** Changed in: linux (Ubuntu Bionic)
       Status: Triaged => Fix Committed

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1890848

Title:
  'ptrace trace' needed to readlink() /proc/*/ns/* files on older
  kernels

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Triaged
Status in linux source package in Bionic:
  Fix Committed

Bug description:
  SRU Justification:

  [Impact]
  Permission 'ptrace trace' is required to readlink() /proc/*/ns/*, when
  only 'ptrace read' should be required according to 'man namespaces':

  "Permission to dereference or read (readlink(2)) these symbolic links
  is governed by a ptrace access mode PTRACE_MODE_READ_FSCREDS check; see
  ptrace(2)."

  [Fix]

  Upstream commit 338d0be437ef10e247a35aed83dbab182cf406a2 fixes the
  ptrace read check.

  [Test Plan]

  BugLink contains the source of a binary that reproduces the issue. In
  summary, it calls readlink() on /proc/*/ns/*. There is also a policy
  that grants only the 'ptrace read' permission. When the bug is fixed,
  the readlink() is allowed.

  [Where problems could occur]

  The regression risk can be considered low, since the fix lowers the
  number of permissions required. Existing policies that already contain
  both 'ptrace trace' and 'ptrace read' will simply be broader than
  required.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1890848/+subscriptions


-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp