Public bug reported: [Impact] PTRACE_O_SUSPEND_SECCOMP allows CRIU to disable seccomp on a process. However, setting this option requires privilege when used with PTRACE_SETOPTIONS. However, when used with PTRACE_SEIZE, no privilege is required. This allows sandboxed processes to exit the sandbox if they are allowed to use ptrace.
[Test case] Run the reproducer from https://bugs.chromium.org/p/project-zero/issues/detail?id=2276. [Potential regression] This may break ptrace users, specially ones using PTRACE_SEIZE or PTRACE_SETOPTIONS. Special attention to processes being sandboxed with seccomp. ** Affects: linux (Ubuntu) Importance: High Status: Fix Committed ** Affects: linux (Ubuntu Xenial) Importance: High Assignee: Thadeu Lima de Souza Cascardo (cascardo) Status: Triaged ** Affects: linux (Ubuntu Bionic) Importance: High Assignee: Thadeu Lima de Souza Cascardo (cascardo) Status: In Progress ** Affects: linux (Ubuntu Focal) Importance: High Status: Fix Committed ** Affects: linux (Ubuntu Impish) Importance: High Assignee: Thadeu Lima de Souza Cascardo (cascardo) Status: In Progress ** Affects: linux (Ubuntu Jammy) Importance: High Status: Fix Committed -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1972740 Title: Unprivileged users may use PTRACE_SEIZE to set PTRACE_O_SUSPEND_SECCOMP option Status in linux package in Ubuntu: Fix Committed Status in linux source package in Xenial: Triaged Status in linux source package in Bionic: In Progress Status in linux source package in Focal: Fix Committed Status in linux source package in Impish: In Progress Status in linux source package in Jammy: Fix Committed Bug description: [Impact] PTRACE_O_SUSPEND_SECCOMP allows CRIU to disable seccomp on a process. However, setting this option requires privilege when used with PTRACE_SETOPTIONS. However, when used with PTRACE_SEIZE, no privilege is required. This allows sandboxed processes to exit the sandbox if they are allowed to use ptrace. [Test case] Run the reproducer from https://bugs.chromium.org/p/project-zero/issues/detail?id=2276. [Potential regression] This may break ptrace users, specially ones using PTRACE_SEIZE or PTRACE_SETOPTIONS. Special attention to processes being sandboxed with seccomp. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1972740/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp