Commit 96d0df79 authored by Oleg Nesterov's avatar Oleg Nesterov Committed by Linus Torvalds
Browse files

proc: make proc_fd_permission() thread-friendly



proc_fd_permission() says "process can still access /proc/self/fd after it
has executed a setuid()", but the "task_pid() = proc_pid() check only
helps if the task is group leader, /proc/self points to
/proc/<leader-pid>.

Change this check to use task_tgid() so that the whole thread group can
access its /proc/self/fd or /proc/<tid-of-sub-thread>/fd.

Notes:
	- CLONE_THREAD does not require CLONE_FILES so task->files
	  can differ, but I don't think this can lead to any security
	  problem. And this matches same_thread_group() in
	  __ptrace_may_access().

	- /proc/self should probably point to /proc/<thread-tid>, but
	  it is too late to change the rules. Perhaps it makes sense
	  to add /proc/thread though.

Test-case:

	void *tfunc(void *arg)
	{
		assert(opendir("/proc/self/fd"));
		return NULL;
	}

	int main(void)
	{
		pthread_t t;
		pthread_create(&t, NULL, tfunc, NULL);
		pthread_join(t, NULL);
		return 0;
	}

fails if, say, this executable is not readable and suid_dumpable = 0.
Signed-off-by: default avatarOleg Nesterov <oleg@redhat.com>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent a3c03992
...@@ -286,7 +286,7 @@ int proc_fd_permission(struct inode *inode, int mask) ...@@ -286,7 +286,7 @@ int proc_fd_permission(struct inode *inode, int mask)
int rv = generic_permission(inode, mask); int rv = generic_permission(inode, mask);
if (rv == 0) if (rv == 0)
return 0; return 0;
if (task_pid(current) == proc_pid(inode)) if (task_tgid(current) == proc_pid(inode))
rv = 0; rv = 0;
return rv; return rv;
} }
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment