• Jann Horn's avatar
    ptrace: use fsuid, fsgid, effective creds for fs access checks · caaee623
    Jann Horn authored
    By checking the effective credentials instead of the real UID / permitted
    capabilities, ensure that the calling process actually intended to use its
    credentials.
    
    To ensure that all ptrace checks use the correct caller credentials (e.g.
    in case out-of-tree code or newly added code omits the PTRACE_MODE_*CREDS
    flag), use two new flags and require one of them to be set.
    
    The problem was that when a privileged task had temporarily dropped its
    privileges, e.g.  by calling setreuid(0, user_uid), with the intent to
    perform following syscalls with the credentials of a user, it still passed
    ptrace access checks that the user would not be able to pass.
    
    While an attacker should not be able to convince the privileged task to
    perform a ptrace() syscall, this is a problem because the ptrace access
    check is reused for things in procfs.
    
    In particular, the following somewhat interesting procfs entries only rely
    on ptrace access checks:
    
     /proc/$pid/stat - uses the check for determining whether pointers
         should be visible, useful for bypassing ASLR
     /proc/$pid/maps - also useful for bypassing ASLR
     /proc/$pid/cwd - useful for gaining access to restricted
         directories that contain files with lax permissions, e.g. in
         this scenario:
         lrwxrwxrwx root root /proc/13020/cwd -> /root/foobar
         drwx------ root root /root
         drwxr-xr-x root root /root/foobar
         -rw-r--r-- root root /root/foobar/secret
    
    Therefore, on a system where a root-owned mode 6755 binary changes its
    effective credentials as described and then dumps a user-specified file,
    this could be used by an attacker to reveal the memory layout of root's
    processes or reveal the contents of files he is not allowed to access
    (through /proc/$pid/cwd).
    
    [akpm@linux-foundation.org: fix warning]
    Signed-off-by: default avatarJann Horn <jann@thejh.net>
    Acked-by: default avatarKees Cook <keescook@chromium.org>
    Cc: Casey Schaufler <casey@schaufler-ca.com>
    Cc: Oleg Nesterov <oleg@redhat.com>
    Cc: Ingo Molnar <mingo@redhat.com>
    Cc: James Morris <james.l.morris@oracle.com>
    Cc: "Serge E. Hallyn" <serge.hallyn@ubuntu.com>
    Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    Cc: Andy Lutomirski <luto@kernel.org>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: "Eric W. Biederman" <ebiederm@xmission.com>
    Cc: Willy Tarreau <w@1wt.eu>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    caaee623
commoncap.c 31.3 KB