- SELinux apply a different permission to ptrace a child vs non-child

- Reenable debug
This commit is contained in:
Justin M. Forbes 2012-04-09 16:40:04 -05:00
parent 232e1a44c9
commit 1d7d6c12f3
5 changed files with 236 additions and 62 deletions

View File

@ -1464,13 +1464,13 @@ CONFIG_B43_SDIO=y
CONFIG_B43_BCMA=y
# CONFIG_B43_BCMA_EXTRA is not set
CONFIG_B43_BCMA_PIO=y
# CONFIG_B43_DEBUG is not set
CONFIG_B43_DEBUG=y
CONFIG_B43_PHY_LP=y
CONFIG_B43_PHY_N=y
CONFIG_B43_PHY_HT=y
# CONFIG_B43_FORCE_PIO is not set
CONFIG_B43LEGACY=m
# CONFIG_B43LEGACY_DEBUG is not set
CONFIG_B43LEGACY_DEBUG=y
CONFIG_B43LEGACY_DMA=y
CONFIG_B43LEGACY_PIO=y
CONFIG_B43LEGACY_DMA_AND_PIO_MODE=y
@ -3054,7 +3054,7 @@ CONFIG_USB_STORAGE_REALTEK=m
CONFIG_REALTEK_AUTOPM=y
CONFIG_USB_STORAGE_ENE_UB6250=m
# CONFIG_USB_LIBUSUAL is not set
# CONFIG_USB_UAS is not set
CONFIG_USB_UAS=m
#
@ -3959,7 +3959,7 @@ CONFIG_IBMASR=m
CONFIG_PM_DEBUG=y
CONFIG_PM_TRACE=y
CONFIG_PM_TRACE_RTC=y
# CONFIG_PM_TEST_SUSPEND is not set
CONFIG_PM_TEST_SUSPEND=y
CONFIG_PM_RUNTIME=y
# CONFIG_PM_OPP is not set

