2005-04-17 02:20:36 +04:00
|
|
|
/*
|
|
|
|
* linux/fs/proc/array.c
|
|
|
|
*
|
|
|
|
* Copyright (C) 1992 by Linus Torvalds
|
|
|
|
* based on ideas by Darren Senn
|
|
|
|
*
|
|
|
|
* Fixes:
|
|
|
|
* Michael. K. Johnson: stat,statm extensions.
|
|
|
|
* <johnsonm@stolaf.edu>
|
|
|
|
*
|
|
|
|
* Pauline Middelink : Made cmdline,envline only break at '\0's, to
|
|
|
|
* make sure SET_PROCTITLE works. Also removed
|
|
|
|
* bad '!' which forced address recalculation for
|
|
|
|
* EVERY character on the current page.
|
|
|
|
* <middelin@polyware.iaf.nl>
|
|
|
|
*
|
|
|
|
* Danny ter Haar : added cpuinfo
|
|
|
|
* <dth@cistron.nl>
|
|
|
|
*
|
|
|
|
* Alessandro Rubini : profile extension.
|
|
|
|
* <rubini@ipvvis.unipv.it>
|
|
|
|
*
|
|
|
|
* Jeff Tranter : added BogoMips field to cpuinfo
|
|
|
|
* <Jeff_Tranter@Mitel.COM>
|
|
|
|
*
|
|
|
|
* Bruno Haible : remove 4K limit for the maps file
|
|
|
|
* <haible@ma2s2.mathematik.uni-karlsruhe.de>
|
|
|
|
*
|
|
|
|
* Yves Arrouye : remove removal of trailing spaces in get_array.
|
|
|
|
* <Yves.Arrouye@marin.fdn.fr>
|
|
|
|
*
|
|
|
|
* Jerome Forissier : added per-CPU time information to /proc/stat
|
|
|
|
* and /proc/<pid>/cpu extension
|
|
|
|
* <forissier@isia.cma.fr>
|
|
|
|
* - Incorporation and non-SMP safe operation
|
|
|
|
* of forissier patch in 2.1.78 by
|
|
|
|
* Hans Marcus <crowbar@concepts.nl>
|
|
|
|
*
|
|
|
|
* aeb@cwi.nl : /proc/partitions
|
|
|
|
*
|
|
|
|
*
|
|
|
|
* Alan Cox : security fixes.
|
2008-10-27 18:19:48 +03:00
|
|
|
* <alan@lxorguk.ukuu.org.uk>
|
2005-04-17 02:20:36 +04:00
|
|
|
*
|
|
|
|
* Al Viro : safe handling of mm_struct
|
|
|
|
*
|
|
|
|
* Gerhard Wichert : added BIGMEM support
|
|
|
|
* Siemens AG <Gerhard.Wichert@pdb.siemens.de>
|
|
|
|
*
|
|
|
|
* Al Viro & Jeff Garzik : moved most of the thing into base.c and
|
|
|
|
* : proc_misc.c. The rest may eventually go into
|
|
|
|
* : base.c too.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include <linux/types.h>
|
|
|
|
#include <linux/errno.h>
|
|
|
|
#include <linux/time.h>
|
|
|
|
#include <linux/kernel.h>
|
|
|
|
#include <linux/kernel_stat.h>
|
|
|
|
#include <linux/tty.h>
|
|
|
|
#include <linux/string.h>
|
|
|
|
#include <linux/mman.h>
|
|
|
|
#include <linux/proc_fs.h>
|
|
|
|
#include <linux/ioport.h>
|
2007-07-16 11:46:31 +04:00
|
|
|
#include <linux/uaccess.h>
|
|
|
|
#include <linux/io.h>
|
2005-04-17 02:20:36 +04:00
|
|
|
#include <linux/mm.h>
|
|
|
|
#include <linux/hugetlb.h>
|
|
|
|
#include <linux/pagemap.h>
|
|
|
|
#include <linux/swap.h>
|
|
|
|
#include <linux/smp.h>
|
|
|
|
#include <linux/signal.h>
|
|
|
|
#include <linux/highmem.h>
|
|
|
|
#include <linux/file.h>
|
2008-04-24 15:44:08 +04:00
|
|
|
#include <linux/fdtable.h>
|
2005-04-17 02:20:36 +04:00
|
|
|
#include <linux/times.h>
|
|
|
|
#include <linux/cpuset.h>
|
2005-09-17 06:28:13 +04:00
|
|
|
#include <linux/rcupdate.h>
|
2006-07-14 11:24:43 +04:00
|
|
|
#include <linux/delayacct.h>
|
2008-02-08 15:18:31 +03:00
|
|
|
#include <linux/seq_file.h>
|
2007-10-19 10:40:14 +04:00
|
|
|
#include <linux/pid_namespace.h>
|
2009-05-04 22:51:14 +04:00
|
|
|
#include <linux/ptrace.h>
|
2008-07-26 06:45:49 +04:00
|
|
|
#include <linux/tracehook.h>
|
2015-02-13 02:01:11 +03:00
|
|
|
#include <linux/string_helpers.h>
|
2011-11-15 03:56:38 +04:00
|
|
|
#include <linux/user_namespace.h>
|
2005-04-17 02:20:36 +04:00
|
|
|
|
|
|
|
#include <asm/pgtable.h>
|
|
|
|
#include <asm/processor.h>
|
|
|
|
#include "internal.h"
|
|
|
|
|
2008-02-08 15:18:33 +03:00
|
|
|
static inline void task_name(struct seq_file *m, struct task_struct *p)
|
2005-04-17 02:20:36 +04:00
|
|
|
{
|
2015-02-13 02:01:11 +03:00
|
|
|
char *buf;
|
2015-11-07 03:30:03 +03:00
|
|
|
size_t size;
|
2005-04-17 02:20:36 +04:00
|
|
|
char tcomm[sizeof(p->comm)];
|
2015-11-07 03:30:03 +03:00
|
|
|
int ret;
|
2005-04-17 02:20:36 +04:00
|
|
|
|
|
|
|
get_task_comm(tcomm, p);
|
|
|
|
|
2011-01-13 04:00:32 +03:00
|
|
|
seq_puts(m, "Name:\t");
|
2015-02-13 02:01:11 +03:00
|
|
|
|
2015-11-07 03:30:03 +03:00
|
|
|
size = seq_get_buf(m, &buf);
|
|
|
|
ret = string_escape_str(tcomm, buf, size, ESCAPE_SPACE | ESCAPE_SPECIAL, "\n\\");
|
|
|
|
seq_commit(m, ret < size ? ret : -1);
|
2015-02-13 02:01:11 +03:00
|
|
|
|
2011-01-13 04:00:32 +03:00
|
|
|
seq_putc(m, '\n');
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* The task state array is a strange "bitmap" of
|
|
|
|
* reasons to sleep. Thus "running" is zero, and
|
|
|
|
* you can test for combinations of others with
|
|
|
|
* simple bit tests.
|
|
|
|
*/
|
2011-05-27 03:25:51 +04:00
|
|
|
static const char * const task_state_array[] = {
|
2009-12-17 15:16:30 +03:00
|
|
|
"R (running)", /* 0 */
|
|
|
|
"S (sleeping)", /* 1 */
|
|
|
|
"D (disk sleep)", /* 2 */
|
|
|
|
"T (stopped)", /* 4 */
|
|
|
|
"t (tracing stop)", /* 8 */
|
2014-04-08 02:38:46 +04:00
|
|
|
"X (dead)", /* 16 */
|
|
|
|
"Z (zombie)", /* 32 */
|
2005-04-17 02:20:36 +04:00
|
|
|
};
|
|
|
|
|
2007-07-16 11:46:31 +04:00
|
|
|
static inline const char *get_task_state(struct task_struct *tsk)
|
2005-04-17 02:20:36 +04:00
|
|
|
{
|
2014-01-24 03:55:35 +04:00
|
|
|
unsigned int state = (tsk->state | tsk->exit_state) & TASK_REPORT;
|
2005-04-17 02:20:36 +04:00
|
|
|
|
procfs: treat parked tasks as sleeping for task state
Allowing watchdog threads to be parked means that we now have the
opportunity of actually seeing persistent parked threads in the output
of /proc/<pid>/stat and /proc/<pid>/status. The existing code reported
such threads as "Running", which is kind-of true if you think of the
case where we park them as part of taking cpus offline. But if we allow
parking them indefinitely, "Running" is pretty misleading, so we report
them as "Sleeping" instead.
We could simply report them with a new string, "Parked", but it feels
like it's a bit risky for userspace to see unexpected new values; the
output is already documented in Documentation/filesystems/proc.txt, and
it seems like a mistake to change that lightly.
The scheduler does report parked tasks with a "P" in debugging output
from sched_show_task() or dump_cpu_task(), but that's a different API.
Similarly, the trace_ctxwake_* routines report a "P" for parked tasks,
but again, different API.
This change seemed slightly cleaner than updating the task_state_array
to have additional rows. TASK_DEAD should be subsumed by the exit_state
bits; TASK_WAKEKILL is just a modifier; and TASK_WAKING can very
reasonably be reported as "Running" (as it is now). Only TASK_PARKED
shows up with unreasonable output here.
