I am really happy to announce a new kernel release that thoroughly addresses the issues associated with the ptrace_may_access function. As you may know, this function is used to verify permissions throughout the kernel code (for example, in procfs).
With the release of this new patch, the CloudLinux Team was able to decouple the ptrace-related verifications from the other verifications. Now, ptrace does not depend on hidepid or any other verifications, as the new CloudLinux kernel patch provides additional verifications for procfs.
This new patch also resolves the conflict between switching ptrace on or off for users and accessing user processes by means of procfs (provided that the hidepid=1 or hidepid=2 option is set). Another important thing about CLKRN-250 is that it uses fsuid when accessing any file system objects (including /proc), which eliminates the opportunity for unauthorized access owing to ptrace verifications.
- CLKRN-250: solved the conflict between the user ptrace switch and process visibility controlled by the hidepid option. The patch also uses fsuid when accessing files in procfs, which prevents illegal access to processes of another user;
- CLKRN-247: investigated and fixed high SLAB usage.
To install the new kernel, please use the following command:
yum clean all --enablerepo=cloudlinux-updates-testing && yum install kernel-3.10.0-714.10.2.lve1.5.16.el7 --enablerepo=cloudlinux-updates-testing
CloudLinux 6 Hybrid:
yum clean all --enablerepo=cloudlinux-updates-testing,cloudlinux-hybrid-testing && yum install kernel-3.10.0-714.10.2.lve1.5.16.el6h --enablerepo=cloudlinux-updates-testing,cloudlinux-hybrid-testing
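A post-reboot check for the setup this announcement describes, as an added example that is not part of the original post or CloudLinux's own tooling: it confirms that the running kernel is the build installed above, reads the hidepid option of /proc, and counts the processes of other users that the current user can see. The function names and the --report argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not CloudLinux tooling. Version string taken from the install commands.
FIXED_KERNEL="3.10.0-714.10.2.lve1.5.16"

# Succeeds when a `uname -r` string belongs to exactly this build
# (el7 or el6h); later kernel releases are not recognized.
is_fixed_kernel() {
    case "$1" in
        "$FIXED_KERNEL".*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads mounts-format text (layout of /proc/mounts) on stdin and prints the
# hidepid value of the procfs mount at /proc. Prints 0 when the option is
# absent (the kernel default) and nothing when /proc is not listed.
hidepid_from_mounts() {
    awk '$2 == "/proc" && $3 == "proc" {
        val = 0
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++)
            if (opts[i] ~ /^hidepid=/) { sub(/^hidepid=/, "", opts[i]); val = opts[i] }
        print val
        exit
    }'
}

# Counts /proc/<pid> entries owned by a uid other than "$1". Run it as an
# unprivileged user: with hidepid=2 the expected count is 0.
foreign_pids_visible() {
    count=0
    for d in /proc/[0-9]*; do
        [ -d "$d" ] || continue
        owner=$(stat -c %u "$d" 2>/dev/null) || continue
        [ "$owner" = "$1" ] || count=$((count + 1))
    done
    echo "$count"
}

report() {
    running=$(uname -r)
    if is_fixed_kernel "$running"; then
        echo "kernel: $running (build from the announcement)"
    else
        echo "kernel: $running (not $FIXED_KERNEL; reboot pending or another build)"
    fi
    echo "hidepid on /proc: $(hidepid_from_mounts < /proc/mounts)"
    echo "processes of other users visible: $(foreign_pids_visible "$(id -u)")"
}

if [ "${1:-}" = "--report" ]; then report; fi
```

Run it with --report as an ordinary user after rebooting into the new kernel.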