From: Kees Cook <keescook@chromium.org> To: Andrew Morton <akpm@linux-foundation.org> Cc: Kees Cook <keescook@chromium.org>, David Howells <dhowells@redhat.com>, "Eric W. Biederman" <ebiederm@xmission.com>, John Johansen <john.johansen@canonical.com>, "Serge E. Hallyn" <serge@hallyn.com>, Paul Moore <paul@paul-moore.com>, Stephen Smalley <sds@tycho.nsa.gov>, Casey Schaufler <casey@schaufler-ca.com>, Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>, James Morris <james.l.morris@oracle.com>, Andy Lutomirski <luto@kernel.org>, Linus Torvalds <torvalds@linux-foundation.org>, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v3 00/15] exec: Use sane stack rlimit under secureexec Date: Tue, 18 Jul 2017 15:25:21 -0700 [thread overview] Message-ID: <1500416736-49829-1-git-send-email-keescook@chromium.org> (raw) This series has grown... :P As discussed with Linus and Andy, we need to reset the stack rlimit before we do memory layouts when execing a privilege-gaining (e.g. setuid) program. To do this, we need to know the results of the bprm_secureexec hook before memory layouts. As it turns out, this can be made _mostly_ trivial by collapsing bprm_secureexec into bprm_set_creds. The LSMs using bprm_secureexec nearly always save state between bprm_set_creds and bprm_secureexec. In the face of multiple calls to bprm_set_creds (via prepare_binprm() calls from binfmt_script, etc), all LSMs except commoncap only pay attention to the first call, so that aligns well with collapsing bprm_secureexec into bprm_set_creds. The commoncaps, though, needs to check the _last_ bprm_set_creds, so this series just swaps one bprm flag for another (cap_effective is no longer needed to save state between bprm_set_creds and bprm_secureexec, but we do need to keep a separate state, so we add the cap_elevated flag). Once secureexec is available to setup_new_exec() before the memory layout, we can add an rlimit sanity-check for setuid execs. (With no need to clean up since we're past the point of no return.) Along the way, this fixes comments, renames a variable, and consolidates dumpability and pdeath_signal clearing, which includes some commit log archeology to examine the subtle differences between what we had and what we need. I'd appreciate some extra eyes on this to make sure this isn't broken in some special way. Looking at the diffstat, even after all my long comments, this is a net reduction in lines. :) Given this crosses a bunch of areas, I think this is likely best to go via the -mm tree, which is where nearly all of my prior exec work has lived too. Thanks! -Kees ---------------------------------------------------------------- Kees Cook (15): binfmt: Introduce secureexec flag exec: Rename bprm->cred_prepared to called_set_creds apparmor: Refactor to remove bprm_secureexec hook selinux: Refactor to remove bprm_secureexec hook smack: Refactor to remove bprm_secureexec hook commoncap: Refactor to remove bprm_secureexec hook commoncap: Move cap_elevated calculation into bprm_set_creds LSM: drop bprm_secureexec hook exec: Correct comments about "point of no return" exec: Use secureexec for setting dumpability exec: Use secureexec for clearing pdeath_signal smack: Remove redundant pdeath_signal clearing exec: Consolidate dumpability logic exec: Use sane stack rlimit under secureexec exec: Consolidate pdeath_signal clearing fs/binfmt_elf.c | 2 +- fs/binfmt_elf_fdpic.c | 2 +- fs/binfmt_flat.c | 2 +- fs/exec.c | 56 ++++++++++++++++++++++++++++---------- include/linux/binfmts.h | 24 ++++++++++++---- include/linux/lsm_hooks.h | 14 ++++------ include/linux/security.h | 7 ----- security/apparmor/domain.c | 24 ++-------------- security/apparmor/include/domain.h | 1 - security/apparmor/include/file.h | 3 -- security/apparmor/lsm.c | 1 - security/commoncap.c | 50 ++++++++-------------------------- security/security.c | 5 ---- security/selinux/hooks.c | 26 ++++-------------- security/smack/smack_lsm.c | 34 ++--------------------- security/tomoyo/tomoyo.c | 2 +- 16 files changed, 91 insertions(+), 162 deletions(-) v3: - collapse brpm_secureexec into bprm_set_creds; ebiederm. - continue to improve various comments v2: - fix missed current_security() uses in LSMs. - research/consolidate dumpability setting logic - research/consolidate pdeath_signal clearing logic - split up logical steps a little more for easier review (and bisection) - fix some old broken comments
WARNING: multiple messages have this Message-ID (diff)
From: keescook@chromium.org (Kees Cook) To: linux-security-module@vger.kernel.org Subject: [PATCH v3 00/15] exec: Use sane stack rlimit under secureexec Date: Tue, 18 Jul 2017 15:25:21 -0700 [thread overview] Message-ID: <1500416736-49829-1-git-send-email-keescook@chromium.org> (raw) This series has grown... :P As discussed with Linus and Andy, we need to reset the stack rlimit before we do memory layouts when execing a privilege-gaining (e.g. setuid) program. To do this, we need to know the results of the bprm_secureexec hook before memory layouts. As it turns out, this can be made _mostly_ trivial by collapsing bprm_secureexec into bprm_set_creds. The LSMs using bprm_secureexec nearly always save state between bprm_set_creds and bprm_secureexec. In the face of multiple calls to bprm_set_creds (via prepare_binprm() calls from binfmt_script, etc), all LSMs except commoncap only pay attention to the first call, so that aligns well with collapsing bprm_secureexec into bprm_set_creds. The commoncaps, though, needs to check the _last_ bprm_set_creds, so this series just swaps one bprm flag for another (cap_effective is no longer needed to save state between bprm_set_creds and bprm_secureexec, but we do need to keep a separate state, so we add the cap_elevated flag). Once secureexec is available to setup_new_exec() before the memory layout, we can add an rlimit sanity-check for setuid execs. (With no need to clean up since we're past the point of no return.) Along the way, this fixes comments, renames a variable, and consolidates dumpability and pdeath_signal clearing, which includes some commit log archeology to examine the subtle differences between what we had and what we need. I'd appreciate some extra eyes on this to make sure this isn't broken in some special way. Looking at the diffstat, even after all my long comments, this is a net reduction in lines. :) Given this crosses a bunch of areas, I think this is likely best to go via the -mm tree, which is where nearly all of my prior exec work has lived too. Thanks! -Kees ---------------------------------------------------------------- Kees Cook (15): binfmt: Introduce secureexec flag exec: Rename bprm->cred_prepared