Message-ID: <64c5b8b423774029c3030ae778bf214d36499d2a.camel@decadent.org.uk>
Subject: Re: [PATCH 4.9 45/47] Smack: Dont ignore other bprm->unsafe flags if LSM_UNSAFE_PTRACE is set
From: Ben Hutchings
To: Jann Horn, Casey Schaufler
Cc: stable@vger.kernel.org, Greg Kroah-Hartman, LKML
Date: Thu, 05 Dec 2019 15:50:07 +0000
In-Reply-To: <20191006172019.260683324@linuxfoundation.org>
References: <20191006172016.873463083@linuxfoundation.org> <20191006172019.260683324@linuxfoundation.org>

On Sun, 2019-10-06 at 19:21 +0200, Greg Kroah-Hartman wrote:
> From: Jann Horn
>
> commit 3675f052b43ba51b99b85b073c7070e083f3e6fb upstream.
[...]
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -949,7 +949,8 @@ static int smack_bprm_set_creds(struct l
>
> if (rc != 0)
> return rc;
> - } else if (bprm->unsafe)
> + }
> + if (bprm->unsafe & ~LSM_UNSAFE_PTRACE)

I think this needs to be ~(LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)
for 4.9 and older branches.

Ben.

> return -EPERM;
>
> bsp->smk_task = isp->smk_task;
>
>

-- 
Ben Hutchings
Every program is either trivial or else contains at least one bug
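Review bot: The mask in the added `if (bprm->unsafe & ~LSM_UNSAFE_PTRACE)` clears only one flag, so every other bit set in `bprm->unsafe` reaches `return -EPERM`, and the reply in this thread points out that on 4.9 and older branches this includes LSM_UNSAFE_PTRACE_CAP. For those branches the condition should read `if (bprm->unsafe & ~(LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP))`, so that an exec which has already gone through the ptrace handling in the preceding block is not then rejected unconditionally. The hunk context is truncated, so it is worth confirming in the backport that the preceding branch tests the same pair of flags that this mask excludes, and a short comment above the check stating that the ptrace-related bits are handled earlier would keep the two in sync.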