diff options
| author | Kees Cook <keescook@chromium.org> | 2021-06-08 10:12:21 -0700 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2021-06-16 11:34:51 +0200 |
| commit | bd354c01cb175c50533899743e0e5736e3e36ab0 (patch) | |
| tree | 1e766724a88b53fa68b78d7423947659e24267de /fs | |
| parent | 2b9e462d8dc2b13e6b5d9dc8c7ed95502c9718f5 (diff) | |
proc: Track /proc/$pid/attr/ opener mm_struct
commit 591a22c14d3f45cc38bd1931c593c221df2f1881 upstream.
Commit bfb819ea20ce ("proc: Check /proc/$pid/attr/ writes against file opener")
tried to make sure that there could not be a confusion between the opener of
a /proc/$pid/attr/ file and the writer. It used struct cred to make sure
the privileges didn't change. However, there were existing cases where a more
privileged thread was passing the opened fd to a differently privileged thread
(during container setup). Instead, use mm_struct to track whether the opener
and writer are still the same process. (This is what several other proc files
already do, though for different reasons.)
Reported-by: Christian Brauner <christian.brauner@ubuntu.com>
Reported-by: Andrea Righi <andrea.righi@canonical.com>
Tested-by: Andrea Righi <andrea.righi@canonical.com>
Fixes: bfb819ea20ce ("proc: Check /proc/$pid/attr/ writes against file opener")
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'fs')
| -rw-r--r-- | fs/proc/base.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/fs/proc/base.c b/fs/proc/base.c index 2166f24af37e..d2428d20d5a9 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -2384,6 +2384,11 @@ out: } #ifdef CONFIG_SECURITY +static int proc_pid_attr_open(struct inode *inode, struct file *file) +{ + return __mem_open(inode, file, PTRACE_MODE_READ_FSCREDS); +} + static ssize_t proc_pid_attr_read(struct file * file, char __user * buf, size_t count, loff_t *ppos) { @@ -2414,7 +2419,7 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf, struct task_struct *task = get_proc_task(inode); /* A task may only write when it was the opener. */ - if (file->f_cred != current_real_cred()) + if (file->private_data != current->mm) return -EPERM; length = -ESRCH; @@ -2455,9 +2460,11 @@ out_no_task: } static const struct file_operations proc_pid_attr_operations = { + .open = proc_pid_attr_open, .read = proc_pid_attr_read, .write = proc_pid_attr_write, .llseek = generic_file_llseek, + .release = mem_release, }; static const struct pid_entry attr_dir_stuff[] = { |