View File

@ -2,109 +2,109 @@ CONFIG_SND_VERBOSE_PRINTK=y
CONFIG_SND_DEBUG=y
CONFIG_SND_PCM_XRUN_DEBUG=y
# CONFIG_DEBUG_ATOMIC_SLEEP is not set
CONFIG_DEBUG_ATOMIC_SLEEP=y
# CONFIG_DEBUG_MUTEXES is not set
# CONFIG_DEBUG_RT_MUTEXES is not set
# CONFIG_DEBUG_LOCK_ALLOC is not set
# CONFIG_PROVE_LOCKING is not set
# CONFIG_DEBUG_SPINLOCK is not set
# CONFIG_PROVE_RCU is not set
CONFIG_DEBUG_MUTEXES=y
CONFIG_DEBUG_RT_MUTEXES=y
CONFIG_DEBUG_LOCK_ALLOC=y
CONFIG_PROVE_LOCKING=y
CONFIG_DEBUG_SPINLOCK=y
CONFIG_PROVE_RCU=y
# CONFIG_PROVE_RCU_REPEATEDLY is not set
# CONFIG_DEBUG_PER_CPU_MAPS is not set
CONFIG_DEBUG_PER_CPU_MAPS=y
CONFIG_CPUMASK_OFFSTACK=y
# CONFIG_CPU_NOTIFIER_ERROR_INJECT is not set
CONFIG_CPU_NOTIFIER_ERROR_INJECT=m
# CONFIG_FAULT_INJECTION is not set
# CONFIG_FAILSLAB is not set
# CONFIG_FAIL_PAGE_ALLOC is not set
# CONFIG_FAIL_MAKE_REQUEST is not set
# CONFIG_FAULT_INJECTION_DEBUG_FS is not set
# CONFIG_FAULT_INJECTION_STACKTRACE_FILTER is not set
# CONFIG_FAIL_IO_TIMEOUT is not set
# CONFIG_FAIL_MMC_REQUEST is not set
CONFIG_FAULT_INJECTION=y
CONFIG_FAILSLAB=y
CONFIG_FAIL_PAGE_ALLOC=y
CONFIG_FAIL_MAKE_REQUEST=y
CONFIG_FAULT_INJECTION_DEBUG_FS=y
CONFIG_FAULT_INJECTION_STACKTRACE_FILTER=y
CONFIG_FAIL_IO_TIMEOUT=y
CONFIG_FAIL_MMC_REQUEST=y
# CONFIG_SLUB_DEBUG_ON is not set
CONFIG_SLUB_DEBUG_ON=y
# CONFIG_LOCK_STAT is not set
CONFIG_LOCK_STAT=y
# CONFIG_DEBUG_STACK_USAGE is not set
CONFIG_DEBUG_STACK_USAGE=y
# CONFIG_ACPI_DEBUG is not set
CONFIG_ACPI_DEBUG=y
# CONFIG_ACPI_DEBUG_FUNC_TRACE is not set
# CONFIG_DEBUG_SG is not set
CONFIG_DEBUG_SG=y
# CONFIG_DEBUG_PAGEALLOC is not set
# CONFIG_DEBUG_WRITECOUNT is not set
# CONFIG_DEBUG_OBJECTS is not set
CONFIG_DEBUG_WRITECOUNT=y
CONFIG_DEBUG_OBJECTS=y
# CONFIG_DEBUG_OBJECTS_SELFTEST is not set
# CONFIG_DEBUG_OBJECTS_FREE is not set
# CONFIG_DEBUG_OBJECTS_TIMERS is not set
# CONFIG_DEBUG_OBJECTS_RCU_HEAD is not set
CONFIG_DEBUG_OBJECTS_FREE=y
CONFIG_DEBUG_OBJECTS_TIMERS=y
CONFIG_DEBUG_OBJECTS_RCU_HEAD=y
CONFIG_DEBUG_OBJECTS_ENABLE_DEFAULT=1
# CONFIG_X86_PTDUMP is not set
CONFIG_X86_PTDUMP=y
# CONFIG_CAN_DEBUG_DEVICES is not set
CONFIG_CAN_DEBUG_DEVICES=y
# CONFIG_MODULE_FORCE_UNLOAD is not set
CONFIG_MODULE_FORCE_UNLOAD=y
# CONFIG_SYSCTL_SYSCALL_CHECK is not set
CONFIG_SYSCTL_SYSCALL_CHECK=y
# CONFIG_DEBUG_NOTIFIERS is not set
CONFIG_DEBUG_NOTIFIERS=y
# CONFIG_DMA_API_DEBUG is not set
CONFIG_DMA_API_DEBUG=y
# CONFIG_MMIOTRACE is not set
CONFIG_MMIOTRACE=y
# CONFIG_DEBUG_CREDENTIALS is not set
CONFIG_DEBUG_CREDENTIALS=y
# off in both production debug and nodebug builds,
# on in rawhide nodebug builds
# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
CONFIG_DEBUG_FORCE_WEAK_PER_CPU=y
# CONFIG_EXT4_DEBUG is not set
CONFIG_EXT4_DEBUG=y
# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
CONFIG_DEBUG_PERF_USE_VMALLOC=y
# CONFIG_JBD2_DEBUG is not set
CONFIG_JBD2_DEBUG=y
# CONFIG_DEBUG_BLK_CGROUP is not set
CONFIG_DEBUG_BLK_CGROUP=y
# CONFIG_DRBD_FAULT_INJECTION is not set
CONFIG_DRBD_FAULT_INJECTION=y
# CONFIG_ATH_DEBUG is not set
# CONFIG_CARL9170_DEBUGFS is not set
# CONFIG_IWLWIFI_DEVICE_TRACING is not set
CONFIG_ATH_DEBUG=y
CONFIG_CARL9170_DEBUGFS=y
CONFIG_IWLWIFI_DEVICE_TRACING=y
# CONFIG_DEBUG_OBJECTS_WORK is not set
CONFIG_DEBUG_OBJECTS_WORK=y
# CONFIG_DMADEVICES_DEBUG is not set
# CONFIG_DMADEVICES_VDEBUG is not set
CONFIG_DMADEVICES_DEBUG=y
CONFIG_DMADEVICES_VDEBUG=y
CONFIG_PM_ADVANCED_DEBUG=y
# CONFIG_CEPH_LIB_PRETTYDEBUG is not set
# CONFIG_QUOTA_DEBUG is not set
CONFIG_CEPH_LIB_PRETTYDEBUG=y
CONFIG_QUOTA_DEBUG=y
CONFIG_PCI_DEFAULT_USE_CRS=y
CONFIG_KGDB_KDB=y
CONFIG_KDB_KEYBOARD=y
# CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER is not set
# CONFIG_TEST_LIST_SORT is not set
CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER=y
CONFIG_TEST_LIST_SORT=y
# CONFIG_DETECT_HUNG_TASK is not set
CONFIG_DETECT_HUNG_TASK=y
CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
# CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK is not set
CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK=y
# CONFIG_DEBUG_KMEMLEAK is not set
CONFIG_DEBUG_KMEMLEAK=y
CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024
# CONFIG_DEBUG_KMEMLEAK_TEST is not set
CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y

