Received: by 2002:a05:6a10:6d10:0:0:0:0 with SMTP id gq16csp2811104pxb; Mon, 18 Apr 2022 08:43:00 -0700 (PDT) X-Google-Smtp-Source: ABdhPJy7agi9oAvZFw6BV+6/IdbM1q+FqC3OS1TumuJ1QCpIHH+Vqsolab/UFEza8346UjnubjOw X-Received: by 2002:a17:907:94c9:b0:6e8:ab67:829e with SMTP id dn9-20020a17090794c900b006e8ab67829emr9330579ejc.313.1650296580699; Mon, 18 Apr 2022 08:43:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1650296580; cv=none; d=google.com; s=arc-20160816; b=IdRQHaZwPwtjfzB8fhEHxMeoG0U7iDrko3j8Dl+egTG2O0+lRE1L4yI7Z1mi3e6sqb grmm8xOlaWjwliPSc71h5qoD98y0rZmq3h/BKHIDI1sZuPHGTYkqH4acUwk0GQ0cPoP8 dEeGBfXTrOZbNpElm/LzU/iL0R9MrugIDL2kTcML/D/ekVqLRJbXpKh2C+9MD7s0gQT8 0yGohzSd1u1xx+LQ+9mlYjplsIaymwGEe+MbQdQLM24ups43T9b+3PIo/JaFPBQt+NaY db8y733uXKwsXtxXBj/vYIE8/MgrH2YUKJXtS7RNLIYhPiDoO2XQDUseHj9WYR20eqDA L18w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=9RF5vruz+qnaNzeDJFd1YQ62XoJaL1CH6utsSu42Hhs=; b=PBu8Dxmcesh9EMi2JD5I2rEW2UZg/YNXVoOfx9onvUUJLE55JIN8YwW/18tDBOm2Vf PowpKNp3oHKMddKRxe2k5fTMHmU3dsYXJMS0lT8C/qM+W7pmhNmf27j+yebs4LzCo5Rp gwiJNwn5r9RDzyVYZnWTsyAikzUH6+a6XJNEaCx7JrQRJPnaHyExm6fEfyh5Stcgi6QX TO8M1ptsrwT70XjSWQokH/Hc0tpTJu8+NX8CGz2HXeKpSGH0dq2jBgCBESXfjqqimFXj FaL0CRo8++UQmY+GoQ7FzHJb1QSJ8Y94q8wWoiVa84KrPjQZjXiERqnHH67fUVWxi2hq t08g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=Pxoe6Hbx; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id g28-20020a056402321c00b0041d2fcc31a3si6074605eda.28.2022.04.18.08.42.36; Mon, 18 Apr 2022 08:43:00 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=Pxoe6Hbx; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S243730AbiDRNeQ (ORCPT + 99 others); Mon, 18 Apr 2022 09:34:16 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54000 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S241601AbiDRNIZ (ORCPT ); Mon, 18 Apr 2022 09:08:25 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3A98421827; Mon, 18 Apr 2022 05:47:47 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 832FA6124A; Mon, 18 Apr 2022 12:47:46 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 76BDFC385A7; Mon, 18 Apr 2022 12:47:45 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1650286065; bh=0EpLQqBQHjcTpSODKHXy71hIZ4eq3bpxMs0J0sqKlmw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Pxoe6HbxlLIdeEwGWUswFcDpFBqeuF9iOR5VSsujzqWCcM4QLtYzbBAeYtMFuoBZY SUTgaFJZvsPXwGfv/6aowBrSLPVclJNsRdkpSfo9Fadb+LTf26zWR0zgQunypWGGhm JH/Lqp2w/+LdpKPBxramBtrbMdx/A04elIqKzn84= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, stable@kernel.org, Jann Horn , "Eric W. Biederman" Subject: [PATCH 4.14 019/284] ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on PTRACE_SEIZE Date: Mon, 18 Apr 2022 14:10:00 +0200 Message-Id: <20220418121211.243931743@linuxfoundation.org> X-Mailer: git-send-email 2.35.3 In-Reply-To: <20220418121210.689577360@linuxfoundation.org> References: <20220418121210.689577360@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-7.7 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Jann