[PATCH 07/12] procfs: add permission checks on the file's opener of /proc/*/stack

From: Djalal Harouni
Date: Wed Sep 25 2013 - 16:24:48 EST

Next message: Kent Overstreet: "[PATCH 1/6] block: Introduce bio_for_each_page()"
Previous message: Kent Overstreet: "[PATCH 5/6] convert integrity to new merging"
In reply to: Djalal Harouni: "Re: [PATCH 06/12] procfs: make /proc/*/stack 0400"
Next in thread: Djalal Harouni: "[PATCH 08/12] procfs: add permission checks on the file's opener of /proc/*/personality"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

/proc file descriptors can be passed to a more privileged process
(e.g. a suid-exec) which will pass the classic ptrace_may_access()
permission check during read().

Use proc_same_open_cred() to detect if the cred of current between
->open() and ->read() have changed, if so then call proc_allow_access()
to check if the original file's opener had enough privileges to access
the /proc's task entries during ->read().
The file's opener cred are obtained by seq_f_cred() on seq_file struct.

The ptrace_may_access() + proc_allow_access() check is performed during
->read() time, where the ptrace_may_access() check should also be
performed during ->open(), however currently this is not the case.

This is due to /procfs ONE files that share the same ->open() function
proc_single_open(). Adding the ptrace_may_access() check to
proc_single_open() might break userspace from accessing other ONE files
like /proc/*/stat and /proc/*/statm.

So just perform the checks during ->read() and if current's cred have
changed, then check the file's opener cred with proc_allow_access().
This will block passing the file descriptor to a more privileged
process (e.g. a suid-exec).

Cc: Kees Cook <keescook@xxxxxxxxxxxx>
Cc: Eric W. Biederman <ebiederm@xxxxxxxxxxxx>
Signed-off-by: Djalal Harouni <tixxdz@xxxxxxxxxx>
---
fs/proc/base.c | 26 +++++++++++++++++++-------
1 file changed, 19 insertions(+), 7 deletions(-)

diff --git a/fs/proc/base.c b/fs/proc/base.c
index bb90171..d6a17b3 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -402,6 +402,8 @@ static int proc_pid_stack(struct seq_file *m, struct pid_namespace *ns,
unsigned long *entries;
int err;
int i;
+ int same_cred;
+ const struct cred *fcred = seq_f_cred(m);

entries = kmalloc(MAX_STACK_TRACE_DEPTH * sizeof(*entries), GFP_KERNEL);
if (!entries)
@@ -412,18 +414,28 @@ static int proc_pid_stack(struct seq_file *m, struct pid_namespace *ns,
trace.entries = entries;
trace.skip = 0;

+ same_cred = proc_same_open_cred(fcred);
+
err = lock_trace(task);
- if (!err) {
- save_stack_trace_tsk(task, &trace);
+ if (err)
+ goto free;

- for (i = 0; i < trace.nr_entries; i++) {
- seq_printf(m, "[<%pK>] %pS\n",
- (void *)entries[i], (void *)entries[i]);
- }
+ if (!same_cred && !proc_allow_access(fcred, task, PTRACE_MODE_ATTACH)) {
+ err = -EPERM;
unlock_trace(task);
+ goto free;
}
- kfree(entries);

+ save_stack_trace_tsk(task, &trace);
+ unlock_trace(task);
+
+ for (i = 0; i < trace.nr_entries; i++) {
+ seq_printf(m, "[<%pK>] %pS\n",
+ (void *)entries[i], (void *)entries[i]);
+ }
+
+free:
+ kfree(entries);
return err;
}
#endif
--
1.7.11.7

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Kent Overstreet: "[PATCH 1/6] block: Introduce bio_for_each_page()"
Previous message: Kent Overstreet: "[PATCH 5/6] convert integrity to new merging"
In reply to: Djalal Harouni: "Re: [PATCH 06/12] procfs: make /proc/*/stack 0400"
Next in thread: Djalal Harouni: "[PATCH 08/12] procfs: add permission checks on the file's opener of /proc/*/personality"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]