Signed-off-by: Chris Metcalf <cmetcalf@ezchip.com>
Cc: Don Zickus <dzickus@redhat.com>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Ulrich Obergfell <uobergfe@redhat.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2015-06-25 02:55:48 +03:00
|
|
|
/*
|
|
|
|
* Parked tasks do not run; they sit in __kthread_parkme().
|
|
|
|
* Without this check, we would report them as running, which is
|
|
|
|
* clearly wrong, so we report them as sleeping instead.
|
|
|
|
*/
|
|
|
|
if (tsk->state == TASK_PARKED)
|
|
|
|
state = TASK_INTERRUPTIBLE;
|
|
|
|
|
2014-01-24 03:55:35 +04:00
|
|
|
BUILD_BUG_ON(1 + ilog2(TASK_REPORT) != ARRAY_SIZE(task_state_array)-1);
|
2009-12-17 15:16:30 +03:00
|
|
|
|
2014-01-24 03:55:35 +04:00
|
|
|
return task_state_array[fls(state)];
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
|
|
|
|
2008-02-08 15:18:33 +03:00
|
|
|
static inline void task_state(struct seq_file *m, struct pid_namespace *ns,
|
|
|
|
struct pid *pid, struct task_struct *p)
|
2005-04-17 02:20:36 +04:00
|
|
|
{
|
2012-08-11 23:38:26 +04:00
|
|
|
struct user_namespace *user_ns = seq_user_ns(m);
|
2005-04-17 02:20:36 +04:00
|
|
|
struct group_info *group_info;
|
|
|
|
int g;
|
2014-12-11 02:45:18 +03:00
|
|
|
struct task_struct *tracer;
|
2008-11-14 02:39:19 +03:00
|
|
|
const struct cred *cred;
|
2014-12-11 02:45:18 +03:00
|
|
|
pid_t ppid, tpid = 0, tgid, ngid;
|
2014-12-11 02:45:12 +03:00
|
|
|
unsigned int max_fds = 0;
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2006-10-02 13:18:54 +04:00
|
|
|
rcu_read_lock();
|
2007-10-19 10:40:14 +04:00
|
|
|
ppid = pid_alive(p) ?
|
|
|
|
task_tgid_nr_ns(rcu_dereference(p->real_parent), ns) : 0;
|
2014-12-11 02:45:18 +03:00
|
|
|
|
|
|
|
tracer = ptrace_parent(p);
|
|
|
|
if (tracer)
|
|
|
|
tpid = task_pid_nr_ns(tracer, ns);
|
2014-12-11 02:45:15 +03:00
|
|
|
|
|
|
|
tgid = task_tgid_nr_ns(p, ns);
|
|
|
|
ngid = task_numa_group_id(p);
|
CRED: Fix get_task_cred() and task_state() to not resurrect dead credentials
It's possible for get_task_cred() as it currently stands to 'corrupt' a set of
credentials by incrementing their usage count after their replacement by the
task being accessed.
What happens is that get_task_cred() can race with commit_creds():
TASK_1 TASK_2 RCU_CLEANER
-->get_task_cred(TASK_2)
rcu_read_lock()
__cred = __task_cred(TASK_2)
-->commit_creds()
old_cred = TASK_2->real_cred
TASK_2->real_cred = ...
put_cred(old_cred)
call_rcu(old_cred)
[__cred->usage == 0]
get_cred(__cred)
[__cred->usage == 1]
rcu_read_unlock()
-->put_cred_rcu()
[__cred->usage == 1]
panic()
However, since a tasks credentials are generally not changed very often, we can
reasonably make use of a loop involving reading the creds pointer and using
atomic_inc_not_zero() to attempt to increment it if it hasn't already hit zero.
If successful, we can safely return the credentials in the knowledge that, even
if the task we're accessing has released them, they haven't gone to the RCU
cleanup code.
We then change task_state() in procfs to use get_task_cred() rather than
calling get_cred() on the result of __task_cred(), as that suffers from the
same problem.
Without this change, a BUG_ON in __put_cred() or in put_cred_rcu() can be
tripped when it is noticed that the usage count is not zero as it ought to be,
for example:
kernel BUG at kernel/cred.c:168!
invalid opcode: 0000 [#1] SMP
last sysfs file: /sys/kernel/mm/ksm/run
CPU 0
Pid: 2436, comm: master Not tainted 2.6.33.3-85.fc13.x86_64 #1 0HR330/OptiPlex
745
RIP: 0010:[<ffffffff81069881>] [<ffffffff81069881>] __put_cred+0xc/0x45
RSP: 0018:ffff88019e7e9eb8 EFLAGS: 00010202
RAX: 0000000000000001 RBX: ffff880161514480 RCX: 00000000ffffffff
RDX: 00000000ffffffff RSI: ffff880140c690c0 RDI: ffff880140c690c0
RBP: ffff88019e7e9eb8 R08: 00000000000000d0 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000040 R12: ffff880140c690c0
R13: ffff88019e77aea0 R14: 00007fff336b0a5c R15: 0000000000000001
FS: 00007f12f50d97c0(0000) GS:ffff880007400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8f461bc000 CR3: 00000001b26ce000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process master (pid: 2436, threadinfo ffff88019e7e8000, task ffff88019e77aea0)
Stack:
ffff88019e7e9ec8 ffffffff810698cd ffff88019e7e9ef8 ffffffff81069b45
<0> ffff880161514180 ffff880161514480 ffff880161514180 0000000000000000
<0> ffff88019e7e9f28 ffffffff8106aace 0000000000000001 0000000000000246
Call Trace:
[<ffffffff810698cd>] put_cred+0x13/0x15
[<ffffffff81069b45>] commit_creds+0x16b/0x175
[<ffffffff8106aace>] set_current_groups+0x47/0x4e
[<ffffffff8106ac89>] sys_setgroups+0xf6/0x105
[<ffffffff81009b02>] system_call_fastpath+0x16/0x1b
Code: 48 8d 71 ff e8 7e 4e 15 00 85 c0 78 0b 8b 75 ec 48 89 df e8 ef 4a 15 00
48 83 c4 18 5b c9 c3 55 8b 07 8b 07 48 89 e5 85 c0 74 04 <0f> 0b eb fe 65 48 8b
04 25 00 cc 00 00 48 3b b8 58 04 00 00 75
RIP [<ffffffff81069881>] __put_cred+0xc/0x45
RSP <ffff88019e7e9eb8>
---[ end trace df391256a100ebdd ]---
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Jiri Olsa <jolsa@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2010-07-29 15:45:49 +04:00
|
|
|
cred = get_task_cred(p);
|
2014-12-11 02:45:12 +03:00
|
|
|
|
|
|
|
task_lock(p);
|
|
|
|
if (p->files)
|
|
|
|
max_fds = files_fdtable(p->files)->max_fds;
|
|
|
|
task_unlock(p);
|
2014-12-11 02:45:15 +03:00
|
|
|
rcu_read_unlock();
|
2014-12-11 02:45:12 +03:00
|
|
|
|
2008-02-08 15:18:33 +03:00
|
|
|
seq_printf(m,
|
2005-04-17 02:20:36 +04:00
|
|
|
"State:\t%s\n"
|
|
|
|
"Tgid:\t%d\n"
|
2013-10-07 14:29:22 +04:00
|
|
|
"Ngid:\t%d\n"
|
2005-04-17 02:20:36 +04:00
|
|
|
"Pid:\t%d\n"
|
|
|
|
"PPid:\t%d\n"
|
|
|
|
"TracerPid:\t%d\n"
|
|
|
|
"Uid:\t%d\t%d\t%d\t%d\n"
|
2014-12-11 02:45:12 +03:00
|
|
|
"Gid:\t%d\t%d\t%d\t%d\n"
|
|
|
|
"FDSize:\t%d\nGroups:\t",
|
2005-04-17 02:20:36 +04:00
|
|
|
get_task_state(p),
|
2014-12-11 02:45:15 +03:00
|
|
|
tgid, ngid, pid_nr_ns(pid, ns), ppid, tpid,
|
2012-02-09 20:48:21 +04:00
|
|
|
from_kuid_munged(user_ns, cred->uid),
|
|
|
|
from_kuid_munged(user_ns, cred->euid),
|
|
|
|
from_kuid_munged(user_ns, cred->suid),
|
|
|
|
from_kuid_munged(user_ns, cred->fsuid),
|
|
|
|
from_kgid_munged(user_ns, cred->gid),
|
|
|
|
from_kgid_munged(user_ns, cred->egid),
|
|
|
|
from_kgid_munged(user_ns, cred->sgid),
|
2014-12-11 02:45:12 +03:00
|
|
|
from_kgid_munged(user_ns, cred->fsgid),
|
|
|
|
max_fds);
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2008-11-14 02:39:19 +03:00
|
|
|
group_info = cred->group_info;
|
2012-12-18 04:03:17 +04:00
|
|
|
for (g = 0; g < group_info->ngroups; g++)
|
2011-11-15 03:56:38 +04:00
|
|
|
seq_printf(m, "%d ",
|
|
|
|
from_kgid_munged(user_ns, GROUP_AT(group_info, g)));
|
2008-11-14 02:39:19 +03:00
|
|
|
put_cred(cred);
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2015-04-16 02:16:30 +03:00
|
|
|
#ifdef CONFIG_PID_NS
|
|
|
|
seq_puts(m, "\nNStgid:");
|
|
|
|
for (g = ns->level; g <= pid->level; g++)
|
|
|
|
seq_printf(m, "\t%d",
|
|
|
|
task_tgid_nr_ns(p, pid->numbers[g].ns));
|
|
|
|
seq_puts(m, "\nNSpid:");
|
|
|
|
for (g = ns->level; g <= pid->level; g++)
|
|
|
|
seq_printf(m, "\t%d",
|
|
|
|
task_pid_nr_ns(p, pid->numbers[g].ns));
|
|
|
|
seq_puts(m, "\nNSpgid:");
|
|
|
|
for (g = ns->level; g <= pid->level; g++)
|
|
|
|
seq_printf(m, "\t%d",
|
|
|
|
task_pgrp_nr_ns(p, pid->numbers[g].ns));
|
|
|
|
seq_puts(m, "\nNSsid:");
|
|
|
|
for (g = ns->level; g <= pid->level; g++)
|
|
|
|
seq_printf(m, "\t%d",
|
|
|
|
task_session_nr_ns(p, pid->numbers[g].ns));
|
|
|
|
#endif
|
2011-01-13 04:00:32 +03:00
|
|
|
seq_putc(m, '\n');
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
|
|
|
|
2012-12-18 04:05:02 +04:00
|
|
|
void render_sigset_t(struct seq_file *m, const char *header,
|
2008-02-08 15:18:33 +03:00
|
|
|
sigset_t *set)
|
2005-04-17 02:20:36 +04:00
|
|
|
{
|
2008-02-08 15:18:33 +03:00
|
|
|
int i;
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2011-01-13 04:00:32 +03:00
|
|
|
seq_puts(m, header);
|
2005-04-17 02:20:36 +04:00
|
|
|
|
|
|
|
i = _NSIG;
|
|
|
|
do {
|
|
|
|
int x = 0;
|
|
|
|
|
|
|
|
i -= 4;
|
|
|
|
if (sigismember(set, i+1)) x |= 1;
|
|
|
|
if (sigismember(set, i+2)) x |= 2;
|
|
|
|
if (sigismember(set, i+3)) x |= 4;
|
|
|
|
if (sigismember(set, i+4)) x |= 8;
|
2008-02-08 15:18:33 +03:00
|
|
|
seq_printf(m, "%x", x);
|
2005-04-17 02:20:36 +04:00
|
|
|
} while (i >= 4);
|
|
|
|
|
2011-01-13 04:00:32 +03:00
|
|
|
seq_putc(m, '\n');
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
static void collect_sigign_sigcatch(struct task_struct *p, sigset_t *ign,
|
|
|
|
sigset_t *catch)
|
|
|
|
{
|
|
|
|
struct k_sigaction *k;
|
|
|
|
int i;
|
|
|
|
|
|
|
|
k = p->sighand->action;
|
|
|
|
for (i = 1; i <= _NSIG; ++i, ++k) {
|
|
|
|
if (k->sa.sa_handler == SIG_IGN)
|
|
|
|
sigaddset(ign, i);
|
|
|
|
else if (k->sa.sa_handler != SIG_DFL)
|
|
|
|
sigaddset(catch, i);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2008-02-08 15:18:33 +03:00
|
|
|
static inline void task_sig(struct seq_file *m, struct task_struct *p)
|
2005-04-17 02:20:36 +04:00
|
|
|
{
|
2006-10-02 13:18:52 +04:00
|
|
|
unsigned long flags;
|
2005-04-17 02:20:36 +04:00
|
|
|
sigset_t pending, shpending, blocked, ignored, caught;
|
|
|
|
int num_threads = 0;
|
|
|
|
unsigned long qsize = 0;
|
|
|
|
unsigned long qlim = 0;
|
|
|
|
|
|
|
|
sigemptyset(&pending);
|
|
|
|
sigemptyset(&shpending);
|
|
|
|
sigemptyset(&blocked);
|
|
|
|
sigemptyset(&ignored);
|
|
|
|
sigemptyset(&caught);
|
|
|
|
|
2006-10-02 13:18:52 +04:00
|
|
|
if (lock_task_sighand(p, &flags)) {
|
2005-04-17 02:20:36 +04:00
|
|
|
pending = p->pending.signal;
|
|
|
|
shpending = p->signal->shared_pending.signal;
|
|
|
|
blocked = p->blocked;
|
|
|
|
collect_sigign_sigcatch(p, &ignored, &caught);
|
2010-05-27 01:43:22 +04:00
|
|
|
num_threads = get_nr_threads(p);
|
2010-02-23 04:04:52 +03:00
|
|
|
rcu_read_lock(); /* FIXME: is this correct? */
|
2008-11-14 02:39:19 +03:00
|
|
|
qsize = atomic_read(&__task_cred(p)->user->sigpending);
|
2010-02-23 04:04:52 +03:00
|
|
|
rcu_read_unlock();
|
2010-03-06 00:42:42 +03:00
|
|
|
qlim = task_rlimit(p, RLIMIT_SIGPENDING);
|
2006-10-02 13:18:52 +04:00
|
|
|
unlock_task_sighand(p, &flags);
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
|
|
|
|
2008-02-08 15:18:33 +03:00
|
|
|
seq_printf(m, "Threads:\t%d\n", num_threads);
|
|
|
|
seq_printf(m, "SigQ:\t%lu/%lu\n", qsize, qlim);
|
2005-04-17 02:20:36 +04:00
|
|
|
|
|
|
|
/* render them all */
|
2008-02-08 15:18:33 +03:00
|
|
|
render_sigset_t(m, "SigPnd:\t", &pending);
|
|
|
|
render_sigset_t(m, "ShdPnd:\t", &shpending);
|
|
|
|
render_sigset_t(m, "SigBlk:\t", &blocked);
|
|
|
|
render_sigset_t(m, "SigIgn:\t", &ignored);
|
|
|
|
render_sigset_t(m, "SigCgt:\t", &caught);
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
|
|
|
|
2008-02-08 15:18:33 +03:00
|
|
|
static void render_cap_t(struct seq_file *m, const char *header,
|
|
|
|
kernel_cap_t *a)
|
2008-02-05 09:29:42 +03:00
|
|
|
{
|
|
|
|
unsigned __capi;
|
|
|
|
|
2011-01-13 04:00:32 +03:00
|
|
|
seq_puts(m, header);
|
2008-02-05 09:29:42 +03:00
|
|
|
CAP_FOR_EACH_U32(__capi) {
|
2008-02-08 15:18:33 +03:00
|
|
|
seq_printf(m, "%08x",
|
2014-07-23 23:36:26 +04:00
|
|
|
a->cap[CAP_LAST_U32 - __capi]);
|
2008-02-05 09:29:42 +03:00
|
|
|
}
|
2011-01-13 04:00:32 +03:00
|
|
|
seq_putc(m, '\n');
|
2008-02-05 09:29:42 +03:00
|
|
|
}
|
|
|
|
|
2008-02-08 15:18:33 +03:00
|
|
|
static inline void task_cap(struct seq_file *m, struct task_struct *p)
|
2005-04-17 02:20:36 +04:00
|
|
|
{
|
2008-11-14 02:39:19 +03:00
|
|
|
const struct cred *cred;
|
capabilities: ambient capabilities
Credit where credit is due: this idea comes from Christoph Lameter with
a lot of valuable input from Serge Hallyn. This patch is heavily based
on Christoph's patch.
===== The status quo =====
On Linux, there are a number of capabilities defined by the kernel. To
perform various privileged tasks, processes can wield capabilities that
they hold.
Each task has four capability masks: effective (pE), permitted (pP),
inheritable (pI), and a bounding set (X). When the kernel checks for a
capability, it checks pE. The other capability masks serve to modify
what capabilities can be in pE.
Any task can remove capabilities from pE, pP, or pI at any time. If a
task has a capability in pP, it can add that capability to pE and/or pI.
If a task has CAP_SETPCAP, then it can add any capability to pI, and it
can remove capabilities from X.
Tasks are not the only things that can have capabilities; files can also
have capabilities. A file can have no capabilty information at all [1].
If a file has capability information, then it has a permitted mask (fP)
and an inheritable mask (fI) as well as a single effective bit (fE) [2].
File capabilities modify the capabilities of tasks that execve(2) them.
A task that successfully calls execve has its capabilities modified for
the file ultimately being excecuted (i.e. the binary itself if that
binary is ELF or for the interpreter if the binary is a script.) [3] In
the capability evolution rules, for each mask Z, pZ represents the old
value and pZ' represents the new value. The rules are:
pP' = (X & fP) | (pI & fI)
pI' = pI
pE' = (fE ? pP' : 0)
X is unchanged
For setuid binaries, fP, fI, and fE are modified by a moderately
complicated set of rules that emulate POSIX behavior. Similarly, if
euid == 0 or ruid == 0, then fP, fI, and fE are modified differently
(primary, fP and fI usually end up being the full set). For nonroot
users executing binaries with neither setuid nor file caps, fI and fP
are empty and fE is false.
As an extra complication, if you execute a process as nonroot and fE is
set, then the "secure exec" rules are in effect: AT_SECURE gets set,
LD_PRELOAD doesn't work, etc.
This is rather messy. We've learned that making any changes is
dangerous, though: if a new kernel version allows an unprivileged
program to change its security state in a way that persists cross
execution of a setuid program or a program with file caps, this
persistent state is surprisingly likely to allow setuid or file-capped
programs to be exploited for privilege escalation.
===== The problem =====
Capability inheritance is basically useless.
If you aren't root and you execute an ordinary binary, fI is zero, so
your capabilities have no effect whatsoever on pP'. This means that you
can't usefully execute a helper process or a shell command with elevated
capabilities if you aren't root.
On current kernels, you can sort of work around this by setting fI to
the full set for most or all non-setuid executable files. This causes
pP' = pI for nonroot, and inheritance works. No one does this because
it's a PITA and it isn't even supported on most filesystems.
If you try this, you'll discover that every nonroot program ends up with
secure exec rules, breaking many things.
This is a problem that has bitten many people who have tried to use
capabilities for anything useful.
===== The proposed change =====
This patch adds a fifth capability mask called the ambient mask (pA).
pA does what most people expect pI to do.
pA obeys the invariant that no bit can ever be set in pA if it is not
set in both pP and pI. Dropping a bit from pP or pI drops that bit from
pA. This ensures that existing programs that try to drop capabilities
still do so, with a complication. Because capability inheritance is so
broken, setting KEEPCAPS, using setresuid to switch to nonroot uids, and
then calling execve effectively drops capabilities. Therefore,
setresuid from root to nonroot conditionally clears pA unless
SECBIT_NO_SETUID_FIXUP is set. Processes that don't like this can
re-add bits to pA afterwards.
The capability evolution rules are changed:
pA' = (file caps or setuid or setgid ? 0 : pA)
pP' = (X & fP) | (pI & fI) | pA'
pI' = pI
pE' = (fE ? pP' : pA')
X is unchanged
If you are nonroot but you have a capability, you can add it to pA. If
you do so, your children get that capability in pA, pP, and pE. For
example, you can set pA = CAP_NET_BIND_SERVICE, and your children can
automatically bind low-numbered ports. Hallelujah!
Unprivileged users can create user namespaces, map themselves to a
nonzero uid, and create both privileged (relative to their namespace)
and unprivileged process trees. This is currently more or less
impossible. Hallelujah!
You cannot use pA to try to subvert a setuid, setgid, or file-capped
program: if you execute any such program, pA gets cleared and the
resulting evolution rules are unchanged by this patch.
Users with nonzero pA are unlikely to unintentionally leak that
capability. If they run programs that try to drop privileges, dropping
privileges will still work.
It's worth noting that the degree of paranoia in this patch could
possibly be reduced without causing serious problems. Specifically, if
we allowed pA to persist across executing non-pA-aware setuid binaries
and across setresuid, then, naively, the only capabilities that could
leak as a result would be the capabilities in pA, and any attacker
*already* has those capabilities. This would make me nervous, though --
setuid binaries that tried to privilege-separate might fail to do so,
and putting CAP_DAC_READ_SEARCH or CAP_DAC_OVERRIDE into pA could have
unexpected side effects. (Whether these unexpected side effects would
be exploitable is an open question.) I've therefore taken the more
paranoid route. We can revisit this later.
An alternative would be to require PR_SET_NO_NEW_PRIVS before setting
ambient capabilities. I think that this would be annoying and would
make granting otherwise unprivileged users minor ambient capabilities
(CAP_NET_BIND_SERVICE or CAP_NET_RAW for example) much less useful than
it is with this patch.
===== Footnotes =====
[1] Files that are missing the "security.capability" xattr or that have
unrecognized values for that xattr end up with has_cap set to false.
The code that does that appears to be complicated for no good reason.
[2] The libcap capability mask parsers and formatters are dangerously
misleading and the documentation is flat-out wrong. fE is *not* a mask;
it's a single bit. This has probably confused every single person who
has tried to use file capabilities.
[3] Linux very confusingly processes both the script and the interpreter
if applicable, for reasons that elude me. The results from thinking
about a script's file capabilities and/or setuid bits are mostly
discarded.
