1 /* 2 * Yama Linux Security Module 3 * 4 * Author: Kees Cook <keescook@chromium.org> 5 * 6 * Copyright (C) 2010 Canonical, Ltd. 7 * Copyright (C) 2011 The Chromium OS Authors. 8 * 9 * This program is free software; you can redistribute it and/or modify 10 * it under the terms of the GNU General Public License version 2, as 11 * published by the Free Software Foundation. 12 * 13 */ 14 15 #include <linux/security.h> 16 #include <linux/sysctl.h> 17 #include <linux/ptrace.h> 18 #include <linux/prctl.h> 19 #include <linux/ratelimit.h> 20 #include <linux/workqueue.h> 21 22 #define YAMA_SCOPE_DISABLED 0 23 #define YAMA_SCOPE_RELATIONAL 1 24 #define YAMA_SCOPE_CAPABILITY 2 25 #define YAMA_SCOPE_NO_ATTACH 3 26 27 static int ptrace_scope = YAMA_SCOPE_RELATIONAL; 28 29 /* describe a ptrace relationship for potential exception */ 30 struct ptrace_relation { 31 struct task_struct *tracer; 32 struct task_struct *tracee; 33 bool invalid; 34 struct list_head node; 35 struct rcu_head rcu; 36 }; 37 38 static LIST_HEAD(ptracer_relations); 39 static DEFINE_SPINLOCK(ptracer_relations_lock); 40 41 static void yama_relation_cleanup(struct work_struct *work); 42 static DECLARE_WORK(yama_relation_work, yama_relation_cleanup); 43 44 /** 45 * yama_relation_cleanup - remove invalid entries from the relation list 46 * 47 */ 48 static void yama_relation_cleanup(struct work_struct *work) 49 { 50 struct ptrace_relation *relation; 51 52 spin_lock(&ptracer_relations_lock); 53 rcu_read_lock(); 54 list_for_each_entry_rcu(relation, &ptracer_relations, node) { 55 if (relation->invalid) { 56 list_del_rcu(&relation->node); 57 kfree_rcu(relation, rcu); 58 } 59 } 60 rcu_read_unlock(); 61 spin_unlock(&ptracer_relations_lock); 62 } 63 64 /** 65 * yama_ptracer_add - add/replace an exception for this tracer/tracee pair 66 * @tracer: the task_struct of the process doing the ptrace 67 * @tracee: the task_struct of the process to be ptraced 68 * 69 * Each tracee can have, at most, one tracer registered. Each time this 70 * is called, the prior registered tracer will be replaced for the tracee. 71 * 72 * Returns 0 if relationship was added, -ve on error. 73 */ 74 static int yama_ptracer_add(struct task_struct *tracer, 75 struct task_struct *tracee) 76 { 77 struct ptrace_relation *relation, *added; 78 79 added = kmalloc(sizeof(*added), GFP_KERNEL); 80 if (!added) 81 return -ENOMEM; 82 83 added->tracee = tracee; 84 added->tracer = tracer; 85 added->invalid = false; 86 87 spin_lock(&ptracer_relations_lock); 88 rcu_read_lock(); 89 list_for_each_entry_rcu(relation, &ptracer_relations, node) { 90 if (relation->invalid) 91 continue; 92 if (relation->tracee == tracee) { 93 list_replace_rcu(&relation->node, &added->node); 94 kfree_rcu(relation, rcu); 95 goto out; 96 } 97 } 98 99 list_add_rcu(&added->node, &ptracer_relations); 100 101 out: 102 rcu_read_unlock(); 103 spin_unlock(&ptracer_relations_lock); 104 return 0; 105 } 106 107 /** 108 * yama_ptracer_del - remove exceptions related to the given tasks 109 * @tracer: remove any relation where tracer task matches 110 * @tracee: remove any relation where tracee task matches 111 */ 112 static void yama_ptracer_del(struct task_struct *tracer, 113 struct task_struct *tracee) 114 { 115 struct ptrace_relation *relation; 116 bool marked = false; 117 118 rcu_read_lock(); 119 list_for_each_entry_rcu(relation, &ptracer_relations, node) { 120 if (relation->invalid) 121 continue; 122 if (relation->tracee == tracee || 123 (tracer && relation->tracer == tracer)) { 124 relation->invalid = true; 125 marked = true; 126 } 127 } 128 rcu_read_unlock(); 129 130 if (marked) 131 schedule_work(&yama_relation_work); 132 } 133 134 /** 135 * yama_task_free - check for task_pid to remove from exception list 136 * @task: task being removed 137 */ 138 void yama_task_free(struct task_struct *task) 139 { 140 yama_ptracer_del(task, task); 141 } 142 143 /** 144 * yama_task_prctl - check for Yama-specific prctl operations 145 * @option: operation 146 * @arg2: argument 147 * @arg3: argument 148 * @arg4: argument 149 * @arg5: argument 150 * 151 * Return 0 on success, -ve on error. -ENOSYS is returned when Yama 152 * does not handle the given option. 