Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 159d08f4 authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 

Pull Yama locking fix from James Morris:
 "Fix for the Yama LSM"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  Yama: fix double-spinlock and user access in atomic context
parents 2f7c3a18 dca6b414

security/yama/yama_lsm.c

+63 −6
Original line number Original line Diff line number Diff line
@@ -19,6 +19,9 @@ 
#include <linux/ratelimit.h>

#include <linux/ratelimit.h>

#include <linux/workqueue.h>

#include <linux/workqueue.h>

#include <linux/string_helpers.h>

#include <linux/string_helpers.h>

#include <linux/task_work.h>

#include <linux/sched.h>

#include <linux/spinlock.h>





#define YAMA_SCOPE_DISABLED	0

#define YAMA_SCOPE_DISABLED	0

#define YAMA_SCOPE_RELATIONAL	1

#define YAMA_SCOPE_RELATIONAL	1
@@ -42,20 +45,71 @@ static DEFINE_SPINLOCK(ptracer_relations_lock); 
static void yama_relation_cleanup(struct work_struct *work);

static void yama_relation_cleanup(struct work_struct *work);

static DECLARE_WORK(yama_relation_work, yama_relation_cleanup);

static DECLARE_WORK(yama_relation_work, yama_relation_cleanup);





static void report_access(const char *access, struct task_struct *target,

struct access_report_info {

			  struct task_struct *agent)

	struct callback_head work;

	const char *access;

	struct task_struct *target;

	struct task_struct *agent;

};



static void __report_access(struct callback_head *work)

{

{

	struct access_report_info *info =

		container_of(work, struct access_report_info, work);

	char *target_cmd, *agent_cmd;

	char *target_cmd, *agent_cmd;





	target_cmd = kstrdup_quotable_cmdline(target, GFP_ATOMIC);

	target_cmd = kstrdup_quotable_cmdline(info->target, GFP_KERNEL);

	agent_cmd = kstrdup_quotable_cmdline(agent, GFP_ATOMIC);

	agent_cmd = kstrdup_quotable_cmdline(info->agent, GFP_KERNEL);





	pr_notice_ratelimited(

	pr_notice_ratelimited(

		"ptrace %s of \"%s\"[%d] was attempted by \"%s\"[%d]\n",

		"ptrace %s of \"%s\"[%d] was attempted by \"%s\"[%d]\n",

		access, target_cmd, target->pid, agent_cmd, agent->pid);

		info->access, target_cmd, info->target->pid, agent_cmd,

		info->agent->pid);





	kfree(agent_cmd);

	kfree(agent_cmd);

	kfree(target_cmd);

	kfree(target_cmd);



	put_task_struct(info->agent);

	put_task_struct(info->target);

	kfree(info);

}



/* defers execution because cmdline access can sleep */

static void report_access(const char *access, struct task_struct *target,

				struct task_struct *agent)

{

	struct access_report_info *info;

	char agent_comm[sizeof(agent->comm)];



	assert_spin_locked(&target->alloc_lock); /* for target->comm */



	if (current->flags & PF_KTHREAD) {

		/* I don't think kthreads call task_work_run() before exiting.

		 * Imagine angry ranting about procfs here.

		 */

		pr_notice_ratelimited(

		    "ptrace %s of \"%s\"[%d] was attempted by \"%s\"[%d]\n",

		    access, target->comm, target->pid,

		    get_task_comm(agent_comm, agent), agent->pid);

		return;

	}



	info = kmalloc(sizeof(*info), GFP_ATOMIC);

	if (!info)

		return;

	init_task_work(&info->work, __report_access);

	get_task_struct(target);

	get_task_struct(agent);

	info->access = access;

	info->target = target;

	info->agent = agent;

	if (task_work_add(current, &info->work, true) == 0)

		return; /* success */



	WARN(1, "report_access called from exiting task");

	put_task_struct(target);

	put_task_struct(agent);

	kfree(info);

}

}





/**

/**
@@ -351,8 +405,11 @@ int yama_ptrace_traceme(struct task_struct *parent) 
		break;

		break;

	}

	}





	if (rc)

	if (rc) {

		task_lock(current);

		report_access("traceme", current, parent);

		report_access("traceme", current, parent);

		task_unlock(current);

	}





	return rc;

	return rc;

}

}