Drop long carried selinux ptraceme patch
Nobody is working on this in Fedora at the moment, and it really needs to come from upstream.
This commit is contained in:
parent
dce629e00c
commit
989a44de86
@ -724,9 +724,6 @@ Patch21247: ath9k_rx_dma_stop_check.patch
|
||||
|
||||
Patch22000: weird-root-dentry-name-debug.patch
|
||||
|
||||
#selinux ptrace child permissions
|
||||
Patch22001: selinux-apply-different-permission-to-ptrace-child.patch
|
||||
|
||||
Patch25047: drm-radeon-Disable-writeback-by-default-on-ppc.patch
|
||||
|
||||
#CVE-2013-4345 rhbz 1007690 1009136
|
||||
@ -1421,9 +1418,6 @@ ApplyPatch scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch
|
||||
|
||||
#pplyPatch weird-root-dentry-name-debug.patch
|
||||
|
||||
#selinux ptrace child permissions
|
||||
ApplyPatch selinux-apply-different-permission-to-ptrace-child.patch
|
||||
|
||||
# https://fedoraproject.org/wiki/Features/Checkpoint_Restore
|
||||
ApplyPatch criu-no-expert.patch
|
||||
|
||||
|
@ -1,162 +0,0 @@
|
||||
Some applications, like gdb, are able to ptrace both children or other
|
||||
completely unrelated tasks. We would like to be able to discern these two
|
||||
things and to be able to allow gdb to ptrace it's children, but not to be
|
||||
able to ptrace unrelated tasks for security reasons.
|
||||
|
||||
Upstream is a bit weary of this patch as it may be incomplete. They are
|
||||
not fundamentally opposed to the patch, I was just ask to see if I could
|
||||
flush out any needed refinement in Fedora where we already had the
|
||||
problem. We may find that we need to emulate the YAMA non-child
|
||||
registration module in order to completely deal with 'normal' ptrace on
|
||||
a system. At the moment however, this patch will at least let us get
|
||||
gdb working for many users in Fedora (See fedora-devel-list for a
|
||||
discussion of the current issues people are complaining about in F17
|
||||
without this)
|
||||
|
||||
---
|
||||
|
||||
security/selinux/hooks.c | 38 +++++++++++++++++++++++++++++++++++
|
||||
security/selinux/include/classmap.h | 2 +-
|
||||
security/selinux/include/security.h | 2 ++
|
||||
security/selinux/selinuxfs.c | 3 ++-
|
||||
security/selinux/ss/services.c | 3 +++
|
||||
5 files changed, 46 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
|
||||
index 1a4acf4..b226f26 100644
|
||||
--- a/security/selinux/hooks.c
|
||||
+++ b/security/selinux/hooks.c
|
||||
@@ -1805,6 +1805,39 @@ static inline u32 open_file_to_av(struct file *file)
|
||||
|
||||
/* Hook functions begin here. */
|
||||
|
||||
+/**
|
||||
+ * task_is_descendant - walk up a process family tree looking for a match
|
||||
+ * @parent: the process to compare against while walking up from child
|
||||
+ * @child: the process to start from while looking upwards for parent
|
||||
+ *
|
||||
+ * Returns 1 if child is a descendant of parent, 0 if not.
