1. 01 Dec, 2016 3 commits
  2. 24 Nov, 2016 4 commits
  3. 23 Nov, 2016 23 commits
  4. 14 Nov, 2016 1 commit
  5. 11 Nov, 2016 6 commits
  6. 10 Nov, 2016 2 commits
  7. 09 Nov, 2016 1 commit
    • Eric W. Biederman's avatar
      (upstream) mm: Add a user_ns owner to mm_struct and fix ptrace permission checks · de8a1b67
      Eric W. Biederman authored
      BugLink: https://bugs.launchpad.net/bugs/1639345
      
      During exec dumpable is cleared if the file that is being executed is
      not readable by the user executing the file.  A bug in
      ptrace_may_access allows reading the file if the executable happens to
      enter into a subordinate user namespace (aka clone(CLONE_NEWUSER),
      unshare(CLONE_NEWUSER), or setns(fd, CLONE_NEWUSER).
      
      This problem is fixed with only necessary userspace breakage by adding
      a user namespace owner to mm_struct, captured at the time of exec, so
      it is clear in which user namespace CAP_SYS_PTRACE must be present in
      to be able to safely give read permission to the executable.
      
      The function ptrace_may_access is modified to verify that the ptracer
      has CAP_SYS_ADMIN in task->mm->user_ns instead of task->cred->user_ns.
      This ensures that if the task changes it's cred into a subordinate
      user namespace it does not become ptraceable.
      
      The function ptrace_attach is modified to only set PT_PTRACE_CAP when
      CAP_SYS_PTRACE is held over task->mm->user_ns.  The intent of
      PT_PTRACE_CAP is to be a flag to note that whatever permission changes
      the task might go through the tracer has sufficient permissions for
      it not to be an issue.  task->cred->user_ns is always the same
      as or descendent of mm->user_ns.  Which guarantees that having
      CAP_SYS_PTRACE over mm->user_ns is the worst case for the tasks
      credentials.
      
      To prevent regressions mm->dumpable and mm->user_ns are not considered
      when a task has no mm.  As simply failing ptrace_may_attach causes
      regressions in privileged applications attempting to read things
      such as /proc/<pid>/stat
      
      Cc: stable@vger.kernel.org
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Tested-by: default avatarCyrill Gorcunov <gorcunov@openvz.org>
      Fixes: 8409cca7 ("userns: allow ptrace from non-init user namespaces")
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      (cherry picked from commit 2e41414828bb0b066bde2f156cfa848c38531edf linux-next)
      CVE-2015-8709
      Signed-off-by: default avatarSeth Forshee <seth.forshee@canonical.com>
      Acked-by: default avatarBrad Figg <brad.figg@canonical.com>
      Acked-by: default avatarTim Gardner <tim.gardner@canonical.com>
      Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
      de8a1b67