Preliminary userspace code is here, but it needs updating:
https://git.kernel.org/cgit/linux/kernel/git/luto/util-linux-playground.git/commit/?h=cap_ambient&id=7f5afbd175d2
Here is a test program that can be used to verify the functionality
(from Christoph):
/*
* Test program for the ambient capabilities. This program spawns a shell
* that allows running processes with a defined set of capabilities.
*
* (C) 2015 Christoph Lameter <cl@linux.com>
* Released under: GPL v3 or later.
*
*
* Compile using:
*
* gcc -o ambient_test ambient_test.o -lcap-ng
*
* This program must have the following capabilities to run properly:
* Permissions for CAP_NET_RAW, CAP_NET_ADMIN, CAP_SYS_NICE
*
* A command to equip the binary with the right caps is:
*
* setcap cap_net_raw,cap_net_admin,cap_sys_nice+p ambient_test
*
*
* To get a shell with additional caps that can be inherited by other processes:
*
* ./ambient_test /bin/bash
*
*
* Verifying that it works:
*
* From the bash spawed by ambient_test run
*
* cat /proc/$$/status
*
* and have a look at the capabilities.
*/
#include <stdlib.h>
#include <stdio.h>
#include <errno.h>
#include <cap-ng.h>
#include <sys/prctl.h>
#include <linux/capability.h>
/*
* Definitions from the kernel header files. These are going to be removed
* when the /usr/include files have these defined.
*/
#define PR_CAP_AMBIENT 47
#define PR_CAP_AMBIENT_IS_SET 1
#define PR_CAP_AMBIENT_RAISE 2
#define PR_CAP_AMBIENT_LOWER 3
#define PR_CAP_AMBIENT_CLEAR_ALL 4
static void set_ambient_cap(int cap)
{
int rc;
capng_get_caps_process();
rc = capng_update(CAPNG_ADD, CAPNG_INHERITABLE, cap);
if (rc) {
printf("Cannot add inheritable cap\n");
exit(2);
}
capng_apply(CAPNG_SELECT_CAPS);
/* Note the two 0s at the end. Kernel checks for these */
if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0)) {
perror("Cannot set cap");
exit(1);
}
}
int main(int argc, char **argv)
{
int rc;
set_ambient_cap(CAP_NET_RAW);
set_ambient_cap(CAP_NET_ADMIN);
set_ambient_cap(CAP_SYS_NICE);
printf("Ambient_test forking shell\n");
if (execv(argv[1], argv + 1))
perror("Cannot exec");
return 0;
}
Signed-off-by: Christoph Lameter <cl@linux.com> # Original author
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Aaron Jones <aaronmdjones@gmail.com>
Cc: Ted Ts'o <tytso@mit.edu>
Cc: Andrew G. Morgan <morgan@kernel.org>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: Austin S Hemmelgarn <ahferroin7@gmail.com>
Cc: Markku Savela <msa@moth.iki.fi>
Cc: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: James Morris <james.l.morris@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2015-09-05 01:42:45 +03:00
|
|
|
kernel_cap_t cap_inheritable, cap_permitted, cap_effective,
|
|
|
|
cap_bset, cap_ambient;
|
2008-11-14 02:39:16 +03:00
|
|
|
|
2008-11-14 02:39:19 +03:00
|
|
|
rcu_read_lock();
|
|
|
|
cred = __task_cred(p);
|
|
|
|
cap_inheritable = cred->cap_inheritable;
|
|
|
|
cap_permitted = cred->cap_permitted;
|
|
|
|
cap_effective = cred->cap_effective;
|
|
|
|
cap_bset = cred->cap_bset;
|
capabilities: ambient capabilities
Credit where credit is due: this idea comes from Christoph Lameter with
a lot of valuable input from Serge Hallyn. This patch is heavily based
on Christoph's patch.
===== The status quo =====
On Linux, there are a number of capabilities defined by the kernel. To
perform various privileged tasks, processes can wield capabilities that
they hold.
Each task has four capability masks: effective (pE), permitted (pP),
inheritable (pI), and a bounding set (X). When the kernel checks for a
capability, it checks pE. The other capability masks serve to modify
what capabilities can be in pE.
Any task can remove capabilities from pE, pP, or pI at any time. If a
task has a capability in pP, it can add that capability to pE and/or pI.
If a task has CAP_SETPCAP, then it can add any capability to pI, and it
can remove capabilities from X.
Tasks are not the only things that can have capabilities; files can also
have capabilities. A file can have no capabilty information at all [1].
If a file has capability information, then it has a permitted mask (fP)
and an inheritable mask (fI) as well as a single effective bit (fE) [2].
File capabilities modify the capabilities of tasks that execve(2) them.
A task that successfully calls execve has its capabilities modified for
the file ultimately being excecuted (i.e. the binary itself if that
binary is ELF or for the interpreter if the binary is a script.) [3] In
the capability evolution rules, for each mask Z, pZ represents the old
value and pZ' represents the new value. The rules are:
pP' = (X & fP) | (pI & fI)
pI' = pI
pE' = (fE ? pP' : 0)
X is unchanged
For setuid binaries, fP, fI, and fE are modified by a moderately
complicated set of rules that emulate POSIX behavior. Similarly, if
euid == 0 or ruid == 0, then fP, fI, and fE are modified differently
(primary, fP and fI usually end up being the full set). For nonroot
users executing binaries with neither setuid nor file caps, fI and fP
are empty and fE is false.
As an extra complication, if you execute a process as nonroot and fE is
set, then the "secure exec" rules are in effect: AT_SECURE gets set,
LD_PRELOAD doesn't work, etc.
This is rather messy. We've learned that making any changes is
dangerous, though: if a new kernel version allows an unprivileged
program to change its security state in a way that persists cross
execution of a setuid program or a program with file caps, this
persistent state is surprisingly likely to allow setuid or file-capped
programs to be exploited for privilege escalation.
===== The problem =====
Capability inheritance is basically useless.
If you aren't root and you execute an ordinary binary, fI is zero, so
your capabilities have no effect whatsoever on pP'. This means that you
can't usefully execute a helper process or a shell command with elevated
capabilities if you aren't root.
On current kernels, you can sort of work around this by setting fI to
the full set for most or all non-setuid executable files. This causes
pP' = pI for nonroot, and inheritance works. No one does this because
it's a PITA and it isn't even supported on most filesystems.
If you try this, you'll discover that every nonroot program ends up with
secure exec rules, breaking many things.
This is a problem that has bitten many people who have tried to use
capabilities for anything useful.
===== The proposed change =====
This patch adds a fifth capability mask called the ambient mask (pA).
pA does what most people expect pI to do.
pA obeys the invariant that no bit can ever be set in pA if it is not
set in both pP and pI. Dropping a bit from pP or pI drops that bit from
pA. This ensures that existing programs that try to drop capabilities
still do so, with a complication. Because capability inheritance is so
broken, setting KEEPCAPS, using setresuid to switch to nonroot uids, and
then calling execve effectively drops capabilities. Therefore,
setresuid from root to nonroot conditionally clears pA unless
SECBIT_NO_SETUID_FIXUP is set. Processes that don't like this can
re-add bits to pA afterwards.
The capability evolution rules are changed:
pA' = (file caps or setuid or setgid ? 0 : pA)
pP' = (X & fP) | (pI & fI) | pA'
pI' = pI
pE' = (fE ? pP' : pA')
X is unchanged
If you are nonroot but you have a capability, you can add it to pA. If
you do so, your children get that capability in pA, pP, and pE. For
example, you can set pA = CAP_NET_BIND_SERVICE, and your children can
automatically bind low-numbered ports. Hallelujah!
Unprivileged users can create user namespaces, map themselves to a
nonzero uid, and create both privileged (relative to their namespace)
and unprivileged process trees. This is currently more or less
impossible. Hallelujah!
You cannot use pA to try to subvert a setuid, setgid, or file-capped
program: if you execute any such program, pA gets cleared and the
resulting evolution rules are unchanged by this patch.
Users with nonzero pA are unlikely to unintentionally leak that
capability. If they run programs that try to drop privileges, dropping
privileges will still work.
It's worth noting that the degree of paranoia in this patch could
possibly be reduced without causing serious problems. Specifically, if
we allowed pA to persist across executing non-pA-aware setuid binaries
and across setresuid, then, naively, the only capabilities that could
leak as a result would be the capabilities in pA, and any attacker
*already* has those capabilities. This would make me nervous, though --
setuid binaries that tried to privilege-separate might fail to do so,
and putting CAP_DAC_READ_SEARCH or CAP_DAC_OVERRIDE into pA could have
unexpected side effects. (Whether these unexpected side effects would
be exploitable is an open question.) I've therefore taken the more
paranoid route. We can revisit this later.
An alternative would be to require PR_SET_NO_NEW_PRIVS before setting
ambient capabilities. I think that this would be annoying and would
make granting otherwise unprivileged users minor ambient capabilities
(CAP_NET_BIND_SERVICE or CAP_NET_RAW for example) much less useful than
it is with this patch.
===== Footnotes =====
[1] Files that are missing the "security.capability" xattr or that have
unrecognized values for that xattr end up with has_cap set to false.
The code that does that appears to be complicated for no good reason.
[2] The libcap capability mask parsers and formatters are dangerously
misleading and the documentation is flat-out wrong. fE is *not* a mask;
it's a single bit. This has probably confused every single person who
has tried to use file capabilities.
[3] Linux very confusingly processes both the script and the interpreter
if applicable, for reasons that elude me. The results from thinking
about a script's file capabilities and/or setuid bits are mostly
discarded.
Preliminary userspace code is here, but it needs updating:
https://git.kernel.org/cgit/linux/kernel/git/luto/util-linux-playground.git/commit/?h=cap_ambient&id=7f5afbd175d2
Here is a test program that can be used to verify the functionality
(from Christoph):
/*
* Test program for the ambient capabilities. This program spawns a shell
* that allows running processes with a defined set of capabilities.
*
* (C) 2015 Christoph Lameter <cl@linux.com>
* Released under: GPL v3 or later.
*
*
* Compile using:
*
* gcc -o ambient_test ambient_test.o -lcap-ng
*
* This program must have the following capabilities to run properly:
* Permissions for CAP_NET_RAW, CAP_NET_ADMIN, CAP_SYS_NICE
*
* A command to equip the binary with the right caps is:
*
* setcap cap_net_raw,cap_net_admin,cap_sys_nice+p ambient_test
*
*
* To get a shell with additional caps that can be inherited by other processes:
*
* ./ambient_test /bin/bash
*
*
* Verifying that it works:
*
* From the bash spawed by ambient_test run
*
* cat /proc/$$/status
*
* and have a look at the capabilities.
