From: Andrew Morton <akpm@osdl.org>
To: ebiederm@xmission.com (Eric W. Biederman)
Cc: efault@gmx.de, nickpiggin@yahoo.com.au, laurent.riffard@free.fr,
jesper.juhl@gmail.com, linux-kernel@vger.kernel.org, rjw@sisk.pl,
mbligh@mbligh.org, clameter@engr.sgi.com, pj@sgi.com
Subject: Re: [PATCH] proc: Use sane permission checks on the /proc/<pid>/fd/ symlinks.
Date: Fri, 3 Mar 2006 00:49:42 -0800
Message-ID: <20060303004942.3b96a8ae.akpm@osdl.org>
In-Reply-To: <m1u0agkdkh.fsf_-_@ebiederm.dsl.xmission.com>
With all your latest patches I get a big spew lateish in the boot:
EXT3-fs: INFO: recovery required on readonly filesystem.
EXT3-fs: write access will be enabled during recovery.
kjournald starting. Commit interval 5 seconds
EXT3-fs: recovery complete.
EXT3-fs: mounted filesystem with ordered data mode.
security: 3 users, 6 roles, 1135 types, 133 bools, 1 sens, 256 cats
security: 55 classes, 37666 rules
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: initialized (dev sda6, type ext3), uses xattr
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts
SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses genfs_contexts
SELinux: initialized (dev devpts, type devpts), uses transition SIDs
SELinux: initialized (dev eventpollfs, type eventpollfs), uses genfs_contexts
SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts
SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
SELinux: initialized (dev proc, type proc), uses genfs_contexts
SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
audit(1141341858.520:2): avc: denied { ptrace } for pid=372 comm="restorecon" scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:system_r:restorecon_t:s0 tclass=process
audit(1141341858.520:3): avc: denied { ptrace } for pid=372 comm="restorecon" scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:system_r:restorecon_t:s0 tclass=process
audit(1141341858.520:4): avc: denied { ptrace } for pid=372 comm="restorecon" scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:system_r:restorecon_t:s0 tclass=process
audit(1141341858.520:5): avc: denied { ptrace } for pid=372 comm="restorecon" scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:system_r:restorecon_t:s0 tclass=process
audit(1141341858.520:6): avc: denied { ptrace } for pid=372 comm="restorecon" scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:system_r:restorecon_t:s0 tclass=process
...
audit(1141370661.947:106): avc: denied { ptrace } for pid=380 comm="hwclock" scontext=system_u:system_r:hwclock_t:s0 tcontext=system_u:system_r:hwclock_t:s0 tclass=process
audit(1141370661.947:107): avc: denied { ptrace } for pid=380 comm="hwclock" scontext=system_u:system_r:hwclock_t:s0 tcontext=system_u:system_r:hwclock_t:s0 tclass=process
ICH6: IDE controller at PCI slot 0000:00:1f.1
ACPI: PCI Interrupt 0000:00:1f.1[B] -> GSI 18 (level, low) -> IRQ 18
ICH6: chipset revision 3
ICH6: not 100% native mode: will probe irqs later
Reverting just this patch prevents the above.

This is with basically unaltered FC5 as of a few days ago. The audit
patches weren't applied.

What is happening is that both `current' and get_proc_task(inode) are the
same task_struct: `restorecon' is trying to read its own proc files. But
ptrace_may_attach()->security_ptrace() is returning -EACCES.

So I bodged it in the obvious manner:

--- devel/fs/proc/base.c~proc-use-sane-permission-checks-on-the-proc-pid-fd-fix 2006-03-03 00:38:17.000000000 -0800
+++ devel-akpm/fs/proc/base.c 2006-03-03 00:43:54.000000000 -0800
@@ -521,8 +521,11 @@ static int proc_fd_access_allowed(struct
* allow access if we have the proper capability.
*/
task = get_proc_task(inode);
- if (task) {
+ if (task == current)
+ allowed = 1;
+ if (task && !allowed) {
int alive;
+
task_lock(task);
alive = !!task->mm;
task_unlock(task);
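
Review bot: The new "if (task == current) allowed = 1;" path skips the whole "if (task && !allowed)" block, so any release of the reference taken by get_proc_task(inode) that lives inside that block is skipped on self-access; the rest of the block is not visible in this hunk, so confirm the task reference is still dropped when task == current, for example by moving the release after the block. The shortcut also relies on allowed being initialised to 0 before this point, and it bypasses ptrace_may_attach() for self-access without a comment saying why; a one-line comment stating that a task may always resolve its own fd symlinks would document the intent.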

And the messages went away.

But I have a bad feeling about these /proc permission changes, Eric. I
suspect we'll be chasing a gradually decreasing frequency of weird problems
for a long time.

That task_lock() you have in proc_fd_access_allowed() looks very fishy,
btw. As soon as the lock is dropped, local `alive' becomes meaningless.
Either that, or the lock wasn't needed.

btw, it's surprising (to me) that security_ptrace(t1, t2) fails when
t1==t2?
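
A triage sketch for the spew quoted above, added here as an example and not part of the original message: it parses AVC lines in that format and separates ptrace denials whose source and target contexts match (the pattern produced when a task reads its own proc files) from those that do not. The sample input is constructed, its fourth line is invented for contrast, and the names parse_avc and summarize_ptrace_denials are illustrative.

```python
import re
from collections import Counter

# Constructed sample in the format of the audit lines quoted in the message;
# the fourth line (a different target context) is invented for contrast.
SAMPLE = """\
audit(1141341858.520:2): avc: denied { ptrace } for pid=372 comm="restorecon" scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:system_r:restorecon_t:s0 tclass=process
audit(1141341858.520:3): avc: denied { ptrace } for pid=372 comm="restorecon" scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:system_r:restorecon_t:s0 tclass=process
audit(1141370661.947:106): avc: denied { ptrace } for pid=380 comm="hwclock" scontext=system_u:system_r:hwclock_t:s0 tcontext=system_u:system_r:hwclock_t:s0 tclass=process
audit(1141370700.100:200): avc: denied { ptrace } for pid=401 comm="example" scontext=system_u:system_r:example_t:s0 tcontext=system_u:system_r:other_t:s0 tclass=process
SELinux: initialized (dev proc, type proc), uses genfs_contexts
"""

# \s+ tolerates both single and double spacing between the AVC tokens.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec


def summarize_ptrace_denials(text):
    """Count ptrace denials per (comm, pid), split into same and cross-context.

    Equal scontext/tcontext is only a hint of self-access: two different
    processes running in one domain look identical in the log.
    """
    same, cross = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if not rec or rec.get("tclass") != "process" or "ptrace" not in rec["perms"]:
            continue
        key = (rec.get("comm"), int(rec.get("pid", -1)))
        bucket = same if rec.get("scontext") == rec.get("tcontext") else cross
        bucket[key] += 1
    return dict(same), dict(cross)


if __name__ == "__main__":
    same, cross = summarize_ptrace_denials(SAMPLE)
    print("same-context ptrace denials:", same)
    print("cross-context ptrace denials:", cross)
```
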