]>
Commit | Line | Data |
---|---|---|
e8e0e55a GKH |
1 | From 4aa68e07d845562561f5e73c04aa521376e95252 Mon Sep 17 00:00:00 2001 |
2 | From: Eric Biggers <ebiggers@google.com> | |
3 | Date: Mon, 18 Sep 2017 11:38:29 -0700 | |
4 | Subject: KEYS: restrict /proc/keys by credentials at open time | |
5 | ||
6 | From: Eric Biggers <ebiggers@google.com> | |
7 | ||
8 | commit 4aa68e07d845562561f5e73c04aa521376e95252 upstream. | |
9 | ||
10 | When checking for permission to view keys whilst reading from | |
11 | /proc/keys, we should use the credentials with which the /proc/keys file | |
12 | was opened. This is because, in a classic type of exploit, it can be | |
13 | possible to bypass checks for the *current* credentials by passing the | |
14 | file descriptor to a suid program. | |
15 | ||
16 | Following commit 34dbbcdbf633 ("Make file credentials available to the | |
17 | seqfile interfaces") we can finally fix it. So let's do it. | |
18 | ||
19 | Signed-off-by: Eric Biggers <ebiggers@google.com> | |
20 | Signed-off-by: David Howells <dhowells@redhat.com> | |
21 | Signed-off-by: Zubin Mithra <zsm@chromium.org> | |
22 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
23 | ||
24 | --- | |
25 | security/keys/proc.c | 8 ++------ | |
26 | 1 file changed, 2 insertions(+), 6 deletions(-) | |
27 | ||
28 | --- a/security/keys/proc.c | |
29 | +++ b/security/keys/proc.c | |
30 | @@ -187,7 +187,7 @@ static int proc_keys_show(struct seq_fil | |
31 | ||
32 | struct keyring_search_context ctx = { | |
33 | .index_key = key->index_key, | |
34 | - .cred = current_cred(), | |
35 | + .cred = m->file->f_cred, | |
36 | .match_data.cmp = lookup_user_key_possessed, | |
37 | .match_data.raw_data = key, | |
38 | .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT, | |
39 | @@ -207,11 +207,7 @@ static int proc_keys_show(struct seq_fil | |
40 | } | |
41 | } | |
42 | ||
43 | - /* check whether the current task is allowed to view the key (assuming | |
44 | - * non-possession) | |
45 | - * - the caller holds a spinlock, and thus the RCU read lock, making our | |
46 | - * access to __current_cred() safe | |
47 | - */ | |
48 | + /* check whether the current task is allowed to view the key */ | |
49 | rc = key_task_permission(key_ref, ctx.cred, KEY_NEED_VIEW); | |
50 | if (rc < 0) | |
51 | return 0; |