*/
#include <stdlib.h>
#include <stdio.h>
#include <errno.h>
#include <cap-ng.h>
#include <sys/prctl.h>
#include <linux/capability.h>
/*
* Definitions from the kernel header files. These are going to be removed
* when the /usr/include files have these defined.
*/
#define PR_CAP_AMBIENT 47
#define PR_CAP_AMBIENT_IS_SET 1
#define PR_CAP_AMBIENT_RAISE 2
#define PR_CAP_AMBIENT_LOWER 3
#define PR_CAP_AMBIENT_CLEAR_ALL 4
static void set_ambient_cap(int cap)
{
int rc;
capng_get_caps_process();
rc = capng_update(CAPNG_ADD, CAPNG_INHERITABLE, cap);
if (rc) {
printf("Cannot add inheritable cap\n");
exit(2);
}
capng_apply(CAPNG_SELECT_CAPS);
/* Note the two 0s at the end. Kernel checks for these */
if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0)) {
perror("Cannot set cap");
exit(1);
}
}
int main(int argc, char **argv)
{
int rc;
set_ambient_cap(CAP_NET_RAW);
set_ambient_cap(CAP_NET_ADMIN);
set_ambient_cap(CAP_SYS_NICE);
printf("Ambient_test forking shell\n");
if (execv(argv[1], argv + 1))
perror("Cannot exec");
return 0;
}
Signed-off-by: Christoph Lameter <cl@linux.com> # Original author
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Aaron Jones <aaronmdjones@gmail.com>
Cc: Ted Ts'o <tytso@mit.edu>
Cc: Andrew G. Morgan <morgan@kernel.org>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: Austin S Hemmelgarn <ahferroin7@gmail.com>
Cc: Markku Savela <msa@moth.iki.fi>
Cc: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: James Morris <james.l.morris@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2015-09-05 01:42:45 +03:00
|
|
|
cap_ambient = cred->cap_ambient;
|
2008-11-14 02:39:19 +03:00
|
|
|
rcu_read_unlock();
|
|
|
|
|
|
|
|
render_cap_t(m, "CapInh:\t", &cap_inheritable);
|
|
|
|
render_cap_t(m, "CapPrm:\t", &cap_permitted);
|
|
|
|
render_cap_t(m, "CapEff:\t", &cap_effective);
|
|
|
|
render_cap_t(m, "CapBnd:\t", &cap_bset);
|
capabilities: ambient capabilities
Credit where credit is due: this idea comes from Christoph Lameter with
a lot of valuable input from Serge Hallyn. This patch is heavily based
on Christoph's patch.
===== The status quo =====
On Linux, there are a number of capabilities defined by the kernel. To
perform various privileged tasks, processes can wield capabilities that
they hold.
Each task has four capability masks: effective (pE), permitted (pP),
inheritable (pI), and a bounding set (X). When the kernel checks for a
capability, it checks pE. The other capability masks serve to modify
what capabilities can be in pE.
Any task can remove capabilities from pE, pP, or pI at any time. If a
task has a capability in pP, it can add that capability to pE and/or pI.
If a task has CAP_SETPCAP, then it can add any capability to pI, and it
can remove capabilities from X.
Tasks are not the only things that can have capabilities; files can also
have capabilities. A file can have no capabilty information at all [1].
If a file has capability information, then it has a permitted mask (fP)
and an inheritable mask (fI) as well as a single effective bit (fE) [2].
File capabilities modify the capabilities of tasks that execve(2) them.
A task that successfully calls execve has its capabilities modified for
the file ultimately being excecuted (i.e. the binary itself if that
binary is ELF or for the interpreter if the binary is a script.) [3] In
the capability evolution rules, for each mask Z, pZ represents the old
value and pZ' represents the new value. The rules are:
pP' = (X & fP) | (pI & fI)
pI' = pI
pE' = (fE ? pP' : 0)
X is unchanged
For setuid binaries, fP, fI, and fE are modified by a moderately
complicated set of rules that emulate POSIX behavior. Similarly, if
euid == 0 or ruid == 0, then fP, fI, and fE are modified differently
(primary, fP and fI usually end up being the full set). For nonroot
users executing binaries with neither setuid nor file caps, fI and fP
are empty and fE is false.
As an extra complication, if you execute a process as nonroot and fE is
set, then the "secure exec" rules are in effect: AT_SECURE gets set,
LD_PRELOAD doesn't work, etc.
This is rather messy. We've learned that making any changes is
dangerous, though: if a new kernel version allows an unprivileged
program to change its security state in a way that persists cross
execution of a setuid program or a program with file caps, this
persistent state is surprisingly likely to allow setuid or file-capped
programs to be exploited for privilege escalation.
===== The problem =====
Capability inheritance is basically useless.
If you aren't root and you execute an ordinary binary, fI is zero, so
your capabilities have no effect whatsoever on pP'. This means that you
can't usefully execute a helper process or a shell command with elevated
capabilities if you aren't root.
On current kernels, you can sort of work around this by setting fI to
the full set for most or all non-setuid executable files. This causes
pP' = pI for nonroot, and inheritance works. No one does this because
it's a PITA and it isn't even supported on most filesystems.
If you try this, you'll discover that every nonroot program ends up with
secure exec rules, breaking many things.
This is a problem that has bitten many people who have tried to use
capabilities for anything useful.
===== The proposed change =====
This patch adds a fifth capability mask called the ambient mask (pA).
pA does what most people expect pI to do.
pA obeys the invariant that no bit can ever be set in pA if it is not
set in both pP and pI. Dropping a bit from pP or pI drops that bit from
pA. This ensures that existing programs that try to drop capabilities
still do so, with a complication. Because capability inheritance is so
broken, setting KEEPCAPS, using setresuid to switch to nonroot uids, and
then calling execve effectively drops capabilities. Therefore,
setresuid from root to nonroot conditionally clears pA unless
SECBIT_NO_SETUID_FIXUP is set. Processes that don't like this can
re-add bits to pA afterwards.
The capability evolution rules are changed:
pA' = (file caps or setuid or setgid ? 0 : pA)
pP' = (X & fP) | (pI & fI) | pA'
pI' = pI
pE' = (fE ? pP' : pA')
X is unchanged
If you are nonroot but you have a capability, you can add it to pA. If
you do so, your children get that capability in pA, pP, and pE. For
example, you can set pA = CAP_NET_BIND_SERVICE, and your children can
automatically bind low-numbered ports. Hallelujah!
Unprivileged users can create user namespaces, map themselves to a
nonzero uid, and create both privileged (relative to their namespace)
and unprivileged process trees. This is currently more or less
impossible. Hallelujah!
You cannot use pA to try to subvert a setuid, setgid, or file-capped
program: if you execute any such program, pA gets cleared and the
resulting evolution rules are unchanged by this patch.
Users with nonzero pA are unlikely to unintentionally leak that
capability. If they run programs that try to drop privileges, dropping
privileges will still work.
It's worth noting that the degree of paranoia in this patch could
possibly be reduced without causing serious problems. Specifically, if
we allowed pA to persist across executing non-pA-aware setuid binaries
and across setresuid, then, naively, the only capabilities that could
leak as a result would be the capabilities in pA, and any attacker
*already* has those capabilities. This would make me nervous, though --
setuid binaries that tried to privilege-separate might fail to do so,
and putting CAP_DAC_READ_SEARCH or CAP_DAC_OVERRIDE into pA could have
unexpected side effects. (Whether these unexpected side effects would
be exploitable is an open question.) I've therefore taken the more
paranoid route. We can revisit this later.
An alternative would be to require PR_SET_NO_NEW_PRIVS before setting
ambient capabilities. I think that this would be annoying and would
make granting otherwise unprivileged users minor ambient capabilities
(CAP_NET_BIND_SERVICE or CAP_NET_RAW for example) much less useful than
it is with this patch.
===== Footnotes =====
[1] Files that are missing the "security.capability" xattr or that have
unrecognized values for that xattr end up with has_cap set to false.
The code that does that appears to be complicated for no good reason.
[2] The libcap capability mask parsers and formatters are dangerously
misleading and the documentation is flat-out wrong. fE is *not* a mask;
it's a single bit. This has probably confused every single person who
has tried to use file capabilities.
[3] Linux very confusingly processes both the script and the interpreter
if applicable, for reasons that elude me. The results from thinking
about a script's file capabilities and/or setuid bits are mostly
discarded.
Preliminary userspace code is here, but it needs updating:
https://git.kernel.org/cgit/linux/kernel/git/luto/util-linux-playground.git/commit/?h=cap_ambient&id=7f5afbd175d2
Here is a test program that can be used to verify the functionality
(from Christoph):
/*
* Test program for the ambient capabilities. This program spawns a shell
* that allows running processes with a defined set of capabilities.
*
* (C) 2015 Christoph Lameter <cl@linux.com>
* Released under: GPL v3 or later.
*
*
* Compile using:
*
* gcc -o ambient_test ambient_test.o -lcap-ng
*
* This program must have the following capabilities to run properly:
* Permissions for CAP_NET_RAW, CAP_NET_ADMIN, CAP_SYS_NICE
*
* A command to equip the binary with the right caps is:
*
* setcap cap_net_raw,cap_net_admin,cap_sys_nice+p ambient_test
*
*
* To get a shell with additional caps that can be inherited by other processes:
*
* ./ambient_test /bin/bash
*
*
* Verifying that it works:
*
* From the bash spawed by ambient_test run
*
* cat /proc/$$/status
*
* and have a look at the capabilities.
*/
#include <stdlib.h>
#include <stdio.h>
#include <errno.h>
#include <cap-ng.h>
#include <sys/prctl.h>
#include <linux/capability.h>
/*
* Definitions from the kernel header files. These are going to be removed
* when the /usr/include files have these defined.
