| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1493123038-30590-6-git-send-email-tixxdz@gmail.com>
Date: Tue, 25 Apr 2017 14:23:57 +0200
From: Djalal Harouni <tixxdz@...il.com>
To: Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Andy Lutomirski <luto@...nel.org>,
Kees Cook <keescook@...omium.org>,
Andrew Morton <akpm@...ux-foundation.org>,
linux-fsdevel@...r.kernel.org, kernel-hardening@...ts.openwall.com,
linux-security-module@...r.kernel.org
Cc: Linux API <linux-api@...r.kernel.org>,
Dongsu Park <dpark@...teo.net>,
Casey Schaufler <casey@...aufler-ca.com>,
James Morris <james.l.morris@...cle.com>, <serge@...lyn.com>,
Jeff Layton <jlayton@...chiereds.net>, <bfields@...ldses.org>,
Alexander Viro <viro@...iv.linux.org.uk>,
Alexey Dobriyan <adobriyan@...il.com>,
Ingo Molnar <mingo@...nel.org>, <ebiederm@...ssion.com>,
Oleg Nesterov <oleg@...hat.com>,
Michal Hocko <mhocko@...e.com>,
Jonathan Corbet <corbet@....net>,
Djalal Harouni <tixxdz@...il.com>
Subject: [PATCH RFC v2 5/6] proc: instantiate only pids that we can ptrace on 'limit_pids=1' mount option
If "limit_pids=1" mount option is set then do not instantiate pids that
we can not ptrace. "limit_pids=1" means that procfs should only contain
pids that the caller can ptrace.
Cc: Kees Cook <keescook@...omium.org>
Cc: Andy Lutomirski <luto@...nel.org>
Signed-off-by: Djalal Harouni <tixxdz@...il.com>
---
fs/proc/base.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/fs/proc/base.c b/fs/proc/base.c
index 2e0f661..a663284 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -3149,6 +3149,7 @@ struct dentry *proc_pid_lookup(struct inode *dir, struct dentry * dentry, unsign
unsigned tgid;
struct proc_fs_info *fs_info = proc_sb(dir->i_sb);
struct pid_namespace *ns = fs_info->pid_ns;
+ int limit_pids = proc_fs_limit_pids(fs_info);
tgid = name_to_int(&dentry->d_name);
if (tgid == ~0U)
@@ -3162,7 +3163,15 @@ struct dentry *proc_pid_lookup(struct inode *dir, struct dentry * dentry, unsign
if (!task)
goto out;
+ /* Limit procfs to only ptracable tasks */
+ if (limit_pids == PROC_LIMIT_PIDS_PTRACE) {
+ cond_resched();
+ if (!has_pid_permissions(fs_info, task, HIDEPID_NO_ACCESS))
+ goto out_put_task;
+ }
+
result = proc_pid_instantiate(dir, dentry, task, NULL);
+out_put_task:
put_task_struct(task);
out:
return ERR_PTR(result);
--
2.10.2
Powered by blists - more mailing lists