review.tizen.org Git - platform/kernel/linux-starfive.git/commit

author	Mickaël Salaün <mic@linux.microsoft.com>
	Thu, 22 Apr 2021 15:41:14 +0000 (17:41 +0200)
committer	James Morris <jamorris@linux.microsoft.com>
	Thu, 22 Apr 2021 19:22:10 +0000 (12:22 -0700)
commit	afe81f754117dd96853677c5cb815f49abef0ba0
tree	9c89ace4b459dece96d08922e6ae9be04bf22091	tree \| snapshot
parent	385975dca53eb41031d0cbd1de318eb1bc5d6bb9	commit \| diff

landlock: Add ptrace restrictions

Using ptrace(2) and related debug features on a target process can lead
to a privilege escalation. Indeed, ptrace(2) can be used by an attacker
to impersonate another task and to remain undetected while performing
malicious activities. Thanks to ptrace_may_access(), various part of
the kernel can check if a tracer is more privileged than a tracee.

A landlocked process has fewer privileges than a non-landlocked process
and must then be subject to additional restrictions when manipulating
processes. To be allowed to use ptrace(2) and related syscalls on a
target process, a landlocked process must have a subset of the target
process's rules (i.e. the tracee must be in a sub-domain of the tracer).

Cc: James Morris <jmorris@namei.org>
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
Reviewed-by: Jann Horn <jannh@google.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20210422154123.13086-5-mic@digikod.net
Signed-off-by: James Morris <jamorris@linux.microsoft.com>

security/landlock/Makefile		diff \| blob \| history
security/landlock/ptrace.c	[new file with mode: 0644]	blob
security/landlock/ptrace.h	[new file with mode: 0644]	blob
security/landlock/setup.c		diff \| blob \| history