Drop long carried selinux ptraceme patch
Nobody is working on this in Fedora at the moment, and it really needs to come from upstream.
This commit is contained in:
parent
dce629e00c
commit
989a44de86
@ -724,9 +724,6 @@ Patch21247: ath9k_rx_dma_stop_check.patch
|
|||||||
|
|
||||||
Patch22000: weird-root-dentry-name-debug.patch
|
Patch22000: weird-root-dentry-name-debug.patch
|
||||||
|
|
||||||
#selinux ptrace child permissions
|
|
||||||
Patch22001: selinux-apply-different-permission-to-ptrace-child.patch
|
|
||||||
|
|
||||||
Patch25047: drm-radeon-Disable-writeback-by-default-on-ppc.patch
|
Patch25047: drm-radeon-Disable-writeback-by-default-on-ppc.patch
|
||||||
|
|
||||||
#CVE-2013-4345 rhbz 1007690 1009136
|
#CVE-2013-4345 rhbz 1007690 1009136
|
||||||
@ -1421,9 +1418,6 @@ ApplyPatch scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch
|
|||||||
|
|
||||||
#pplyPatch weird-root-dentry-name-debug.patch
|
#pplyPatch weird-root-dentry-name-debug.patch
|
||||||
|
|
||||||
#selinux ptrace child permissions
|
|
||||||
ApplyPatch selinux-apply-different-permission-to-ptrace-child.patch
|
|
||||||
|
|
||||||
# https://fedoraproject.org/wiki/Features/Checkpoint_Restore
|
# https://fedoraproject.org/wiki/Features/Checkpoint_Restore
|
||||||
ApplyPatch criu-no-expert.patch
|
ApplyPatch criu-no-expert.patch
|
||||||
|
|
||||||
|
@ -1,162 +0,0 @@
|
|||||||
Some applications, like gdb, are able to ptrace both children or other
|
|
||||||
completely unrelated tasks. We would like to be able to discern these two
|
|
||||||
things and to be able to allow gdb to ptrace it's children, but not to be
|
|
||||||
able to ptrace unrelated tasks for security reasons.
|
|
||||||
|
|
||||||
Upstream is a bit weary of this patch as it may be incomplete. They are
|
|
||||||
not fundamentally opposed to the patch, I was just ask to see if I could
|
|
||||||
flush out any needed refinement in Fedora where we already had the
|
|
||||||
problem. We may find that we need to emulate the YAMA non-child
|
|
||||||
registration module in order to completely deal with 'normal' ptrace on
|
|
||||||
a system. At the moment however, this patch will at least let us get
|
|
||||||
gdb working for many users in Fedora (See fedora-devel-list for a
|
|
||||||
discussion of the current issues people are complaining about in F17
|
|
||||||
without this)
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
security/selinux/hooks.c | 38 +++++++++++++++++++++++++++++++++++
|
|
||||||
security/selinux/include/classmap.h | 2 +-
|
|
||||||
security/selinux/include/security.h | 2 ++
|
|
||||||
security/selinux/selinuxfs.c | 3 ++-
|
|
||||||
security/selinux/ss/services.c | 3 +++
|
|
||||||
5 files changed, 46 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
|
|
||||||
index 1a4acf4..b226f26 100644
|
|
||||||
--- a/security/selinux/hooks.c
|
|
||||||
+++ b/security/selinux/hooks.c
|
|
||||||
@@ -1805,6 +1805,39 @@ static inline u32 open_file_to_av(struct file *file)
|
|
||||||
|
|
||||||
/* Hook functions begin here. */
|
|
||||||
|
|
||||||
+/**
|
|
||||||
+ * task_is_descendant - walk up a process family tree looking for a match
|
|
||||||
+ * @parent: the process to compare against while walking up from child
|
|
||||||
+ * @child: the process to start from while looking upwards for parent
|
|
||||||
+ *
|
|
||||||
+ * Returns 1 if child is a descendant of parent, 0 if not.