View File

@ -313,7 +313,7 @@ CONFIG_STRICT_DEVMEM=y
# CONFIG_NO_BOOTMEM is not set
# CONFIG_MEMTEST is not set
# CONFIG_MAXSMP is not set
CONFIG_MAXSMP=y
CONFIG_HP_ILO=m

View File

@ -62,7 +62,7 @@ Summary: The Linux kernel
# For non-released -rc kernels, this will be appended after the rcX and
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
#
%global baserelease 2
%global baserelease 3
%global fedora_build %{baserelease}
# base_sublevel is the kernel version we're starting with and patching
@ -163,7 +163,7 @@ Summary: The Linux kernel
# Set debugbuildsenabled to 1 for production (build separate debug kernels)
# and 0 for rawhide (all kernels are debug kernels).
# See also 'make debug' and 'make release'.
%define debugbuildsenabled 1
%define debugbuildsenabled 0
# Want to build a vanilla kernel build without any non-upstream patches?
%define with_vanilla %{?_with_vanilla: 1} %{?!_with_vanilla: 0}
@ -176,7 +176,7 @@ Summary: The Linux kernel
%define doc_build_fail true
%endif
%define rawhide_skip_docs 0
%define rawhide_skip_docs 1
%if 0%{?rawhide_skip_docs}
%define with_doc 0
%define doc_build_fail true
@ -746,6 +746,9 @@ Patch21400: unhandled-irqs-switch-to-polling.patch
Patch22000: weird-root-dentry-name-debug.patch
#selinux ptrace child permissions
Patch22001: selinux-apply-different-permission-to-ptrace-child.patch
%endif
BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@ -1429,6 +1432,9 @@ ApplyPatch unhandled-irqs-switch-to-polling.patch
ApplyPatch weird-root-dentry-name-debug.patch
#selinux ptrace child permissions
ApplyPatch selinux-apply-different-permission-to-ptrace-child.patch
#Highbank clock functions
ApplyPatch highbank-export-clock-functions.patch
@ -2293,6 +2299,12 @@ fi
# ||----w |
# || ||
%changelog
* Mon Apr 09 2012 Justin M. Forbes <jforbes@redhat.com> - 3.4.0-0.rc2.git0.3
- Reenable debugging options.
* Mon Apr 09 2012 Justin M. Forbes <jforbes@redhat.com>
- SELinux apply a different permission to ptrace a child vs non-child
* Mon Apr 09 2012 Justin M. Forbes <jforbes@redhat.com> - 3.4.0-0.rc2.git0.2
- Disable debugging options.

