Bump version to 4.18.0-553.124.2.rt7.465

ptrace: require CAP_SYS_PTRACE when task has no mm

kABI-safe AlmaLinux backport of upstream commit 31e62c2ebbfd
("ptrace: slightly saner 'get_dumpable()' logic"). Mirrors the patch
shipped on the AlmaLinux 8 main kernel branch at 553.124.4.

The upstream fix adds a user_dumpable bit to task_struct -- that
layout change breaks the kABI signature of struct task_struct,
which is referenced by stablelist exports such as __put_task_struct,
sched_setscheduler, set_cpus_allowed_ptr, and wake_up_process.

Instead, take the minimal kABI-safe slice: in __ptrace_may_access(),
when task->mm == NULL, require CAP_SYS_PTRACE in init_user_ns
unconditionally. This closes the Qualys Security Advisory hole
without touching task_struct or exit.c. The only behavioural delta
versus upstream is that an already-exited user task whose mm has
been cleared now also requires CAP_SYS_PTRACE.

Reintroduce the tarfile_release indirection so pkgrelease can
advance independently of the imported source tarball.

SOURCES/1100-ptrace-require-cap-on-mm-less-task.patch

@@ -0,0 +1,57 @@
+From: Andrew Lukoshko <alukoshko@almalinux.org>
+Subject: [PATCH AlmaLinux 8 RT] ptrace: require CAP_SYS_PTRACE when task has no mm
+
+kABI-safe AlmaLinux backport of upstream commit 31e62c2ebbfd
+("ptrace: slightly saner 'get_dumpable()' logic") posted at
+https://github.com/torvalds/linux/commit/31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a
+
+The upstream fix adds a 'user_dumpable:1' bit to task_struct and
+caches the last dumpability in exit_mm() so __ptrace_may_access()
+can require CAP_SYS_PTRACE when the target has no mm (e.g. kernel
+threads or already-exited user tasks). That layout change to
+task_struct breaks kABI on RHEL/AlmaLinux 8 (the symtype signature
+of struct task_struct is referenced by stablelist exports such as
+__put_task_struct(), sched_setscheduler(), set_cpus_allowed_ptr()
+and wake_up_process()), so we cannot import the field/exit_mm
+hunks as-is. AlmaLinux 8's exit_mm() also predates the upstream
+rewrite that the second hunk targets.
+
+Take the minimal kABI-safe slice instead: when task->mm == NULL,
+require CAP_SYS_PTRACE in init_user_ns unconditionally. This closes
+the Qualys Security Advisory hole -- mm-less targets no longer pass
+the dumpability check by default -- without touching task_struct or
+exit.c. The only behavioural delta versus upstream is that a user
+task that has already cleared its mm in exit_mm() (a dying/zombie
+task) now also requires CAP_SYS_PTRACE to attach, instead of being
+remembered as previously dumpable. Such targets are rarely ptraced
+in practice.
+
+Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no rejects)
+against kernel-rt-4.18.0-553.124.1.rt7.465.el8_10.
+
+Reported-by: Qualys Security Advisory <qsa@qualys.com>
+Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
+---
+ kernel/ptrace.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -375,8 +375,11 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
+ 	smp_rmb();
+ 	mm = task->mm;
+-	if (mm &&
+-	    ((get_dumpable(mm) != SUID_DUMP_USER) &&
+-	     !ptrace_has_cap(mm->user_ns, mode)))
+-	    return -EPERM;
++	if (mm) {
++		if ((get_dumpable(mm) != SUID_DUMP_USER) &&
++		    !ptrace_has_cap(mm->user_ns, mode))
++			return -EPERM;
++	} else if (!ptrace_has_cap(&init_user_ns, mode)) {
++		return -EPERM;
++	}
+ 
+ 	return security_ptrace_access_check(task, mode);
+--
+2.43.0

SPECS/kernel.spec

@@ -38,10 +38,11 @@
 # define buildid .local
 
 %define specversion 4.18.0
-%define pkgrelease 553.124.1.rt7.465.el8_10
+%define pkgrelease 553.124.2.rt7.465.el8_10
+%define tarfile_release 553.124.1.rt7.465.el8_10
 
 # allow pkg_release to have configurable %%{?dist} tag
-%define specrelease 553.124.1.rt7.465%{?dist}
+%define specrelease 553.124.2.rt7.465%{?dist}
 
 %define pkg_release %{specrelease}%{?buildid}
 
@@ -435,7 +436,7 @@ BuildRequires: xmlto
 BuildRequires: asciidoc
 %endif
 
-Source0: linux-%{specversion}-%{pkgrelease}.tar.xz
+Source0: linux-%{specversion}-%{tarfile_release}.tar.xz
 
 Source9: x509.genkey
 
@@ -535,6 +536,7 @@ Patch2005: 0005-Bring-back-deprecated-pci-ids-to-qla2xxx-driver.patch
 Patch2006: 0006-Bring-back-deprecated-pci-ids-to-lpfc-driver.patch
 Patch2007: 0007-Bring-back-deprecated-pci-ids-to-qla4xxx-driver.patch
 Patch2008: 0008-Bring-back-deprecated-pci-ids-to-be2iscsi-driver.patch
+Patch1100: 1100-ptrace-require-cap-on-mm-less-task.patch
 
 # END OF PATCH DEFINITIONS
 
@@ -1092,8 +1094,8 @@ ApplyOptionalPatch()
   fi
 }
 
-%setup -q -n %{name}-%{specversion}-%{pkgrelease} -c
-mv linux-%{specversion}-%{pkgrelease} linux-%{KVERREL}
+%setup -q -n %{name}-%{specversion}-%{tarfile_release} -c
+mv linux-%{specversion}-%{tarfile_release} linux-%{KVERREL}
 
 cd linux-%{KVERREL}
 
@@ -1108,6 +1110,7 @@ ApplyPatch 0005-Bring-back-deprecated-pci-ids-to-qla2xxx-driver.patch
 ApplyPatch 0006-Bring-back-deprecated-pci-ids-to-lpfc-driver.patch
 ApplyPatch 0007-Bring-back-deprecated-pci-ids-to-qla4xxx-driver.patch
 ApplyPatch 0008-Bring-back-deprecated-pci-ids-to-be2iscsi-driver.patch
+ApplyPatch 1100-ptrace-require-cap-on-mm-less-task.patch
 
 # END OF PATCH APPLICATIONS
 
@@ -2711,6 +2714,10 @@ fi
 #
 #
 %changelog
+* Fri May 15 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 4.18.0-553.124.2.rt7.465
+- ptrace: require CAP_SYS_PTRACE when task has no mm (kABI-safe backport
+  of upstream 31e62c2ebbfd, Qualys Security Advisory)
+
 * Tue May 12 2026 Andrei Lukoshko <alukoshko@almalinux.org> - 4.18.0-553.124.1.rt7.465
 - hpsa: bring back deprecated PCI ids #CFHack #CFHack2024
 - mptsas: bring back deprecated PCI ids #CFHack #CFHack2024