*/
#define PR_CAP_AMBIENT 47
#define PR_CAP_AMBIENT_IS_SET 1
#define PR_CAP_AMBIENT_RAISE 2
#define PR_CAP_AMBIENT_LOWER 3
#define PR_CAP_AMBIENT_CLEAR_ALL 4
static void set_ambient_cap(int cap)
{
int rc;
capng_get_caps_process();
rc = capng_update(CAPNG_ADD, CAPNG_INHERITABLE, cap);
if (rc) {
printf("Cannot add inheritable cap\n");
exit(2);
}
capng_apply(CAPNG_SELECT_CAPS);
/* Note the two 0s at the end. Kernel checks for these */
if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0)) {
perror("Cannot set cap");
exit(1);
}
}
int main(int argc, char **argv)
{
int rc;
set_ambient_cap(CAP_NET_RAW);
set_ambient_cap(CAP_NET_ADMIN);
set_ambient_cap(CAP_SYS_NICE);
printf("Ambient_test forking shell\n");
if (execv(argv[1], argv + 1))
perror("Cannot exec");
return 0;
}
Signed-off-by: Christoph Lameter <cl@linux.com> # Original author
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Aaron Jones <aaronmdjones@gmail.com>
Cc: Ted Ts'o <tytso@mit.edu>
Cc: Andrew G. Morgan <morgan@kernel.org>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: Austin S Hemmelgarn <ahferroin7@gmail.com>
Cc: Markku Savela <msa@moth.iki.fi>
Cc: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: James Morris <james.l.morris@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2015-09-05 01:42:45 +03:00
|
|
|
render_cap_t(m, "CapAmb:\t", &cap_ambient);
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
|
|
|
|
2012-12-18 04:03:14 +04:00
|
|
|
static inline void task_seccomp(struct seq_file *m, struct task_struct *p)
|
|
|
|
{
|
|
|
|
#ifdef CONFIG_SECCOMP
|
|
|
|
seq_printf(m, "Seccomp:\t%d\n", p->seccomp.mode);
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
|
2008-02-08 15:18:33 +03:00
|
|
|
static inline void task_context_switch_counts(struct seq_file *m,
|
|
|
|
struct task_struct *p)
|
2007-07-16 10:40:48 +04:00
|
|
|
{
|
2008-02-08 15:18:33 +03:00
|
|
|
seq_printf(m, "voluntary_ctxt_switches:\t%lu\n"
|
|
|
|
"nonvoluntary_ctxt_switches:\t%lu\n",
|
|
|
|
p->nvcsw,
|
|
|
|
p->nivcsw);
|
2007-07-16 10:40:48 +04:00
|
|
|
}
|
|
|
|
|
2009-09-21 13:06:27 +04:00
|
|
|
static void task_cpus_allowed(struct seq_file *m, struct task_struct *task)
|
|
|
|
{
|
2015-02-14 01:38:07 +03:00
|
|
|
seq_printf(m, "Cpus_allowed:\t%*pb\n",
|
|
|
|
cpumask_pr_args(&task->cpus_allowed));
|
|
|
|
seq_printf(m, "Cpus_allowed_list:\t%*pbl\n",
|
|
|
|
cpumask_pr_args(&task->cpus_allowed));
|
2009-09-21 13:06:27 +04:00
|
|
|
}
|
|
|
|
|
2008-02-08 15:18:33 +03:00
|
|
|
int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
|
|
|
|
struct pid *pid, struct task_struct *task)
|
2005-04-17 02:20:36 +04:00
|
|
|
{
|
|
|
|
struct mm_struct *mm = get_task_mm(task);
|
|
|
|
|
2008-02-08 15:18:33 +03:00
|
|
|
task_name(m, task);
|
|
|
|
task_state(m, ns, pid, task);
|
2007-07-16 11:46:31 +04:00
|
|
|
|
2005-04-17 02:20:36 +04:00
|
|
|
if (mm) {
|
2008-02-08 15:18:33 +03:00
|
|
|
task_mem(m, mm);
|
2005-04-17 02:20:36 +04:00
|
|
|
mmput(mm);
|
|
|
|
}
|
2008-02-08 15:18:33 +03:00
|
|
|
task_sig(m, task);
|
|
|
|
task_cap(m, task);
|
2012-12-18 04:03:14 +04:00
|
|
|
task_seccomp(m, task);
|
2009-09-21 13:06:27 +04:00
|
|
|
task_cpus_allowed(m, task);
|
2008-02-08 15:18:33 +03:00
|
|
|
cpuset_task_status_allowed(m, task);
|
|
|
|
task_context_switch_counts(m, task);
|
|
|
|
return 0;
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
|
|
|
|
2008-02-08 15:18:31 +03:00
|
|
|
static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
|
|
|
|
struct pid *pid, struct task_struct *task, int whole)
|
2005-04-17 02:20:36 +04:00
|
|
|
{
|
fs/proc, core/debug: Don't expose absolute kernel addresses via wchan
So the /proc/PID/stat 'wchan' field (the 30th field, which contains
the absolute kernel address of the kernel function a task is blocked in)
leaks absolute kernel addresses to unprivileged user-space:
seq_put_decimal_ull(m, ' ', wchan);
The absolute address might also leak via /proc/PID/wchan as well, if
KALLSYMS is turned off or if the symbol lookup fails for some reason:
static int proc_pid_wchan(struct seq_file *m, struct pid_namespace *ns,
struct pid *pid, struct task_struct *task)
{
unsigned long wchan;
char symname[KSYM_NAME_LEN];
wchan = get_wchan(task);
if (lookup_symbol_name(wchan, symname) < 0) {
if (!ptrace_may_access(task, PTRACE_MODE_READ))
return 0;
seq_printf(m, "%lu", wchan);
} else {
seq_printf(m, "%s", symname);
}
return 0;
}
This isn't ideal, because for example it trivially leaks the KASLR offset
to any local attacker:
fomalhaut:~> printf "%016lx\n" $(cat /proc/$$/stat | cut -d' ' -f35)
ffffffff8123b380
Most real-life uses of wchan are symbolic:
ps -eo pid:10,tid:10,wchan:30,comm
and procps uses /proc/PID/wchan, not the absolute address in /proc/PID/stat:
triton:~/tip> strace -f ps -eo pid:10,tid:10,wchan:30,comm 2>&1 | grep wchan | tail -1
open("/proc/30833/wchan", O_RDONLY) = 6
There's one compatibility quirk here: procps relies on whether the
absolute value is non-zero - and we can provide that functionality
by outputing "0" or "1" depending on whether the task is blocked
(whether there's a wchan address).
These days there appears to be very little legitimate reason
user-space would be interested in the absolute address. The
absolute address is mostly historic: from the days when we
didn't have kallsyms and user-space procps had to do the
decoding itself via the System.map.
So this patch sets all numeric output to "0" or "1" and keeps only
symbolic output, in /proc/PID/wchan.
( The absolute sleep address can generally still be profiled via
perf, by tasks with sufficient privileges. )
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: <stable@vger.kernel.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Alexander Potapenko <glider@google.com>
Cc: Andrey Konovalov <andreyknvl@google.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Kostya Serebryany <kcc@google.com>
Cc: Mike Galbraith <efault@gmx.de>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Sasha Levin <sasha.levin@oracle.com>
Cc: kasan-dev <kasan-dev@googlegroups.com>
Cc: linux-kernel@vger.kernel.org
Link: http://lkml.kernel.org/r/20150930135917.GA3285@gmail.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2015-09-30 16:59:17 +03:00
|
|
|
unsigned long vsize, eip, esp, wchan = 0;
|
2012-06-01 03:26:19 +04:00
|
|
|
int priority, nice;
|
2005-04-17 02:20:36 +04:00
|
|
|
int tty_pgrp = -1, tty_nr = 0;
|
|
|
|
sigset_t sigign, sigcatch;
|
|
|
|
char state;
|
2007-07-16 11:46:31 +04:00
|
|
|
pid_t ppid = 0, pgid = -1, sid = -1;
|
2005-04-17 02:20:36 +04:00
|
|
|
int num_threads = 0;
|
2009-05-04 22:51:14 +04:00
|
|
|
int permitted;
|
2005-04-17 02:20:36 +04:00
|
|
|
struct mm_struct *mm;
|
|
|
|
unsigned long long start_time;
|
|
|
|
unsigned long cmin_flt = 0, cmaj_flt = 0;
|
|
|
|
unsigned long min_flt = 0, maj_flt = 0;
|
2007-08-23 17:18:02 +04:00
|
|
|
cputime_t cutime, cstime, utime, stime;
|
2007-10-15 19:00:19 +04:00
|
|
|
cputime_t cgtime, gtime;
|
2005-04-17 02:20:36 +04:00
|
|
|
unsigned long rsslim = 0;
|
|
|
|
char tcomm[sizeof(task->comm)];
|
2006-10-02 13:18:53 +04:00
|
|
|
unsigned long flags;
|
2005-04-17 02:20:36 +04:00
|
|
|
|
|
|
|
state = *get_task_state(task);
|
|
|
|
vsize = eip = esp = 0;
|
ptrace: use fsuid, fsgid, effective creds for fs access checks
By checking the effective credentials instead of the real UID / permitted
capabilities, ensure that the calling process actually intended to use its
credentials.
To ensure that all ptrace checks use the correct caller credentials (e.g.
in case out-of-tree code or newly added code omits the PTRACE_MODE_*CREDS
flag), use two new flags and require one of them to be set.
The problem was that when a privileged task had temporarily dropped its
privileges, e.g. by calling setreuid(0, user_uid), with the intent to
perform following syscalls with the credentials of a user, it still passed
ptrace access checks that the user would not be able to pass.
While an attacker should not be able to convince the privileged task to
perform a ptrace() syscall, this is a problem because the ptrace access
check is reused for things in procfs.
In particular, the following somewhat interesting procfs entries only rely
on ptrace access checks:
/proc/$pid/stat - uses the check for determining whether pointers
should be visible, useful for bypassing ASLR
/proc/$pid/maps - also useful for bypassing ASLR
/proc/$pid/cwd - useful for gaining access to restricted
directories that contain files with lax permissions, e.g. in
this scenario:
lrwxrwxrwx root root /proc/13020/cwd -> /root/foobar
drwx------ root root /root
drwxr-xr-x root root /root/foobar
-rw-r--r-- root root /root/foobar/secret
Therefore, on a system where a root-owned mode 6755 binary changes its
effective credentials as described and then dumps a user-specified file,
this could be used by an attacker to reveal the memory layout of root's
processes or reveal the contents of files he is not allowed to access
(through /proc/$pid/cwd).
