Commit 362e08d2 authored Jul 07, 2017 by Daniel Mentz

Revert "proc: smaps: Allow smaps access for CAP_SYS_RESOURCE"



This reverts commit 9d19f72b.

This fixes CVE-2017-0710.

SELinux allows more fine grained control: We grant processes that need
access to smaps CAP_SYS_PTRACE but prohibit them from using ptrace
attach().

Bug: 34951864
Bug: 36468447
Change-Id: I8ea67f8771ec212950bc251ee750bd8a7e7c0643
Signed-off-by: Daniel Mentz <danielmentz@google.com>

parent 59ff2e15

kernel/fork.c

+1 −2

Original line number	Diff line number	Diff line
		@@ -827,8 +827,7 @@ struct mm_struct mm_access(struct task_struct task, unsigned int mode)

		mm = get_task_mm(task);
		if (mm && mm != current->mm &&
		!ptrace_may_access(task, mode) &&
		!capable(CAP_SYS_RESOURCE)) {
		!ptrace_may_access(task, mode)) {
		mmput(mm);
		mm = ERR_PTR(-EACCES);
		}