Control: tag -1 patch

On Mon, 2018-01-08 at 10:29 +0100, Camilo Echevarne wrote:
[...]
> After updating the linux-image-amd64 system package, when we try to
> mount proc with the hidepid option the server throws a kernel panic.
[...]

This is a warning, not a panic (which would stop the kernel completely). Still, I assume that the permission denial makes it impractical to use the system with hidepid enabled.

This problem was not caused by any of the fixes in the latest update, but by a fix in 3.2.93 that meant I should have updated the backport of the hidepid feature. However, I added a binary compatibility patch to avoid problems like this with any out-of-tree users of the API, and that hid the problem until I bumped the ABI number and removed all the binary compatibility patches.

I'll fix this in the next upload. As a temporary measure, you can rebuild the kernel package with the attached patch, by following the instructions here:
https://kernel-handbook.alioth.debian.org/ch-common-tasks.html#s-common-official

Ben.

-- 
Ben Hutchings
The generation of random numbers is too important to be left to chance.
                                                      - Robert Coveyou
From: Ben Hutchings <b...@decadent.org.uk>
Date: Sun, 14 Jan 2018 21:32:45 +0000
Subject: proc: Fix ptrace mode in has_pid_permissions()
Forwarded: not-needed
Bug-Debian: https://bugs.debian.org/887106

Commit caaee6234d05 "ptrace: use fsuid, fsgid, effective creds for fs access checks" added the requirement that all calls to ptrace_may_access() include one of the PTRACE_MODE_{REAL,FS}CREDS flags in the mode argument, and updated all callers to do this. This was backported in 3.2.93.

For backward binary compatibility, I added a patch to make these flags optional. When I bumped the ABI version recently, I removed that patch, and it turns out that there is one in-tree caller that wasn't updated - has_pid_permissions(). This was part of the backport of the procfs hidepid feature and not included in 3.2-stable. So update it separately here.

--- --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -586,7 +586,7 @@ static bool has_pid_permissions(struct p return true; if (in_group_p(pid->pid_gid)) return true; - return ptrace_may_access(task, PTRACE_MODE_READ); + return ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS); }
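
Review bot: the changed return in has_pid_permissions() picks PTRACE_MODE_READ_FSCREDS, but the commit message never says why the FSCREDS variant rather than a REALCREDS one is right for this caller; a sentence noting that this is a procfs access check, in line with the cited commit's "fs access checks" wording, would make the choice reviewable. The message also says there is "one in-tree caller that wasn't updated" without saying how that was established. Since the binary compatibility patch hid this caller until the ABI bump, it would help to record that the tree was searched for any other ptrace_may_access() call still passing a mode without one of the PTRACE_MODE_{REAL,FS}CREDS flags.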
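
An audit for the kind of caller the commit message describes, a ptrace_may_access() call whose mode carries neither PTRACE_MODE_{REAL,FS}CREDS flag, as an added example that is not part of the original message or of the kernel tree. The `audit` function and the `SAMPLE` source are constructed for illustration; only the two `return` lines from the hunk come from the page.

```python
import re

CALL = re.compile(r"\bptrace_may_access\s*\(")
# Matches PTRACE_MODE_FSCREDS, PTRACE_MODE_REALCREDS and the combined
# PTRACE_MODE_<op>_FSCREDS / PTRACE_MODE_<op>_REALCREDS macros.
CREDS = re.compile(r"\bPTRACE_MODE_\w*(?:FSCREDS|REALCREDS)\b")
COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)

def audit(source):
    """Return (line, mode, verdict) for every ptrace_may_access() call."""
    # Blank out comments but keep newlines so line numbers stay correct.
    src = COMMENT.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), source)
    findings = []
    for m in CALL.finditer(src):
        depth, i, mode_start = 1, m.end(), m.end()
        while i < len(src) and depth:      # walk to the matching ')'
            c = src[i]
            if c == "(":
                depth += 1
            elif c == ")":
                depth -= 1
            elif c == "," and depth == 1:  # mode is the last argument
                mode_start = i + 1
            i += 1
        if depth:                          # unbalanced call, skip it
            continue
        mode = " ".join(src[mode_start:i - 1].split())
        if "PTRACE_MODE_" not in mode:
            verdict = "unresolved"         # variable or prototype: check by hand
        elif CREDS.search(mode):
            verdict = "ok"
        else:
            verdict = "missing-creds"
        findings.append((src.count("\n", 0, m.start()) + 1, mode, verdict))
    return findings

# Constructed sample; lines 3 and 7 are the before/after lines of the hunk.
SAMPLE = """\
static bool before_fix(struct task_struct *task)
{
	return ptrace_may_access(task, PTRACE_MODE_READ);
}
static bool after_fix(struct task_struct *task)
{
	return ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS);
}
/* ptrace_may_access(task, PTRACE_MODE_READ) inside a comment is ignored */
"""

if __name__ == "__main__":
    for line, mode, verdict in audit(SAMPLE):
        print(f"{line}: {verdict}: {mode}")
```

Calls reported as `unresolved` pass the mode through a variable, so the flag has to be checked at the place where that variable is set.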