "Eric . Biederman", Thomas Gleixner, Benjamin LaHaise, Ben Hutchings, Andy Lutomirski, Linus Torvalds
Cc: linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, security@kernel.org
Subject: [PATCH v2 0/8] Various fixes related to ptrace_may_access()
Date: Fri, 23 Sep 2016 22:40:30 +0200
Message-Id: <1474663238-22134-1-git-send-email-jann@thejh.net>
Sender: linux-fsdevel-owner@vger.kernel.org

This series has a bunch of loosely-related fixes for minor security bugs.
Since the bugs are minor and the patches aren't trivial, I'm sending it
publicly.

The reason I'm bundling these patches up as a series instead of sending
patches one by one is that e.g. patch 2 creates some common infrastructure
that multiple other patches depend on.

For specific information about what the purpose of this series is, please
see the individual commits - but the general theme is:

 - get rid of races that can leak things like userspace addresses during
   setuid execve()
 - get rid of procfs files that cause unexpected behavior when passed around
 - add warnings to keep developers from creating more issues like this
 - document access checks

Changes in v2:
 - removed "ptrace: forbid ptrace checks against current_cred() from VFS
   context" (Linus Torvalds)
 - use the luid scheme suggested by Andy Lutomirski
 - patch 2/8 changed a lot
 - various other changes in individual patches

There is a somewhat ugly detail in patch 2/8 now, which is that the
tasklist_lock is taken for reading while regenerating the luid during
execve. I'm not sure whether that can be avoided.

Jann Horn (8):
  exec: introduce cred_guard_light
  exec: turn self_exec_id into self_privunit
  proc: use open()-time creds for ptrace checks
  futex: don't leak robust_list pointer
  proc: lock properly in ptrace_may_access callers
  ptrace: warn on ptrace_may_access without proper locking
  fs/proc: fix attr access check
  Documentation: add security/ptrace_checks.txt

 Documentation/security/ptrace_checks.txt | 229 +++++++++++++++++++++++++++++++
 fs/exec.c                                |  56 +++++++-
 fs/proc/array.c                          |  10 +-
 fs/proc/base.c                           | 224 ++++++++++++++++++++++--------
 fs/proc/internal.h                       |  14 ++
 fs/proc/namespaces.c                     |  14 ++
 include/linux/init_task.h                |   1 +
 include/linux/lsm_hooks.h                |   3 +-
 include/linux/ptrace.h                   |   5 +
 include/linux/sched.h                    |  27 +++-
 include/linux/security.h                 |  10 +-
 kernel/fork.c                            |   6 +-
 kernel/futex.c                           |  30 ++--
 kernel/futex_compat.c                    |  30 ++--
 kernel/ptrace.c                          |  54 ++++++--
 kernel/signal.c                          |   5 +-
 security/apparmor/include/ipc.h          |   2 +-
 security/apparmor/ipc.c                  |   4 +-
 security/apparmor/lsm.c                  |  14 +-
 security/commoncap.c                     |   8 +-
 security/security.c                      |   5 +-
 security/selinux/hooks.c                 |  15 +-
 security/smack/smack_lsm.c               |  18 ++-
 security/yama/yama_lsm.c                 |   9 +-
 24 files changed, 662 insertions(+), 131 deletions(-)
 create mode 100644 Documentation/security/ptrace_checks.txt

-- 
2.1.4