153 */ 154 int yama_task_prctl(int option, unsigned long arg2, unsigned long arg3, 155 unsigned long arg4, unsigned long arg5) 156 { 157 int rc; 158 struct task_struct *myself = current; 159 160 rc = cap_task_prctl(option, arg2, arg3, arg4, arg5); 161 if (rc != -ENOSYS) 162 return rc; 163 164 switch (option) { 165 case PR_SET_PTRACER: 166 /* Since a thread can call prctl(), find the group leader 167 * before calling _add() or _del() on it, since we want 168 * process-level granularity of control. The tracer group 169 * leader checking is handled later when walking the ancestry 170 * at the time of PTRACE_ATTACH check. 171 */ 172 rcu_read_lock(); 173 if (!thread_group_leader(myself)) 174 myself = rcu_dereference(myself->group_leader); 175 get_task_struct(myself); 176 rcu_read_unlock(); 177 178 if (arg2 == 0) { 179 yama_ptracer_del(NULL, myself); 180 rc = 0; 181 } else if (arg2 == PR_SET_PTRACER_ANY || (int)arg2 == -1) { 182 rc = yama_ptracer_add(NULL, myself); 183 } else { 184 struct task_struct *tracer; 185 186 rcu_read_lock(); 187 tracer = find_task_by_vpid(arg2); 188 if (tracer) 189 get_task_struct(tracer); 190 else 191 rc = -EINVAL; 192 rcu_read_unlock(); 193 194 if (tracer) { 195 rc = yama_ptracer_add(tracer, myself); 196 put_task_struct(tracer); 197 } 198 } 199 200 put_task_struct(myself); 201 break; 202 } 203 204 return rc; 205 } 206 207 /** 208 * task_is_descendant - walk up a process family tree looking for a match 209 * @parent: the process to compare against while walking up from child 210 * @child: the process to start from while looking upwards for parent 211 * 212 * Returns 1 if child is a descendant of parent, 0 if not. 213 */ 214 static int task_is_descendant(struct task_struct *parent, 215 struct task_struct *child) 216 { 217 int rc = 0; 218 struct task_struct *walker = child; 219 220 if (!parent || !child) 221 return 0; 222 223 rcu_read_lock(); 224 if (!thread_group_leader(parent)) 225 parent = rcu_dereference(parent->group_leader); 226 while (walker->pid > 0) { 227 if (!thread_group_leader(walker)) 228 walker = rcu_dereference(walker->group_leader); 229 if (walker == parent) { 230 rc = 1; 231 break; 232 } 233 walker = rcu_dereference(walker->real_parent); 234 } 235 rcu_read_unlock(); 236 237 return rc; 238 } 239 240 /** 241 * ptracer_exception_found - tracer registered as exception for this tracee 242 * @tracer: the task_struct of the process attempting ptrace 243 * @tracee: the task_struct of the process to be ptraced 244 * 245 * Returns 1 if tracer has is ptracer exception ancestor for tracee. 246 */ 247 static int ptracer_exception_found(struct task_struct *tracer, 248 struct task_struct *tracee) 249 { 250 int rc = 0; 251 struct ptrace_relation *relation; 252 struct task_struct *parent = NULL; 253 bool found = false; 254 255 rcu_read_lock(); 256 if (!thread_group_leader(tracee)) 257 tracee = rcu_dereference(tracee->group_leader); 258 list_for_each_entry_rcu(relation, &ptracer_relations, node) { 259 if (relation->invalid) 260 continue; 261 if (relation->tracee == tracee) { 262 parent = relation->tracer; 263 found = true; 264 break; 265 } 266 } 267 268 if (found && (parent == NULL || task_is_descendant(parent, tracer))) 269 rc = 1; 270 rcu_read_unlock(); 271 272 return rc; 273 } 274 275 /** 276 * yama_ptrace_access_check - validate PTRACE_ATTACH calls 277 * @child: task that current task is attempting to ptrace 278 * @mode: ptrace attach mode 279 * 280 * Returns 0 if following the ptrace is allowed, -ve on error. 281 */ 282 int yama_ptrace_access_check(struct task_struct *child, 283 unsigned int mode) 284 { 285 int rc; 286 287 /* If standard caps disallows it, so does Yama. We should 288 * only tighten restrictions further. 