From patchwork Fri Dec 2 23:49:43 2016
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 9459397
Date: Fri, 2 Dec 2016 15:49:43 -0800
From: Kees Cook
To: James Morris
Cc: "Serge E. Hallyn", linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] Yama: allow access for the current ptrace parent
Message-ID: <20161202234943.GA116779@beast>

From: Josh Stone Under ptrace_scope=1, it's possible to have a tracee that is already ptrace-attached, but is no longer a direct descendant. For instance, a forking daemon will be re-parented to init, losing its ancestry to the tracer that launched it. The tracer can continue using ptrace in that state, but it will be denied other accesses that check PTRACE_MODE_ATTACH, like process_vm_rw and various procfs files. There's no reason to prevent such access for a tracer that already has ptrace control anyway. This patch adds a case to ptracer_exception_found to allow access for any task in the same thread group as the current ptrace parent. Signed-off-by: Josh Stone Cc: Kees Cook Cc: James Morris Cc: "Serge E. Hallyn" Cc: linux-security-module@vger.kernel.org Signed-off-by: Kees Cook --- James, can you pull this into your -next tree? I made a tiny fix to the comment style, but it is otherwise identical to what Josh sent originally. --- security/yama/yama_lsm.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c index 0309f2111c70..968e5e0a3f81 100644 --- a/security/yama/yama_lsm.c +++ b/security/yama/yama_lsm.c @@ -309,7 +309,7 @@ static int task_is_descendant(struct task_struct *parent, * @tracer: the task_struct of the process attempting ptrace * @tracee: the task_struct of the process to be ptraced * - * Returns 1 if tracer has is ptracer exception ancestor for tracee. + * Returns 1 if tracer has a ptracer exception ancestor for tracee. */ static int ptracer_exception_found(struct task_struct *tracer, struct task_struct *tracee) 
@@ -320,6 +320,18 @@ static int ptracer_exception_found(struct task_struct *tracer, bool found = false; rcu_read_lock(); + + /* + * If there's already an active tracing relationship, then make an + * exception for the sake of other accesses, like process_vm_rw(). + */ + parent = ptrace_parent(tracee); + if (parent != NULL && same_thread_group(parent, tracer)) { + rc = 1; + goto unlock; + } + + /* Look for a PR_SET_PTRACER relationship. */ if (!thread_group_leader(tracee)) tracee = rcu_dereference(tracee->group_leader); list_for_each_entry_rcu(relation, &ptracer_relations, node) { @@ -334,6 +346,8 @@ static int ptracer_exception_found(struct task_struct *tracer, if (found && (parent == NULL || task_is_descendant(parent, tracer))) rc = 1; + +unlock: rcu_read_unlock(); return rc;
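Review bot: in the kernel-doc hunk (@@ -309,7 +309,7 @@), the corrected line "Returns 1 if tracer has a ptracer exception ancestor for tracee." is already incomplete within this same patch. The later hunk makes ptracer_exception_found() also return 1 when tracer is in the same thread group as ptrace_parent(tracee), a case that involves no PR_SET_PTRACER exception at all. Since the comment is being touched anyway, extend it to cover both cases, for example "Returns 1 if tracer is in the thread group of tracee's current ptrace parent, or has a ptracer exception ancestor for tracee."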
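Review bot: in the @@ -320,6 +320,18 @@ hunk, "parent = ptrace_parent(tracee);" reuses the same variable that the final test "found && (parent == NULL || task_is_descendant(parent, tracer))" depends on. When the same_thread_group() check fails, the code falls through to the PR_SET_PTRACER lookup with parent holding the ptrace parent rather than whatever it held before. That is harmless only if the list_for_each_entry_rcu() loop always overwrites parent before setting found, which the visible lines do not show. A separate local for the ptrace parent, or resetting parent just before the "Look for a PR_SET_PTRACER relationship" comment, would keep the two lookups independent and protect the "parent == NULL" case from a later refactor of the loop. The placement of the new check ahead of the "tracee = rcu_dereference(tracee->group_leader)" normalization looks intentional, because the ptrace relationship belongs to the individual thread. A few words saying so in the new comment would stop someone from moving the check below that line.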