From: Kalesh Singh <kaleshsingh@google.com>
To: unlisted-recipients:; (no To-header on input)
Cc: keescook@chromium.org, torvalds@linux-foundation.org,
ebiederm@xmission.com, christian.brauner@ubuntu.com,
christian.koenig@amd.com, surenb@google.com, hridya@google.com,
kernel-team@android.com, Kalesh Singh <kaleshsingh@google.com>,
Andrew Morton <akpm@linux-foundation.org>,
linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org
Subject: [PATCH] procfs: Prevent unpriveleged processes accessing fdinfo
Date: Thu, 8 Jul 2021 15:56:43 +0000 [thread overview]
Message-ID: <20210708155647.44208-1-kaleshsingh@google.com> (raw)
The file permissions on the fdinfo dir from were changed from
S_IRUSR|S_IXUSR to S_IRUGO|S_IXUGO, and a PTRACE_MODE_READ check was
added for opening the fdinfo files [1]. However, the ptrace permission
check was not added to the directory, allowing anyone to get the open FD
numbers by reading the fdinfo directory.
Add the missing ptrace permission check for opening the fdinfo directory.
The check is also added for readdir, lseek in the case that
an unprivileged process inherits an open FD to the fdinfo dir after an
exec.
For the same reason, similar checks are added for fdinfo files which
previously only checked the ptrace permission in open.
[1] https://lkml.kernel.org/r/20210308170651.919148-1-kaleshsingh@google.com
Fixes: 7bc3fa0172a4 ("procfs: allow reading fdinfo with PTRACE_MODE_READ")
Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
---
fs/proc/fd.c | 65 ++++++++++++++++++++++++++++++++++++++++++++++++----
1 file changed, 61 insertions(+), 4 deletions(-)
diff --git a/fs/proc/fd.c b/fs/proc/fd.c
index 172c86270b31..aea59e243bae 100644
--- a/fs/proc/fd.c
+++ b/fs/proc/fd.c
@@ -72,7 +72,7 @@ static int seq_show(struct seq_file *m, void *v)
return 0;
}
-static int seq_fdinfo_open(struct inode *inode, struct file *file)
+static int proc_fdinfo_access_allowed(struct inode *inode)
{
bool allowed = false;
struct task_struct *task = get_proc_task(inode);
@@ -86,13 +86,44 @@ static int seq_fdinfo_open(struct inode *inode, struct file *file)
if (!allowed)
return -EACCES;
+ return 0;
+}
+
+static int seq_fdinfo_open(struct inode *inode, struct file *file)
+{
+ int ret = proc_fdinfo_access_allowed(inode);
+
+ if (ret)
+ return ret;
+
return single_open(file, seq_show, inode);
}
+static ssize_t seq_fdinfo_read(struct file *file, char __user *buf, size_t size,
+ loff_t *ppos)
+{
+ int ret = proc_fdinfo_access_allowed(file_inode(file));
+
+ if (ret)
+ return ret;
+
+ return seq_read(file, buf, size, ppos);
+}
+
+static loff_t seq_fdinfo_lseek(struct file *file, loff_t offset, int whence)
+{
+ int ret = proc_fdinfo_access_allowed(file_inode(file));
+
+ if (ret)
+ return ret;
+
+ return seq_lseek(file, offset, whence);
+}
+
static const struct file_operations proc_fdinfo_file_operations = {
.open = seq_fdinfo_open,
- .read = seq_read,
- .llseek = seq_lseek,
+ .read = seq_fdinfo_read,
+ .llseek = seq_fdinfo_lseek,
.release = single_release,
};
@@ -344,17 +375,43 @@ proc_lookupfdinfo(struct inode *dir, struct dentry *dentry, unsigned int flags)
static int proc_readfdinfo(struct file *file, struct dir_context *ctx)
{
+ int ret = proc_fdinfo_access_allowed(file_inode(file));
+
+ if (ret)
+ return ret;
+
return proc_readfd_common(file, ctx,
proc_fdinfo_instantiate);
}
+static loff_t proc_llseek_fdinfo(struct file *file, loff_t offset, int whence)
+{
+ int ret = proc_fdinfo_access_allowed(file_inode(file));
+
+ if (ret)
+ return ret;
+
+ return generic_file_llseek(file, offset, whence);
+}
+
+static int proc_open_fdinfo(struct inode *inode, struct file *file)
+{
+ int ret = proc_fdinfo_access_allowed(inode);
+
+ if (ret)
+ return ret;
+
+ return 0;
+}
+
const struct inode_operations proc_fdinfo_inode_operations = {
.lookup = proc_lookupfdinfo,
.setattr = proc_setattr,
};
const struct file_operations proc_fdinfo_operations = {
+ .open = proc_open_fdinfo,
.read = generic_read_dir,
.iterate_shared = proc_readfdinfo,
- .llseek = generic_file_llseek,
+ .llseek = proc_llseek_fdinfo,
};
base-commit: e9f1cbc0c4114880090c7a578117d3b9cf184ad4
--
2.32.0.93.g670b81a890-goog
next reply other threads:[~2021-07-08 15:57 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-08 15:56 Kalesh Singh [this message]
2021-07-10 18:21 ` [PATCH] procfs: Prevent unpriveleged processes accessing fdinfo Linus Torvalds
2021-07-12 19:45 ` Kalesh Singh
2021-07-12 20:02 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210708155647.44208-1-kaleshsingh@google.com \
--to=kaleshsingh@google.com \
--cc=akpm@linux-foundation.org \
--cc=christian.brauner@ubuntu.com \
--cc=christian.koenig@amd.com \
--cc=ebiederm@xmission.com \
--cc=hridya@google.com \
--cc=keescook@chromium.org \
--cc=kernel-team@android.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=surenb@google.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox