From 1d7d6c12f3998ded631f92f6dccb997e1776a5c6 Mon Sep 17 00:00:00 2001
From: "Justin M. Forbes"
Date: Mon, 9 Apr 2012 16:40:04 -0500
Subject: [PATCH] - SELinux apply a different permission to ptrace a child vs non-child - Reenable debug
---
 config-generic | 8 +-
 config-nodebug | 108 ++++++------
 config-x86-generic | 2 +-
 kernel.spec | 18 +-
 ...different-permission-to-ptrace-child.patch | 162 ++++++++++++++++++
 5 files changed, 236 insertions(+), 62 deletions(-)
 create mode 100644 selinux-apply-different-permission-to-ptrace-child.patch
diff --git a/config-generic b/config-generic
index f565c2f54..b832223d1 100644
--- a/config-generic
+++ b/config-generic
@@ -1464,13 +1464,13 @@ CONFIG_B43_SDIO=y
 CONFIG_B43_BCMA=y
 # CONFIG_B43_BCMA_EXTRA is not set
 CONFIG_B43_BCMA_PIO=y
-# CONFIG_B43_DEBUG is not set
+CONFIG_B43_DEBUG=y
 CONFIG_B43_PHY_LP=y
 CONFIG_B43_PHY_N=y
 CONFIG_B43_PHY_HT=y
 # CONFIG_B43_FORCE_PIO is not set
 CONFIG_B43LEGACY=m
-# CONFIG_B43LEGACY_DEBUG is not set
+CONFIG_B43LEGACY_DEBUG=y
 CONFIG_B43LEGACY_DMA=y
 CONFIG_B43LEGACY_PIO=y
 CONFIG_B43LEGACY_DMA_AND_PIO_MODE=y
@@ -3054,7 +3054,7 @@ CONFIG_USB_STORAGE_REALTEK=m
 CONFIG_REALTEK_AUTOPM=y
 CONFIG_USB_STORAGE_ENE_UB6250=m
 # CONFIG_USB_LIBUSUAL is not set
-# CONFIG_USB_UAS is not set
+CONFIG_USB_UAS=m
 #
@@ -3959,7 +3959,7 @@ CONFIG_IBMASR=m
 CONFIG_PM_DEBUG=y
 CONFIG_PM_TRACE=y
 CONFIG_PM_TRACE_RTC=y
-# CONFIG_PM_TEST_SUSPEND is not set
+CONFIG_PM_TEST_SUSPEND=y
 CONFIG_PM_RUNTIME=y
 # CONFIG_PM_OPP is not set
diff --git a/config-nodebug b/config-nodebug
index aff30011e..c14754265 100644
--- a/config-nodebug
+++ b/config-nodebug
@@ -2,109 +2,109 @@ CONFIG_SND_VERBOSE_PRINTK=y
 CONFIG_SND_DEBUG=y
 CONFIG_SND_PCM_XRUN_DEBUG=y
-# CONFIG_DEBUG_ATOMIC_SLEEP is not set
+CONFIG_DEBUG_ATOMIC_SLEEP=y
-# CONFIG_DEBUG_MUTEXES is not set
-# CONFIG_DEBUG_RT_MUTEXES is not set
-# CONFIG_DEBUG_LOCK_ALLOC is not set
-# CONFIG_PROVE_LOCKING is not set
-# CONFIG_DEBUG_SPINLOCK is not set
-# CONFIG_PROVE_RCU is not set
+CONFIG_DEBUG_MUTEXES=y
+CONFIG_DEBUG_RT_MUTEXES=y
+CONFIG_DEBUG_LOCK_ALLOC=y
+CONFIG_PROVE_LOCKING=y
+CONFIG_DEBUG_SPINLOCK=y
+CONFIG_PROVE_RCU=y
 # CONFIG_PROVE_RCU_REPEATEDLY is not set
-# CONFIG_DEBUG_PER_CPU_MAPS is not set
+CONFIG_DEBUG_PER_CPU_MAPS=y
 CONFIG_CPUMASK_OFFSTACK=y
-# CONFIG_CPU_NOTIFIER_ERROR_INJECT is not set
+CONFIG_CPU_NOTIFIER_ERROR_INJECT=m
-# CONFIG_FAULT_INJECTION is not set
-# CONFIG_FAILSLAB is not set
-# CONFIG_FAIL_PAGE_ALLOC is not set
-# CONFIG_FAIL_MAKE_REQUEST is not set
-# CONFIG_FAULT_INJECTION_DEBUG_FS is not set
-# CONFIG_FAULT_INJECTION_STACKTRACE_FILTER is not set
-# CONFIG_FAIL_IO_TIMEOUT is not set
-# CONFIG_FAIL_MMC_REQUEST is not set
+CONFIG_FAULT_INJECTION=y
+CONFIG_FAILSLAB=y
+CONFIG_FAIL_PAGE_ALLOC=y
+CONFIG_FAIL_MAKE_REQUEST=y
+CONFIG_FAULT_INJECTION_DEBUG_FS=y
+CONFIG_FAULT_INJECTION_STACKTRACE_FILTER=y
+CONFIG_FAIL_IO_TIMEOUT=y
+CONFIG_FAIL_MMC_REQUEST=y
-# CONFIG_SLUB_DEBUG_ON is not set
+CONFIG_SLUB_DEBUG_ON=y
-# CONFIG_LOCK_STAT is not set
+CONFIG_LOCK_STAT=y
-# CONFIG_DEBUG_STACK_USAGE is not set
+CONFIG_DEBUG_STACK_USAGE=y
-# CONFIG_ACPI_DEBUG is not set
+CONFIG_ACPI_DEBUG=y
 # CONFIG_ACPI_DEBUG_FUNC_TRACE is not set
-# CONFIG_DEBUG_SG is not set
+CONFIG_DEBUG_SG=y
 # CONFIG_DEBUG_PAGEALLOC is not set
-# CONFIG_DEBUG_WRITECOUNT is not set
-# CONFIG_DEBUG_OBJECTS is not set
+CONFIG_DEBUG_WRITECOUNT=y
+CONFIG_DEBUG_OBJECTS=y
 # CONFIG_DEBUG_OBJECTS_SELFTEST is not set
-# CONFIG_DEBUG_OBJECTS_FREE is not set
-# CONFIG_DEBUG_OBJECTS_TIMERS is not set
-# CONFIG_DEBUG_OBJECTS_RCU_HEAD is not set
+CONFIG_DEBUG_OBJECTS_FREE=y
+CONFIG_DEBUG_OBJECTS_TIMERS=y
+CONFIG_DEBUG_OBJECTS_RCU_HEAD=y
 CONFIG_DEBUG_OBJECTS_ENABLE_DEFAULT=1
-# CONFIG_X86_PTDUMP is not set
+CONFIG_X86_PTDUMP=y
-# CONFIG_CAN_DEBUG_DEVICES is not set
+CONFIG_CAN_DEBUG_DEVICES=y
-# CONFIG_MODULE_FORCE_UNLOAD is not set
+CONFIG_MODULE_FORCE_UNLOAD=y
-# CONFIG_SYSCTL_SYSCALL_CHECK is not set
+CONFIG_SYSCTL_SYSCALL_CHECK=y
-# CONFIG_DEBUG_NOTIFIERS is not set
+CONFIG_DEBUG_NOTIFIERS=y
-# CONFIG_DMA_API_DEBUG is not set
+CONFIG_DMA_API_DEBUG=y
-# CONFIG_MMIOTRACE is not set
+CONFIG_MMIOTRACE=y
-# CONFIG_DEBUG_CREDENTIALS is not set
+CONFIG_DEBUG_CREDENTIALS=y
 # off in both production debug and nodebug builds,
 # on in rawhide nodebug builds
-# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
+CONFIG_DEBUG_FORCE_WEAK_PER_CPU=y
-# CONFIG_EXT4_DEBUG is not set
+CONFIG_EXT4_DEBUG=y
-# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
+CONFIG_DEBUG_PERF_USE_VMALLOC=y
-# CONFIG_JBD2_DEBUG is not set
+CONFIG_JBD2_DEBUG=y
-# CONFIG_DEBUG_BLK_CGROUP is not set
+CONFIG_DEBUG_BLK_CGROUP=y
-# CONFIG_DRBD_FAULT_INJECTION is not set
+CONFIG_DRBD_FAULT_INJECTION=y
-# CONFIG_ATH_DEBUG is not set
-# CONFIG_CARL9170_DEBUGFS is not set
-# CONFIG_IWLWIFI_DEVICE_TRACING is not set
+CONFIG_ATH_DEBUG=y
+CONFIG_CARL9170_DEBUGFS=y
+CONFIG_IWLWIFI_DEVICE_TRACING=y
-# CONFIG_DEBUG_OBJECTS_WORK is not set
+CONFIG_DEBUG_OBJECTS_WORK=y
-# CONFIG_DMADEVICES_DEBUG is not set
-# CONFIG_DMADEVICES_VDEBUG is not set
+CONFIG_DMADEVICES_DEBUG=y
+CONFIG_DMADEVICES_VDEBUG=y
 CONFIG_PM_ADVANCED_DEBUG=y
-# CONFIG_CEPH_LIB_PRETTYDEBUG is not set
-# CONFIG_QUOTA_DEBUG is not set
+CONFIG_CEPH_LIB_PRETTYDEBUG=y
+CONFIG_QUOTA_DEBUG=y
 CONFIG_PCI_DEFAULT_USE_CRS=y
 CONFIG_KGDB_KDB=y
 CONFIG_KDB_KEYBOARD=y
-# CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER is not set
-# CONFIG_TEST_LIST_SORT is not set
+CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER=y
+CONFIG_TEST_LIST_SORT=y
-# CONFIG_DETECT_HUNG_TASK is not set
+CONFIG_DETECT_HUNG_TASK=y
 CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
 # CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
-# CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK is not set
+CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK=y
-# CONFIG_DEBUG_KMEMLEAK is not set
+CONFIG_DEBUG_KMEMLEAK=y
 CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024
 # CONFIG_DEBUG_KMEMLEAK_TEST is not set
 CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y
diff --git a/config-x86-generic b/config-x86-generic
index 859d92dcb..4243d2233 100644
--- a/config-x86-generic
+++ b/config-x86-generic
@@ -313,7 +313,7 @@ CONFIG_STRICT_DEVMEM=y
 # CONFIG_NO_BOOTMEM is not set
 # CONFIG_MEMTEST is not set
-# CONFIG_MAXSMP is not set
+CONFIG_MAXSMP=y
 CONFIG_HP_ILO=m
diff --git a/kernel.spec b/kernel.spec
index fbb0cb068..c6fdf3227 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -62,7 +62,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 2
+%global baserelease 3
 %global fedora_build %{baserelease}
 # base_sublevel is the kernel version we're starting with and patching
@@ -163,7 +163,7 @@ Summary: The Linux kernel
 # Set debugbuildsenabled to 1 for production (build separate debug kernels)
 # and 0 for rawhide (all kernels are debug kernels).
 # See also 'make debug' and 'make release'.
-%define debugbuildsenabled 1
+%define debugbuildsenabled 0
 # Want to build a vanilla kernel build without any non-upstream patches?
 %define with_vanilla %{?_with_vanilla: 1} %{?!_with_vanilla: 0}
@@ -176,7 +176,7 @@ Summary: The Linux kernel
 %define doc_build_fail true
 %endif
-%define rawhide_skip_docs 0
+%define rawhide_skip_docs 1
 %if 0%{?rawhide_skip_docs}
 %define with_doc 0
 %define doc_build_fail true
@@ -746,6 +746,9 @@ Patch21400: unhandled-irqs-switch-to-polling.patch
 Patch22000: weird-root-dentry-name-debug.patch
+#selinux ptrace child permissions
+Patch22001: selinux-apply-different-permission-to-ptrace-child.patch
+
 %endif
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -1429,6 +1432,9 @@ ApplyPatch unhandled-irqs-switch-to-polling.patch
 ApplyPatch weird-root-dentry-name-debug.patch
+#selinux ptrace child permissions
+ApplyPatch selinux-apply-different-permission-to-ptrace-child.patch
+
 #Highbank clock functions
 ApplyPatch highbank-export-clock-functions.patch
@@ -2293,6 +2299,12 @@ fi
 # ||----w |
 # || ||
 %changelog
+* Mon Apr 09 2012 Justin M. Forbes - 3.4.0-0.rc2.git0.3
+- Reenable debugging options.
+
+* Mon Apr 09 2012 Justin M. Forbes
+- SELinux apply a different permission to ptrace a child vs non-child
+
+* Mon Apr 09 2012 Justin M. Forbes - 3.4.0-0.rc2.git0.2
+- Disable debugging options.
diff --git a/selinux-apply-different-permission-to-ptrace-child.patch b/selinux-apply-different-permission-to-ptrace-child.patch
new file mode 100644
index 000000000..90baad840
--- /dev/null
+++ b/selinux-apply-different-permission-to-ptrace-child.patch
@@ -0,0 +1,162 @@
+Some applications, like gdb, are able to ptrace both children or other
+completely unrelated tasks. We would like to be able to discern these two
+things and to be able to allow gdb to ptrace it's children, but not to be
+able to ptrace unrelated tasks for security reasons.
+
+Upstream is a bit weary of this patch as it may be incomplete. They are
+not fundamentally opposed to the patch, I was just ask to see if I could
+flush out any needed refinement in Fedora where we already had the
+problem. We may find that we need to emulate the YAMA non-child
+registration module in order to completely deal with 'normal' ptrace on
+a system. At the moment however, this patch will at least let us get
+gdb working for many users in Fedora (See fedora-devel-list for a
+discussion of the current issues people are complaining about in F17
+without this)
+
+---
+
+ security/selinux/hooks.c | 38 +++++++++++++++++++++++++++++++++++
+ security/selinux/include/classmap.h | 2 +-
+ security/selinux/include/security.h | 2 ++
+ security/selinux/selinuxfs.c | 3 ++-
+ security/selinux/ss/services.c | 3 +++
+ 5 files changed, 46 insertions(+), 2 deletions(-)
+
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index 1a4acf4..b226f26 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -1805,6 +1805,39 @@ static inline u32 open_file_to_av(struct file *file)
+ 
+ /* Hook functions begin here. */
+ 
++/**
++ * task_is_descendant - walk up a process family tree looking for a match
++ * @parent: the process to compare against while walking up from child
++ * @child: the process to start from while looking upwards for parent
++ *
++ * Returns 1 if child is a descendant of parent, 0 if not.
++ */
++static int task_is_descendant(struct task_struct *parent,
++ struct task_struct *child)
++{
++ int rc = 0;
++ struct task_struct *walker = child;
++
++ if (!parent || !child)
++ return 0;
++
++ rcu_read_lock();
++ if (!thread_group_leader(parent))
++ parent = rcu_dereference(parent->group_leader);
++ while (walker->pid > 0) {
++ if (!thread_group_leader(walker))
++ walker = rcu_dereference(walker->group_leader);
++ if (walker == parent) {
++ rc = 1;
++ break;
++ }
++ walker = rcu_dereference(walker->real_parent);
++ }
++ rcu_read_unlock();
++
++ return rc;
++}
++
+ static int selinux_ptrace_access_check(struct task_struct *child,
+ unsigned int mode)
+ {
+@@ -1820,6 +1853,9 @@ static int selinux_ptrace_access_check(struct task_struct *child,
+ return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
+ }
+ 
++
++ if (selinux_policycap_ptrace_child && task_is_descendant(current, child))
++ return current_has_perm(child, PROCESS__PTRACE_CHILD);
+ return current_has_perm(child, PROCESS__PTRACE);
+ }
+ 
+@@ -1831,6 +1867,8 @@ static int selinux_ptrace_traceme(struct task_struct *parent)
+ if (rc)
+ return rc;
+ 
++ if (selinux_policycap_ptrace_child && task_is_descendant(parent, current))
++ return task_has_perm(parent, current, PROCESS__PTRACE_CHILD);
+ return task_has_perm(parent, current, PROCESS__PTRACE);
+ }
+ 
+diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
+index 39e678c..72c08b9 100644
+--- a/security/selinux/include/classmap.h
++++ b/security/selinux/include/classmap.h
+@@ -29,7 +29,7 @@ struct security_class_mapping secclass_map[] = {
+ "getattr", "setexec", "setfscreate", "noatsecure", "siginh",
+ "setrlimit", "rlimitinh", "dyntransition", "setcurrent",
+ "execmem", "execstack", "execheap", "setkeycreate",
+- "setsockcreate", NULL } },
++ "setsockcreate", "ptrace_child", NULL } },
+ { "system",
+ { "ipc_info", "syslog_read", "syslog_mod",
+ "syslog_console", "module_request", NULL } },
+diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
+index dde2005..ac14b0a 100644
+--- a/security/selinux/include/security.h
++++ b/security/selinux/include/security.h
+@@ -68,12 +68,14 @@ extern int selinux_enabled;
+ enum {
+ POLICYDB_CAPABILITY_NETPEER,
+ POLICYDB_CAPABILITY_OPENPERM,
++ POLICYDB_CAPABILITY_PTRACE_CHILD,
+ __POLICYDB_CAPABILITY_MAX
+ };
+ #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
+ 
+ extern int selinux_policycap_netpeer;
+ extern int selinux_policycap_openperm;
++extern int selinux_policycap_ptrace_child;
+ 
+ /*
+ * type_datum properties
+diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
+index 4e93f9e..3379765 100644
+--- a/security/selinux/selinuxfs.c
++++ b/security/selinux/selinuxfs.c
+@@ -44,7 +44,8 @@
+ /* Policy capability filenames */
+ static char *policycap_names[] = {
+ "network_peer_controls",
+- "open_perms"
++ "open_perms",
++ "ptrace_child",
+ };
+ 
+ unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
+diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
+index 9b7e7ed..4d12a6e 100644
+--- a/security/selinux/ss/services.c
++++ b/security/selinux/ss/services.c
+@@ -72,6 +72,7 @@
+ 
+ int selinux_policycap_netpeer;
+ int selinux_policycap_openperm;
++int selinux_policycap_ptrace_child;
+ 
+ static DEFINE_RWLOCK(policy_rwlock);
+ 
+@@ -1812,6 +1813,8 @@ static void security_load_policycaps(void)
+ POLICYDB_CAPABILITY_NETPEER);
+ selinux_policycap_openperm = ebitmap_get_bit(&policydb.policycaps,
+ POLICYDB_CAPABILITY_OPENPERM);
++ selinux_policycap_ptrace_child = ebitmap_get_bit(&policydb.policycaps,
++ POLICYDB_CAPABILITY_PTRACE_CHILD);
+ }
+ 
+ static int security_preserve_bools(struct policydb *p);
+
+
+
+
+_______________________________________________
+kernel mailing list
+kernel@lists.fedoraproject.org
+https://admin.fedoraproject.org/mailman/listinfo/kernel
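Review bot: `task_is_descendant()` in the first hooks.c hunk reports a task as a descendant of itself: `walker` starts at `child`, both sides are normalised to their thread-group leader, and `walker == parent` is tested before the first `real_parent` step, so a thread attaching to another thread of its own process (or a task tracing itself) is checked against the new `ptrace_child` permission rather than `ptrace`, which the comment "Returns 1 if child is a descendant of parent" does not convey. If that is intended, say so in the kerneldoc, e.g. `* A task, or any thread in its thread group, counts as its own descendant.`; if not, the walk should start one level up, `walker = rcu_dereference(child->real_parent)` inside the RCU section. Two caveats also deserve a comment at the new `if` in `selinux_ptrace_access_check()`: the ancestry test is a point-in-time walk of the process tree under `rcu_read_lock()` and can give a different answer later as tasks exit and children are reparented, and it looks only at the tree, not at the child's SID, so a descendant that has since changed domain (an exec transition, presumably) still qualifies for `ptrace_child` against its current domain — policy authors granting `ptrace_child` need to know that. Minor style point: the second hooks.c hunk adds an empty line on top of the existing blank context line before the new `if`, leaving a double blank line that checkpatch would flag.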