9b75a3d coredump: do not allow user to access coredumps with changed uid/gid/capabilities

Authored and Committed by zbyszek a year ago
    coredump: do not allow user to access coredumps with changed uid/gid/capabilities
    
    When the user starts a program which elevates its permissions via setuid,
    setgid, or capabilities set on the file, it may access additional information
    which would then be visible in the coredump. We shouldn't make the coredump
    visible to the user in such cases.
    
    Reported-by: Matthias Gerstner <mgerstner@suse.de>
    
    This reads the /proc/<pid>/auxv file and attaches it to the process metadata as
    PROC_AUXV. Before the coredump is submitted, it is parsed and if either
    at_secure was set (which the kernel will do for processes that are setuid,
    setgid, or setcap), or if the effective uid/gid don't match uid/gid, the file
    is not made accessible to the user. If we can't access this data, we assume the
    file should not be made accessible either. In principle we could also access
    the auxv data from a note in the core file, but that is much more complex and
    it seems better to use the stand-alone file that is provided by the kernel.
    
    Attaching auxv is both convenient for this patch (because this way it's passed
    between the stages along with other fields), but I think it makes sense to save
    it in general.
    
    We use the information early in the core file to figure out if the program was
    32-bit or 64-bit and its endianness. This way we don't need heuristics to guess
    the format of the auxv structure. This test might reject some cases on
    fringe architectures. But the impact would be limited: we just won't grant the
    user permissions to view the coredump file. If people report that we're missing
    some cases, we can always enhance this to support more architectures.
    
    I tested auxv parsing on amd64, 32-bit program on amd64, arm64, arm32, and
    ppc64el, but not the whole coredump handling.
    
    (cherry picked from commit 3e4d0f6cf99f8677edd6a237382a65bfe758de03)
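The policy the commit message describes (read the ELF header to learn word size and endianness, parse `/proc/<pid>/auxv` with that layout, and deny user access when `AT_SECURE` is set, when the effective ids differ from the real ids, or when the data is unavailable) can be sketched as a stand-alone check. The code below is an added illustration, not systemd's own coredump code; the auxv key numbers are the Linux ABI constants from `<elf.h>`, and the ELF headers and auxv blobs it tests are constructed inline rather than read from a live process.

```python
import struct

# auxv keys from <elf.h>; the numeric values are the same on every Linux architecture
AT_NULL = 0
AT_UID = 11
AT_EUID = 12
AT_GID = 13
AT_EGID = 14
AT_SECURE = 23


def elf_layout(header):
    """Derive (word_size_bytes, struct byte-order prefix) from e_ident, the first 16
    bytes of the core file. Raises ValueError for anything that is not a plain
    32/64-bit little/big-endian ELF image."""
    if len(header) < 16 or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF header")
    word = {1: 4, 2: 8}.get(header[4])       # EI_CLASS: ELFCLASS32 / ELFCLASS64
    order = {1: "<", 2: ">"}.get(header[5])  # EI_DATA: ELFDATA2LSB / ELFDATA2MSB
    if word is None or order is None:
        raise ValueError("unsupported ELF class or data encoding")
    return word, order


def parse_auxv(blob, word, order):
    """Parse an auxv blob (array of {key, value} machine words, AT_NULL-terminated)
    into a dict. Stops at AT_NULL; a truncated trailing entry is ignored."""
    fmt = order + ("II" if word == 4 else "QQ")
    entry = struct.calcsize(fmt)
    out = {}
    for off in range(0, len(blob) - entry + 1, entry):
        key, val = struct.unpack_from(fmt, blob, off)
        if key == AT_NULL:
            break
        out[key] = val
    return out


def coredump_accessible_to_user(auxv):
    """The access rule: deny if AT_SECURE is set (kernel sets it for setuid, setgid
    and file-capability executables), if euid != uid or egid != gid, or if any of
    the needed entries is missing (fail closed)."""
    required = (AT_SECURE, AT_UID, AT_EUID, AT_GID, AT_EGID)
    if any(k not in auxv for k in required):
        return False
    if auxv[AT_SECURE] != 0:
        return False
    return auxv[AT_UID] == auxv[AT_EUID] and auxv[AT_GID] == auxv[AT_EGID]


def decide(elf_header, auxv_blob):
    """End-to-end decision: any parse failure is treated as 'not accessible',
    matching the commit's rule that unreadable data denies access."""
    try:
        word, order = elf_layout(elf_header)
        return coredump_accessible_to_user(parse_auxv(auxv_blob, word, order))
    except (ValueError, struct.error):
        return False


# --- constructed sample data for demonstration -------------------------------

def build_auxv(entries, word, order):
    """Serialise (key, value) pairs in the given layout, AT_NULL-terminated."""
    fmt = order + ("II" if word == 4 else "QQ")
    return b"".join(struct.pack(fmt, k, v) for k, v in entries) + struct.pack(fmt, AT_NULL, 0)


ELF64_LE = b"\x7fELF\x02\x01\x01" + b"\x00" * 9   # x86-64 style e_ident
ELF32_BE = b"\x7fELF\x01\x02\x01" + b"\x00" * 9   # 32-bit big-endian e_ident

# an ordinary unprivileged process: ids match, AT_SECURE clear
PLAIN = [(AT_UID, 1000), (AT_EUID, 1000), (AT_GID, 1000), (AT_EGID, 1000), (AT_SECURE, 0)]
# a setuid-root program run by uid 1000: euid 0 and AT_SECURE set
SETUID = [(AT_UID, 1000), (AT_EUID, 0), (AT_GID, 1000), (AT_EGID, 1000), (AT_SECURE, 1)]
# file capabilities only: ids unchanged but the kernel still sets AT_SECURE
SETCAP = [(AT_UID, 1000), (AT_EUID, 1000), (AT_GID, 1000), (AT_EGID, 1000), (AT_SECURE, 1)]

if __name__ == "__main__":
    for name, entries in (("plain", PLAIN), ("setuid", SETUID), ("setcap", SETCAP)):
        blob = build_auxv(entries, 8, "<")
        print(f"{name:7s} accessible={decide(ELF64_LE, blob)}")
```

`decide()` deliberately returns `False` on any exception so that a core file with an unrecognised ELF class, or an auxv the collector could not read, is kept root-only, the same fail-closed default the commit message chooses for fringe architectures.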
    
        
file modified
+9 -0
file modified
+183 -13