289 */ 290 rc = cap_ptrace_access_check(child, mode); 291 if (rc) 292 return rc; 293 294 /* require ptrace target be a child of ptracer on attach */ 295 if (mode == PTRACE_MODE_ATTACH) { 296 switch (ptrace_scope) { 297 case YAMA_SCOPE_DISABLED: 298 /* No additional restrictions. */ 299 break; 300 case YAMA_SCOPE_RELATIONAL: 301 rcu_read_lock(); 302 if (!task_is_descendant(current, child) && 303 !ptracer_exception_found(current, child) && 304 !ns_capable(__task_cred(child)->user_ns, CAP_SYS_PTRACE)) 305 rc = -EPERM; 306 rcu_read_unlock(); 307 break; 308 case YAMA_SCOPE_CAPABILITY: 309 rcu_read_lock(); 310 if (!ns_capable(__task_cred(child)->user_ns, CAP_SYS_PTRACE)) 311 rc = -EPERM; 312 rcu_read_unlock(); 313 break; 314 case YAMA_SCOPE_NO_ATTACH: 315 default: 316 rc = -EPERM; 317 break; 318 } 319 } 320 321 if (rc) { 322 printk_ratelimited(KERN_NOTICE 323 "ptrace of pid %d was attempted by: %s (pid %d)\n", 324 child->pid, current->comm, current->pid); 325 } 326 327 return rc; 328 } 329 330 /** 331 * yama_ptrace_traceme - validate PTRACE_TRACEME calls 332 * @parent: task that will become the ptracer of the current task 333 * 334 * Returns 0 if following the ptrace is allowed, -ve on error. 335 */ 336 int yama_ptrace_traceme(struct task_struct *parent) 337 { 338 int rc; 339 340 /* If standard caps disallows it, so does Yama. We should 341 * only tighten restrictions further. 342 */ 343 rc = cap_ptrace_traceme(parent); 344 if (rc) 345 return rc; 346 347 /* Only disallow PTRACE_TRACEME on more aggressive settings. */ 348 switch (ptrace_scope) { 349 case YAMA_SCOPE_CAPABILITY: 350 if (!has_ns_capability(parent, current_user_ns(), CAP_SYS_PTRACE)) 351 rc = -EPERM; 352 break; 353 case YAMA_SCOPE_NO_ATTACH: 354 rc = -EPERM; 355 break; 356 } 357 358 if (rc) { 359 printk_ratelimited(KERN_NOTICE 360 "ptraceme of pid %d was attempted by: %s (pid %d)\n", 361 current->pid, parent->comm, parent->pid); 362 } 363 364 return rc; 365 } 366 367 #ifndef CONFIG_SECURITY_YAMA_STACKED 368 static struct security_operations yama_ops = { 369 .name = "yama", 370 371 .ptrace_access_check = yama_ptrace_access_check, 372 .ptrace_traceme = yama_ptrace_traceme, 373 .task_prctl = yama_task_prctl, 374 .task_free = yama_task_free, 375 }; 376 #endif 377 378 #ifdef CONFIG_SYSCTL 379 static int yama_dointvec_minmax(struct ctl_table *table, int write, 380 void __user *buffer, size_t *lenp, loff_t *ppos) 381 { 382 int rc; 383 384 if (write && !capable(CAP_SYS_PTRACE)) 385 return -EPERM; 386 387 rc = proc_dointvec_minmax(table, write, buffer, lenp, ppos); 388 if (rc) 389 return rc; 390 391 /* Lock the max value if it ever gets set. */ 392 if (write && *(int *)table->data == *(int *)table->extra2) 393 table->extra1 = table->extra2; 394 395 return rc; 396 } 397 398 static int zero; 399 static int max_scope = YAMA_SCOPE_NO_ATTACH; 400 401 struct ctl_path yama_sysctl_path[] = { 402 { .procname = "kernel", }, 403 { .procname = "yama", }, 404 { } 405 }; 406 407 static struct ctl_table yama_sysctl_table[] = { 408 { 409 .procname = "ptrace_scope", 410 .data = &ptrace_scope, 411 .maxlen = sizeof(int), 412 .mode = 0644, 413 .proc_handler = yama_dointvec_minmax, 414 .extra1 = &zero, 415 .extra2 = &max_scope, 416 }, 417 { } 418 }; 419 #endif /* CONFIG_SYSCTL */ 420 421 static __init int yama_init(void) 422 { 423 #ifndef CONFIG_SECURITY_YAMA_STACKED 424 if (!security_module_enable(&yama_ops)) 425 return 0; 426 #endif 427 428 printk(KERN_INFO "Yama: becoming mindful.\n"); 429 430 #ifndef CONFIG_SECURITY_YAMA_STACKED 431 if (register_security(&yama_ops)) 432 panic("Yama: kernel registration failed.\n"); 433 #endif 434 435 #ifdef CONFIG_SYSCTL 436 if (!register_sysctl_paths(yama_sysctl_path, yama_sysctl_table)) 437 panic("Yama: sysctl registration failed.\n"); 438 #endif 439 440 return 0; 441 } 442 443 security_initcall(yama_init); 444