Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1750929AbWCIKxN (ORCPT ); Thu, 9 Mar 2006 05:53:13 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1751812AbWCIKxN (ORCPT ); Thu, 9 Mar 2006 05:53:13 -0500 Received: from 216-99-217-87.dsl.aracnet.com ([216.99.217.87]:9858 "EHLO sorel.sous-sol.org") by vger.kernel.org with ESMTP id S1750929AbWCIKxM (ORCPT ); Thu, 9 Mar 2006 05:53:12 -0500 Date: Thu, 9 Mar 2006 02:57:54 -0800 From: Chris Wright To: Ram Gupta Cc: linux mailing-list Subject: Re: [PATCH] capability: Fix bug in checking capabilties in ptrace system call Message-ID: <20060309105754.GK27645@sorel.sous-sol.org> References: <728201270603081252v3cb2743dwcb18d99f132cf531@mail.gmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <728201270603081252v3cb2743dwcb18d99f132cf531@mail.gmail.com> User-Agent: Mutt/1.4.2.1i Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1885 Lines: 43 * Ram Gupta (ram.gupta5@gmail.com) wrote: > This patch fixes a bug of ptrace for PTRACE_TRACEME request. In this > case the call is made by the child process & code needs to check the > capabilty of the parent process to trace the child process but code > incorrectly makes check for the child process. Actually, that check is never triggered, for slightly subtle reason. > Signed-off-by: Ram Gupta > > --- linux-2.6.14-patch-2.6.15/security/commoncap.c.orig Wed Mar 8 13:54:06 2006 > +++ linux-2.6.14-patch-2.6.15/security/commoncap.c Wed Mar 8 13:57:07 2006 > @@ -59,9 +59,13 @@ int cap_settime(struct timespec *ts, str > int cap_ptrace (struct task_struct *parent, struct task_struct *child) > { > /* Derived from arch/i386/kernel/ptrace.c:sys_ptrace. */ > - if (!cap_issubset (child->cap_permitted, current->cap_permitted) && In the context of TRACEME, child == current. Historically, there's been no default security check for TRACEME, so a change here has some small chance of breaking things (which would be fine for plugging a real security hole). Parent less privileged than child which did TRACEME is a bit of a contrived case, so security implications aren't so worrisome. Modules like SELinux will actually check this case, and should properly restrict. We can try a change in -mm for a while. > - !capable(CAP_SYS_PTRACE)) > - return -EPERM; > + if (!cap_issubset (child->cap_permitted, current->cap_permitted)){ > + if(!security_ops->capable(parent,CAP_SYS_PTRACE)){ This is not valid when !CONFIG_SECURITY. thanks, -chris -- - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/