Revert "UBUNTU: SAUCE: (noup) ptrace: being capable wrt a process requires mapped uids/gids"

BugLink: https://bugs.launchpad.net/bugs/1639345 This reverts commit a76b8ce7 to apply a more complete fix from linux-next. CVE-2015-8709 Signed-off-by: Seth Forshee <seth.forshee@canonical.com> Acked-by: Brad Figg <brad.figg@canonical.com> Acked-by: Tim Gardner <tim.gardner@canonical.com> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>

Revert "UBUNTU: SAUCE: (noup) ptrace: being capable wrt a process requires mapped uids/gids"
BugLink: https://bugs.launchpad.net/bugs/1639345 This reverts commit a76b8ce7 to apply a more complete fix from linux-next. CVE-2015-8709 Signed-off-by: Seth Forshee <seth.forshee@canonical.com> Acked-by: Brad Figg <brad.figg@canonical.com> Acked-by: Tim Gardner <tim.gardner@canonical.com> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
e3f24600 · Seth Forshee · Luis Henriques · 8b098d16 · e3f24600
Commit e3f24600 authored Nov 08, 2016 by Seth Forshee Committed by Luis Henriques Nov 09, 2016
Show whitespace changes
Inline Side-by-side

Showing with 5 additions and 25 deletions

kernel/ptrace.c kernel/ptrace.c +5 -25

No files found.
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -207,32 +207,12 @@ static int ptrace_check_attach(struct task_struct *child, bool ignore_state)
 	return ret;
 }

-static bool ptrace_has_cap(const struct cred *tcred, unsigned int mode)
+static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode)
 {
-	struct user_namespace *tns = tcred->user_ns;
-	struct user_namespace *curns = current_cred()->user_ns;
-
-	/* When a root-owned process enters a user namespace created by a
-	 * malicious user, the user shouldn't be able to execute code under
-	 * uid 0 by attaching to the root-owned process via ptrace.
-	 * Therefore, similar to the capable_wrt_inode_uidgid() check,
-	 * verify that all the uids and gids of the target process are
-	 * mapped into the current namespace.
-	 * No fsuid/fsgid check because __ptrace_may_access doesn't do it
-	 * either.
-	 */
-	if (!kuid_has_mapping(curns, tcred->euid) ||
-			!kuid_has_mapping(curns, tcred->suid) ||
-			!kuid_has_mapping(curns, tcred->uid)  ||
-			!kgid_has_mapping(curns, tcred->egid) ||
-			!kgid_has_mapping(curns, tcred->sgid) ||
-			!kgid_has_mapping(curns, tcred->gid))
-		return false;
-
 	if (mode & PTRACE_MODE_NOAUDIT)
-		return has_ns_capability_noaudit(current, tns, CAP_SYS_PTRACE);
+		return has_ns_capability_noaudit(current, ns, CAP_SYS_PTRACE);
 	else
-		return has_ns_capability(current, tns, CAP_SYS_PTRACE);
+		return has_ns_capability(current, ns, CAP_SYS_PTRACE);
 }

 /* Returns 0 on success, -errno on denial. */
@@ -284,7 +264,7 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
 	    gid_eq(caller_gid, tcred->sgid) &&
 	    gid_eq(caller_gid, tcred->gid))
 		goto ok;
-	if (ptrace_has_cap(tcred, mode))
+	if (ptrace_has_cap(tcred->user_ns, mode))
 		goto ok;
 	rcu_read_unlock();
 	return -EPERM;
@@ -295,7 +275,7 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
 		dumpable = get_dumpable(task->mm);
 	rcu_read_lock();
 	if (dumpable != SUID_DUMP_USER &&
-	    !ptrace_has_cap(__task_cred(task), mode)) {
+	    !ptrace_has_cap(__task_cred(task)->user_ns, mode)) {
 		rcu_read_unlock();
 		return -EPERM;
 	}