UPSTREAM: Sanitize 'move_pages()' permission checks
The 'move_paghes()' system call was introduced long long ago with the
same permission checks as for sending a signal (except using
CAP_SYS_NICE instead of CAP_SYS_KILL for the overriding capability).
That turns out to not be a great choice - while the system call really
only moves physical page allocations around (and you need other
capabilities to do a lot of it), you can check the return value to map
out some the virtual address choices and defeat ASLR of a binary that
still shares your uid.
So change the access checks to the more common 'ptrace_may_access()'
model instead.
This tightens the access checks for the uid, and also effectively
changes the CAP_SYS_NICE check to CAP_SYS_PTRACE, but it's unlikely that
anybody really _uses_ this legacy system call any more (we hav ebetter
NUMA placement models these days), so I expect nobody to notice.
Famous last words.
BUG=chromium:762903
TEST=Build and run
Change-Id: Ie5c0299225b5e05a5da3c9e86d9275a28f073f44
Reported-by: Otto Ebeling <[email protected]>
Acked-by: Eric W. Biederman <[email protected]>
Cc: Willy Tarreau <[email protected]>
Cc: [email protected]
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Guenter Roeck <[email protected]>
(cherry picked from commit 197e7e521384a23)
Reviewed-on: https://chromium-review.googlesource.com/664042
1 file changed