[akpm@linux-foundation.org: fix warning]
Signed-off-by: Jann Horn <jann@thejh.net>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Casey Schaufler <casey@schaufler-ca.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: James Morris <james.l.morris@oracle.com>
Cc: "Serge E. Hallyn" <serge.hallyn@ubuntu.com>
Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-01-21 02:00:04 +03:00
|
|
|
permitted = ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS | PTRACE_MODE_NOAUDIT);
|
2005-04-17 02:20:36 +04:00
|
|
|
mm = get_task_mm(task);
|
|
|
|
if (mm) {
|
|
|
|
vsize = task_vsize(mm);
|
2009-05-04 22:51:14 +04:00
|
|
|
if (permitted) {
|
|
|
|
eip = KSTK_EIP(task);
|
|
|
|
esp = KSTK_ESP(task);
|
|
|
|
}
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
get_task_comm(tcomm, task);
|
|
|
|
|
|
|
|
sigemptyset(&sigign);
|
|
|
|
sigemptyset(&sigcatch);
|
2011-12-15 17:56:09 +04:00
|
|
|
cutime = cstime = utime = stime = 0;
|
|
|
|
cgtime = gtime = 0;
|
2006-09-29 13:00:41 +04:00
|
|
|
|
2006-10-02 13:18:53 +04:00
|
|
|
if (lock_task_sighand(task, &flags)) {
|
|
|
|
struct signal_struct *sig = task->signal;
|
2006-12-08 13:36:07 +03:00
|
|
|
|
|
|
|
if (sig->tty) {
|
2008-04-30 11:53:31 +04:00
|
|
|
struct pid *pgrp = tty_get_pgrp(sig->tty);
|
|
|
|
tty_pgrp = pid_nr_ns(pgrp, ns);
|
|
|
|
put_pid(pgrp);
|
2006-12-08 13:36:07 +03:00
|
|
|
tty_nr = new_encode_dev(tty_devnum(sig->tty));
|
2006-10-02 13:18:53 +04:00
|
|
|
}
|
|
|
|
|
2010-05-27 01:43:22 +04:00
|
|
|
num_threads = get_nr_threads(task);
|
2005-04-17 02:20:36 +04:00
|
|
|
collect_sigign_sigcatch(task, &sigign, &sigcatch);
|
|
|
|
|
2006-10-02 13:18:53 +04:00
|
|
|
cmin_flt = sig->cmin_flt;
|
|
|
|
cmaj_flt = sig->cmaj_flt;
|
|
|
|
cutime = sig->cutime;
|
|
|
|
cstime = sig->cstime;
|
2007-10-15 19:00:19 +04:00
|
|
|
cgtime = sig->cgtime;
|
2010-03-06 00:42:42 +03:00
|
|
|
rsslim = ACCESS_ONCE(sig->rlim[RLIMIT_RSS].rlim_cur);
|
2006-10-02 13:18:53 +04:00
|
|
|
|
2005-04-17 02:20:36 +04:00
|
|
|
/* add up live thread stats at the group level */
|
|
|
|
if (whole) {
|
2006-10-02 13:18:53 +04:00
|
|
|
struct task_struct *t = task;
|
2005-04-17 02:20:36 +04:00
|
|
|
do {
|
|
|
|
min_flt += t->min_flt;
|
|
|
|
maj_flt += t->maj_flt;
|
2012-11-13 17:20:55 +04:00
|
|
|
gtime += task_gtime(t);
|
2014-01-24 03:55:53 +04:00
|
|
|
} while_each_thread(task, t);
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2006-10-02 13:18:53 +04:00
|
|
|
min_flt += sig->min_flt;
|
|
|
|
maj_flt += sig->maj_flt;
|
2012-11-21 19:26:44 +04:00
|
|
|
thread_group_cputime_adjusted(task, &utime, &stime);
|
2011-12-15 17:56:09 +04:00
|
|
|
gtime += sig->gtime;
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
2006-10-02 13:18:53 +04:00
|
|
|
|
2007-10-19 10:40:14 +04:00
|
|
|
sid = task_session_nr_ns(task, ns);
|
2008-01-15 00:02:37 +03:00
|
|
|
ppid = task_tgid_nr_ns(task->real_parent, ns);
|
2007-10-19 10:40:14 +04:00
|
|
|
pgid = task_pgrp_nr_ns(task, ns);
|
2006-10-02 13:18:53 +04:00
|
|
|
|
|
|
|
unlock_task_sighand(task, &flags);
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
|
|
|
|
2009-05-04 22:51:14 +04:00
|
|
|
if (permitted && (!whole || num_threads < 2))
|
2005-04-17 02:20:36 +04:00
|
|
|
wchan = get_wchan(task);
|
|
|
|
if (!whole) {
|
|
|
|
min_flt = task->min_flt;
|
|
|
|
maj_flt = task->maj_flt;
|
2012-11-21 19:26:44 +04:00
|
|
|
task_cputime_adjusted(task, &utime, &stime);
|
2012-11-13 17:20:55 +04:00
|
|
|
gtime = task_gtime(task);
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
/* scale priority and nice values from timeslices to -20..20 */
|
|
|
|
/* to make it look like a "normal" Unix priority/nice value */
|
|
|
|
priority = task_prio(task);
|
|
|
|
nice = task_nice(task);
|
|
|
|
|
|
|
|
/* convert nsec -> ticks */
|
2014-07-17 01:04:32 +04:00
|
|
|
start_time = nsec_to_clock_t(task->real_start_time);
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2012-03-24 02:02:54 +04:00
|
|
|
seq_printf(m, "%d (%s) %c", pid_nr_ns(pid, ns), tcomm, state);
|
|
|
|
seq_put_decimal_ll(m, ' ', ppid);
|
|
|
|
seq_put_decimal_ll(m, ' ', pgid);
|
|
|
|
seq_put_decimal_ll(m, ' ', sid);
|
|
|
|
seq_put_decimal_ll(m, ' ', tty_nr);
|
|
|
|
seq_put_decimal_ll(m, ' ', tty_pgrp);
|
|
|
|
seq_put_decimal_ull(m, ' ', task->flags);
|
|
|
|
seq_put_decimal_ull(m, ' ', min_flt);
|
|
|
|
seq_put_decimal_ull(m, ' ', cmin_flt);
|
|
|
|
seq_put_decimal_ull(m, ' ', maj_flt);
|
|
|
|
seq_put_decimal_ull(m, ' ', cmaj_flt);
|
|
|
|
seq_put_decimal_ull(m, ' ', cputime_to_clock_t(utime));
|
|
|
|
seq_put_decimal_ull(m, ' ', cputime_to_clock_t(stime));
|
|
|
|
seq_put_decimal_ll(m, ' ', cputime_to_clock_t(cutime));
|
|
|
|
seq_put_decimal_ll(m, ' ', cputime_to_clock_t(cstime));
|
|
|
|
seq_put_decimal_ll(m, ' ', priority);
|
|
|
|
seq_put_decimal_ll(m, ' ', nice);
|
|
|
|
seq_put_decimal_ll(m, ' ', num_threads);
|
|
|
|
seq_put_decimal_ull(m, ' ', 0);
|
|
|
|
seq_put_decimal_ull(m, ' ', start_time);
|
|
|
|
seq_put_decimal_ull(m, ' ', vsize);
|
2012-06-01 03:26:19 +04:00
|
|
|
seq_put_decimal_ull(m, ' ', mm ? get_mm_rss(mm) : 0);
|
2012-03-24 02:02:54 +04:00
|
|
|
seq_put_decimal_ull(m, ' ', rsslim);
|
|
|
|
seq_put_decimal_ull(m, ' ', mm ? (permitted ? mm->start_code : 1) : 0);
|
|
|
|
seq_put_decimal_ull(m, ' ', mm ? (permitted ? mm->end_code : 1) : 0);
|
|
|
|
seq_put_decimal_ull(m, ' ', (permitted && mm) ? mm->start_stack : 0);
|
|
|
|
seq_put_decimal_ull(m, ' ', esp);
|
|
|
|
seq_put_decimal_ull(m, ' ', eip);
|
|
|
|
/* The signal information here is obsolete.
|
|
|
|
* It must be decimal for Linux 2.0 compatibility.
|
|
|
|
* Use /proc/#/status for real-time signals.
|
|
|
|
*/
|
|
|
|
seq_put_decimal_ull(m, ' ', task->pending.signal.sig[0] & 0x7fffffffUL);
|
|
|
|
seq_put_decimal_ull(m, ' ', task->blocked.sig[0] & 0x7fffffffUL);
|
|
|
|
seq_put_decimal_ull(m, ' ', sigign.sig[0] & 0x7fffffffUL);
|
|
|
|
seq_put_decimal_ull(m, ' ', sigcatch.sig[0] & 0x7fffffffUL);
|
fs/proc, core/debug: Don't expose absolute kernel addresses via wchan
So the /proc/PID/stat 'wchan' field (the 30th field, which contains
the absolute kernel address of the kernel function a task is blocked in)
leaks absolute kernel addresses to unprivileged user-space:
seq_put_decimal_ull(m, ' ', wchan);
The absolute address might also leak via /proc/PID/wchan as well, if
KALLSYMS is turned off or if the symbol lookup fails for some reason:
static int proc_pid_wchan(struct seq_file *m, struct pid_namespace *ns,
struct pid *pid, struct task_struct *task)
{
unsigned long wchan;
char symname[KSYM_NAME_LEN];
wchan = get_wchan(task);
if (lookup_symbol_name(wchan, symname) < 0) {
if (!ptrace_may_access(task, PTRACE_MODE_READ))
return 0;
seq_printf(m, "%lu", wchan);
} else {
seq_printf(m, "%s", symname);
}
return 0;
}
This isn't ideal, because for example it trivially leaks the KASLR offset
to any local attacker:
fomalhaut:~> printf "%016lx\n" $(cat /proc/$$/stat | cut -d' ' -f35)
ffffffff8123b380
Most real-life uses of wchan are symbolic:
ps -eo pid:10,tid:10,wchan:30,comm
and procps uses /proc/PID/wchan, not the absolute address in /proc/PID/stat:
triton:~/tip> strace -f ps -eo pid:10,tid:10,wchan:30,comm 2>&1 | grep wchan | tail -1
open("/proc/30833/wchan", O_RDONLY) = 6
There's one compatibility quirk here: procps relies on whether the
absolute value is non-zero - and we can provide that functionality
by outputing "0" or "1" depending on whether the task is blocked
(whether there's a wchan address).
These days there appears to be very little legitimate reason
user-space would be interested in the absolute address. The
absolute address is mostly historic: from the days when we
didn't have kallsyms and user-space procps had to do the
decoding itself via the System.map.
So this patch sets all numeric output to "0" or "1" and keeps only
symbolic output, in /proc/PID/wchan.