View File

@ -0,0 +1,162 @@
Some applications, like gdb, are able to ptrace both children or other
completely unrelated tasks. We would like to be able to discern these two
things and to be able to allow gdb to ptrace it's children, but not to be
able to ptrace unrelated tasks for security reasons.
Upstream is a bit weary of this patch as it may be incomplete. They are
not fundamentally opposed to the patch, I was just ask to see if I could
flush out any needed refinement in Fedora where we already had the
problem. We may find that we need to emulate the YAMA non-child
registration module in order to completely deal with 'normal' ptrace on
a system. At the moment however, this patch will at least let us get
gdb working for many users in Fedora (See fedora-devel-list for a
discussion of the current issues people are complaining about in F17
without this)
---
security/selinux/hooks.c | 38 +++++++++++++++++++++++++++++++++++
security/selinux/include/classmap.h | 2 +-
security/selinux/include/security.h | 2 ++
security/selinux/selinuxfs.c | 3 ++-
security/selinux/ss/services.c | 3 +++
5 files changed, 46 insertions(+), 2 deletions(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 1a4acf4..b226f26 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1805,6 +1805,39 @@ static inline u32 open_file_to_av(struct file *file)
/* Hook functions begin here. */
+/**
+ * task_is_descendant - walk up a process family tree looking for a match
+ * @parent: the process to compare against while walking up from child
+ * @child: the process to start from while looking upwards for parent
+ *
+ * Returns 1 if child is a descendant of parent, 0 if not.
+ */
+static int task_is_descendant(struct task_struct *parent,
+ struct task_struct *child)
+{
+ int rc = 0;
+ struct task_struct *walker = child;
+
+ if (!parent || !child)
+ return 0;
+
+ rcu_read_lock();
+ if (!thread_group_leader(parent))
+ parent = rcu_dereference(parent->group_leader);
+ while (walker->pid > 0) {
+ if (!thread_group_leader(walker))
+ walker = rcu_dereference(walker->group_leader);
+ if (walker == parent) {
+ rc = 1;
+ break;
+ }
+ walker = rcu_dereference(walker->real_parent);
+ }
+ rcu_read_unlock();
+
+ return rc;
+}
+
static int selinux_ptrace_access_check(struct task_struct *child,
unsigned int mode)
{
@@ -1820,6 +1853,9 @@ static int selinux_ptrace_access_check(struct task_struct *child,
return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
}
+
+ if (selinux_policycap_ptrace_child && task_is_descendant(current, child))
+ return current_has_perm(child, PROCESS__PTRACE_CHILD);
return current_has_perm(child, PROCESS__PTRACE);
}
@@ -1831,6 +1867,8 @@ static int selinux_ptrace_traceme(struct task_struct *parent)
if (rc)
return rc;
+ if (selinux_policycap_ptrace_child && task_is_descendant(parent, current))
+ return task_has_perm(parent, current, PROCESS__PTRACE_CHILD);
return task_has_perm(parent, current, PROCESS__PTRACE);
}
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 39e678c..72c08b9 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -29,7 +29,7 @@ struct security_class_mapping secclass_map[] = {
"getattr", "setexec", "setfscreate", "noatsecure", "siginh",
"setrlimit", "rlimitinh", "dyntransition", "setcurrent",
"execmem", "execstack", "execheap", "setkeycreate",
- "setsockcreate", NULL } },
+ "setsockcreate", "ptrace_child", NULL } },
{ "system",
{ "ipc_info", "syslog_read", "syslog_mod",
"syslog_console", "module_request", NULL } },
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index dde2005..ac14b0a 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -68,12 +68,14 @@ extern int selinux_enabled;
enum {
POLICYDB_CAPABILITY_NETPEER,
POLICYDB_CAPABILITY_OPENPERM,
+ POLICYDB_CAPABILITY_PTRACE_CHILD,
__POLICYDB_CAPABILITY_MAX
};
#define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
extern int selinux_policycap_netpeer;
extern int selinux_policycap_openperm;
+extern int selinux_policycap_ptrace_child;
/*
* type_datum properties
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 4e93f9e..3379765 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -44,7 +44,8 @@
/* Policy capability filenames */
static char *policycap_names[] = {
"network_peer_controls",
- "open_perms"
+ "open_perms",
+ "ptrace_child",
};
unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 9b7e7ed..4d12a6e 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -72,6 +72,7 @@
int selinux_policycap_netpeer;
int selinux_policycap_openperm;
+int selinux_policycap_ptrace_child;
static DEFINE_RWLOCK(policy_rwlock);
@@ -1812,6 +1813,8 @@ static void security_load_policycaps(void)
POLICYDB_CAPABILITY_NETPEER);
selinux_policycap_openperm = ebitmap_get_bit(&policydb.policycaps,
POLICYDB_CAPABILITY_OPENPERM);
+ selinux_policycap_ptrace_child = ebitmap_get_bit(&policydb.policycaps,
+ POLICYDB_CAPABILITY_PTRACE_CHILD);
}
static int security_preserve_bools(struct policydb *p);
_______________________________________________
kernel mailing list
kernel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/kernel