| commit | 557102e3ede7dab854ae1da534a5daaf3dd8eb5d | [log] [tgz] |
|---|---|---|
| author | Jann Horn <[email protected]> | Sat Mar 19 02:08:37 2022 +0100 |
| committer | Michael Kochera <[email protected]> | Wed Jun 01 05:38:53 2022 +0000 |
| tree | 3816de5eac5849929b31823e955d1a3a0caa3175 | |
| parent | 9f532ed12d6b1717f2026aaa9af01db9256fdfe0 [diff] |
ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on PTRACE_SEIZE commit ee1fee900537b5d9560e9f937402de5ddc8412f3 upstream. Setting PTRACE_O_SUSPEND_SECCOMP is supposed to be a highly privileged operation because it allows the tracee to completely bypass all seccomp filters on kernels with CONFIG_CHECKPOINT_RESTORE=y. It is only supposed to be settable by a process with global CAP_SYS_ADMIN, and only if that process is not subject to any seccomp filters at all. However, while these permission checks were done on the PTRACE_SETOPTIONS path, they were missing on the PTRACE_SEIZE path, which also sets user-specified ptrace flags. Move the permissions checks out into a helper function and let both ptrace_attach() and ptrace_setoptions() call it. BUG=b/233870223 TEST=http://sponge2/a43d22d1-9fd6-4d63-a070-a38dcd23c56d RELEASE_NOTE=Fixed CVE-2022-30594 in Linux Kernel SOURCE=UPSTREAM(ee1fee900537b5d9560e9f937402de5ddc8412f3) cos-patch: security-moderate Cc: [email protected] Fixes: 13c4a90119d2 ("seccomp: add ptrace options for suspend/resume") Signed-off-by: Jann Horn <[email protected]> Link: https://lkml.kernel.org/r/[email protected] Signed-off-by: Eric W. Biederman <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]> Change-Id: Ifadfb7aa605e33f783ff99c29d2e374d8f38f45e Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/33304 Tested-by: Cusky Presubmit Bot <[email protected]> Reviewed-by: Vaibhav Rustagi <[email protected]>