Commit 69f594a38967 ("ptrace: do not audit capability check when outputing /proc/pid/stat") introduced the ability to opt out of audit messages for accesses to various proc files since they are not violations of policy. While doing so it somehow switched the check from ns_capable() to has_ns_capability{_noaudit}(). That means it switched from checking the subjective credentials of the task to using the objective credentials. I couldn't find the original lkml thread and so I don't know why this switch was done. But it seems wrong since ptrace_has_cap() is currently only used in ptrace_may_access(). And it's used to check whether the calling task (subject) has the CAP_SYS_PTRACE capability in the provided user namespace to operate on the target task (object). According to the cred.h comments this would mean the subjective credentials of the calling task need to be used. This switches it to use security_capable() because we only call ptrace_has_cap() in ptrace_may_access() and in there we already have a stable reference to the calling tasks creds under rcu_read_lock() so there's no need to go through another series of dereferences and rcu locking done in ns_capable{_noaudit}().

As one example where this might be particularly problematic, Jann pointed out that in combination with the upcoming IORING_OP_OPENAT feature, this bug might allow unprivileged users to bypass the capability checks while asynchronously opening files like /proc/*/mem, because the capability checks for this would be performed against kernel credentials.

Cc: Kees Cook keescook@chromium.org Cc: Oleg Nesterov oleg@redhat.com Cc: Eric Paris eparis@redhat.com Cc: stable@vger.kernel.org Reviewed-by: Serge Hallyn serge@hallyn.com Reviewed-by: Jann Horn jannh@google.com Fixes: 69f594a38967 ("ptrace: do not audit capability check when outputing /proc/pid/stat") Signed-off-by: Christian Brauner christian.brauner@ubuntu.com --- /* v1 */ Link: https://lore.kernel.org/r/20200115171736.16994-1-christian.brauner@ubuntu.co...

/* v2 */ Link: https://lore.kernel.org/r/20200116224518.30598-1-christian.brauner@ubuntu.co... - Christian Brauner christian.brauner@ubuntu.com: - fix incorrect CAP_OPT_NOAUDIT, CAPT_OPT_NONE order

/* v3 */ - Kees Cook keescook@chromium.org: - remove misleading reference to cread guard mutex from commit message - replace if-branches with ternary ?: operator --- kernel/ptrace.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/kernel/ptrace.c b/kernel/ptrace.c index cb9ddcc08119..6eb3ccf180e0 100644 --- a/kernel/ptrace.c +++ b/kernel/ptrace.c @@ -264,12 +264,12 @@ static int ptrace_check_attach(struct task_struct *child, bool ignore_state) return ret; }

-static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode) +static int ptrace_has_cap(const struct cred *cred, struct user_namespace *ns, + unsigned int mode) { - if (mode & PTRACE_MODE_NOAUDIT) - return has_ns_capability_noaudit(current, ns, CAP_SYS_PTRACE); - else - return has_ns_capability(current, ns, CAP_SYS_PTRACE); + return security_capable(cred, ns, CAP_SYS_PTRACE, + (mode & PTRACE_MODE_NOAUDIT) ? CAP_OPT_NOAUDIT : + CAP_OPT_NONE); }

/* Returns 0 on success, -errno on denial. */ @@ -321,7 +321,7 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode) gid_eq(caller_gid, tcred->sgid) && gid_eq(caller_gid, tcred->gid)) goto ok; - if (ptrace_has_cap(tcred->user_ns, mode)) + if (ptrace_has_cap(cred, tcred->user_ns, mode)) goto ok; rcu_read_unlock(); return -EPERM; @@ -340,7 +340,7 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode) mm = task->mm; if (mm && ((get_dumpable(mm) != SUID_DUMP_USER) && - !ptrace_has_cap(mm->user_ns, mode))) + !ptrace_has_cap(cred, mm->user_ns, mode))) return -EPERM;

return security_ptrace_access_check(task, mode);

base-commit: b3a987b0264d3ddbb24293ebff10eddfc472f653