Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp680482pxb; Tue, 5 Apr 2022 18:30:59 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxTnmnxRiO4A6Gwa9/L/AqUejSPGh2CmSIdAXyZWl00onGLk+Dv+N2GW+S48nT96X4rvyHt X-Received: by 2002:a05:6402:50c9:b0:419:3019:2d35 with SMTP id h9-20020a05640250c900b0041930192d35mr6351313edb.95.1649208658978; Tue, 05 Apr 2022 18:30:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1649208658; cv=none; d=google.com; s=arc-20160816; b=xmGr4msGdGYKAAZDrXxhKDnX49Kx6tmJYk8HUyNJhvWngeVUSjEnrlyriRIPIzOXMh yHR8yKhNVeBG+mjEisLzVDjrKpWe5Q7m9lCgG0rTKcbsELV2pXJwjobQ1crrcqS7xseg bwx4XZYVvzgBIYT5MAlsivFBflN+I3H5XTPKeaLAgwWWbr+bexfOopLqxEjFL0Kpby7q y2fKOvgi77GQsgSOxl3GxkShpG8sB+T/Z3Vf6dmjDXR71mgxp6P11BMqRpicBdkPThS/ 65MBHE10RAZrgPf2pIqBEd3wfnjqQipRF/ae7rB9+zbdy3Y8h1AzX2g+VRmz2ynklBj7 dIsA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=FF6Pfs24b9b+miVQMX8rU3cDOC4d0+UzxEcJDy6PXqs=; b=NJatEnq8iUqZxpP+ZyblP4g3HV6sX9NNuwzmnCKs+Fyt9/2kcYJQI347vPUJNmBHEm 0giCJaFGbLGuCshWEO2egU8H5briV7qEthRn+AFVRdIHpsUAZavNdLdHPJGSNBio8gR/ ZBd0tOBB3gWZl70GunHhSWVz1ahlz/7UcuVxLBU2TDoU4Dhoa633JtB56RaxDU0KgpX8 za2s7SWvu70G1gHBtYCQd15GPARFooq0+c9uUA8M7wSIQ5JknZHdebOXuc69aOEJrDcO 7bSTVmLYMxmv4ExwS6e209Fs8C1ALkQb9BmnuaWYuxicdAr4X2ZuwFJ4CasLUtTILzFI ODmg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=FzJgSXjy; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id q20-20020a1709064cd400b006df76385d5dsi10383524ejt.509.2022.04.05.18.30.26; Tue, 05 Apr 2022 18:30:58 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=FzJgSXjy; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345420AbiDELAg (ORCPT + 99 others); Tue, 5 Apr 2022 07:00:36 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58430 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235352AbiDEIjr (ORCPT ); Tue, 5 Apr 2022 04:39:47 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id ABA5C6427; Tue, 5 Apr 2022 01:33:22 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 64DE3B81B92; Tue, 5 Apr 2022 08:33:21 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id C7F2BC385A1; Tue, 5 Apr 2022 08:33:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1649147600; bh=Os+qxn1DhxDjshDTdAdlcK8Fy8Mz/bgvQq9b255khpM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=FzJgSXjyX/D868649XSu8Xhi1tU6WAQwIKa+yzVTL5DTCp28FFhv40Ohco1JqXs9R LYGokm4VSmf1ETIWlLREJHG/7SiwJ7IjO62EoY/rTOwhoOdpVT9FDJFUBI4JsyTqrG F0+8wbJQtljUFfcRlTTvPVS7PI8YUZuMup8OSRZ4= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, stable@kernel.org, Jann Horn , "Eric W. Biederman" Subject: [PATCH 5.16 0054/1017] ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on PTRACE_SEIZE Date: Tue, 5 Apr 2022 09:16:07 +0200 Message-Id: <20220405070355.788117394@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220405070354.155796697@linuxfoundation.org> References: <20220405070354.155796697@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Jann Horn commit ee1fee900537b5d9560e9f937402de5ddc8412f3 upstream. Setting PTRACE_O_SUSPEND_SECCOMP is supposed to be a highly privileged operation because it allows the tracee to completely bypass all seccomp filters on kernels with CONFIG_CHECKPOINT_RESTORE=y. It is only supposed to be settable by a process with global CAP_SYS_ADMIN, and only if that process is not subject to any seccomp filters at all. However, while these permission checks were done on the PTRACE_SETOPTIONS path, they were missing on the PTRACE_SEIZE path, which also sets user-specified ptrace flags. Move the permissions checks out into a helper function and let both ptrace_attach() and ptrace_setoptions() call it. Cc: stable@kernel.org Fixes: 13c4a90119d2 ("seccomp: add ptrace options for suspend/resume") Signed-off-by: Jann Horn Link: https://lkml.kernel.org/r/20220319010838.1386861-1-jannh@google.com Signed-off-by: Eric W. Biederman Signed-off-by: Greg Kroah-Hartman --- kernel/ptrace.c | 47 ++++++++++++++++++++++++++++++++--------------- 1 file changed, 32 insertions(+), 15 deletions(-) --- a/kernel/ptrace.c +++ b/kernel/ptrace.c @@ -371,6 +371,26 @@ bool ptrace_may_access(struct task_struc return !err; } +static int check_ptrace_options(unsigned long data) +{ + if (data & ~(unsigned long)PTRACE_O_MASK) + return -EINVAL; + + if (unlikely(data & PTRACE_O_SUSPEND_SECCOMP)) { + if (!IS_ENABLED(CONFIG_CHECKPOINT_RESTORE) || + !IS_ENABLED(CONFIG_SECCOMP)) + return -EINVAL; + + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; + + if (seccomp_mode(¤t->seccomp) != SECCOMP_MODE_DISABLED || + current->ptrace & PT_SUSPEND_SECCOMP) + return -EPERM; + } + return 0; +} + static int ptrace_attach(struct task_struct *task, long request, unsigned long addr, unsigned long flags) @@ -382,8 +402,16 @@ static int ptrace_attach(struct task_str if (seize) { if (addr != 0) goto out; + /* + * This duplicates the check in check_ptrace_options() because + * ptrace_attach() and ptrace_setoptions() have historically + * used different error codes for unknown ptrace options. + */ if (flags & ~(unsigned long)PTRACE_O_MASK) goto out; + retval = check_ptrace_options(flags); + if (retval) + return retval; flags = PT_PTRACED | PT_SEIZED | (flags << PT_OPT_FLAG_SHIFT); } else { flags = PT_PTRACED; @@ -656,22 +684,11 @@ int ptrace_writedata(struct task_struct static int ptrace_setoptions(struct task_struct *child, unsigned long data) { unsigned flags; + int ret; - if (data & ~(unsigned long)PTRACE_O_MASK) - return -EINVAL; - - if (unlikely(data & PTRACE_O_SUSPEND_SECCOMP)) { - if (!IS_ENABLED(CONFIG_CHECKPOINT_RESTORE) || - !IS_ENABLED(CONFIG_SECCOMP)) - return -EINVAL; - - if (!capable(CAP_SYS_ADMIN)) - return -EPERM; - - if (seccomp_mode(¤t->seccomp) != SECCOMP_MODE_DISABLED || - current->ptrace & PT_SUSPEND_SECCOMP) - return -EPERM; - } + ret = check_ptrace_options(data); + if (ret) + return ret; /* Avoid intermediate state when all opts are cleared */ flags = child->ptrace;