linux: 4.4.0-9.X fails yama ptrace restrictions tests

Bug #1551894 reported by Tim Gardner
Affects | Status | Importance | Assigned to | Milestone
linux (Ubuntu) | Fix Released | Undecided | Tim Gardner |
Xenial | Fix Released | Undecided | Tim Gardner |

Bug Description

15:55:46 ERROR| [stderr] FAIL: test_093_ptrace_restriction (__main__.KernelSecurityTest)
15:55:46 ERROR| [stderr] ptrace allowed only on children or declared processes

Tim Gardner (timg-tpi) wrote :
Brad Figg (brad-figg) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1551894

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Steve Beattie (sbeattie) wrote : Re: linux: ADT test failures with 4.4.0-9.X

Hrm, this looks like it might be a legit regression. 4.4.0-8 passes the test, while 4.4.0-9.X is failing. In both instances, /proc/sys/kernel/yama/ptrace_scope is set to 1. It looks like cousin processes are allowed to ptrace each other, which yama's ptrace restrictions should prevent.

Looking at the git commits between tags Ubuntu-4.4.0-8.23 and Ubuntu-4.4.0-9.24, the following commits stand out as being ptrace relevant:

  commit 969624b7c1c8c9784651eb97431e6f2bbb7a024c
  Author: Jann Horn <email address hidden>
  Date: Wed Jan 20 15:00:04 2016 -0800
  ptrace: use fsuid, fsgid, effective creds for fs access checks
  upstream commit caaee6234d05a58c5b4d05e7bf766131b810a657 upstream.

and

  commit a76b8ce7ad1f65a96638f161ff83075de04ec9cc
  Author: Jann Horn <email address hidden>
  Date: Sat Dec 12 21:12:41 2015 +0100
  UBUNTU: SAUCE: (noup) ptrace: being capable wrt a process requires mapped uids/gids
  upstream reference https://lkml.org/lkml/2015/12/12/259

But it's not obvious to me why either commit would break this.

summary: - linux: ADT test failures with 4.4.0-9.X
+ linux: 4.4.0-9.X fails yama ptrace restrictions tests
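
A minimal regression probe for the behaviour discussed in the comment above, added here as an example (it is not the test_093_ptrace_restriction code from the test suite, nor kernel code): two sibling processes are forked and one attempts PTRACE_ATTACH on the other, which ptrace_scope=1 should refuse with EPERM. The function names, the verdict enum and the use of euid 0 as a stand-in for CAP_SYS_PTRACE are assumptions of this example.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

enum verdict { RESTRICTED_OK, NOT_ENFORCED, INCONCLUSIVE };

/* Current Yama mode, or -1 if the sysctl is absent. */
int read_scope(void) {
    int scope = -1;
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    if (f) { if (fscanf(f, "%d", &scope) != 1) scope = -1; fclose(f); }
    return scope;
}

/* Fork two siblings; the second tries PTRACE_ATTACH on the first (no ancestry,
 * no PR_SET_PTRACER). Returns the attach errno (0 = attached), -1 if not run. */
int sibling_attach_errno(void) {
    pid_t target = fork();
    if (target < 0) return -1;
    if (target == 0) { pause(); _exit(0); }
    pid_t tracer = fork();
    if (tracer == 0) {
        long rc = ptrace(PTRACE_ATTACH, target, NULL, NULL);
        _exit(rc == -1 ? (errno & 0xff) : 0);
    }
    int status = 0;
    if (tracer > 0) waitpid(tracer, &status, 0);
    kill(target, SIGKILL);              /* works even if the target was left stopped */
    waitpid(target, NULL, 0);
    return (tracer > 0 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}

/* Pure decision. euid 0 stands in for CAP_SYS_PTRACE (an assumption), which
 * scopes 1 and 2 exempt; scope 0 or a missing Yama permits the attach anyway. */
enum verdict yama_verdict(int scope, int err, int is_root) {
    if (scope < 1 || (is_root && scope < 3)) return INCONCLUSIVE;
    if (err == EPERM) return RESTRICTED_OK;
    return err == 0 ? NOT_ENFORCED : INCONCLUSIVE;
}

int main(void) {
    int scope = read_scope(), err = sibling_attach_errno();
    enum verdict v = yama_verdict(scope, err, geteuid() == 0);
    printf("ptrace_scope=%d attach_errno=%d verdict=%d\n", scope, err, (int)v);
    return v == NOT_ENFORCED;           /* non-zero exit flags the regression */
}
```

Run it as an unprivileged user: exit status 1 means a sibling attach succeeded even though ptrace_scope is 1 or higher, which is the failure reported here for 4.4.0-9.X. An EPERM result can also come from another LSM or a seccomp filter, so check the verdict on a host where Yama is the only ptrace restriction in play.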
Tim Gardner (timg-tpi) wrote :

Actually, commit 969624b7c1c8c9784651eb97431e6f2bbb7a024c is the only patch that touches kernel/ptrace.c since linux 4.4.0-8.23

Steve Beattie (sbeattie) wrote :

Hi Tim,

I've installed your test kernel 4.4.0-10.25-generic that has 969624b7c1c8c9784651eb97431e6f2bbb7a024c removed and can confirm that the yama ptrace restrictions work once again.

Kees Cook (kees) wrote :

Please also backport 3dfb7d8cdbc7ea0c2970450e60818bb3eefbad69 from 4.5-rc1.

Steve Beattie (sbeattie)
Changed in linux (Ubuntu):
status: Incomplete → In Progress
Tim Gardner (timg-tpi)
Changed in linux (Ubuntu Xenial):
assignee: nobody → Tim Gardner (timg-tpi)
Tim Gardner (timg-tpi) wrote :

Steve - new test kernel at http://people.canonical.com/~rtg/4.4.0-10.2/ with only 3dfb7d8cdbc7ea0c2970450e60818bb3eefbad69 applied.

Steve Beattie (sbeattie) wrote :

Tim - I can confirm that the second kernel image with 3dfb7d8cdbc7ea0c2970450e60818bb3eefbad69 also passes the yama ptrace tests. Thanks!

Tim Gardner (timg-tpi) wrote :

Thanks Kees.

Changed in linux (Ubuntu Xenial):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.4.0-10.25

---------------
linux (4.4.0-10.25) xenial; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1552247

  * linux: 4.4.0-9.X fails yama ptrace restrictions tests (LP: #1551894)
    - security: let security modules use PTRACE_MODE_* with bitmasks

  * [wily][regression] systemtap script compilation broken by new kernels (LP: #1545330)
    - SAUCE: (noup) locking/qspinlock: Move __ARCH_SPIN_LOCK_UNLOCKED to qspinlock_types.h

  * [Feature]SD/SDIO/eMMC support for Broxton-P (LP: #1520454)
    - mmc: sdhci: 64-bit DMA actually has 4-byte alignment
    - mmc: sdhci: Fix DMA descriptor with zero data length

  * Miscellaneous Ubuntu changes
    - SAUCE: (noup) cgroup: fix and restructure error handling in copy_cgroup_ns()

 -- Tim Gardner <email address hidden> Mon, 29 Feb 2016 13:04:14 -0700

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released