• Andrew Morton's avatar
    [PATCH] credentials locking fix · 10c189cd
    Andrew Morton authored
    From: Chris Wright <chrisw@osdl.org>
    
    Contributions from:
    Stephen Smalley <sds@epoch.ncsc.mil>
    Andy Lutomirski <luto@stanford.edu>
    
    During exec the LSM bprm_apply_creds() hooks may tranisition the program to a
    new security context (like setuid binaries).  The security context of the new
    task is dependent on state such as if the task is being ptraced.  
    
    ptrace_detach() doesn't take the task_lock() when clearing task->ptrace.  So
    there is a race possible where a process starts off being ptraced, the
    malicious ptracer detaches and if any checks agains task->ptrace are done more
    than once, the results are indeterminate.
    
    This patch ensures task_lock() is held while bprm_apply_creds() hooks are
    called, keeping it safe against ptrace_attach() races.  Additionally, tests
    against task->ptrace (and ->fs->count, ->files->count and ->sighand->count all
    of which signify potential unsafe resource sharing during a security context
    transition) are done only once the results are passed down to hooks, making it
    safe against ptrace_detach() races.
    
    Additionally:
    
    - s/must_must_not_trace_exec/unsafe_exec/
    - move unsafe_exec() call above security_bprm_apply_creds() call rather than
      in call for readability.
    - fix dummy hook to honor the case where root is ptracing
    - couple minor formatting/spelling fixes
    10c189cd
dummy.c 23.1 KB