Skip to content
This repository has been archived by the owner on Apr 18, 2024. It is now read-only.

Commit

Permalink
proc: Track /proc/$pid/attr/ opener mm_struct
Browse files Browse the repository at this point in the history 
commit 591a22c upstream.

Commit bfb819e ("proc: Check /proc/$pid/attr/ writes against file opener")
tried to make sure that there could not be a confusion between the opener of
a /proc/$pid/attr/ file and the writer. It used struct cred to make sure
the privileges didn't change. However, there were existing cases where a more
privileged thread was passing the opened fd to a differently privileged thread
(during container setup). Instead, use mm_struct to track whether the opener
and writer are still the same process. (This is what several other proc files
already do, though for different reasons.)

Reported-by: Christian Brauner <[email protected]>
Reported-by: Andrea Righi <[email protected]>
Tested-by: Andrea Righi <[email protected]>
Fixes: bfb819e ("proc: Check /proc/$pid/attr/ writes against file opener")
Cc: [email protected]
Signed-off-by: Kees Cook <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
  • Loading branch information
@kees @gregkh
kees authored and gregkh committed Jun 16, 2021
1 parent 3d3abdc commit 7e6d9c4
Showing 1 changed file with 8 additions and 1 deletion.
9 changes: 8 additions & 1 deletion fs/proc/base.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2528,6 +2528,11 @@ static int proc_pident_readdir(struct file *file, struct dir_context *ctx,
}

#ifdef CONFIG_SECURITY
static int proc_pid_attr_open(struct inode *inode, struct file *file)
{
return __mem_open(inode, file, PTRACE_MODE_READ_FSCREDS);
}

static ssize_t proc_pid_attr_read(struct file * file, char __user * buf,
size_t count, loff_t *ppos)
{
Expand Down Expand Up @@ -2558,7 +2563,7 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf,
struct task_struct *task = get_proc_task(inode);

/* A task may only write when it was the opener. */
if (file->f_cred != current_real_cred())
if (file->private_data != current->mm)
return -EPERM;

length = -ESRCH;
Expand Down Expand Up @@ -2601,9 +2606,11 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf,
}

static const struct file_operations proc_pid_attr_operations = {
.open = proc_pid_attr_open,
.read = proc_pid_attr_read,
.write = proc_pid_attr_write,
.llseek = generic_file_llseek,
.release = mem_release,
};

static const struct pid_entry attr_dir_stuff[] = {
Expand Down

0 comments on commit 7e6d9c4

Please sign in to comment.