Przeglądaj źródła

Attempt to use PR_SET_PTRACER even if not defined at build-time to fix foward-compat.

A binary built on Linux 2.6 will not have PR_SET_PTRACER defined, but
when ran on Linux 3.4+ will still hit the ptrace limitations if
/proc/sys/kernel/yama/ptrace_scope is set to 1.  Work around this by
hardcoding the PR_SET_PTRACER define and trying it anyway.  The result
on older kernel is just an [EINVAL].  This is largely redundant with the
PR_SET_DUMPABLE change but is still worth keeping.
Bryan Drewery 10 lat temu
rodzic
commit
a8dbe5d5e6
2 zmienionych plików z 9 dodań i 5 usunięć
  1. 1 0
      doc/UPDATES.md
  2. 8 5
      src/shell.cc

+ 1 - 0
doc/UPDATES.md

@@ -4,6 +4,7 @@
   * Avoid warnings from Debian's FORTIFY_SOURCE
   * Remove an old +take limiter that was forgotten.
   * Use Linux's prctl(PR_SET_DUMPABLE) to disable core dumps and ptrace(2).
+  * Fix binary compat issue causing ptrace permission errors on Linux 3.4+
 
 # 1.4.6
   * Disable demo TCL support by default to prevent confusion during build.

+ 8 - 5
src/shell.cc

@@ -56,6 +56,9 @@
 #include <signal.h>
 #ifdef HAVE_SYS_PRCTL_H
 #include <sys/prctl.h>
+#ifndef PR_SET_PTRACER
+#define PR_SET_PTRACER 0x59616d61
+#endif
 #endif
 #ifdef HAVE_SYS_PTRACE_H
 # include <sys/ptrace.h>
@@ -269,7 +272,7 @@ static void got_sigtrap(int z)
 void check_trace(int start)
 {
 #ifdef DEBUG
-#ifdef PR_SET_PTRACER
+#ifdef PR_SET_PTRACER_ANY
   if (start == 1)
     prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY, 0, 0, 0);
 #endif
@@ -355,8 +358,8 @@ void check_trace(int start)
         exit(0);
       default:		//parent
 #ifdef PR_SET_PTRACER
-        // Allow the child to debug the parent on Ubuntu
-        // https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening#ptrace
+        // Allow the child to debug the parent on Linux 3.4+
+        // https://github.com/torvalds/linux/commit/2d514487faf188938a4ee4fb3464eeecfbdcf8eb
         prctl(PR_SET_PTRACER, x, 0, 0, 0);
 #endif
         /* Not likely to happen, but make debian FORTIFY_SOURCE happy. */
@@ -427,8 +430,8 @@ int shell_exec(char *cmdline, char *input, char **output, char **erroutput, bool
     size_t fs = 0;
 
 #ifdef PR_SET_PTRACER
-    // Allow the child to debug the parent on Ubuntu
-    // https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening#ptrace
+    // Allow the child to debug the parent on Linux 3.4+
+    // https://github.com/torvalds/linux/commit/2d514487faf188938a4ee4fb3464eeecfbdcf8eb
     prctl(PR_SET_PTRACER, x, 0, 0, 0);
 #endif