to called_set_creds apparmor: Refactor to remove bprm_secureexec hook selinux: Refactor to remove bprm_secureexec hook smack: Refactor to remove bprm_secureexec hook commoncap: Refactor to remove bprm_secureexec hook commoncap: Move cap_elevated calculation into bprm_set_creds LSM: drop bprm_secureexec hook exec: Correct comments about "point of no return" exec: Use secureexec for setting dumpability exec: Use secureexec for clearing pdeath_signal smack: Remove redundant pdeath_signal clearing exec: Consolidate dumpability logic exec: Use sane stack rlimit under secureexec exec: Consolidate pdeath_signal clearing fs/binfmt_elf.c | 2 +- fs/binfmt_elf_fdpic.c | 2 +- fs/binfmt_flat.c | 2 +- fs/exec.c | 56 ++++++++++++++++++++++++++++---------- include/linux/binfmts.h | 24 ++++++++++++---- include/linux/lsm_hooks.h | 14 ++++------ include/linux/security.h | 7 ----- security/apparmor/domain.c | 24 ++-------------- security/apparmor/include/domain.h | 1 - security/apparmor/include/file.h | 3 -- security/apparmor/lsm.c | 1 - security/commoncap.c | 50 ++++++++-------------------------- security/security.c | 5 ---- security/selinux/hooks.c | 26 ++++-------------- security/smack/smack_lsm.c | 34 ++--------------------- security/tomoyo/tomoyo.c | 2 +- 16 files changed, 91 insertions(+), 162 deletions(-) v3: - collapse brpm_secureexec into bprm_set_creds; ebiederm. - continue to improve various comments v2: - fix missed current_security() uses in LSMs. - research/consolidate dumpability setting logic - research/consolidate pdeath_signal clearing logic - split up logical steps a little more for easier review (and bisection) - fix some old broken comments -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
next reply other threads:[~2017-07-18 22:25 UTC|newest] Thread overview: 104+ messages / expand[flat|nested] mbox.gz Atom feed top 2017-07-18 22:25 Kees Cook [this message] 2017-07-18 22:25 ` [PATCH v3 00/15] exec: Use sane stack rlimit under secureexec Kees Cook 2017-07-18 22:25 ` [PATCH v3 01/15] binfmt: Introduce secureexec flag Kees Cook 2017-07-18 22:25 ` Kees Cook 2017-07-19 0:05 ` John Johansen 2017-07-19 0:05 ` John Johansen 2017-07-19 1:01 ` Andy Lutomirski 2017-07-19 1:01 ` Andy Lutomirski 2017-07-18 22:25 ` [PATCH v3 02/15] exec: Rename bprm->cred_prepared to called_set_creds Kees Cook 2017-07-18 22:25 ` Kees Cook 2017-07-19 0:08 ` John Johansen 2017-07-19 0:08 ` John Johansen 2017-07-19 1:06 ` Andy Lutomirski 2017-07-19 1:06 ` Andy Lutomirski 2017-07-19 4:40 ` Kees Cook 2017-07-19 4:40 ` Kees Cook 2017-07-19 9:19 ` James Morris 2017-07-19 9:19 ` James Morris 2017-07-19 23:56 ` Paul Moore 2017-07-19 23:56 ` Paul Moore 2017-07-18 22:25 ` [PATCH v3 03/15] apparmor: Refactor to remove bprm_secureexec hook Kees Cook 2017-07-18 22:25 ` Kees Cook 2017-07-19 0:00 ` John Johansen 2017-07-19 0:00 ` John Johansen 2017-07-19 9:21 ` James Morris 2017-07-19 9:21 ` James Morris 2017-07-18 22:25 ` [PATCH v3 04/15] selinux: " Kees Cook 2017-07-18 22:25 ` Kees Cook 2017-07-20 0:03 ` Paul Moore 2017-07-20 0:03 ` Paul Moore 2017-07-20 0:19 ` Paul Moore 2017-07-20 0:19 ` Paul Moore 2017-07-20 1:37 ` Kees Cook 2017-07-20 1:37 ` Kees Cook 2017-07-20 13:42 ` Paul Moore 2017-07-20 13:42 ` Paul Moore 2017-07-20 17:06 ` Kees Cook 2017-07-20 17:06 ` Kees Cook 2017-07-20 20:42 ` Paul