Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp657604pxb; Tue, 5 Apr 2022 17:35:51 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwSwlZRw3y2qeZUOoaXjPsZ6eCGiSIlgssaxPI1+cYsjVMV8BNsPKLk3AODG0hMwLRNg5uJ X-Received: by 2002:a50:d4d2:0:b0:410:9fa2:60d6 with SMTP id e18-20020a50d4d2000000b004109fa260d6mr6316916edj.35.1649205350999; Tue, 05 Apr 2022 17:35:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1649205350; cv=none; d=google.com; s=arc-20160816; b=I8fSl0zzpBdWutQ2hAyVAeYq+pMZtX+aoMRj2wWvfZ3mX4VATNhnha1mkNNPnDSkA4 bW844QZVJIOJ7+pNM0xuLxt57Yp9ImvIrPxiwE2CjtLYgG44ypT51hjDIxK6c02xf+ht PtmW+kdvhwD/OBfHS9PU85Ch215YxNORxfzX5NMklGSJt+Et7cm5Omr+BzwCOMKFEBgM PsSt++40Krm6+aFf/byV1ByUnkUBRX5XVETtp85/GSUfVPjVDEkynMQDb/twXjDTm3hL gmFsBdG3JyG9ntS8sGMCnIi96rzfgz5V+QVnr9w5acDkI9pKOydvnPF3Qw6LsyTcDr0l 2A5w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=FF6Pfs24b9b+miVQMX8rU3cDOC4d0+UzxEcJDy6PXqs=; b=Io6yojrctFEQCF6pO2rMVBGYzfYHzejsuSX5ntroWEm+Rhz3wbqjL96Z1vZzSMEB1S kzmv5t06lmIJn/EmEZksv+XJCxWVCwndXQGwz1Eyi0+AigLeZAxRww0NVksKG4RNv3Yj +qntZNqx7qbDfO131uCDJcEABxsuv0AnNqVeurWDwAtt0qHebmhnkjApNeDMWzBsUrxM 4O2/NuXF2dG6c/75BMcFqxZY41GnVWhsAJu3lQ40h+0XSFIBC3l5ntRRtT1H1CUpxb1l oDFDAtHabI4qXcxaDse2qmrvwwlAYGWC5ZeN5FpG6YzGlIAno1GVxZ5bXR/2q36yJg4A Tkdw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=E1TzdodM; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id q9-20020a170906540900b006df76385c90si10601368ejo.304.2022.04.05.17.35.25; Tue, 05 Apr 2022 17:35:50 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=E1TzdodM; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1387683AbiDEOcm (ORCPT + 99 others); Tue, 5 Apr 2022 10:32:42 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55270 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238856AbiDEJdC (ORCPT ); Tue, 5 Apr 2022 05:33:02 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 73C48B48; Tue, 5 Apr 2022 02:20:27 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 0EE3E6144D; Tue, 5 Apr 2022 09:20:27 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 1D505C385A0; Tue, 5 Apr 2022 09:20:25 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1649150426; bh=Os+qxn1DhxDjshDTdAdlcK8Fy8Mz/bgvQq9b255khpM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=E1TzdodME7QPIUeOwJwneS9vpA7DBrLZ1K4Dg//Nvm4PDYXCLMk89GluQ9ML8Ayvj lQdaimOGirySgQ0C2nd6oJJcFoD+0knkdqr1zntLCARHd+ZAA5ud6Nak8sbS9QzjU0 e+FVCslZM80hTAEIoebSTMB1eEkf1pMtElDKOBGA= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, stable@kernel.org, Jann Horn , "Eric W. Biederman" Subject: [PATCH 5.15 052/913] ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on PTRACE_SEIZE Date: Tue, 5 Apr 2022 09:18:34 +0200 Message-Id: <20220405070341.379725350@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220405070339.801210740@linuxfoundation.org> References: <20220405070339.801210740@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Jann Horn commit ee1fee900537b5d9560e9f937402de5ddc8412f3 upstream. Setting PTRACE_O_SUSPEND_SECCOMP is supposed to be a highly privileged operation because it allows the tracee to completely bypass all seccomp filters on kernels with CONFIG_CHECKPOINT_RESTORE=y. It is only supposed to be settable by a process with global CAP_SYS_ADMIN, and only if that process is not subject to any seccomp filters at all. However, while these permission checks were done on the PTRACE_SETOPTIONS path, they were missing on the PTRACE_SEIZE path, which also sets user-specified ptrace flags. Move the permissions checks out into a helper function and let both ptrace_attach() and ptrace_setoptions() call it. Cc: stable@kernel.org Fixes: 13c4a90119d2 ("seccomp: add ptrace options for suspend/resume") Signed-off-by: Jann Horn Link: https://lkml.kernel.org/r/20220319010838.1386861-1-jannh@google.com Signed-off-by: Eric W. Biederman Signed-off-by: Greg Kroah-Hartman --- kernel/ptrace.c | 47 ++++++++++++++++++++++++++++++++--------------- 1 file changed, 32 insertions(+), 15 deletions(-) --- a/kernel/ptrace.c +++ b/kernel/ptrace.c @@ -371,6 +371,26 @@ bool ptrace_may_access(struct task_struc return !err; } +static int check_ptrace_options(unsigned long data) +{ + if (data & ~(unsigned long)PTRACE_O_MASK) + return -EINVAL; + + if (unlikely(data & PTRACE_O_SUSPEND_SECCOMP)) { + if (!IS_ENABLED(CONFIG_CHECKPOINT_RESTORE) || + !IS_ENABLED(CONFIG_SECCOMP)) + return -EINVAL; + + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; + + if (seccomp_mode(¤t->seccomp) != SECCOMP_MODE_DISABLED || + current->ptrace & PT_SUSPEND_SECCOMP) + return -EPERM; + } + return 0; +} + static int ptrace_attach(struct task_struct *task, long request, unsigned long addr, unsigned long flags) @@ -382,8 +402,16 @@ static int ptrace_attach(struct task_str if (seize) { if (addr != 0) goto out; + /* + * This duplicates the check in check_ptrace_options() because + * ptrace_attach() and ptrace_setoptions() have historically + * used different error codes for unknown ptrace options. + */ if (flags & ~(unsigned long)PTRACE_O_MASK) goto out; + retval = check_ptrace_options(flags); + if (retval) + return retval; flags = PT_PTRACED | PT_SEIZED | (flags << PT_OPT_FLAG_SHIFT); } else { flags = PT_PTRACED; @@ -656,22 +684,11 @@ int ptrace_writedata(struct task_struct static int ptrace_setoptions(struct task_struct *child, unsigned long data) { unsigned flags; + int ret; - if (data & ~(unsigned long)PTRACE_O_MASK) - return -EINVAL; - - if (unlikely(data & PTRACE_O_SUSPEND_SECCOMP)) { - if (!IS_ENABLED(CONFIG_CHECKPOINT_RESTORE) || - !IS_ENABLED(CONFIG_SECCOMP)) - return -EINVAL; - - if (!capable(CAP_SYS_ADMIN)) - return -EPERM; - - if (seccomp_mode(¤t->seccomp) != SECCOMP_MODE_DISABLED || - current->ptrace & PT_SUSPEND_SECCOMP) - return -EPERM; - } + ret = check_ptrace_options(data); + if (ret) + return ret; /* Avoid intermediate state when all opts are cleared */ flags = child->ptrace;