From 053da2e7bb563840470792f46fd8cccf9f32de83 Mon Sep 17 00:00:00 2001 From: Andrew Lukoshko Date: Fri, 15 May 2026 07:33:28 +0000 Subject: [PATCH] Bump version to 4.18.0-553.124.4 ptrace: require CAP_SYS_PTRACE when task has no mm kABI-safe AlmaLinux backport of upstream commit 31e62c2ebbfd ("ptrace: slightly saner 'get_dumpable()' logic"). The upstream fix adds a user_dumpable bit to task_struct and caches it from exit_mm() -- both layout changes would break the kABI signature of struct task_struct (referenced by stablelist exports such as __put_task_struct, sched_setscheduler, set_cpus_allowed_ptr, and wake_up_process). Instead, take the minimal kABI-safe slice: in __ptrace_may_access(), when task->mm == NULL, require CAP_SYS_PTRACE in init_user_ns unconditionally. This closes the Qualys Security Advisory hole without touching task_struct or exit.c. The only behavioural delta versus upstream is that an already-exited user task whose mm has been cleared now also requires CAP_SYS_PTRACE. --- ...1-ptrace-require-cap-on-mm-less-task.patch | 55 +++++++++++++++++++ SPECS/kernel.spec | 9 ++- 2 files changed, 62 insertions(+), 2 deletions(-) create mode 100644 SOURCES/1101-ptrace-require-cap-on-mm-less-task.patch diff --git a/SOURCES/1101-ptrace-require-cap-on-mm-less-task.patch b/SOURCES/1101-ptrace-require-cap-on-mm-less-task.patch new file mode 100644 index 000000000..a564748e2 --- /dev/null +++ b/SOURCES/1101-ptrace-require-cap-on-mm-less-task.patch 
@@ -0,0 +1,55 @@ +From: Andrew Lukoshko +Subject: [PATCH AlmaLinux 8] ptrace: require CAP_SYS_PTRACE when task has no mm + +kABI-safe AlmaLinux backport of upstream commit 31e62c2ebbfd +("ptrace: slightly saner 'get_dumpable()' logic") posted at +https://github.com/torvalds/linux/commit/31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a + +The upstream fix adds a 'user_dumpable:1' bit to task_struct and +caches the last dumpability in exit_mm() so __ptrace_may_access() +can require CAP_SYS_PTRACE when the target has no mm (e.g. kernel +threads or already-exited user tasks). That layout change to +task_struct breaks kABI on RHEL/AlmaLinux 8 (the symtype +signature of struct task_struct is referenced by stablelist exports +such as set_cpus_allowed_ptr() and wake_up_process()), so we cannot +import the field/exit_mm hunks as-is. + +Take the minimal kABI-safe slice instead: when task->mm == NULL, +require CAP_SYS_PTRACE in init_user_ns unconditionally. This closes +the Qualys Security Advisory hole -- mm-less targets no longer pass +the dumpability check by default -- without touching task_struct or +exit.c. The only behavioural delta versus upstream is that a user +task that has already cleared its mm in exit_mm() (a dying/zombie +task) now also requires CAP_SYS_PTRACE to attach, instead of being +remembered as previously dumpable. Such targets are rarely ptraced +in practice. + +Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no rejects) +against kernel-4.18.0-553.124.1.el8_10. 
+ +Reported-by: Qualys Security Advisory +Signed-off-by: Andrew Lukoshko +--- + kernel/ptrace.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/kernel/ptrace.c ++++ b/kernel/ptrace.c +@@ -351,8 +351,11 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode) + smp_rmb(); + mm = task->mm; +- if (mm && +- ((get_dumpable(mm) != SUID_DUMP_USER) && +- !ptrace_has_cap(mm->user_ns, mode))) +- return -EPERM; ++ if (mm) { ++ if ((get_dumpable(mm) != SUID_DUMP_USER) && ++ !ptrace_has_cap(mm->user_ns, mode)) ++ return -EPERM; ++ } else if (!ptrace_has_cap(&init_user_ns, mode)) { ++ return -EPERM; ++ } + + return security_ptrace_access_check(task, mode); +-- +2.43.0 diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec index 99df734b5..b9d43ab69 100644 --- a/SPECS/kernel.spec +++ b/SPECS/kernel.spec @@ -38,11 +38,11 @@ # define buildid .local %define specversion 4.18.0 -%define pkgrelease 553.124.3.el8_10 +%define pkgrelease 553.124.4.el8_10 %define tarfile_release 553.124.1.el8_10 # allow pkg_release to have configurable %%{?dist} tag -%define specrelease 553.124.3%{?dist} +%define specrelease 553.124.4%{?dist} %define pkg_release %{specrelease}%{?buildid} @@ -540,6 +540,7 @@ Patch2006: 0006-Bring-back-deprecated-pci-ids-to-lpfc-driver.patch Patch2007: 0007-Bring-back-deprecated-pci-ids-to-qla4xxx-driver.patch Patch2008: 0008-Bring-back-deprecated-pci-ids-to-be2iscsi-driver.patch Patch1100: 1100-net-skbuff-propagate-shared-frag-marker.patch +Patch1101: 1101-ptrace-require-cap-on-mm-less-task.patch # END OF PATCH DEFINITIONS @@ -1118,6 +1119,7 @@ ApplyPatch 0006-Bring-back-deprecated-pci-ids-to-lpfc-driver.patch ApplyPatch 0007-Bring-back-deprecated-pci-ids-to-qla4xxx-driver.patch ApplyPatch 0008-Bring-back-deprecated-pci-ids-to-be2iscsi-driver.patch ApplyPatch 1100-net-skbuff-propagate-shared-frag-marker.patch +ApplyPatch 1101-ptrace-require-cap-on-mm-less-task.patch # END OF PATCH APPLICATIONS 
@@ -2716,6 +2718,9 @@ fi # # %changelog +* Fri May 15 2026 Andrew Lukoshko - 4.18.0-553.124.4 +- ptrace: require CAP_SYS_PTRACE when task has no mm (kABI-safe) + * Thu May 14 2026 Eduard Abdullin - 4.18.0-553.124.3 - net: skbuff: propagate shared-frag marker through frag-transfer helpers
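Review bot: in the kernel/ptrace.c hunk inside SOURCES/1101-ptrace-require-cap-on-mm-less-task.patch, the new `} else if (!ptrace_has_cap(&init_user_ns, mode)) {` branch carries no comment, and the reason for consulting init_user_ns is only recoverable from the patch description. Add a one-line comment above the branch noting that with task->mm == NULL there is no mm->user_ns to check against (the mm branch uses mm->user_ns), so the capability is required in the initial namespace, and that this deliberately also covers user tasks whose mm has already been cleared, which is the documented delta from upstream 31e62c2ebbfd. Passing `mode` through to ptrace_has_cap() keeps the existing NOAUDIT handling for this path, which is worth stating in the same comment so a later reader does not try to "simplify" it to a bare capable() call.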
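Review bot: the %changelog entry added in the last SPECS/kernel.spec hunk names the change only as "ptrace: require CAP_SYS_PTRACE when task has no mm (kABI-safe)"; include the upstream commit id 31e62c2ebbfd and the Qualys Security Advisory reference that the SOURCES patch description already cites, so the package history is traceable from the spec alone. The version bump (553.124.3 to 553.124.4 in both %pkgrelease and %specrelease) and the paired Patch1101/ApplyPatch 1101 lines are consistent with each other and with %tarfile_release staying at 553.124.1, which matches the base the patch was verified against.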