Re: [PATCH] capability: Fix bug in checking capabilties in ptrace system call
From: Chris Wright
Date: Thu Mar 09 2006 - 05:57:45 EST
* Ram Gupta (ram.gupta5@xxxxxxxxx) wrote:
> This patch fixes a bug of ptrace for PTRACE_TRACEME request. In this
> case the call is made by the child process & code needs to check the
> capabilty of the parent process to trace the child process but code
> incorrectly makes check for the child process.
Actually, that check is never triggered, for slightly subtle reason.
> Signed-off-by: Ram Gupta <ram.gupta5@xxxxxxxxx>
>
> --- linux-2.6.14-patch-2.6.15/security/commoncap.c.orig Wed Mar 8 13:54:06 2006
> +++ linux-2.6.14-patch-2.6.15/security/commoncap.c Wed Mar 8 13:57:07 2006
> @@ -59,9 +59,13 @@ int cap_settime(struct timespec *ts, str
> int cap_ptrace (struct task_struct *parent, struct task_struct *child)
> {
> /* Derived from arch/i386/kernel/ptrace.c:sys_ptrace. */
> - if (!cap_issubset (child->cap_permitted, current->cap_permitted) &&
In the context of TRACEME, child == current.
Historically, there's been no default security check for TRACEME, so
a change here has some small chance of breaking things (which would
be fine for plugging a real security hole). Parent less privileged
than child which did TRACEME is a bit of a contrived case, so security
implications aren't so worrisome. Modules like SELinux will actually
check this case, and should properly restrict. We can try a change in
-mm for a while.
> - !capable(CAP_SYS_PTRACE))
> - return -EPERM;
> + if (!cap_issubset (child->cap_permitted, current->cap_permitted)){
> + if(!security_ops->capable(parent,CAP_SYS_PTRACE)){
This is not valid when !CONFIG_SECURITY.
thanks,
-chris
--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/