|
|
||||||
+ */
|
|
||||||
+static int task_is_descendant(struct task_struct *parent,
|
|
||||||
+ struct task_struct *child)
|
|
||||||
+{
|
|
||||||
+ int rc = 0;
|
|
||||||
+ struct task_struct *walker = child;
|
|
||||||
+
|
|
||||||
+ if (!parent || !child)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ rcu_read_lock();
|
|
||||||
+ if (!thread_group_leader(parent))
|
|
||||||
+ parent = rcu_dereference(parent->group_leader);
|
|
||||||
+ while (walker->pid > 0) {
|
|
||||||
+ if (!thread_group_leader(walker))
|
|
||||||
+ walker = rcu_dereference(walker->group_leader);
|
|
||||||
+ if (walker == parent) {
|
|
||||||
+ rc = 1;
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+ walker = rcu_dereference(walker->real_parent);
|
|
||||||
+ }
|
|
||||||
+ rcu_read_unlock();
|
|
||||||
+
|
|
||||||
+ return rc;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static int selinux_ptrace_access_check(struct task_struct *child,
|
|
||||||
unsigned int mode)
|
|
||||||
{
|
|
||||||
@@ -1820,6 +1853,9 @@ static int selinux_ptrace_access_check(struct task_struct *child,
|
|
||||||
return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
|
|
||||||
}
|
|
||||||
|
|
||||||
+
|
|
||||||
+ if (selinux_policycap_ptrace_child && task_is_descendant(current, child))
|
|
||||||
+ return current_has_perm(child, PROCESS__PTRACE_CHILD);
|
|
||||||
return current_has_perm(child, PROCESS__PTRACE);
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1831,6 +1867,8 @@ static int selinux_ptrace_traceme(struct task_struct *parent)
|
|
||||||
if (rc)
|
|
||||||
return rc;
|
|
||||||
|
|
||||||
+ if (selinux_policycap_ptrace_child && task_is_descendant(parent, current))
|
|
||||||
+ return task_has_perm(parent, current, PROCESS__PTRACE_CHILD);
|
|
||||||
return task_has_perm(parent, current, PROCESS__PTRACE);
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
|
|
||||||
index 39e678c..72c08b9 100644
|
|
||||||
--- a/security/selinux/include/classmap.h
|
|
||||||
+++ b/security/selinux/include/classmap.h
|
|
||||||
@@ -29,7 +29,7 @@ struct security_class_mapping secclass_map[] = {
|
|
||||||
"getattr", "setexec", "setfscreate", "noatsecure", "siginh",
|
|
||||||
"setrlimit", "rlimitinh", "dyntransition", "setcurrent",
|
|
||||||
"execmem", "execstack", "execheap", "setkeycreate",
|
|
||||||
- "setsockcreate", NULL } },
|
|
||||||
+ "setsockcreate", "ptrace_child", NULL } },
|
|
||||||
{ "system",
|
|
||||||
{ "ipc_info", "syslog_read", "syslog_mod",
|
|
||||||
"syslog_console", "module_request", NULL } },
|
|
||||||
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
|
|
||||||
index dde2005..ac14b0a 100644
|
|
||||||
--- a/security/selinux/include/security.h
|
|
||||||
+++ b/security/selinux/include/security.h
|
|
||||||
@@ -68,12 +68,14 @@ extern int selinux_enabled;
|
|
||||||
enum {
|
|
||||||
POLICYDB_CAPABILITY_NETPEER,
|
|
||||||
POLICYDB_CAPABILITY_OPENPERM,
|
|
||||||
+ POLICYDB_CAPABILITY_PTRACE_CHILD,
|
|
||||||
__POLICYDB_CAPABILITY_MAX
|
|
||||||
};
|
|
||||||
#define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
|
|
||||||
|
|
||||||
extern int selinux_policycap_netpeer;
|
|
||||||
extern int selinux_policycap_openperm;
|
|
||||||
+extern int selinux_policycap_ptrace_child;
|
|
||||||
|
|
||||||
/*
|
|
||||||
* type_datum properties
|
|
||||||
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
|
|
||||||
index 4e93f9e..3379765 100644
|
|
||||||
--- a/security/selinux/selinuxfs.c
|
|
||||||
+++ b/security/selinux/selinuxfs.c
|
|
||||||
@@ -44,7 +44,8 @@
|
|
||||||
/* Policy capability filenames */
|
|
||||||
static char *policycap_names[] = {
|
|
||||||
"network_peer_controls",
|
|
||||||
- "open_perms"
|
|
||||||
+ "open_perms",
|
|
||||||
+ "ptrace_child",
|
|
||||||
};
|
|
||||||
|
|
||||||
unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
|
|
||||||
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
|
|
||||||
index 9b7e7ed..4d12a6e 100644
|
|
||||||
--- a/security/selinux/ss/services.c
|
|
||||||
+++ b/security/selinux/ss/services.c
|
|
||||||
@@ -72,6 +72,7 @@
|
|
||||||
|
|
||||||
int selinux_policycap_netpeer;
|
|
||||||
int selinux_policycap_openperm;
|
|
||||||
+int selinux_policycap_ptrace_child;
|
|
||||||
|
|
||||||
static DEFINE_RWLOCK(policy_rwlock);
|
|
||||||
|
|
||||||
@@ -1812,6 +1813,8 @@ static void security_load_policycaps(void)
|
|
||||||
POLICYDB_CAPABILITY_NETPEER);
|
|
||||||
selinux_policycap_openperm = ebitmap_get_bit(&policydb.policycaps,
|
|
||||||
POLICYDB_CAPABILITY_OPENPERM);
|
|
||||||
+ selinux_policycap_ptrace_child = ebitmap_get_bit(&policydb.policycaps,
|
|
||||||
+ POLICYDB_CAPABILITY_PTRACE_CHILD);
|
|
||||||
}
|
|
||||||
|
|
||||||
static int security_preserve_bools(struct policydb *p);
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
_______________________________________________
|
|
||||||
kernel mailing list
|
|
||||||
kernel@lists.fedoraproject.org
|
|
||||||
https://admin.fedoraproject.org/mailman/listinfo/kernel
|
|
Loading…
Reference in New Issue
Block a user