Commit d4eb82c783992551c574580eb55fddc8bb006ad0
Committed by
Linus Torvalds
1 parent
12b5989be1
[PATCH] make cap_ptrace enforce PTRACE_TRACME checks
PTRACE_TRACEME doesn't have proper capabilities validation when parent is less privileged than child. Issue pointed out by Ram Gupta <ram.gupta5@gmail.com>. Note: I haven't identified a strong security issue, and it's a small ABI change that could break apps that rely on existing behaviour (which allows parent that is less privileged than child to ptrace when child does PTRACE_TRACEME). Signed-off-by: Chris Wright <chrisw@sous-sol.org> Cc: Ram Gupta <ram.gupta5@gmail.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Showing 1 changed file with 2 additions and 2 deletions Side-by-side Diff
security/commoncap.c
... | ... | @@ -60,8 +60,8 @@ |
60 | 60 | int cap_ptrace (struct task_struct *parent, struct task_struct *child) |
61 | 61 | { |
62 | 62 | /* Derived from arch/i386/kernel/ptrace.c:sys_ptrace. */ |
63 | - if (!cap_issubset (child->cap_permitted, current->cap_permitted) && | |
64 | - !capable(CAP_SYS_PTRACE)) | |
63 | + if (!cap_issubset(child->cap_permitted, parent->cap_permitted) && | |
64 | + !__capable(parent, CAP_SYS_PTRACE)) | |
65 | 65 | return -EPERM; |
66 | 66 | return 0; |
67 | 67 | } |