userns: allow ptrace from non-init user namespaces

ptrace is allowed to tasks in the same user namespace according to the
usual rules (i.e.  the same rules as for two tasks in the init user
namespace).  ptrace is also allowed to a user namespace to which the
current task the has CAP_SYS_PTRACE capability.

Changelog:
	Dec 31: Address feedback by Eric:
		. Correct ptrace uid check
		. Rename may_ptrace_ns to ptrace_capable
		. Also fix the cap_ptrace checks.
	Jan  1: Use const cred struct
	Jan 11: use task_ns_capable() in place of ptrace_capable().
	Feb 23: same_or_ancestore_user_ns() was not an appropriate
		check to constrain cap_issubset.  Rather, cap_issubset()
		only is meaningful when both capsets are in the same
		user_ns.

Signed-off-by: Serge E. Hallyn <serge.hallyn@canonical.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Acked-by: Daniel Lezcano <daniel.lezcano@free.fr>
Acked-by: David Howells <dhowells@redhat.com>
Cc: James Morris <jmorris@namei.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

diff --git a/include/linux/capability.h b/include/linux/capability.h
index 7c9c82903012ebaa9fe8fec79e9efb62c518b12b..2ec4a8cc86a59092a8300804b4465dfdf6082d9c 100644 (file)
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -553,6 +553,8 @@ static inline kernel_cap_t cap_raise_nfsd_set(const kernel_cap_t a,
  */
 #define has_capability(t, cap) (security_real_capable((t), &init_user_ns, (cap)) == 0)
 
+#define has_ns_capability(t, ns, cap) (security_real_capable((t), (ns), (cap)) == 0)
+
 /**
  * has_capability_noaudit - Determine if a task has a superior capability available (unaudited)
  * @t: The task in question

diff --git a/kernel/ptrace.c b/kernel/ptrace.c
index e2302e40b360006d671b4fe5cad9baf5de7419e3..0fc1eed28d2783e0b2779fe50d1ff86fbf4ca858 100644 (file)
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -134,21 +134,24 @@ int __ptrace_may_access(struct task_struct *task, unsigned int mode)
                return 0;
        rcu_read_lock();
        tcred = __task_cred(task);
-       if ((cred->uid != tcred->euid ||
-            cred->uid != tcred->suid ||
-            cred->uid != tcred->uid  ||
-            cred->gid != tcred->egid ||
-            cred->gid != tcred->sgid ||
-            cred->gid != tcred->gid) &&
-           !capable(CAP_SYS_PTRACE)) {
-               rcu_read_unlock();
-               return -EPERM;
-       }
+       if (cred->user->user_ns == tcred->user->user_ns &&
+           (cred->uid == tcred->euid &&
+            cred->uid == tcred->suid &&
+            cred->uid == tcred->uid  &&
+            cred->gid == tcred->egid &&
+            cred->gid == tcred->sgid &&
+            cred->gid == tcred->gid))
+               goto ok;
+       if (ns_capable(tcred->user->user_ns, CAP_SYS_PTRACE))
+               goto ok;
+       rcu_read_unlock();
+       return -EPERM;
+ok:
        rcu_read_unlock();
        smp_rmb();
        if (task->mm)
                dumpable = get_dumpable(task->mm);
-       if (!dumpable && !capable(CAP_SYS_PTRACE))
+       if (!dumpable && !task_ns_capable(task, CAP_SYS_PTRACE))
                return -EPERM;
 
        return security_ptrace_access_check(task, mode);
@@ -198,7 +201,7 @@ static int ptrace_attach(struct task_struct *task)
                goto unlock_tasklist;
 
        task->ptrace = PT_PTRACED;
-       if (capable(CAP_SYS_PTRACE))
+       if (task_ns_capable(task, CAP_SYS_PTRACE))
                task->ptrace |= PT_PTRACE_CAP;
 
        __ptrace_link(task, current);

diff --git a/security/commoncap.c b/security/commoncap.c
index 43a205bc7d7c52645a4dfa1fa4172fb770059fbf..f20e984ccfb459c141222f51791f4b5a3fcab6a9 100644 (file)
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -127,18 +127,30 @@ int cap_settime(const struct timespec *ts, const struct timezone *tz)
  * @child: The process to be accessed
  * @mode: The mode of attachment.
  *
+ * If we are in the same or an ancestor user_ns and have all the target
+ * task's capabilities, then ptrace access is allowed.
+ * If we have the ptrace capability to the target user_ns, then ptrace
+ * access is allowed.
+ * Else denied.
+ *
  * Determine whether a process may access another, returning 0 if permission
  * granted, -ve if denied.
  */
 int cap_ptrace_access_check(struct task_struct *child, unsigned int mode)
 {
        int ret = 0;
+       const struct cred *cred, *child_cred;
 
        rcu_read_lock();
-       if (!cap_issubset(__task_cred(child)->cap_permitted,
-                         current_cred()->cap_permitted) &&
-           !capable(CAP_SYS_PTRACE))
-               ret = -EPERM;
+       cred = current_cred();
+       child_cred = __task_cred(child);
+       if (cred->user->user_ns == child_cred->user->user_ns &&
+           cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
+               goto out;
+       if (ns_capable(child_cred->user->user_ns, CAP_SYS_PTRACE))
+               goto out;
+       ret = -EPERM;
+out:
        rcu_read_unlock();
        return ret;
 }
@@ -147,18 +159,30 @@ int cap_ptrace_access_check(struct task_struct *child, unsigned int mode)
  * cap_ptrace_traceme - Determine whether another process may trace the current
  * @parent: The task proposed to be the tracer
  *
+ * If parent is in the same or an ancestor user_ns and has all current's
+ * capabilities, then ptrace access is allowed.
+ * If parent has the ptrace capability to current's user_ns, then ptrace
+ * access is allowed.
+ * Else denied.
+ *
  * Determine whether the nominated task is permitted to trace the current
  * process, returning 0 if permission is granted, -ve if denied.
  */
 int cap_ptrace_traceme(struct task_struct *parent)
 {
        int ret = 0;
+       const struct cred *cred, *child_cred;
 
        rcu_read_lock();
-       if (!cap_issubset(current_cred()->cap_permitted,
-                         __task_cred(parent)->cap_permitted) &&
-           !has_capability(parent, CAP_SYS_PTRACE))
-               ret = -EPERM;
+       cred = __task_cred(parent);
+       child_cred = current_cred();
+       if (cred->user->user_ns == child_cred->user->user_ns &&
+           cap_issubset(child_cred->cap_permitted, cred->cap_permitted))
+               goto out;
+       if (has_ns_capability(parent, child_cred->user->user_ns, CAP_SYS_PTRACE))
+               goto out;
+       ret = -EPERM;
+out:
        rcu_read_unlock();
        return ret;
 }