android_kernel_oneplus_msm8998/include
Jann Horn e6ec611add BACKPORT: ptrace: use fsuid, fsgid, effective creds for fs access checks
This patch backports 969624b (which backports caaee6234d0 upstream),
from the v4.4-stable branch to the common/android-4.4 branch.

This patch is needed to provide the PTRACE_MODE_ATTACH_FSCREDS definition
which was used by the backported version of proc/<tid>/timerslack_ns
in change-id: Ie5799b9a3402a31f88cd46437dcda4a0e46415a7

commit caaee6234d05a58c5b4d05e7bf766131b810a657 upstream.

By checking the effective credentials instead of the real UID / permitted
capabilities, ensure that the calling process actually intended to use its
credentials.

To ensure that all ptrace checks use the correct caller credentials (e.g.
in case out-of-tree code or newly added code omits the PTRACE_MODE_*CREDS
flag), use two new flags and require one of them to be set.

The problem was that when a privileged task had temporarily dropped its
privileges, e.g.  by calling setreuid(0, user_uid), with the intent to
perform following syscalls with the credentials of a user, it still passed
ptrace access checks that the user would not be able to pass.

While an attacker should not be able to convince the privileged task to
perform a ptrace() syscall, this is a problem because the ptrace access
check is reused for things in procfs.

In particular, the following somewhat interesting procfs entries only rely
on ptrace access checks:

 /proc/$pid/stat - uses the check for determining whether pointers
     should be visible, useful for bypassing ASLR
 /proc/$pid/maps - also useful for bypassing ASLR
 /proc/$pid/cwd - useful for gaining access to restricted
     directories that contain files with lax permissions, e.g. in
     this scenario:
     lrwxrwxrwx root root /proc/13020/cwd -> /root/foobar
     drwx------ root root /root
     drwxr-xr-x root root /root/foobar
     -rw-r--r-- root root /root/foobar/secret

Therefore, on a system where a root-owned mode 6755 binary changes its
effective credentials as described and then dumps a user-specified file,
this could be used by an attacker to reveal the memory layout of root's
processes or reveal the contents of files he is not allowed to access
(through /proc/$pid/cwd).

[akpm@linux-foundation.org: fix warning]
Signed-off-by: Jann Horn <jann@thejh.net>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Casey Schaufler <casey@schaufler-ca.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: James Morris <james.l.morris@oracle.com>
Cc: "Serge E. Hallyn" <serge.hallyn@ubuntu.com>
Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[jstultz: Cherry-picked for common/android-4.4]
Signed-off-by: John Stultz <john.stultz@linaro.org>
2016-07-07 16:30:43 -07:00
..
acpi Merge branch 'acpi-pci' 2015-11-07 01:30:10 +01:00
asm-generic treewide: Remove old email address 2015-11-23 09:44:58 +01:00
clocksource
crypto Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2015-11-05 15:32:38 -08:00
drm drm/nouveau: Fix pre-nv50 pageflip events (v4) 2015-12-04 13:49:38 +10:00
dt-bindings ARM: DT updates for v4.4 2015-11-10 15:06:26 -08:00
keys KEYS: Merge the type-specific data with the payload data 2015-10-21 15:18:36 +01:00
kvm KVM: arm/arm64: arch_timer: Preserve physical dist. active state on LR.active 2015-11-24 18:07:40 +01:00
linux BACKPORT: ptrace: use fsuid, fsgid, effective creds for fs access checks 2016-07-07 16:30:43 -07:00
math-emu
media [media] v4l2: add support for SDR transmitter 2015-10-20 15:40:50 -02:00
memory
misc
net Revert "net: activity_stats: Add statistics for network transmission activity" 2016-04-25 22:19:46 +05:30
pcmcia
ras
rdma IB/mad: Require CM send method for everything except ClassPortInfo 2015-12-08 12:19:11 -05:00
rxrpc
scsi Merge branch 'mkp-fixes' into fixes 2015-12-03 09:32:33 -08:00
soc ARM: SoC driver updates for v4.4 2015-11-10 15:00:03 -08:00
sound Merge remote-tracking branch 'asoc/fix/dapm' into asoc-linus 2016-01-05 23:07:32 +00:00
target target: Fix race for SCF_COMPARE_AND_WRITE_POST checking 2015-11-28 19:33:15 -08:00
trace trace: cpufreq: fix typo in min/max cpufreq 2016-03-23 19:49:05 +00:00
uapi fuse: Add support for d_canonical_path 2016-04-25 19:16:11 -07:00
video video: adf: fbdev: add stubs for kernels without ADF_FBDEV 2016-02-16 13:53:22 -08:00
xen xen: Add RING_COPY_REQUEST() 2015-12-18 10:00:17 -05:00
Kbuild