Revert "UBUNTU: SAUCE: (noup) ptrace: being capable wrt a process requires mapped...
authorSeth Forshee <seth.forshee@canonical.com>
Wed, 9 Nov 2016 03:47:02 +0000 (21:47 -0600)
committerLuis Henriques <luis.henriques@canonical.com>
Wed, 9 Nov 2016 17:41:02 +0000 (17:41 +0000)
BugLink: https://bugs.launchpad.net/bugs/1639345
This reverts commit a76b8ce7ad1f65a96638f161ff83075de04ec9cc to
apply a more complete fix from linux-next.

CVE-2015-8709
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Acked-by: Brad Figg <brad.figg@canonical.com>
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
kernel/ptrace.c

index 32462e624ae3990ffcce2fd9d14706bcb4dfc2fb..3189e51db7e896c9596d607dd1ef7926367509c5 100644 (file)
@@ -207,32 +207,12 @@ static int ptrace_check_attach(struct task_struct *child, bool ignore_state)
        return ret;
 }
 
-static bool ptrace_has_cap(const struct cred *tcred, unsigned int mode)
+static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode)
 {
-       struct user_namespace *tns = tcred->user_ns;
-       struct user_namespace *curns = current_cred()->user_ns;
-
-       /* When a root-owned process enters a user namespace created by a
-        * malicious user, the user shouldn't be able to execute code under
-        * uid 0 by attaching to the root-owned process via ptrace.
-        * Therefore, similar to the capable_wrt_inode_uidgid() check,
-        * verify that all the uids and gids of the target process are
-        * mapped into the current namespace.
-        * No fsuid/fsgid check because __ptrace_may_access doesn't do it
-        * either.
-        */
-       if (!kuid_has_mapping(curns, tcred->euid) ||
-                       !kuid_has_mapping(curns, tcred->suid) ||
-                       !kuid_has_mapping(curns, tcred->uid)  ||
-                       !kgid_has_mapping(curns, tcred->egid) ||
-                       !kgid_has_mapping(curns, tcred->sgid) ||
-                       !kgid_has_mapping(curns, tcred->gid))
-               return false;
-
        if (mode & PTRACE_MODE_NOAUDIT)
-               return has_ns_capability_noaudit(current, tns, CAP_SYS_PTRACE);
+               return has_ns_capability_noaudit(current, ns, CAP_SYS_PTRACE);
        else
-               return has_ns_capability(current, tns, CAP_SYS_PTRACE);
+               return has_ns_capability(current, ns, CAP_SYS_PTRACE);
 }
 
 /* Returns 0 on success, -errno on denial. */
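Review bot: With the six `kuid_has_mapping()`/`kgid_has_mapping()` tests removed, `ptrace_has_cap()` grants access on `CAP_SYS_PTRACE` in the target's user namespace alone, which is the condition the deleted comment describes for CVE-2015-8709. The same gap applies at both call sites in `__ptrace_may_access()` in the next two hunks, which now pass `tcred->user_ns` and `__task_cred(task)->user_ns`. The message says a more complete fix from linux-next follows, but that change is not visible here, so a tree built or bisected at this commit is presumably unprotected, and the revert should never be cherry-picked or shipped without its replacement. I would name the replacement commit in the message and carry a marker above the function until it lands, for example `/* NOTE: no uid/gid mapping check here; depends on the follow-up ptrace fix for CVE-2015-8709 */`.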
@@ -284,7 +264,7 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
            gid_eq(caller_gid, tcred->sgid) &&
            gid_eq(caller_gid, tcred->gid))
                goto ok;
-       if (ptrace_has_cap(tcred, mode))
+       if (ptrace_has_cap(tcred->user_ns, mode))
                goto ok;
        rcu_read_unlock();
        return -EPERM;
@@ -295,7 +275,7 @@ ok:
                dumpable = get_dumpable(task->mm);
        rcu_read_lock();
        if (dumpable != SUID_DUMP_USER &&
-           !ptrace_has_cap(__task_cred(task), mode)) {
+           !ptrace_has_cap(__task_cred(task)->user_ns, mode)) {
                rcu_read_unlock();
                return -EPERM;
        }