( The absolute sleep address can generally still be profiled via
perf, by tasks with sufficient privileges. )
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: <stable@vger.kernel.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Alexander Potapenko <glider@google.com>
Cc: Andrey Konovalov <andreyknvl@google.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Kostya Serebryany <kcc@google.com>
Cc: Mike Galbraith <efault@gmx.de>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Sasha Levin <sasha.levin@oracle.com>
Cc: kasan-dev <kasan-dev@googlegroups.com>
Cc: linux-kernel@vger.kernel.org
Link: http://lkml.kernel.org/r/20150930135917.GA3285@gmail.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2015-09-30 16:59:17 +03:00
|
|
|
|
|
|
|
/*
|
|
|
|
* We used to output the absolute kernel address, but that's an
|
|
|
|
* information leak - so instead we show a 0/1 flag here, to signal
|
|
|
|
* to user-space whether there's a wchan field in /proc/PID/wchan.
|
|
|
|
*
|
|
|
|
* This works with older implementations of procps as well.
|
|
|
|
*/
|
|
|
|
if (wchan)
|
|
|
|
seq_puts(m, " 1");
|
|
|
|
else
|
|
|
|
seq_puts(m, " 0");
|
|
|
|
|
2012-03-24 02:02:54 +04:00
|
|
|
seq_put_decimal_ull(m, ' ', 0);
|
|
|
|
seq_put_decimal_ull(m, ' ', 0);
|
|
|
|
seq_put_decimal_ll(m, ' ', task->exit_signal);
|
|
|
|
seq_put_decimal_ll(m, ' ', task_cpu(task));
|
|
|
|
seq_put_decimal_ull(m, ' ', task->rt_priority);
|
|
|
|
seq_put_decimal_ull(m, ' ', task->policy);
|
|
|
|
seq_put_decimal_ull(m, ' ', delayacct_blkio_ticks(task));
|
|
|
|
seq_put_decimal_ull(m, ' ', cputime_to_clock_t(gtime));
|
|
|
|
seq_put_decimal_ll(m, ' ', cputime_to_clock_t(cgtime));
|
2012-06-01 03:26:44 +04:00
|
|
|
|
|
|
|
if (mm && permitted) {
|
|
|
|
seq_put_decimal_ull(m, ' ', mm->start_data);
|
|
|
|
seq_put_decimal_ull(m, ' ', mm->end_data);
|
|
|
|
seq_put_decimal_ull(m, ' ', mm->start_brk);
|
|
|
|
seq_put_decimal_ull(m, ' ', mm->arg_start);
|
|
|
|
seq_put_decimal_ull(m, ' ', mm->arg_end);
|
|
|
|
seq_put_decimal_ull(m, ' ', mm->env_start);
|
|
|
|
seq_put_decimal_ull(m, ' ', mm->env_end);
|
|
|
|
} else
|
|
|
|
seq_printf(m, " 0 0 0 0 0 0 0");
|
|
|
|
|
|
|
|
if (permitted)
|
|
|
|
seq_put_decimal_ll(m, ' ', task->exit_code);
|
|
|
|
else
|
|
|
|
seq_put_decimal_ll(m, ' ', 0);
|
|
|
|
|
2012-03-24 02:02:54 +04:00
|
|
|
seq_putc(m, '\n');
|
2007-07-16 11:46:31 +04:00
|
|
|
if (mm)
|
2005-04-17 02:20:36 +04:00
|
|
|
mmput(mm);
|
2008-02-08 15:18:31 +03:00
|
|
|
return 0;
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
|
|
|
|
2008-02-08 15:18:31 +03:00
|
|
|
int proc_tid_stat(struct seq_file *m, struct pid_namespace *ns,
|
|
|
|
struct pid *pid, struct task_struct *task)
|
2005-04-17 02:20:36 +04:00
|
|
|
{
|
2008-02-08 15:18:31 +03:00
|
|
|
return do_task_stat(m, ns, pid, task, 0);
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
|
|
|
|
2008-02-08 15:18:31 +03:00
|
|
|
int proc_tgid_stat(struct seq_file *m, struct pid_namespace *ns,
|
|
|
|
struct pid *pid, struct task_struct *task)
|
2005-04-17 02:20:36 +04:00
|
|
|
{
|
2008-02-08 15:18:31 +03:00
|
|
|
return do_task_stat(m, ns, pid, task, 1);
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
|
|
|
|
2008-02-08 15:18:32 +03:00
|
|
|
int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
|
|
|
|
struct pid *pid, struct task_struct *task)
|
2005-04-17 02:20:36 +04:00
|
|
|
{
|
2011-01-13 04:00:32 +03:00
|
|
|
unsigned long size = 0, resident = 0, shared = 0, text = 0, data = 0;
|
2005-04-17 02:20:36 +04:00
|
|
|
struct mm_struct *mm = get_task_mm(task);
|
2007-07-16 11:46:31 +04:00
|
|
|
|
2005-04-17 02:20:36 +04:00
|
|
|
if (mm) {
|
|
|
|
size = task_statm(mm, &shared, &text, &data, &resident);
|
|
|
|
mmput(mm);
|
|
|
|
}
|
2012-03-24 02:02:54 +04:00
|
|
|
/*
|
|
|
|
* For quick read, open code by putting numbers directly
|
|
|
|
* expected format is
|
|
|
|
* seq_printf(m, "%lu %lu %lu %lu 0 %lu 0\n",
|
|
|
|
* size, resident, shared, text, data);
|
|
|
|
*/
|
|
|
|
seq_put_decimal_ull(m, 0, size);
|
|
|
|
seq_put_decimal_ull(m, ' ', resident);
|
|
|
|
seq_put_decimal_ull(m, ' ', shared);
|
|
|
|
seq_put_decimal_ull(m, ' ', text);
|
|
|
|
seq_put_decimal_ull(m, ' ', 0);
|
2012-03-29 01:42:39 +04:00
|
|
|
seq_put_decimal_ull(m, ' ', data);
|
2012-03-24 02:02:54 +04:00
|
|
|
seq_put_decimal_ull(m, ' ', 0);
|
|
|
|
seq_putc(m, '\n');
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2008-02-08 15:18:32 +03:00
|
|
|
return 0;
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
2012-06-01 03:26:43 +04:00
|
|
|
|
2015-06-26 01:00:57 +03:00
|
|
|
#ifdef CONFIG_PROC_CHILDREN
|
2012-06-01 03:26:43 +04:00
|
|
|
static struct pid *
|
|
|
|
get_children_pid(struct inode *inode, struct pid *pid_prev, loff_t pos)
|
|
|
|
{
|
|
|
|
struct task_struct *start, *task;
|
|
|
|
struct pid *pid = NULL;
|
|
|
|
|
|
|
|
read_lock(&tasklist_lock);
|
|
|
|
|
|
|
|
start = pid_task(proc_pid(inode), PIDTYPE_PID);
|
|
|
|
if (!start)
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Lets try to continue searching first, this gives
|
|
|
|
* us significant speedup on children-rich processes.
|
|
|
|
*/
|
|
|
|
if (pid_prev) {
|
|
|
|
task = pid_task(pid_prev, PIDTYPE_PID);
|
|
|
|
if (task && task->real_parent == start &&
|
|
|
|
!(list_empty(&task->sibling))) {
|
|
|
|
if (list_is_last(&task->sibling, &start->children))
|
|
|
|
goto out;
|
|
|
|
task = list_first_entry(&task->sibling,
|
|
|
|
struct task_struct, sibling);
|
|
|
|
pid = get_pid(task_pid(task));
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Slow search case.
|
|
|
|
*
|
|
|
|
* We might miss some children here if children
|
|
|
|
* are exited while we were not holding the lock,
|
|
|
|
* but it was never promised to be accurate that
|
|
|
|
* much.
|
|
|
|
*
|
|
|
|
* "Just suppose that the parent sleeps, but N children
|
|
|
|
* exit after we printed their tids. Now the slow paths
|
|
|
|
* skips N extra children, we miss N tasks." (c)
|
|
|
|
*
|
|
|
|
* So one need to stop or freeze the leader and all
|
|
|
|
* its children to get a precise result.
|
|
|
|
*/
|
|
|
|
list_for_each_entry(task, &start->children, sibling) {
|
|
|
|
if (pos-- == 0) {
|
|
|
|
pid = get_pid(task_pid(task));
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
out:
|
|
|
|
read_unlock(&tasklist_lock);
|
|
|
|
return pid;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int children_seq_show(struct seq_file *seq, void *v)
|
|
|
|
{
|
|
|
|
struct inode *inode = seq->private;
|
|
|
|
pid_t pid;
|
|
|
|
|
|
|
|
pid = pid_nr_ns(v, inode->i_sb->s_fs_info);
|
2015-04-16 02:18:17 +03:00
|
|
|
seq_printf(seq, "%d ", pid);
|
|
|
|
|
|
|
|
return 0;
|
2012-06-01 03:26:43 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
static void *children_seq_start(struct seq_file *seq, loff_t *pos)
|
|
|
|
{
|
|
|
|
return get_children_pid(seq->private, NULL, *pos);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void *children_seq_next(struct seq_file *seq, void *v, loff_t *pos)
|
|
|
|
{
|
|
|
|
struct pid *pid;
|
|
|
|
|
|
|
|
pid = get_children_pid(seq->private, v, *pos + 1);
|
|
|
|
put_pid(v);
|
|
|
|
|
|
|
|
++*pos;
|
|
|
|
return pid;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void children_seq_stop(struct seq_file *seq, void *v)
|
|
|
|
{
|
|
|
|
put_pid(v);
|
|
|
|
}
|
|
|
|
|
|
|
|
static const struct seq_operations children_seq_ops = {
|
|
|
|
.start = children_seq_start,
|
|
|
|
.next = children_seq_next,
|
|
|
|
.stop = children_seq_stop,
|
|
|
|
.show = children_seq_show,
|
|
|
|
};
|
|
|
|
|
|
|
|
static int children_seq_open(struct inode *inode, struct file *file)
|
|
|
|
{
|
|
|
|
struct seq_file *m;
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
ret = seq_open(file, &children_seq_ops);
|
|
|
|
if (ret)
|
|
|
|
return ret;
|
|
|
|
|
|
|
|
m = file->private_data;
|
|
|
|
m->private = inode;
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
int children_seq_release(struct inode *inode, struct file *file)
|
|
|
|
{
|
|
|
|
seq_release(inode, file);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
const struct file_operations proc_tid_children_operations = {
|
|
|
|
.open = children_seq_open,
|
|
|
|
.read = seq_read,
|
|
|
|
.llseek = seq_lseek,
|
|
|
|
.release = children_seq_release,
|
|
|
|
};
|
2015-06-26 01:00:57 +03:00
|
|
|
#endif /* CONFIG_PROC_CHILDREN */
|