| author | Jann Horn <jann@thejh.net> | |
| Wed, 14 Dec 2016 12:24:53 +0000 (13:24 +0100) | ||
| committer | Sasha Levin <alexander.levin@verizon.com> | |
| Fri, 23 Dec 2016 13:56:36 +0000 (08:56 -0500) | ||
| commit | 74cd81c810b98e9373b8ebd2981b5bd3bbee1ae1 | |
| tree | 84e4f8d295d2f9fd27963c7576d95f1a2de137fe | tree | snapshot (tar.xz tar.gz zip) |
| parent | 8165fc3eb28cbd2e4cca07308f3a205ab347a9d1 | commit | diff |
ptrace: being capable wrt a process requires mapped uids/gids
[ bugfix/all/ptrace-being-capable-wrt-a-process-requires-mapped-uids-gids.patch ]
ptrace_has_cap() checks whether the current process should be
treated as having a certain capability for ptrace checks
against another process. Until now, this was equivalent to
has_ns_capability(current, target_ns, CAP_SYS_PTRACE).
However, if a root-owned process wants to enter a user
namespace for some reason without knowing who owns it and
therefore can't change to the namespace owner's uid and gid
before entering, as soon as it has entered the namespace,
the namespace owner can attach to it via ptrace and thereby
gain access to its uid and gid.
While it is possible for the entering process to switch to
the uid of a claimed namespace owner before entering,
causing the attempt to enter to fail if the claimed uid is
wrong, this doesn't solve the problem of determining an
appropriate gid.
With this change, the entering process can first enter the
namespace and then safely inspect the namespace's
properties, e.g. through /proc/self/{uid_map,gid_map},
assuming that the namespace owner doesn't have access to
uid 0.
Changed in v2: The caller needs to be capable in the
namespace into which tcred's uids/gids can be mapped.
Rederences: CVE-2015-8709
References: https://lkml.org/lkml/2015/12/25/71
Signed-off-by: Jann Horn <jann@thejh.net>
Signed-off-by: Philipp Hahn <hahn@univention.de>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
[ bugfix/all/ptrace-being-capable-wrt-a-process-requires-mapped-uids-gids.patch ]
ptrace_has_cap() checks whether the current process should be
treated as having a certain capability for ptrace checks
against another process. Until now, this was equivalent to
has_ns_capability(current, target_ns, CAP_SYS_PTRACE).
However, if a root-owned process wants to enter a user
namespace for some reason without knowing who owns it and
therefore can't change to the namespace owner's uid and gid
before entering, as soon as it has entered the namespace,
the namespace owner can attach to it via ptrace and thereby
gain access to its uid and gid.
While it is possible for the entering process to switch to
the uid of a claimed namespace owner before entering,
causing the attempt to enter to fail if the claimed uid is
wrong, this doesn't solve the problem of determining an
appropriate gid.
With this change, the entering process can first enter the
namespace and then safely inspect the namespace's
properties, e.g. through /proc/self/{uid_map,gid_map},
assuming that the namespace owner doesn't have access to
uid 0.
Changed in v2: The caller needs to be capable in the
namespace into which tcred's uids/gids can be mapped.
Rederences: CVE-2015-8709
References: https://lkml.org/lkml/2015/12/25/71
Signed-off-by: Jann Horn <jann@thejh.net>
Signed-off-by: Philipp Hahn <hahn@univention.de>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
| kernel/ptrace.c | diff | blob | history |