ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on PTRACE_SEIZE
commit ee1fee900537b5d9560e9f937402de5ddc8412f3 upstream.
Setting PTRACE_O_SUSPEND_SECCOMP is supposed to be a highly privileged
operation because it allows the tracee to completely bypass all seccomp
filters on kernels with CONFIG_CHECKPOINT_RESTORE=y. It is only supposed to
be settable by a process with global CAP_SYS_ADMIN, and only if that
process is not subject to any seccomp filters at all.
However, while these permission checks were done on the PTRACE_SETOPTIONS
path, they were missing on the PTRACE_SEIZE path, which also sets
user-specified ptrace flags.
Move the permissions checks out into a helper function and let both
ptrace_attach() and ptrace_setoptions() call it.
BUG=b/233870223
TEST=http://sponge2/a43d22d1-9fd6-4d63-a070-a38dcd23c56d
RELEASE_NOTE=Fixed CVE-2022-30594 in Linux Kernel
SOURCE=UPSTREAM(ee1fee900537b5d9560e9f937402de5ddc8412f3)
cos-patch: security-moderate
Cc: stable@kernel.org
Fixes: 13c4a90119d2 ("seccomp: add ptrace options for suspend/resume")
Signed-off-by: Jann Horn <jannh@google.com>
Link: https://lkml.kernel.org/r/20220319010838.1386861-1-jannh@google.com
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: Ifadfb7aa605e33f783ff99c29d2e374d8f38f45e
Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/33304
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
Reviewed-by: Vaibhav Rustagi <vaibhavrustagi@google.com>
1 file changed