[CRIU] PR_SET_MM_MAP and capability check
Cyrill Gorcunov
gorcunov at gmail.com
Thu Jun 16 07:18:19 PDT 2016
On Thu, Jun 16, 2016 at 04:08:04PM +0200, Takashi Iwai wrote:
> Hi,
>
> while dealing with a security issue CVE-2016-1583, I noticed that
> PR_SET_MM_MAP is executed before the capability check in
> kernel/sys.c. This is one of the things the crasher code in that bug
> is abusing. Now I wonder whether it's safer to move it after the
> capability check like other PR_SET_MM_* calls.
Other calls as far as I remember operate with individual mm fields,
that's why they are under caps.
>
> My understanding is that it's done for allowing non-root user to C/R.
Exactly.
> But, currently C/R by a non-root user doesn't work properly in anyway
> (most of NS and other tweaks need CAP_SYS_RESOURCES or CAP_SYS_ADMIN),
> and leaving this might be seen as a weak point.
Well, indeed there are places in kernel which we've not yet addressed,
but we are hoping to with time, so I would prefer to not make it back
under caps protection.
Takashi, could you please point/explain how exactly this prctl code
can be abused?
More information about the CRIU
mailing list