'ptrace trace' needed to readlink() /proc/*/ns/* files on older kernels
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Fix Released | Undecided | Unassigned |
Xenial | Triaged | Medium | John Johansen |
Bionic | Fix Released | Medium | John Johansen |
Bug Description
SRU Justification:
[Impact]
Permission 'ptrace trace' is required to readlink() /proc/*/ns/*, when
only 'ptrace read' should be required according to 'man namespaces':
"Permission to dereference or read (readlink(2)) these symbolic links
is governed by a ptrace access mode PTRACE_
ptrace(2)."
[Fix]
Upstream commit 338d0be437ef10e ("apparmor: fix ptrace read check").
[Test Plan]
BugLink contains the source of a binary that reproduces the issue. In
summary, it executes readlink() on /proc/*/ns/*. There's also a policy
that has only 'ptrace read' permission. When the bug is fixed,
execution is allowed.
[Where problems could occur]
The regression risk can be considered low, since the fix lowers the number
of permissions required. Existing policies that already contain both the
'ptrace trace' and 'ptrace read' permissions will simply be broader than
required.
Changed in linux (Ubuntu):
  status: New → Fix Released
  tags: added: apparmor
Changed in linux (Ubuntu Bionic):
  status: New → Confirmed
Changed in linux (Ubuntu Xenial):
  status: New → Confirmed
summary:
  - 'ptrace trace' needed to readlink() /proc/*/ns/* files
  + 'ptrace trace' needed to readlink() /proc/*/ns/* files on older kernels
Changed in linux (Ubuntu Bionic):
  status: Triaged → Fix Committed
We need to pick the upstream fix
338d0be437ef apparmor: fix ptrace read check
and we should probably pick
1f8266ff5884 (fix-setuid) apparmor: don't try to replace stale label in ptrace access check
to avoid other problems.