    proc: make proc_fd_permission() thread-friendly · 96d0df79
    Oleg Nesterov authored
    
    
    proc_fd_permission() says "process can still access /proc/self/fd after it
    has executed a setuid()", but the "task_pid() = proc_pid()" check only
    helps if the task is the group leader; /proc/self points to
    /proc/<leader-pid>.
    
    Change this check to use task_tgid() so that the whole thread group can
    access its /proc/self/fd or /proc/<tid-of-sub-thread>/fd.
    
    Notes:
    	- CLONE_THREAD does not require CLONE_FILES so task->files
    	  can differ, but I don't think this can lead to any security
    	  problem. And this matches same_thread_group() in
    	  __ptrace_may_access().
    
    	- /proc/self should probably point to /proc/<thread-tid>, but
    	  it is too late to change the rules. Perhaps it makes sense
    	  to add /proc/thread though.
    
    Test-case:
    
    	#include <assert.h>
    	#include <dirent.h>
    	#include <pthread.h>
    	#include <stddef.h>
    
    	/* Runs in a non-leader thread: /proc/self names the leader's pid,
    	 * so before this change the fd directory could be refused here. */
    	void *tfunc(void *arg)
    	{
    		assert(opendir("/proc/self/fd"));
    		return NULL;
    	}
    
    	int main(void)
    	{
    		pthread_t t;
    		pthread_create(&t, NULL, tfunc, NULL);
    		pthread_join(t, NULL);
    		return 0;
    	}
    
    fails if, say, this executable is not readable and suid_dumpable = 0.
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
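The situation the commit message describes, as an added user-space example (not the kernel's code and not part of the commit): a sub-thread reads the target of the /proc/self symlink, compares it with its own tid (via SYS_gettid) and the thread-group id (getpid), and then tries to open both /proc/self/fd and /proc/<tid>/fd. On Linux the symlink resolves to the leader's pid, which is exactly why a check on task_pid() rather than task_tgid() excluded non-leader threads. The struct and function names (`probe`, `run_probe`, `self_points_to_leader`, `fd_dirs_open_from_subthread`) are constructed for this example; it assumes a mounted /proc and a readable executable, so both directories open in the ordinary case.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Results gathered inside the sub-thread (struct constructed for this example). */
struct probe {
	long tid;          /* id of the sub-thread itself (SYS_gettid) */
	long tgid;         /* thread-group leader id (getpid) */
	long self_target;  /* pid that /proc/self resolves to, -1 on error */
	int self_fd_ok;    /* opendir("/proc/self/fd") succeeded */
	int tid_fd_ok;     /* opendir("/proc/<tid>/fd") succeeded */
};

static int try_opendir(const char *path)
{
	DIR *d = opendir(path);
	if (!d)
		return 0;
	closedir(d);
	return 1;
}

/* Thread body: everything is observed from a non-leader thread. */
static void *probe_thread(void *arg)
{
	struct probe *p = arg;
	char buf[64], path[64];
	ssize_t n;

	p->tid = syscall(SYS_gettid);
	p->tgid = getpid();

	/* /proc/self is a symlink to "<pid>"; read its text, not its target dir. */
	n = readlink("/proc/self", buf, sizeof(buf) - 1);
	if (n < 0) {
		p->self_target = -1;
	} else {
		buf[n] = '\0';
		p->self_target = strtol(buf, NULL, 10);
	}

	p->self_fd_ok = try_opendir("/proc/self/fd");
	snprintf(path, sizeof(path), "/proc/%ld/fd", p->tid);
	p->tid_fd_ok = try_opendir(path);
	return NULL;
}

/* Run the probe in a freshly created thread; returns 0 if no thread could start. */
int run_probe(struct probe *p)
{
	pthread_t t;
	memset(p, 0, sizeof(*p));
	if (pthread_create(&t, NULL, probe_thread, p) != 0)
		return 0;
	pthread_join(t, NULL);
	return 1;
}

/* 1 when /proc/self names the group leader rather than the calling thread. */
int self_points_to_leader(void)
{
	struct probe p;
	if (!run_probe(&p))
		return 0;
	return p.self_target == p.tgid && p.tid != p.tgid;
}

/* 1 when both /proc/self/fd and /proc/<tid>/fd open from the sub-thread. */
int fd_dirs_open_from_subthread(void)
{
	struct probe p;
	if (!run_probe(&p))
		return 0;
	return p.self_fd_ok && p.tid_fd_ok;
}

int main(void)
{
	struct probe p;
	if (!run_probe(&p))
		return 1;
	printf("tid=%ld tgid=%ld /proc/self->%ld self/fd=%d tid/fd=%d\n",
	       p.tid, p.tgid, p.self_target, p.self_fd_ok, p.tid_fd_ok);
	return 0;
}
```

Because the sub-thread's tid differs from the pid that /proc/self resolves to, a permission check keyed on the caller's pid can only pass for the leader; comparing thread-group ids, as the commit does, admits every thread of the group without admitting any other process.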