2006-03-08 20:52:54

by Ram Gupta

[permalink] [raw]
Subject: [PATCH] capability: Fix bug in checking capabilties in ptrace system call

This patch fixes a bug of ptrace for PTRACE_TRACEME request. In this
case the call is made by the child process & code needs to check the
capabilty of the parent process to trace the child process but code
incorrectly makes check for the child process.

Signed-off-by: Ram Gupta <[email protected]>

--- linux-2.6.14-patch-2.6.15/security/commoncap.c.orig Wed Mar 8 13:54:06 2006
+++ linux-2.6.14-patch-2.6.15/security/commoncap.c Wed Mar 8 13:57:07 2006
@@ -59,9 +59,13 @@ int cap_settime(struct timespec *ts, str
int cap_ptrace (struct task_struct *parent, struct task_struct *child)
{
/* Derived from arch/i386/kernel/ptrace.c:sys_ptrace. */
- if (!cap_issubset (child->cap_permitted, current->cap_permitted) &&
- !capable(CAP_SYS_PTRACE))
- return -EPERM;
+ if (!cap_issubset (child->cap_permitted, current->cap_permitted)){
+ if(!security_ops->capable(parent,CAP_SYS_PTRACE)){
+ parent->flags |= PF_SUPERPRIV;
+ }
+ else
+ return -EPERM;
+ }
return 0;
}

Regards
Ram Gupta


2006-03-09 10:53:13

by Chris Wright

[permalink] [raw]
Subject: Re: [PATCH] capability: Fix bug in checking capabilties in ptrace system call

* Ram Gupta ([email protected]) wrote:
> This patch fixes a bug of ptrace for PTRACE_TRACEME request. In this
> case the call is made by the child process & code needs to check the
> capabilty of the parent process to trace the child process but code
> incorrectly makes check for the child process.

Actually, that check is never triggered, for slightly subtle reason.

> Signed-off-by: Ram Gupta <[email protected]>
>
> --- linux-2.6.14-patch-2.6.15/security/commoncap.c.orig Wed Mar 8 13:54:06 2006
> +++ linux-2.6.14-patch-2.6.15/security/commoncap.c Wed Mar 8 13:57:07 2006
> @@ -59,9 +59,13 @@ int cap_settime(struct timespec *ts, str
> int cap_ptrace (struct task_struct *parent, struct task_struct *child)
> {
> /* Derived from arch/i386/kernel/ptrace.c:sys_ptrace. */
> - if (!cap_issubset (child->cap_permitted, current->cap_permitted) &&

In the context of TRACEME, child == current.

Historically, there's been no default security check for TRACEME, so
a change here has some small chance of breaking things (which would
be fine for plugging a real security hole). Parent less privileged
than child which did TRACEME is a bit of a contrived case, so security
implications aren't so worrisome. Modules like SELinux will actually
check this case, and should properly restrict. We can try a change in
-mm for a while.

> - !capable(CAP_SYS_PTRACE))
> - return -EPERM;
> + if (!cap_issubset (child->cap_permitted, current->cap_permitted)){
> + if(!security_ops->capable(parent,CAP_SYS_PTRACE)){

This is not valid when !CONFIG_SECURITY.

thanks,
-chris
--