diff --git a/kernel.spec b/kernel.spec index 610b875..99afe23 100644 --- a/kernel.spec +++ b/kernel.spec @@ -748,9 +748,6 @@ Patch21247: ath9k_rx_dma_stop_check.patch Patch22000: weird-root-dentry-name-debug.patch -#selinux ptrace child permissions -Patch22001: selinux-apply-different-permission-to-ptrace-child.patch - #rhbz 927469 Patch23006: fix-child-thread-introspection.patch @@ -1506,9 +1503,6 @@ ApplyPatch scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch ApplyPatch weird-root-dentry-name-debug.patch -#selinux ptrace child permissions -ApplyPatch selinux-apply-different-permission-to-ptrace-child.patch - # https://fedoraproject.org/wiki/Features/Checkpoint_Restore ApplyPatch criu-no-expert.patch diff --git a/selinux-apply-different-permission-to-ptrace-child.patch b/selinux-apply-different-permission-to-ptrace-child.patch deleted file mode 100644 index 90baad8..0000000 --- a/selinux-apply-different-permission-to-ptrace-child.patch +++ /dev/null @@ -1,162 +0,0 @@ -Some applications, like gdb, are able to ptrace both children or other -completely unrelated tasks. We would like to be able to discern these two -things and to be able to allow gdb to ptrace it's children, but not to be -able to ptrace unrelated tasks for security reasons. - -Upstream is a bit weary of this patch as it may be incomplete. They are -not fundamentally opposed to the patch, I was just ask to see if I could -flush out any needed refinement in Fedora where we already had the -problem. We may find that we need to emulate the YAMA non-child -registration module in order to completely deal with 'normal' ptrace on -a system. At the moment however, this patch will at least let us get -gdb working for many users in Fedora (See fedora-devel-list for a -discussion of the current issues people are complaining about in F17 -without this) - ---- - - security/selinux/hooks.c | 38 +++++++++++++++++++++++++++++++++++ - security/selinux/include/classmap.h | 2 +- - security/selinux/include/security.h | 2 ++ - security/selinux/selinuxfs.c | 3 ++- - security/selinux/ss/services.c | 3 +++ - 5 files changed, 46 insertions(+), 2 deletions(-) - -diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index 1a4acf4..b226f26 100644 ---- a/security/selinux/hooks.c -+++ b/security/selinux/hooks.c -@@ -1805,6 +1805,39 @@ static inline u32 open_file_to_av(struct file *file) - - /* Hook functions begin here. */ - -+/** -+ * task_is_descendant - walk up a process family tree looking for a match -+ * @parent: the process to compare against while walking up from child -+ * @child: the process to start from while looking upwards for parent -+ * -+ * Returns 1 if child is a descendant of parent, 0 if not. -+ */ -+static int task_is_descendant(struct task_struct *parent, -+ struct task_struct *child) -+{ -+ int rc = 0; -+ struct task_struct *walker = child; -+ -+ if (!parent || !child) -+ return 0; -+ -+ rcu_read_lock(); -+ if (!thread_group_leader(parent)) -+ parent = rcu_dereference(parent->group_leader); -+ while (walker->pid > 0) { -+ if (!thread_group_leader(walker)) -+ walker = rcu_dereference(walker->group_leader); -+ if (walker == parent) { -+ rc = 1; -+ break; -+ } -+ walker = rcu_dereference(walker->real_parent); -+ } -+ rcu_read_unlock(); -+ -+ return rc; -+} -+ - static int selinux_ptrace_access_check(struct task_struct *child, - unsigned int mode) - { -@@ -1820,6 +1853,9 @@ static int selinux_ptrace_access_check(struct task_struct *child, - return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL); - } - -+ -+ if (selinux_policycap_ptrace_child && task_is_descendant(current, child)) -+ return current_has_perm(child, PROCESS__PTRACE_CHILD); - return current_has_perm(child, PROCESS__PTRACE); - } - -@@ -1831,6 +1867,8 @@ static int selinux_ptrace_traceme(struct task_struct *parent) - if (rc) - return rc; - -+ if (selinux_policycap_ptrace_child && task_is_descendant(parent, current)) -+ return task_has_perm(parent, current, PROCESS__PTRACE_CHILD); - return task_has_perm(parent, current, PROCESS__PTRACE); - } - -diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h -index 39e678c..72c08b9 100644 ---- a/security/selinux/include/classmap.h -+++ b/security/selinux/include/classmap.h -@@ -29,7 +29,7 @@ struct security_class_mapping secclass_map[] = { - "getattr", "setexec", "setfscreate", "noatsecure", "siginh", - "setrlimit", "rlimitinh", "dyntransition", "setcurrent", - "execmem", "execstack", "execheap", "setkeycreate", -- "setsockcreate", NULL } }, -+ "setsockcreate", "ptrace_child", NULL } }, - { "system", - { "ipc_info", "syslog_read", "syslog_mod", - "syslog_console", "module_request", NULL } }, -diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h -index dde2005..ac14b0a 100644 ---- a/security/selinux/include/security.h -+++ b/security/selinux/include/security.h -@@ -68,12 +68,14 @@ extern int selinux_enabled; - enum { - POLICYDB_CAPABILITY_NETPEER, - POLICYDB_CAPABILITY_OPENPERM, -+ POLICYDB_CAPABILITY_PTRACE_CHILD, - __POLICYDB_CAPABILITY_MAX - }; - #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1) - - extern int selinux_policycap_netpeer; - extern int selinux_policycap_openperm; -+extern int selinux_policycap_ptrace_child; - - /* - * type_datum properties -diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c -index 4e93f9e..3379765 100644 ---- a/security/selinux/selinuxfs.c -+++ b/security/selinux/selinuxfs.c -@@ -44,7 +44,8 @@ - /* Policy capability filenames */ - static char *policycap_names[] = { - "network_peer_controls", -- "open_perms" -+ "open_perms", -+ "ptrace_child", - }; - - unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE; -diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c -index 9b7e7ed..4d12a6e 100644 ---- a/security/selinux/ss/services.c -+++ b/security/selinux/ss/services.c -@@ -72,6 +72,7 @@ - - int selinux_policycap_netpeer; - int selinux_policycap_openperm; -+int selinux_policycap_ptrace_child; - - static DEFINE_RWLOCK(policy_rwlock); - -@@ -1812,6 +1813,8 @@ static void security_load_policycaps(void) - POLICYDB_CAPABILITY_NETPEER); - selinux_policycap_openperm = ebitmap_get_bit(&policydb.policycaps, - POLICYDB_CAPABILITY_OPENPERM); -+ selinux_policycap_ptrace_child = ebitmap_get_bit(&policydb.policycaps, -+ POLICYDB_CAPABILITY_PTRACE_CHILD); - } - - static int security_preserve_bools(struct policydb *p); - - - - -_______________________________________________ -kernel mailing list -kernel@lists.fedoraproject.org -https://admin.fedoraproject.org/mailman/listinfo/kernel