/*
 * NOTE(review): six system #include directives precede the local header in the
 * original but their file names were lost in extraction; restore them from
 * upstream before building.
 */
#include "lve_global_params.h"

/* Defined elsewhere in the module; the "proc super group" whose members may
 * inspect other users' tasks when LVE_PROC_SUPER_GID is set. */
extern kgid_t proc_super_kgid;

/*
 * Decide whether the current task may access @child through procfs.
 *
 * Access is granted, in this order, when the caller:
 *   - holds CAP_SYS_ADMIN or CAP_SYS_RESOURCE,
 *   - runs with the LVE_PROC_CAN_SEE_OTHER_UID parameter enabled,
 *   - is a member of proc_super_kgid while LVE_PROC_SUPER_GID is non-zero
 *     (a failed lve_get_param() read simply skips this rule),
 *   - or has the same effective uid as @child.
 *
 * Return: 0 when access is allowed, -EPERM otherwise.
 */
static int sandbox_proc_task_access(struct task_struct *child)
{
	uint64_t super_gid_enabled = 0;	/* presumably filled in by lve_get_param() */

	/* Privileged callers bypass every sandbox rule below. */
	if (capable(CAP_SYS_ADMIN) || capable(CAP_SYS_RESOURCE))
		return 0;

	/* Global opt-out: everyone may see every uid. */
	if (param_is_enabled(LVE_PROC_CAN_SEE_OTHER_UID))
		return 0;

	/*
	 * Membership in the super group only counts when the parameter could be
	 * read and is non-zero; otherwise fall through to the euid comparison.
	 */
	if (lve_get_param(LVE_PROC_SUPER_GID, &super_gid_enabled) >= 0 &&
	    super_gid_enabled && in_group_p(proc_super_kgid))
		return 0;

	/* Last resort: a task may always look at tasks of its own euid. */
	return uid_eq(current_euid(), task_euid(child)) ? 0 : -EPERM;
}

/*
 * CLKRN-250: fix user_ptace behavior with the procfs hidepid option
 *
 * CL6 commit ee53ee0712ba672c15ae0250a780e35cd1f894d8
 * Author: Andrew Perepechko
 *   disable ptrace for user by default
 * Reviewed-on: http://gerrit.cloudlinux.com:8080/203
 */

/*
 * Sandbox hook for ptrace access checks (attach-style requests).
 *
 * @child: task being inspected or attached to.
 * @mode:  ptrace access mode flags.
 *
 * When the kernel defines PTRACE_MODE_FSCREDS and the request carries it
 * (procfs-style inspection), the decision is delegated to
 * sandbox_proc_task_access(). Otherwise tracing is allowed only for holders
 * of CAP_SYS_PTRACE or when the LVE_PTRACE_ENABLED parameter is on.
 *
 * Return: 0 when allowed, -EPERM otherwise.
 */
int sandbox_ptrace_access(struct task_struct *child, unsigned int mode)
{
#ifdef PTRACE_MODE_FSCREDS
	if (mode & PTRACE_MODE_FSCREDS)
		return sandbox_proc_task_access(child);
#endif
	/* capable() is evaluated first so its side effects match the original order. */
	if (capable(CAP_SYS_PTRACE) || param_is_enabled(LVE_PTRACE_ENABLED))
		return 0;

	return -EPERM;
}

/*
 * CKSIX-87: user_ptrace sysctl is not working
 *
 * We've been reported that "strace date" works just fine from under uid>0
 * with kernel.user_ptrace=0. Unlike the attach request, which was tested
 * with the original user_ptrace patch, ptraceme is not subject to the
 * ptrace_attach security checks.
 *
 * This patch adds a new sysctl, kernel.user_ptrace_self. The sysctl provides
 * the same functionality as kernel.user_ptrace, just for the ptraceme request.
 *
 * This patch is a port of https://gerrit.cloudlinux.com/#/c/11299/
 */

/*
 * Sandbox hook for PTRACE_TRACEME requests.
 *
 * @parent: prospective tracer (currently unused by the decision).
 *
 * The tracee-initiated path is gated separately from attach: it is allowed
 * for CAP_SYS_PTRACE holders or when LVE_PTRACE_SELF_ENABLED is on.
 *
 * Return: 0 when allowed, -EPERM otherwise.
 */
int sandbox_ptrace_traceme(struct task_struct *parent)
{
	if (capable(CAP_SYS_PTRACE))
		return 0;

	if (param_is_enabled(LVE_PTRACE_SELF_ENABLED))
		return 0;

	return -EPERM;
}