[PATCH v10 4/9] proc: instantiate only pids that we can ptrace on 'hidepid=4' mount option
Kees Cook
keescook at chromium.org
Sat Mar 28 20:40:03 UTC 2020
On Fri, Mar 27, 2020 at 06:23:26PM +0100, Alexey Gladkov wrote:
> If "hidepid=4" mount option is set then do not instantiate pids that
> we can not ptrace. "hidepid=4" means that procfs should only contain
> pids that the caller can ptrace.
>
> Cc: Kees Cook <keescook at chromium.org>
> Cc: Andy Lutomirski <luto at kernel.org>
> Signed-off-by: Djalal Harouni <tixxdz at gmail.com>
> Reviewed-by: Alexey Dobriyan <adobriyan at gmail.com>
> Signed-off-by: Alexey Gladkov <gladkov.alexey at gmail.com>
> ---
> fs/proc/base.c | 15 +++++++++++++++
> fs/proc/root.c | 13 ++++++++++---
> include/linux/proc_fs.h | 1 +
> 3 files changed, 26 insertions(+), 3 deletions(-)
>
> diff --git a/fs/proc/base.c b/fs/proc/base.c
> index 43a28907baf9..1ebe9eba48ea 100644
> --- a/fs/proc/base.c
> +++ b/fs/proc/base.c
> @@ -701,6 +701,14 @@ static bool has_pid_permissions(struct proc_fs_info *fs_info,
> struct task_struct *task,
> int hide_pid_min)
> {
> + /*
> + * If 'hidpid' mount option is set force a ptrace check,
> + * we indicate that we are using a filesystem syscall
> + * by passing PTRACE_MODE_READ_FSCREDS
> + */
> + if (fs_info->hide_pid == HIDEPID_NOT_PTRACEABLE)
> + return ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS);
> +
> if (fs_info->hide_pid < hide_pid_min)
> return true;
> if (in_group_p(fs_info->pid_gid))
> @@ -3319,7 +3327,14 @@ struct dentry *proc_pid_lookup(struct dentry *dentry, unsigned int flags)
> if (!task)
> goto out;
>
> + /* Limit procfs to only ptraceable tasks */
> + if (fs_info->hide_pid == HIDEPID_NOT_PTRACEABLE) {
> + if (!has_pid_permissions(fs_info, task, HIDEPID_NO_ACCESS))
> + goto out_put_task;
> + }
> +
> result = proc_pid_instantiate(dentry, task, NULL);
> +out_put_task:
> put_task_struct(task);
> out:
> return result;
> diff --git a/fs/proc/root.c b/fs/proc/root.c
> index 616e8976185c..62eae22403d2 100644
> --- a/fs/proc/root.c
> +++ b/fs/proc/root.c
> @@ -47,6 +47,14 @@ static const struct fs_parameter_spec proc_fs_parameters[] = {
> {}
> };
>
> +static inline int valid_hidepid(unsigned int value)
> +{
> + return (value == HIDEPID_OFF ||
> + value == HIDEPID_NO_ACCESS ||
> + value == HIDEPID_INVISIBLE ||
> + value == HIDEPID_NOT_PTRACEABLE);
This likely easier to do with a ...MAX value? i.e.
return (value < HIDEPID_OFF || value >= HIDEPID_MAX);
> +}
> +
> static int proc_parse_param(struct fs_context *fc, struct fs_parameter *param)
> {
> struct proc_fs_context *ctx = fc->fs_private;
> @@ -63,10 +71,9 @@ static int proc_parse_param(struct fs_context *fc, struct fs_parameter *param)
> break;
>
> case Opt_hidepid:
> + if (!valid_hidepid(result.uint_32))
> + return invalf(fc, "proc: unknown value of hidepid.\n");
> ctx->hidepid = result.uint_32;
> - if (ctx->hidepid < HIDEPID_OFF ||
> - ctx->hidepid > HIDEPID_INVISIBLE)
> - return invalfc(fc, "hidepid value must be between 0 and 2.\n");
> break;
>
> default:
> diff --git a/include/linux/proc_fs.h b/include/linux/proc_fs.h
> index 7d852dbca253..21d19353fdc7 100644
> --- a/include/linux/proc_fs.h
> +++ b/include/linux/proc_fs.h
> @@ -32,6 +32,7 @@ enum {
> HIDEPID_OFF = 0,
> HIDEPID_NO_ACCESS = 1,
> HIDEPID_INVISIBLE = 2,
> + HIDEPID_NOT_PTRACEABLE = 4, /* Limit pids to only ptraceable pids */
This isn't a bit field -- shouldn't this be "3"?
...
HIDEPID_NOT_PTRACEABLE = 3,
HIDEPID_MAX
etc?
> };
>
> struct proc_fs_info {
> --
> 2.25.2
>
--
Kees Cook
More information about the Linux-security-module-archive
mailing list