Commit 96d0df79 authored Sep 11, 2013 by Oleg Nesterov Committed by Linus Torvalds Sep 11, 2013

proc: make proc_fd_permission() thread-friendly



proc_fd_permission() says "process can still access /proc/self/fd after it
has executed a setuid()", but the "task_pid() = proc_pid() check only
helps if the task is group leader, /proc/self points to
/proc/<leader-pid>.

Change this check to use task_tgid() so that the whole thread group can
access its /proc/self/fd or /proc/<tid-of-sub-thread>/fd.

Notes:
	- CLONE_THREAD does not require CLONE_FILES so task->files
	  can differ, but I don't think this can lead to any security
	  problem. And this matches same_thread_group() in
	  __ptrace_may_access().

	- /proc/self should probably point to /proc/<thread-tid>, but
	  it is too late to change the rules. Perhaps it makes sense
	  to add /proc/thread though.

Test-case:

	void *tfunc(void *arg)
	{
		assert(opendir("/proc/self/fd"));
		return NULL;
	}

	int main(void)
	{
		pthread_t t;
		pthread_create(&t, NULL, tfunc, NULL);
		pthread_join(t, NULL);
		return 0;
	}

fails if, say, this executable is not readable and suid_dumpable = 0.

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

parent a3c03992

fs/proc/fd.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -286,7 +286,7 @@ int proc_fd_permission(struct inode *inode, int mask)
		int rv = generic_permission(inode, mask);
		if (rv == 0)
		return 0;
		if (task_pid(current) == proc_pid(inode))
		if (task_tgid(current) == proc_pid(inode))
		rv = 0;
		return rv;
		}

Admin message