Horn commit ee1fee900537b5d9560e9f937402de5ddc8412f3 upstream. Setting PTRACE_O_SUSPEND_SECCOMP is supposed to be a highly privileged operation because it allows the tracee to completely bypass all seccomp filters on kernels with CONFIG_CHECKPOINT_RESTORE=y. It is only supposed to be settable by a process with global CAP_SYS_ADMIN, and only if that process is not subject to any seccomp filters at all. However, while these permission checks were done on the PTRACE_SETOPTIONS path, they were missing on the PTRACE_SEIZE path, which also sets user-specified ptrace flags. Move the permissions checks out into a helper function and let both ptrace_attach() and ptrace_setoptions() call it. Cc: stable@kernel.org Fixes: 13c4a90119d2 ("seccomp: add ptrace options for suspend/resume") Signed-off-by: Jann Horn Link: https://lkml.kernel.org/r/20220319010838.1386861-1-jannh@google.com Signed-off-by: Eric W. Biederman Signed-off-by: Greg Kroah-Hartman --- kernel/ptrace.c | 47 ++++++++++++++++++++++++++++++++--------------- 1 file changed, 32 insertions(+), 15 deletions(-) --- a/kernel/ptrace.c +++ b/kernel/ptrace.c @@ -370,6 +370,26 @@ bool ptrace_may_access(struct task_struc return !err; } +static int check_ptrace_options(unsigned long data) +{ + if (data & ~(unsigned long)PTRACE_O_MASK) + return -EINVAL; + + if (unlikely(data & PTRACE_O_SUSPEND_SECCOMP)) { + if (!IS_ENABLED(CONFIG_CHECKPOINT_RESTORE) || + !IS_ENABLED(CONFIG_SECCOMP)) + return -EINVAL; + + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; + + if (seccomp_mode(¤t->seccomp) != SECCOMP_MODE_DISABLED || + current->ptrace & PT_SUSPEND_SECCOMP) + return -EPERM; + } + return 0; +} + static int ptrace_attach(struct task_struct *task, long request, unsigned long addr, unsigned long flags) @@ -381,8 +401,16 @@ static int ptrace_attach(struct task_str if (seize) { if (addr != 0) goto out; + /* + * This duplicates the check in check_ptrace_options() because + * ptrace_attach() and ptrace_setoptions() have historically + * used different error codes for unknown ptrace options. + */ if (flags & ~(unsigned long)PTRACE_O_MASK) goto out; + retval = check_ptrace_options(flags); + if (retval) + return retval; flags = PT_PTRACED | PT_SEIZED | (flags << PT_OPT_FLAG_SHIFT); } else { flags = PT_PTRACED; @@ -655,22 +683,11 @@ int ptrace_writedata(struct task_struct static int ptrace_setoptions(struct task_struct *child, unsigned long data) { unsigned flags; + int ret; - if (data & ~(unsigned long)PTRACE_O_MASK) - return -EINVAL; - - if (unlikely(data & PTRACE_O_SUSPEND_SECCOMP)) { - if (!IS_ENABLED(CONFIG_CHECKPOINT_RESTORE) || - !IS_ENABLED(CONFIG_SECCOMP)) - return -EINVAL; - - if (!capable(CAP_SYS_ADMIN)) - return -EPERM; - - if (seccomp_mode(¤t->seccomp) != SECCOMP_MODE_DISABLED || - current->ptrace & PT_SUSPEND_SECCOMP) - return -EPERM; - } + ret = check_ptrace_options(data); + if (ret) + return ret; /* Avoid intermediate state when all opts are cleared */ flags = child->ptrace;