[kernel] - SELinux apply a different permission to ptrace a child vs non-child - Reenable debug

Justin M. Forbes jforbes at fedoraproject.org
Mon Apr 9 21:39:19 UTC 2012


commit 1d7d6c12f3998ded631f92f6dccb997e1776a5c6
Author: Justin M. Forbes <jforbes at redhat.com>
Date:   Mon Apr 9 16:40:04 2012 -0500

    - SELinux apply a different permission to ptrace a child vs non-child
    - Reenable debug

 config-generic                                     |    8 +-
 config-nodebug                                     |  110 +++++++-------
 config-x86-generic                                 |    2 +-
 kernel.spec                                        |   18 ++-
 ...pply-different-permission-to-ptrace-child.patch |  162 ++++++++++++++++++++
 5 files changed, 237 insertions(+), 63 deletions(-)
---
diff --git a/config-generic b/config-generic
index f565c2f..b832223 100644
--- a/config-generic
+++ b/config-generic
@@ -1464,13 +1464,13 @@ CONFIG_B43_SDIO=y
 CONFIG_B43_BCMA=y
 # CONFIG_B43_BCMA_EXTRA is not set
 CONFIG_B43_BCMA_PIO=y
-# CONFIG_B43_DEBUG is not set
+CONFIG_B43_DEBUG=y
 CONFIG_B43_PHY_LP=y
 CONFIG_B43_PHY_N=y
 CONFIG_B43_PHY_HT=y
 # CONFIG_B43_FORCE_PIO is not set
 CONFIG_B43LEGACY=m
-# CONFIG_B43LEGACY_DEBUG is not set
+CONFIG_B43LEGACY_DEBUG=y
 CONFIG_B43LEGACY_DMA=y
 CONFIG_B43LEGACY_PIO=y
 CONFIG_B43LEGACY_DMA_AND_PIO_MODE=y
@@ -3054,7 +3054,7 @@ CONFIG_USB_STORAGE_REALTEK=m
 CONFIG_REALTEK_AUTOPM=y
 CONFIG_USB_STORAGE_ENE_UB6250=m
 # CONFIG_USB_LIBUSUAL is not set
-# CONFIG_USB_UAS is not set
+CONFIG_USB_UAS=m
 
 
 #
@@ -3959,7 +3959,7 @@ CONFIG_IBMASR=m
 CONFIG_PM_DEBUG=y
 CONFIG_PM_TRACE=y
 CONFIG_PM_TRACE_RTC=y
-# CONFIG_PM_TEST_SUSPEND is not set
+CONFIG_PM_TEST_SUSPEND=y
 CONFIG_PM_RUNTIME=y
 # CONFIG_PM_OPP is not set
 
diff --git a/config-nodebug b/config-nodebug
index aff3001..c147542 100644
--- a/config-nodebug
+++ b/config-nodebug
@@ -2,109 +2,109 @@ CONFIG_SND_VERBOSE_PRINTK=y
 CONFIG_SND_DEBUG=y
 CONFIG_SND_PCM_XRUN_DEBUG=y
 
-# CONFIG_DEBUG_ATOMIC_SLEEP is not set
-
-# CONFIG_DEBUG_MUTEXES is not set
-# CONFIG_DEBUG_RT_MUTEXES is not set
-# CONFIG_DEBUG_LOCK_ALLOC is not set
-# CONFIG_PROVE_LOCKING is not set
-# CONFIG_DEBUG_SPINLOCK is not set
-# CONFIG_PROVE_RCU is not set
+CONFIG_DEBUG_ATOMIC_SLEEP=y
+
+CONFIG_DEBUG_MUTEXES=y
+CONFIG_DEBUG_RT_MUTEXES=y
+CONFIG_DEBUG_LOCK_ALLOC=y
+CONFIG_PROVE_LOCKING=y
+CONFIG_DEBUG_SPINLOCK=y
+CONFIG_PROVE_RCU=y
 # CONFIG_PROVE_RCU_REPEATEDLY is not set
-# CONFIG_DEBUG_PER_CPU_MAPS is not set
+CONFIG_DEBUG_PER_CPU_MAPS=y
 CONFIG_CPUMASK_OFFSTACK=y
 
-# CONFIG_CPU_NOTIFIER_ERROR_INJECT is not set
+CONFIG_CPU_NOTIFIER_ERROR_INJECT=m
 
-# CONFIG_FAULT_INJECTION is not set
-# CONFIG_FAILSLAB is not set
-# CONFIG_FAIL_PAGE_ALLOC is not set
-# CONFIG_FAIL_MAKE_REQUEST is not set
-# CONFIG_FAULT_INJECTION_DEBUG_FS is not set
-# CONFIG_FAULT_INJECTION_STACKTRACE_FILTER is not set
-# CONFIG_FAIL_IO_TIMEOUT is not set
-# CONFIG_FAIL_MMC_REQUEST is not set
+CONFIG_FAULT_INJECTION=y
+CONFIG_FAILSLAB=y
+CONFIG_FAIL_PAGE_ALLOC=y
+CONFIG_FAIL_MAKE_REQUEST=y
+CONFIG_FAULT_INJECTION_DEBUG_FS=y
+CONFIG_FAULT_INJECTION_STACKTRACE_FILTER=y
+CONFIG_FAIL_IO_TIMEOUT=y
+CONFIG_FAIL_MMC_REQUEST=y
 
-# CONFIG_SLUB_DEBUG_ON is not set
+CONFIG_SLUB_DEBUG_ON=y
 
-# CONFIG_LOCK_STAT is not set
+CONFIG_LOCK_STAT=y
 
-# CONFIG_DEBUG_STACK_USAGE is not set
+CONFIG_DEBUG_STACK_USAGE=y
 
-# CONFIG_ACPI_DEBUG is not set
+CONFIG_ACPI_DEBUG=y
 # CONFIG_ACPI_DEBUG_FUNC_TRACE is not set
 
-# CONFIG_DEBUG_SG is not set
+CONFIG_DEBUG_SG=y
 
 # CONFIG_DEBUG_PAGEALLOC is not set
 
-# CONFIG_DEBUG_WRITECOUNT is not set
-# CONFIG_DEBUG_OBJECTS is not set
+CONFIG_DEBUG_WRITECOUNT=y
+CONFIG_DEBUG_OBJECTS=y
 # CONFIG_DEBUG_OBJECTS_SELFTEST is not set
-# CONFIG_DEBUG_OBJECTS_FREE is not set
-# CONFIG_DEBUG_OBJECTS_TIMERS is not set
-# CONFIG_DEBUG_OBJECTS_RCU_HEAD is not set
+CONFIG_DEBUG_OBJECTS_FREE=y
+CONFIG_DEBUG_OBJECTS_TIMERS=y
+CONFIG_DEBUG_OBJECTS_RCU_HEAD=y
 CONFIG_DEBUG_OBJECTS_ENABLE_DEFAULT=1
 
-# CONFIG_X86_PTDUMP is not set
+CONFIG_X86_PTDUMP=y
 
-# CONFIG_CAN_DEBUG_DEVICES is not set
+CONFIG_CAN_DEBUG_DEVICES=y
 
-# CONFIG_MODULE_FORCE_UNLOAD is not set
+CONFIG_MODULE_FORCE_UNLOAD=y
 
-# CONFIG_SYSCTL_SYSCALL_CHECK is not set
+CONFIG_SYSCTL_SYSCALL_CHECK=y
 
-# CONFIG_DEBUG_NOTIFIERS is not set
+CONFIG_DEBUG_NOTIFIERS=y
 
-# CONFIG_DMA_API_DEBUG is not set
+CONFIG_DMA_API_DEBUG=y
 
-# CONFIG_MMIOTRACE is not set
+CONFIG_MMIOTRACE=y
 
-# CONFIG_DEBUG_CREDENTIALS is not set
+CONFIG_DEBUG_CREDENTIALS=y
 
 # off in both production debug and nodebug builds,
 #  on in rawhide nodebug builds
-# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
+CONFIG_DEBUG_FORCE_WEAK_PER_CPU=y
 
-# CONFIG_EXT4_DEBUG is not set
+CONFIG_EXT4_DEBUG=y
 
-# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
+CONFIG_DEBUG_PERF_USE_VMALLOC=y
 
-# CONFIG_JBD2_DEBUG is not set
+CONFIG_JBD2_DEBUG=y
 
-# CONFIG_DEBUG_BLK_CGROUP is not set
+CONFIG_DEBUG_BLK_CGROUP=y
 
-# CONFIG_DRBD_FAULT_INJECTION is not set
+CONFIG_DRBD_FAULT_INJECTION=y
 
-# CONFIG_ATH_DEBUG is not set
-# CONFIG_CARL9170_DEBUGFS is not set
-# CONFIG_IWLWIFI_DEVICE_TRACING is not set
+CONFIG_ATH_DEBUG=y
+CONFIG_CARL9170_DEBUGFS=y
+CONFIG_IWLWIFI_DEVICE_TRACING=y
 
-# CONFIG_DEBUG_OBJECTS_WORK is not set
+CONFIG_DEBUG_OBJECTS_WORK=y
 
-# CONFIG_DMADEVICES_DEBUG is not set
-# CONFIG_DMADEVICES_VDEBUG is not set
+CONFIG_DMADEVICES_DEBUG=y
+CONFIG_DMADEVICES_VDEBUG=y
 
 CONFIG_PM_ADVANCED_DEBUG=y
 
-# CONFIG_CEPH_LIB_PRETTYDEBUG is not set
-# CONFIG_QUOTA_DEBUG is not set
+CONFIG_CEPH_LIB_PRETTYDEBUG=y
+CONFIG_QUOTA_DEBUG=y
 
 CONFIG_PCI_DEFAULT_USE_CRS=y
 
 CONFIG_KGDB_KDB=y
 CONFIG_KDB_KEYBOARD=y
 
-# CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER is not set
-# CONFIG_TEST_LIST_SORT is not set
+CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER=y
+CONFIG_TEST_LIST_SORT=y
 
-# CONFIG_DETECT_HUNG_TASK is not set
+CONFIG_DETECT_HUNG_TASK=y
 CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
 # CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
 
-# CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK is not set
+CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK=y
 
-# CONFIG_DEBUG_KMEMLEAK is not set
+CONFIG_DEBUG_KMEMLEAK=y
 CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024
 # CONFIG_DEBUG_KMEMLEAK_TEST is not set
 CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y
diff --git a/config-x86-generic b/config-x86-generic
index 859d92d..4243d22 100644
--- a/config-x86-generic
+++ b/config-x86-generic
@@ -313,7 +313,7 @@ CONFIG_STRICT_DEVMEM=y
 # CONFIG_NO_BOOTMEM is not set
 
 # CONFIG_MEMTEST is not set
-# CONFIG_MAXSMP is not set
+CONFIG_MAXSMP=y
 
 
 CONFIG_HP_ILO=m
diff --git a/kernel.spec b/kernel.spec
index fbb0cb0..c6fdf32 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -62,7 +62,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 2
+%global baserelease 3
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -163,7 +163,7 @@ Summary: The Linux kernel
 # Set debugbuildsenabled to 1 for production (build separate debug kernels)
 #  and 0 for rawhide (all kernels are debug kernels).
 # See also 'make debug' and 'make release'.
-%define debugbuildsenabled 1
+%define debugbuildsenabled 0
 
 # Want to build a vanilla kernel build without any non-upstream patches?
 %define with_vanilla %{?_with_vanilla: 1} %{?!_with_vanilla: 0}
@@ -176,7 +176,7 @@ Summary: The Linux kernel
 %define doc_build_fail true
 %endif
 
-%define rawhide_skip_docs 0
+%define rawhide_skip_docs 1
 %if 0%{?rawhide_skip_docs}
 %define with_doc 0
 %define doc_build_fail true
@@ -746,6 +746,9 @@ Patch21400: unhandled-irqs-switch-to-polling.patch
 
 Patch22000: weird-root-dentry-name-debug.patch
 
+#selinux ptrace child permissions
+Patch22001: selinux-apply-different-permission-to-ptrace-child.patch
+
 %endif
 
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -1429,6 +1432,9 @@ ApplyPatch unhandled-irqs-switch-to-polling.patch
 
 ApplyPatch weird-root-dentry-name-debug.patch
 
+#selinux ptrace child permissions
+ApplyPatch selinux-apply-different-permission-to-ptrace-child.patch
+
 #Highbank clock functions
 ApplyPatch highbank-export-clock-functions.patch 
 
@@ -2293,6 +2299,12 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Mon Apr 09 2012 Justin M. Forbes <jforbes at redhat.com> - 3.4.0-0.rc2.git0.3
+- Reenable debugging options.
+
+* Mon Apr 09 2012 Justin M. Forbes <jforbes at redhat.com>
+- SELinux apply a different permission to ptrace a child vs non-child
+
 * Mon Apr 09 2012 Justin M. Forbes <jforbes at redhat.com> - 3.4.0-0.rc2.git0.2
 - Disable debugging options.
 
diff --git a/selinux-apply-different-permission-to-ptrace-child.patch b/selinux-apply-different-permission-to-ptrace-child.patch
new file mode 100644
index 0000000..90baad8
--- /dev/null
+++ b/selinux-apply-different-permission-to-ptrace-child.patch
@@ -0,0 +1,162 @@
+Some applications, like gdb, are able to ptrace both children or other
+completely unrelated tasks.  We would like to be able to discern these two
+things and to be able to allow gdb to ptrace it's children, but not to be
+able to ptrace unrelated tasks for security reasons.
+
+Upstream is a bit weary of this patch as it may be incomplete.  They are
+not fundamentally opposed to the patch, I was just ask to see if I could
+flush out any needed refinement in Fedora where we already had the
+problem.  We may find that we need to emulate the YAMA non-child
+registration module in order to completely deal with 'normal' ptrace on
+a system.  At the moment however, this patch will at least let us get
+gdb working for many users in Fedora (See fedora-devel-list for a
+discussion of the current issues people are complaining about in F17
+without this)
+
+---
+
+ security/selinux/hooks.c            |   38 +++++++++++++++++++++++++++++++++++
+ security/selinux/include/classmap.h |    2 +-
+ security/selinux/include/security.h |    2 ++
+ security/selinux/selinuxfs.c        |    3 ++-
+ security/selinux/ss/services.c      |    3 +++
+ 5 files changed, 46 insertions(+), 2 deletions(-)
+
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index 1a4acf4..b226f26 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -1805,6 +1805,39 @@ static inline u32 open_file_to_av(struct file *file)
+ 
+ /* Hook functions begin here. */
+ 
++/**
++ * task_is_descendant - walk up a process family tree looking for a match
++ * @parent: the process to compare against while walking up from child
++ * @child: the process to start from while looking upwards for parent
++ *
++ * Returns 1 if child is a descendant of parent, 0 if not.
++ */
++static int task_is_descendant(struct task_struct *parent,
++			      struct task_struct *child)
++{
++	int rc = 0;
++	struct task_struct *walker = child;
++
++	if (!parent || !child)
++		return 0;
++
++	rcu_read_lock();
++	if (!thread_group_leader(parent))
++		parent = rcu_dereference(parent->group_leader);
++	while (walker->pid > 0) {
++		if (!thread_group_leader(walker))
++			walker = rcu_dereference(walker->group_leader);
++		if (walker == parent) {
++			rc = 1;
++			break;
++		}
++		walker = rcu_dereference(walker->real_parent);
++	}
++	rcu_read_unlock();
++
++	return rc;
++}
++
+ static int selinux_ptrace_access_check(struct task_struct *child,
+ 				     unsigned int mode)
+ {
+@@ -1820,6 +1853,9 @@ static int selinux_ptrace_access_check(struct task_struct *child,
+ 		return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
+ 	}
+ 
++
++	if (selinux_policycap_ptrace_child && task_is_descendant(current, child))
++		return current_has_perm(child, PROCESS__PTRACE_CHILD);
+ 	return current_has_perm(child, PROCESS__PTRACE);
+ }
+ 
+@@ -1831,6 +1867,8 @@ static int selinux_ptrace_traceme(struct task_struct *parent)
+ 	if (rc)
+ 		return rc;
+ 
++	if (selinux_policycap_ptrace_child && task_is_descendant(parent, current))
++		return task_has_perm(parent, current, PROCESS__PTRACE_CHILD);
+ 	return task_has_perm(parent, current, PROCESS__PTRACE);
+ }
+ 
+diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
+index 39e678c..72c08b9 100644
+--- a/security/selinux/include/classmap.h
++++ b/security/selinux/include/classmap.h
+@@ -29,7 +29,7 @@ struct security_class_mapping secclass_map[] = {
+ 	    "getattr", "setexec", "setfscreate", "noatsecure", "siginh",
+ 	    "setrlimit", "rlimitinh", "dyntransition", "setcurrent",
+ 	    "execmem", "execstack", "execheap", "setkeycreate",
+-	    "setsockcreate", NULL } },
++	    "setsockcreate", "ptrace_child", NULL } },
+ 	{ "system",
+ 	  { "ipc_info", "syslog_read", "syslog_mod",
+ 	    "syslog_console", "module_request", NULL } },
+diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
+index dde2005..ac14b0a 100644
+--- a/security/selinux/include/security.h
++++ b/security/selinux/include/security.h
+@@ -68,12 +68,14 @@ extern int selinux_enabled;
+ enum {
+ 	POLICYDB_CAPABILITY_NETPEER,
+ 	POLICYDB_CAPABILITY_OPENPERM,
++	POLICYDB_CAPABILITY_PTRACE_CHILD,
+ 	__POLICYDB_CAPABILITY_MAX
+ };
+ #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
+ 
+ extern int selinux_policycap_netpeer;
+ extern int selinux_policycap_openperm;
++extern int selinux_policycap_ptrace_child;
+ 
+ /*
+  * type_datum properties
+diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
+index 4e93f9e..3379765 100644
+--- a/security/selinux/selinuxfs.c
++++ b/security/selinux/selinuxfs.c
+@@ -44,7 +44,8 @@
+ /* Policy capability filenames */
+ static char *policycap_names[] = {
+ 	"network_peer_controls",
+-	"open_perms"
++	"open_perms",
++	"ptrace_child",
+ };
+ 
+ unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
+diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
+index 9b7e7ed..4d12a6e 100644
+--- a/security/selinux/ss/services.c
++++ b/security/selinux/ss/services.c
+@@ -72,6 +72,7 @@
+ 
+ int selinux_policycap_netpeer;
+ int selinux_policycap_openperm;
++int selinux_policycap_ptrace_child;
+ 
+ static DEFINE_RWLOCK(policy_rwlock);
+ 
+@@ -1812,6 +1813,8 @@ static void security_load_policycaps(void)
+ 						  POLICYDB_CAPABILITY_NETPEER);
+ 	selinux_policycap_openperm = ebitmap_get_bit(&policydb.policycaps,
+ 						  POLICYDB_CAPABILITY_OPENPERM);
++	selinux_policycap_ptrace_child = ebitmap_get_bit(&policydb.policycaps,
++						  POLICYDB_CAPABILITY_PTRACE_CHILD);
+ }
+ 
+ static int security_preserve_bools(struct policydb *p);
+
+
+
+
+_______________________________________________
+kernel mailing list
+kernel at lists.fedoraproject.org
+https://admin.fedoraproject.org/mailman/listinfo/kernel
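Review bot: In selinux_ptrace_access_check (the `@@ -1820` hunk of security/selinux/hooks.c) the new branch returns the `ptrace_child` decision without falling through to `ptrace`, so once the `ptrace_child` policy capability is set a domain that is allowed `ptrace` but not `ptrace_child` can no longer trace its own descendants; selinux_ptrace_traceme behaves the same way. If that is the intended semantics (ptrace_child replaces rather than narrows ptrace for descendants), it should be stated in the patch description and in a comment above the check, e.g. `/* with the ptrace_child policycap, descendants are governed by ptrace_child alone */`, since policy authors must then grant both permissions. task_is_descendant appears to duplicate the helper of the same name in the Yama LSM that the description mentions; a comment recording that origin would help keep the two walks in sync. The extra blank line added before the new check in that hunk leaves two consecutive blank lines. The last lines of the new file (after the services.c hunk) are a captured mailing-list footer; `patch` ignores trailing text, but it is noise worth trimming from the .patch.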

