diff mbox

[1/2,trusty] Revert "UBUNTU: ptrace: being capable wrt a process requires mapped uids/gids"

Message ID 1478663225-108884-2-git-send-email-seth.forshee@canonical.com
State New
Headers show

Commit Message

Seth Forshee Nov. 9, 2016, 3:46 a.m. UTC 
This reverts commit a9aaa4df87428776f2e01daf646dfd681d069af4 to
apply a more complete fix from linux-next.

CVE-2016-8709
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
---
 kernel/ptrace.c | 30 +++++-------------------------
 1 file changed, 5 insertions(+), 25 deletions(-)
diff mbox

Patch

diff --git a/kernel/ptrace.c b/kernel/ptrace.c
index 81fe8755dabf..be9760f8284a 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -213,32 +213,12 @@  static int ptrace_check_attach(struct task_struct *child, bool ignore_state)
 	return ret;
 }
 
-static bool ptrace_has_cap(const struct cred *tcred, unsigned int mode)
+static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode)
 {
-	struct user_namespace *tns = tcred->user_ns;
-	struct user_namespace *curns = current_cred()->user_ns;
-
-	/* When a root-owned process enters a user namespace created by a
-	 * malicious user, the user shouldn't be able to execute code under
-	 * uid 0 by attaching to the root-owned process via ptrace.
-	 * Therefore, similar to the capable_wrt_inode_uidgid() check,
-	 * verify that all the uids and gids of the target process are
-	 * mapped into the current namespace.
-	 * No fsuid/fsgid check because __ptrace_may_access doesn't do it
-	 * either.
-	 */
-	if (!kuid_has_mapping(curns, tcred->euid) ||
-			!kuid_has_mapping(curns, tcred->suid) ||
-			!kuid_has_mapping(curns, tcred->uid)  ||
-			!kgid_has_mapping(curns, tcred->egid) ||
-			!kgid_has_mapping(curns, tcred->sgid) ||
-			!kgid_has_mapping(curns, tcred->gid))
-		return false;
-
 	if (mode & PTRACE_MODE_NOAUDIT)
-		return has_ns_capability_noaudit(current, tns, CAP_SYS_PTRACE);
+		return has_ns_capability_noaudit(current, ns, CAP_SYS_PTRACE);
 	else
-		return has_ns_capability(current, tns, CAP_SYS_PTRACE);
+		return has_ns_capability(current, ns, CAP_SYS_PTRACE);
 }
 
 /* Returns 0 on success, -errno on denial. */
@@ -267,7 +247,7 @@  static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
 	    gid_eq(cred->gid, tcred->sgid) &&
 	    gid_eq(cred->gid, tcred->gid))
 		goto ok;
-	if (ptrace_has_cap(tcred, mode))
+	if (ptrace_has_cap(tcred->user_ns, mode))
 		goto ok;
 	rcu_read_unlock();
 	return -EPERM;
@@ -278,7 +258,7 @@  ok:
 		dumpable = get_dumpable(task->mm);
 	rcu_read_lock();
 	if (dumpable != SUID_DUMP_USER &&
-	    !ptrace_has_cap(__task_cred(task), mode)) {
+	    !ptrace_has_cap(__task_cred(task)->user_ns, mode)) {
 		rcu_read_unlock();
 		return -EPERM;
 	}