Yama: add PR_SET_PTRACER_ANY

For a process to entirely disable Yama ptrace restrictions, it can use
the special PR_SET_PTRACER_ANY pid to indicate that any otherwise allowed
process may ptrace it. This is stronger than calling PR_SET_PTRACER with
pid "1" because it includes processes in external pid namespaces. This is
currently needed by the Chrome renderer, since its crash handler (Breakpad)
runs external to the renderer's pid namespace.

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: James Morris <jmorris@namei.org>

diff --git a/Documentation/security/Yama.txt b/Documentation/security/Yama.txt
index 4f0b7896a21da15ebdac1c03f50e4be8ab1c0d43..a9511f179069121e7805307dd36e3d920da0b054 100644 (file)
--- a/Documentation/security/Yama.txt
+++ b/Documentation/security/Yama.txt
@@ -41,7 +41,12 @@ other process (and its descendents) are allowed to call PTRACE_ATTACH
 against it. Only one such declared debugging process can exists for
 each inferior at a time. For example, this is used by KDE, Chromium, and
 Firefox's crash handlers, and by Wine for allowing only Wine processes
-to ptrace each other.
+to ptrace each other. If a process wishes to entirely disable these ptrace
+restrictions, it can call prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY, ...)
+so that any otherwise allowed process (even those in external pid namespaces)
+may attach.
+
+The sysctl settings are:
 
 0 - classic ptrace permissions: a process can PTRACE_ATTACH to any other
     process running under the same uid, as long as it is dumpable (i.e.

diff --git a/include/linux/prctl.h b/include/linux/prctl.h
index 4d0e5bc5458cb09ba0ae6d1f3d1376fe2c0c030e..a0413ac3abe86db4fed4cdc003c2493e0438fe2d 100644 (file)
--- a/include/linux/prctl.h
+++ b/include/linux/prctl.h
@@ -119,5 +119,6 @@
  * A value of 0 mean "no process".
  */
 #define PR_SET_PTRACER 0x59616d61
+# define PR_SET_PTRACER_ANY ((unsigned long)-1)
 
 #endif /* _LINUX_PRCTL_H */

diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
index dd4d36067c50e4bd3f158b90b9935acd2ea02ef5..573723843a04fa3c3701826519652cea3b46029d 100644 (file)
--- a/security/yama/yama_lsm.c
+++ b/security/yama/yama_lsm.c
@@ -84,7 +84,7 @@ static void yama_ptracer_del(struct task_struct *tracer,
        spin_lock_bh(&ptracer_relations_lock);
        list_for_each_entry_safe(relation, safe, &ptracer_relations, node)
                if (relation->tracee == tracee ||
-                   relation->tracer == tracer) {
+                   (tracer && relation->tracer == tracer)) {
                        list_del(&relation->node);
                        kfree(relation);
                }
@@ -138,6 +138,8 @@ static int yama_task_prctl(int option, unsigned long arg2, unsigned long arg3,
                if (arg2 == 0) {
                        yama_ptracer_del(NULL, myself);
                        rc = 0;
+               } else if (arg2 == PR_SET_PTRACER_ANY) {
+                       rc = yama_ptracer_add(NULL, myself);
                } else {
                        struct task_struct *tracer;
 
@@ -208,6 +210,7 @@ static int ptracer_exception_found(struct task_struct *tracer,
        int rc = 0;
        struct ptrace_relation *relation;
        struct task_struct *parent = NULL;
+       bool found = false;
 
        spin_lock_bh(&ptracer_relations_lock);
        rcu_read_lock();
@@ -216,10 +219,11 @@ static int ptracer_exception_found(struct task_struct *tracer,
        list_for_each_entry(relation, &ptracer_relations, node)
                if (relation->tracee == tracee) {
                        parent = relation->tracer;
+                       found = true;
                        break;
                }
 
-       if (task_is_descendant(parent, tracer))
+       if (found && (parent == NULL || task_is_descendant(parent, tracer)))
                rc = 1;
        rcu_read_unlock();
        spin_unlock_bh(&ptracer_relations_lock);