Commit 5e1f7ed7 authored Jul 07, 2017 by Daniel Mentz

Revert "proc: smaps: Allow smaps access for CAP_SYS_RESOURCE"



This reverts commit f0ce0eee.

This fixes CVE-2017-0710.

SELinux allows more fine grained control: We grant processes that need
access to smaps CAP_SYS_PTRACE but prohibit them from using ptrace
attach().

Bug: 34951864
Bug: 36468447
Change-Id: I57a47771177ee61561a7312bb6e6d78af887b5dd
Signed-off-by: Daniel Mentz <danielmentz@google.com>

parent 1cb8bb45

kernel/fork.c

+1 −2

Original line number	Diff line number	Diff line
		@@ -754,8 +754,7 @@ struct mm_struct mm_access(struct task_struct task, unsigned int mode)

		mm = get_task_mm(task);
		if (mm && mm != current->mm &&
		!ptrace_may_access(task, mode) &&
		!capable(CAP_SYS_RESOURCE)) {
		!ptrace_may_access(task, mode)) {
		mmput(mm);
		mm = ERR_PTR(-EACCES);
		}