alistair23-linux

redonkable

Fork of alistair23 Linux kernel for reMarkable from https://github.com/alistair23/linux

Go to file

Christian Brauner a26a635887 ptrace: reintroduce usage of subjective credentials in ptrace_has_cap() commit `6b3ad6649a` upstream. Commit `69f594a389` ("ptrace: do not audit capability check when outputing /proc/pid/stat") introduced the ability to opt out of audit messages for accesses to various proc files since they are not violations of policy. While doing so it somehow switched the check from ns_capable() to has_ns_capability{_noaudit}(). That means it switched from checking the subjective credentials of the task to using the objective credentials. This is wrong since. ptrace_has_cap() is currently only used in ptrace_may_access() And is used to check whether the calling task (subject) has the CAP_SYS_PTRACE capability in the provided user namespace to operate on the target task (object). According to the cred.h comments this would mean the subjective credentials of the calling task need to be used. This switches ptrace_has_cap() to use security_capable(). Because we only call ptrace_has_cap() in ptrace_may_access() and in there we already have a stable reference to the calling task's creds under rcu_read_lock() there's no need to go through another series of dereferences and rcu locking done in ns_capable{_noaudit}(). As one example where this might be particularly problematic, Jann pointed out that in combination with the upcoming IORING_OP_OPENAT feature, this bug might allow unprivileged users to bypass the capability checks while asynchronously opening files like /proc/*/mem, because the capability checks for this would be performed against kernel credentials. To illustrate on the former point about this being exploitable: When io_uring creates a new context it records the subjective credentials of the caller. Later on, when it starts to do work it creates a kernel thread and registers a callback. The callback runs with kernel creds for ktask->real_cred and ktask->cred. To prevent this from becoming a full-blown 0-day io_uring will call override_cred() and override ktask->cred with the subjective credentials of the creator of the io_uring instance. With ptrace_has_cap() currently looking at ktask->real_cred this override will be ineffective and the caller will be able to open arbitray proc files as mentioned above. Luckily, this is currently not exploitable but will turn into a 0-day once IORING_OP_OPENAT{2} land in v5.6. Fix it now! Cc: Oleg Nesterov <oleg@redhat.com> Cc: Eric Paris <eparis@redhat.com> Cc: stable@vger.kernel.org Reviewed-by: Kees Cook <keescook@chromium.org> Reviewed-by: Serge Hallyn <serge@hallyn.com> Reviewed-by: Jann Horn <jannh@google.com> Fixes: `69f594a389` ("ptrace: do not audit capability check when outputing /proc/pid/stat") Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>		2020-01-23 08:22:36 +01:00
Documentation	mei: fix modalias documentation	2020-01-17 19:48:48 +01:00
LICENSES	LICENSES: Rename other to deprecated	2019-05-03 06:34:32 -06:00
arch	ARM: davinci: select CONFIG_RESET_CONTROLLER	2020-01-23 08:22:32 +01:00
block	block: fix an integer overflow in logical block size	2020-01-23 08:22:32 +01:00
certs	PKCS#7: Refactor verify_pkcs7_signature()	2019-08-05 18:40:18 -04:00
crypto	crypto: algif_skcipher - Use chunksize instead of blocksize	2020-01-17 19:48:46 +01:00
drivers	scsi: mptfusion: Fix double fetch bug in ioctl	2020-01-23 08:22:35 +01:00
fs	io_uring: only allow submit from owning task	2020-01-23 08:22:32 +01:00
include	block: fix an integer overflow in logical block size	2020-01-23 08:22:32 +01:00
init	Merge branch 'next-lockdown' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security	2019-09-28 08:14:15 -07:00
ipc	ipc/sem.c: convert to use built-in RCU list checking	2019-09-25 17:51:41 -07:00
kernel	ptrace: reintroduce usage of subjective credentials in ptrace_has_cap()	2020-01-23 08:22:36 +01:00
lib	sbitmap: only queue kyber's wait callback if not already active	2020-01-12 12:21:44 +01:00
mm	uaccess: Add non-pagefault user-space write function	2020-01-17 19:48:40 +01:00
net	rxrpc: Fix missing security check on incoming calls	2020-01-17 19:49:05 +01:00
samples	samples: bpf: fix syscall_tp due to unused syscall	2020-01-12 12:21:26 +01:00
scripts	kbuild/deb-pkg: annotate libelf-dev dependency as :native	2020-01-17 19:49:07 +01:00
security	tomoyo: Suppress RCU warning at list_for_each_entry_rcu().	2020-01-17 19:49:05 +01:00
sound	ALSA: usb-audio: fix sync-ep altsetting sanity check	2020-01-23 08:22:31 +01:00
tools	rseq/selftests: Turn off timeout setting	2020-01-17 19:49:04 +01:00
usr	gen_initramfs_list.sh: fix 'bad variable name' error	2020-01-09 10:20:00 +01:00
virt	KVM: arm/arm64: Properly handle faulting of device mappings	2019-12-31 16:46:24 +01:00
.clang-format	clang-format: Update with the latest for_each macro list	2019-08-31 10:00:51 +02:00
.cocciconfig	scripts: add Linux .cocciconfig for coccinelle	2016-07-22 12:13:39 +02:00
.get_maintainer.ignore	Opt out of scripts/get_maintainer.pl	2019-05-16 10:53:40 -07:00
.gitattributes	.gitattributes: set git diff driver for C source code files	2016-10-07 18:46:30 -07:00
.gitignore	Modules updates for v5.4	2019-09-22 10:34:46 -07:00
.mailmap	ARM: SoC fixes	2019-11-10 13:41:59 -08:00
COPYING	COPYING: use the new text with points to the license files	2018-03-23 12:41:45 -06:00
CREDITS	MAINTAINERS: Remove Simon as Renesas SoC Co-Maintainer	2019-10-10 08:12:51 -07:00
Kbuild	kbuild: do not descend to ./Kbuild when cleaning	2019-08-21 21:03:58 +09:00
Kconfig	docs: kbuild: convert docs to ReST and rename to *.rst	2019-06-14 14:21:21 -06:00
MAINTAINERS	MAINTAINERS: Append missed file to the database	2020-01-17 19:48:28 +01:00
Makefile	Linux 5.4.13	2020-01-17 19:49:08 +01:00
README	Drop all 00-INDEX files from Documentation/	2018-09-09 15:08:58 -06:00

README

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.