|
||||
+ */
|
||||
+static int task_is_descendant(struct task_struct *parent,
|
||||
+ struct task_struct *child)
|
||||
+{
|
||||
+ int rc = 0;
|
||||
+ struct task_struct *walker = child;
|
||||
+
|
||||
+ if (!parent || !child)
|
||||
+ return 0;
|
||||
+
|
||||
+ rcu_read_lock();
|
||||
+ if (!thread_group_leader(parent))
|
||||
+ parent = rcu_dereference(parent->group_leader);
|
||||
+ while (walker->pid > 0) {
|
||||
+ if (!thread_group_leader(walker))
|
||||
+ walker = rcu_dereference(walker->group_leader);
|
||||
+ if (walker == parent) {
|
||||
+ rc = 1;
|
||||
+ break;
|
||||
+ }
|
||||
+ walker = rcu_dereference(walker->real_parent);
|
||||
+ }
|
||||
+ rcu_read_unlock();
|
||||
+
|
||||
+ return rc;
|
||||
+}
|
||||
+
|
||||
static int selinux_ptrace_access_check(struct task_struct *child,
|
||||
unsigned int mode)
|
||||
{
|
||||
@@ -1820,6 +1853,9 @@ static int selinux_ptrace_access_check(struct task_struct *child,
|
||||
return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
|
||||
}
|
||||
|
||||
+
|
||||
+ if (selinux_policycap_ptrace_child && task_is_descendant(current, child))
|
||||
+ return current_has_perm(child, PROCESS__PTRACE_CHILD);
|
||||
return current_has_perm(child, PROCESS__PTRACE);
|
||||
}
|
||||
|
||||
@@ -1831,6 +1867,8 @@ static int selinux_ptrace_traceme(struct task_struct *parent)
|
||||
if (rc)
|
||||
return rc;
|
||||
|
||||
+ if (selinux_policycap_ptrace_child && task_is_descendant(parent, current))
|
||||
+ return task_has_perm(parent, current, PROCESS__PTRACE_CHILD);
|
||||
return task_has_perm(parent, current, PROCESS__PTRACE);
|
||||
}
|
||||
|
||||
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
|
||||
index 39e678c..72c08b9 100644
|
||||
--- a/security/selinux/include/classmap.h
|
||||
+++ b/security/selinux/include/classmap.h
|
||||
@@ -29,7 +29,7 @@ struct security_class_mapping secclass_map[] = {
|
||||
"getattr", "setexec", "setfscreate", "noatsecure", "siginh",
|
||||
"setrlimit", "rlimitinh", "dyntransition", "setcurrent",
|
||||
"execmem", "execstack", "execheap", "setkeycreate",
|
||||
- "setsockcreate", NULL } },
|
||||
+ "setsockcreate", "ptrace_child", NULL } },
|
||||
{ "system",
|
||||
{ "ipc_info", "syslog_read", "syslog_mod",
|
||||
"syslog_console", "module_request", NULL } },
|
||||
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
|
||||
index dde2005..ac14b0a 100644
|
||||
--- a/security/selinux/include/security.h
|
||||
+++ b/security/selinux/include/security.h
|
||||
@@ -68,12 +68,14 @@ extern int selinux_enabled;
|
||||
enum {
|
||||
POLICYDB_CAPABILITY_NETPEER,
|
||||
POLICYDB_CAPABILITY_OPENPERM,
|
||||
+ POLICYDB_CAPABILITY_PTRACE_CHILD,
|
||||
__POLICYDB_CAPABILITY_MAX
|
||||
};
|
||||
#define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
|
||||
|
||||
extern int selinux_policycap_netpeer;
|
||||
extern int selinux_policycap_openperm;
|
||||
+extern int selinux_policycap_ptrace_child;
|
||||
|
||||
/*
|
||||
* type_datum properties
|
||||
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
|
||||
index 4e93f9e..3379765 100644
|
||||
--- a/security/selinux/selinuxfs.c
|
||||
+++ b/security/selinux/selinuxfs.c
|
||||
@@ -44,7 +44,8 @@
|
||||
/* Policy capability filenames */
|
||||
static char *policycap_names[] = {
|
||||
"network_peer_controls",
|
||||
- "open_perms"
|
||||
+ "open_perms",
|
||||
+ "ptrace_child",
|
||||
};
|
||||
|
||||
unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
|
||||
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
|
||||
index 9b7e7ed..4d12a6e 100644
|
||||
--- a/security/selinux/ss/services.c
|
||||
+++ b/security/selinux/ss/services.c
|
||||
@@ -72,6 +72,7 @@
|
||||
|
||||
int selinux_policycap_netpeer;
|
||||
int selinux_policycap_openperm;
|
||||
+int selinux_policycap_ptrace_child;
|
||||
|
||||
static DEFINE_RWLOCK(policy_rwlock);
|
||||
|
||||
@@ -1812,6 +1813,8 @@ static void security_load_policycaps(void)
|
||||
POLICYDB_CAPABILITY_NETPEER);
|
||||
selinux_policycap_openperm = ebitmap_get_bit(&policydb.policycaps,
|
||||
POLICYDB_CAPABILITY_OPENPERM);
|
||||
+ selinux_policycap_ptrace_child = ebitmap_get_bit(&policydb.policycaps,
|
||||
+ POLICYDB_CAPABILITY_PTRACE_CHILD);
|
||||
}
|
||||
|
||||
static int security_preserve_bools(struct policydb *p);
|
||||
|
||||
|
||||
|
||||
|
||||
_______________________________________________
|
||||
kernel mailing list
|
||||
kernel@lists.fedoraproject.org
|
||||
https://admin.fedoraproject.org/mailman/listinfo/kernel
|
Loading…
Reference in New Issue
Block a user