From: Roland McGrath
To: Linus Torvalds, Andrew Morton
Cc: linux-kernel@vger.kernel.org
Cc: Oleg Nesterov
Subject: [PATCH] core dump: remain dumpable
Date: Wed, 10 Oct 2007 23:27:30 -0700 (PDT)
Message-Id: <20071011062730.19F774D026B@magilla.localdomain>

The coredump code always calls set_dumpable(0) when it starts (even if RLIMIT_CORE prevents any core from being dumped). The effect of this (via task_dumpable) is to make /proc/pid/* files owned by root instead of the user, so the user can no longer examine his own process--in a case where there was never any privileged data to protect. This affects e.g. auxv, environ, fd; in Fedora (execshield) kernels, also maps. In practice, you can only notice this when a debugger has requested PTRACE_EVENT_EXIT tracing.

As far as I know, set_dumpable was only used in do_coredump for synchronization and not intended for any security purpose. (It doesn't secure anything that wasn't already unsecured when a process dies by SIGTERM instead of SIGQUIT.)

This changes do_coredump to use a separate bit for its synchronization, so the "dumpable" bits remain the same.

Signed-off-by: Roland McGrath
---
 fs/exec.c             |    4 ++--
 include/linux/sched.h |    2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/fs/exec.c b/fs/exec.c index 073b0b8..7f1e355 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1727,7 +1727,8 @@ int do_coredump(long signr, int exit_code, struct pt_regs * regs) if (!binfmt || !binfmt->core_dump) goto fail; down_write(&mm->mmap_sem); - if (!get_dumpable(mm)) { + if (!get_dumpable(mm) || + test_and_set_bit(MMF_DUMP_STARTED, &mm->flags)) { up_write(&mm->mmap_sem); goto fail; } @@ -1741,7 +1742,6 @@ int do_coredump(long signr, int exit_code, struct pt_regs * regs) flag = O_EXCL; /* Stop rewrite attacks */ current->fsuid = 0; /* Dump root private */ } - set_dumpable(mm, 0); retval = coredump_wait(exit_code); if (retval < 0) diff --git a/include/linux/sched.h b/include/linux/sched.h index 1f274c2..33676ad 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -367,6 +367,8 @@ extern int get_dumpable(struct mm_struct *mm); #define MMF_DUMP_FILTER_DEFAULT \ ((1 << MMF_DUMP_ANON_PRIVATE) | (1 << MMF_DUMP_ANON_SHARED)) +#define MMF_DUMP_STARTED 16 /* some thread entered do_coredump already */ + struct mm_struct { struct vm_area_struct * mmap; /* list of VMAs */ struct rb_root mm_rb;
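Review bot: in the first fs/exec.c hunk the new `test_and_set_bit(MMF_DUMP_STARTED, &mm->flags)` is only reached once `!get_dumpable(mm)` is false, and both tests run under `down_write(&mm->mmap_sem)`, so it is the lock rather than the atomic test-and-set that serializes concurrent dumpers here. A one-line comment stating that the bit is an "already started" marker that is never cleared (the mm goes away with the process after do_coredump) would spare the next reader from hunting for the matching clear_bit, and would record that the test stays correct if the lock scope is ever narrowed.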
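Review bot: the `set_dumpable(mm, 0)` removed in the second fs/exec.c hunk sat directly after the branch that sets `current->fsuid = 0; /* Dump root private */`. The description argues that clearing dumpable protected no privileged data, but that argument is made for the ordinary unprivileged case; the commit message should say explicitly that leaving the mm dumpable while the dumping thread runs with root fsuid in this branch does not change what /proc/pid exposes, because that is the case a reviewer will ask about.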
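Review bot: in the include/linux/sched.h hunk `MMF_DUMP_STARTED` is a bare constant 16 placed right after `MMF_DUMP_FILTER_DEFAULT`, which is built from the named `MMF_DUMP_ANON_PRIVATE` and `MMF_DUMP_ANON_SHARED` bits. Either define it relative to the end of the dump-filter bit range or extend the comment to say it is deliberately placed above that range, so a later filter bit cannot silently collide with it; the comment could also name its lifetime, e.g. `/* set by do_coredump; never cleared, mm dies with the process */`.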