Moore 2017-07-20 20:42 ` Paul Moore 2017-07-21 15:40 ` Paul Moore 2017-07-21 15:40 ` Paul Moore 2017-07-21 17:37 ` Kees Cook 2017-07-21 17:37 ` Kees Cook 2017-07-21 19:16 ` Paul Moore 2017-07-21 19:16 ` Paul Moore 2017-07-18 22:25 ` [PATCH v3 05/15] smack: " Kees Cook 2017-07-18 22:25 ` Kees Cook 2017-07-26 3:58 ` Kees Cook 2017-07-26 3:58 ` Kees Cook 2017-07-26 15:24 ` Casey Schaufler 2017-07-26 15:24 ` Casey Schaufler 2017-07-18 22:25 ` [PATCH v3 06/15] commoncap: " Kees Cook 2017-07-18 22:25 ` Kees Cook 2017-07-19 1:10 ` Andy Lutomirski 2017-07-19 1:10 ` Andy Lutomirski 2017-07-19 4:41 ` Kees Cook 2017-07-19 4:41 ` Kees Cook 2017-07-20 4:53 ` Andy Lutomirski 2017-07-20 4:53 ` Andy Lutomirski 2017-07-31 22:43 ` Kees Cook 2017-07-31 22:43 ` Kees Cook 2017-08-01 13:12 ` Andy Lutomirski 2017-08-01 13:12 ` Andy Lutomirski 2017-07-19 9:26 ` James Morris 2017-07-19 9:26 ` James Morris 2017-07-18 22:25 ` [PATCH v3 07/15] commoncap: Move cap_elevated calculation into bprm_set_creds Kees Cook 2017-07-18 22:25 ` Kees Cook 2017-07-19 1:52 ` Andy Lutomirski 2017-07-19 1:52 ` Andy Lutomirski 2017-07-19 9:28 ` James Morris 2017-07-19 9:28 ` James Morris 2017-07-18 22:25 ` [PATCH v3 08/15] LSM: drop bprm_secureexec hook Kees Cook 2017-07-18 22:25 ` Kees Cook 2017-07-19 0:02 ` John Johansen 2017-07-19 0:02 ` John Johansen 2017-07-19 9:29 ` James Morris 2017-07-19 9:29 ` James Morris 2017-07-18 22:25 ` [PATCH v3 09/15] exec: Correct comments about "point of no return" Kees Cook 2017-07-18 22:25 ` Kees Cook 2017-07-19 0:45 ` Eric W. Biederman 2017-07-19 0:45 ` Eric W. Biederman 2017-07-18 22:25 ` [PATCH v3 10/15] exec: Use secureexec for setting dumpability Kees Cook 2017-07-18 22:25 ` Kees Cook 2017-07-26 3:59 ` Kees Cook 2017-07-26 3:59 ` Kees Cook 2017-07-18 22:25 ` [PATCH v3 11/15] exec: Use secureexec for clearing pdeath_signal Kees Cook 2017-07-18 22:25 ` Kees Cook 2017-07-18 22:25 ` [PATCH v3 12/15] smack: Remove redundant pdeath_signal clearing Kees Cook 2017-07-18 22:25 ` Kees Cook 2017-07-18 22:25 ` [PATCH v3 13/15] exec: Consolidate dumpability logic Kees Cook 2017-07-18 22:25 ` Kees Cook 2017-07-18 22:25 ` [PATCH v3 14/15] exec: Use sane stack rlimit under secureexec Kees Cook 2017-07-18 22:25 ` Kees Cook 2017-07-19 9:42 ` James Morris 2017-07-19 9:42 ` James Morris 2017-07-18 22:25 ` [PATCH v3 15/15] exec: Consolidate pdeath_signal clearing Kees Cook 2017-07-18 22:25 ` Kees Cook 2017-07-18 23:03 ` [PATCH v3 00/15] exec: Use sane stack rlimit under secureexec Linus Torvalds 2017-07-18 23:03 ` Linus Torvalds 2017-07-19 3:22 ` Serge E. Hallyn 2017-07-19 3:22 ` Serge E. Hallyn 2017-07-19 5:23 ` Kees Cook 2017-07-19 5:23 ` Kees Cook
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=1500416736-49829-1-git-send-email-keescook@chromium.org \ --to=keescook@chromium.org \ --cc=akpm@linux-foundation.org \ --cc=casey@schaufler-ca.com \ --cc=dhowells@redhat.com \ --cc=ebiederm@xmission.com \ --cc=james.l.morris@oracle.com \ --cc=john.johansen@canonical.com \ --cc=linux-fsdevel@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-security-module@vger.kernel.org \ --cc=luto@kernel.org \ --cc=paul@paul-moore.com \ --cc=penguin-kernel@I-love.SAKURA.ne.jp \ --cc=sds@tycho.nsa.gov \ --cc=serge@hallyn.com \ --cc=torvalds@linux-foundation.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.