Allow access to /proc/$PID/fd after setuid()
/proc/$PID/fd has r-x------ permissions, so if process does setuid(), it will not be able to access /proc/*/fd/. This breaks fstatat() emulation in glibc. open("foo", O_RDONLY|O_DIRECTORY) = 4 setuid32(65534) = 0 stat64("/proc/self/fd/4/bar", 0xbfafb298) = -1 EACCES (Permission denied) Signed-off-by: Alexey Dobriyan <adobriyan@openvz.org> Cc: "Eric W. Biederman" <ebiederm@xmission.com> Cc: James Morris <jmorris@namei.org> Cc: Chris Wright <chrisw@sous-sol.org> Cc: Ulrich Drepper <drepper@redhat.com> Cc: Oleg Nesterov <oleg@tv-sign.ru> Acked-By: Kirill Korotaev <dev@openvz.org> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Christoph Hellwig <hch@lst.de> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
Родитель
ab1b6f03a1
Коммит
8948e11f45
|
@ -1447,11 +1447,29 @@ static const struct file_operations proc_fd_operations = {
|
|||
.readdir = proc_readfd,
|
||||
};
|
||||
|
||||
/*
|
||||
* /proc/pid/fd needs a special permission handler so that a process can still
|
||||
* access /proc/self/fd after it has executed a setuid().
|
||||
*/
|
||||
static int proc_fd_permission(struct inode *inode, int mask,
|
||||
struct nameidata *nd)
|
||||
{
|
||||
int rv;
|
||||
|
||||
rv = generic_permission(inode, mask, NULL);
|
||||
if (rv == 0)
|
||||
return 0;
|
||||
if (task_pid(current) == proc_pid(inode))
|
||||
rv = 0;
|
||||
return rv;
|
||||
}
|
||||
|
||||
/*
|
||||
* proc directories can do almost nothing..
|
||||
*/
|
||||
static const struct inode_operations proc_fd_inode_operations = {
|
||||
.lookup = proc_lookupfd,
|
||||
.permission = proc_fd_permission,
|
||||
.setattr = proc_setattr,
|
||||
};
|
||||
|
||||
|
|
Загрузка…
Ссылка в новой задаче