Blame SOURCES/0095-ccpp-do-not-override-existing-files-by-compat-cores.patch

a60cd7
From af945ff58a698ce00c45059a05994ef53a13e192 Mon Sep 17 00:00:00 2001
a60cd7
From: Jakub Filak <jfilak@redhat.com>
a60cd7
Date: Fri, 17 Apr 2015 14:36:45 +0200
a60cd7
Subject: [ABRT PATCH] ccpp: do not override existing files by compat cores
a60cd7
a60cd7
Implement all checks used in kernel's do_coredump() and require
a60cd7
non-relative path if suid_dumpable is 2.
a60cd7
a60cd7
Related: #1212818
a60cd7
a60cd7
Signed-off-by: Jakub Filak <jfilak@redhat.com>
a60cd7
---
a60cd7
 src/hooks/abrt-hook-ccpp.c | 20 ++++++++++++++++----
a60cd7
 1 file changed, 16 insertions(+), 4 deletions(-)
a60cd7
a60cd7
diff --git a/src/hooks/abrt-hook-ccpp.c b/src/hooks/abrt-hook-ccpp.c
a60cd7
index 85e0d35..82ff555 100644
a60cd7
--- a/src/hooks/abrt-hook-ccpp.c
a60cd7
+++ b/src/hooks/abrt-hook-ccpp.c
a60cd7
@@ -24,6 +24,8 @@
a60cd7
 #define  DUMP_SUID_UNSAFE 1
a60cd7
 #define  DUMP_SUID_SAFE 2
a60cd7
 
a60cd7
+static int g_user_core_flags;
a60cd7
+static int g_need_nonrelative;
a60cd7
 
a60cd7
 /* I want to use -Werror, but gcc-4.4 throws a curveball:
a60cd7
  * "warning: ignoring return value of 'ftruncate', declared with attribute warn_unused_result"
a60cd7
@@ -337,7 +339,14 @@ static int open_user_core(uid_t uid, uid_t fsuid, pid_t pid, char **percent_valu
a60cd7
 
a60cd7
     full_core_basename = core_basename;
a60cd7
     if (core_basename[0] != '/')
a60cd7
+    {
a60cd7
+        if (g_need_nonrelative)
a60cd7
+        {
a60cd7
+            error_msg("Current suid_dumpable policy prevents from saving core dumps according to relative core_pattern");
a60cd7
+            return -1;
a60cd7
+        }
a60cd7
         core_basename = concat_path_file(user_pwd, core_basename);
a60cd7
+    }
a60cd7
 
a60cd7
     /* Open (create) compat core file.
a60cd7
      * man core:
a60cd7
@@ -372,19 +381,19 @@ static int open_user_core(uid_t uid, uid_t fsuid, pid_t pid, char **percent_valu
a60cd7
     struct stat sb;
a60cd7
     errno = 0;
a60cd7
     /* Do not O_TRUNC: if later checks fail, we do not want to have file already modified here */
a60cd7
-    int user_core_fd = open(core_basename, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600); /* kernel makes 0600 too */
a60cd7
+    int user_core_fd = open(core_basename, O_WRONLY | O_CREAT | O_NOFOLLOW | g_user_core_flags, 0600); /* kernel makes 0600 too */
a60cd7
     xsetegid(0);
a60cd7
     xseteuid(0);
a60cd7
     if (user_core_fd < 0
a60cd7
      || fstat(user_core_fd, &sb) != 0
a60cd7
      || !S_ISREG(sb.st_mode)
a60cd7
      || sb.st_nlink != 1
a60cd7
-    /* kernel internal dumper checks this too: if (inode->i_uid != current->fsuid) <fail>, need to mimic? */
a60cd7
+     || sb.st_uid != fsuid
a60cd7
     ) {
a60cd7
         if (user_core_fd < 0)
a60cd7
             perror_msg("Can't open '%s'", full_core_basename);
a60cd7
         else
a60cd7
-            perror_msg("'%s' is not a regular file with link count 1", full_core_basename);
a60cd7
+            perror_msg("'%s' is not a regular file with link count 1 owned by UID(%d)", full_core_basename, fsuid);
a60cd7
         return -1;
a60cd7
     }
a60cd7
     if (ftruncate(user_core_fd, 0) != 0) {
a60cd7
@@ -578,8 +587,11 @@ int main(int argc, char** argv)
a60cd7
         /* use root for suided apps unless it's explicitly set to UNSAFE */
a60cd7
         fsuid = 0;
a60cd7
         if (suid_policy == DUMP_SUID_UNSAFE)
a60cd7
-        {
a60cd7
             fsuid = tmp_fsuid;
a60cd7
+        else
a60cd7
+        {
a60cd7
+            g_user_core_flags = O_EXCL;
a60cd7
+            g_need_nonrelative = 1;
a60cd7
         }
a60cd7
     }
a60cd7
 
a60cd7
-- 
a60cd7
1.8.3.1
a60cd7