[PATCH] proc: prevent changes to overridden credentials

[Paul Moore]

On Fri, Apr 19, 2019 at 2:55 PM Paul Moore <paul at paul-moore.com> wrote:
> Prevent userspace from changing the the /proc/PID/attr values if the
> task's credentials are currently overriden.  This not only makes sense
> conceptually, it also prevents some really bizarre error cases caused
> when trying to commit credentials to a task with overridden
> credentials.
>
> Cc: <stable at vger.kernel.org>
> Reported-by: "chengjian (D)" <cj.chengjian at huawei.com>
> Signed-off-by: Paul Moore <paul at paul-moore.com>
> ---
>  fs/proc/base.c |    5 +++++
>  1 file changed, 5 insertions(+)

I sent this to the LSM list as I figure it should probably go via
James' linux-security tree since it is cross-LSM and doesn't really
contain any LSM specific code.  That said, if you don't want this
James let me know and I'll send it via the SELinux tree assuming I can
get ACKs from John and Casey (this should only affect SELinux,
AppArmor, and Smack).

> diff --git a/fs/proc/base.c b/fs/proc/base.c
> index ddef482f1334..87ba007b86db 100644
> --- a/fs/proc/base.c
> +++ b/fs/proc/base.c
> @@ -2539,6 +2539,11 @@ static ssize_t proc_pid_attr_write(struct file * file, const char __user * buf,
>                 rcu_read_unlock();
>                 return -EACCES;
>         }
> +       /* Prevent changes to overridden credentials. */
> +       if (current_cred() != current_real_cred()) {
> +               rcu_read_unlock();
> +               return -EBUSY;
> +       }
>         rcu_read_unlock();
>
>         if (count > PAGE_SIZE)
>

-- 
paul moore
www.paul-moore.com