From: Kees Cook <keescook@chromium.org>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Kees Cook <keescook@chromium.org>,
David Howells <dhowells@redhat.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
John Johansen <john.johansen@canonical.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
Paul Moore <paul@paul-moore.com>,
Stephen Smalley <sds@tycho.nsa.gov>,
Casey Schaufler <casey@schaufler-ca.com>,
Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
James Morris <james.l.morris@oracle.com>,
Andy Lutomirski <luto@kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
linux-security-module <linux-security-module@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v3 10/15] exec: Use secureexec for setting dumpability
Date: Tue, 25 Jul 2017 20:59:15 -0700 [thread overview]
Message-ID: <CAGXu5jJe5PB8Cof4GomKa6HO28ioCDtGjhcSH6Ruy0RvAZ+R8A@mail.gmail.com> (raw)
In-Reply-To: <1500416736-49829-11-git-send-email-keescook@chromium.org>
On Tue, Jul 18, 2017 at 3:25 PM, Kees Cook <keescook@chromium.org> wrote:
> The examination of "current" to decide dumpability is wrong. This was a
> check of and euid/uid (or egid/gid) mismatch in the existing process,
> not the newly created one. This appears to stretch back into even the
> "history.git" tree. Luckily, dumpability is later set in commit_creds().
> In earlier kernel versions before creds existed, similar checks also
> existed late in the exec flow, covering up the mistake as far back as I
> could find.
>
> Note that because the commit_creds() check examines differences of euid,
> uid, egid, gid, and capabilities between the old and new creds, it would
> look like the setup_new_exec() dumpability test could be entirely removed.
> However, the secureexec test may cover a different set of tests (specific
> to the LSMs) than what commit_creds() checks for. So, fix this test to
> use secureexec (the removed euid tests are redundant to the commoncap
> secureexec checks now).
>
> Cc: David Howells <dhowells@redhat.com>
> Signed-off-by: Kees Cook <keescook@chromium.org>
David (or anyone else), how does this (and the following undiscussed
patches) look? I only have a few unreviewed patches in this series,
and I'd like to get some more eyes on it.
Thanks!
-Kees
> ---
> fs/exec.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/exec.c b/fs/exec.c
> index f9480d3e0b82..5241c8f25f5d 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -1353,7 +1353,7 @@ void setup_new_exec(struct linux_binprm * bprm)
>
> current->sas_ss_sp = current->sas_ss_size = 0;
>
> - if (uid_eq(current_euid(), current_uid()) && gid_eq(current_egid(), current_gid()))
> + if (!bprm->secureexec)
> set_dumpable(current->mm, SUID_DUMP_USER);
> else
> set_dumpable(current->mm, suid_dumpable);
> --
> 2.7.4
>
--
Kees Cook
Pixel Security
WARNING: multiple messages have this Message-ID (diff)
From: keescook@chromium.org (Kees Cook)
To: linux-security-module@vger.kernel.org
Subject: [PATCH v3 10/15] exec: Use secureexec for setting dumpability
Date: Tue, 25 Jul 2017 20:59:15 -0700 [thread overview]
Message-ID: <CAGXu5jJe5PB8Cof4GomKa6HO28ioCDtGjhcSH6Ruy0RvAZ+R8A@mail.gmail.com> (raw)
In-Reply-To: <1500416736-49829-11-git-send-email-keescook@chromium.org>
On Tue, Jul 18, 2017 at 3:25 PM, Kees Cook <keescook@chromium.org> wrote:
> The examination of "current" to decide dumpability is wrong. This was a
> check of and euid/uid (or egid/gid) mismatch in the existing process,
> not the newly created one. This appears to stretch back into even the
> "history.git" tree. Luckily, dumpability is later set in commit_creds().
> In earlier kernel versions before creds existed, similar checks also
> existed late in the exec flow, covering up the mistake as far back as I
> could find.
>
> Note that because the commit_creds() check examines differences of euid,
> uid, egid, gid, and capabilities between the old and new creds, it would
> look like the setup_new_exec() dumpability test could be entirely removed.
> However, the secureexec test may cover a different set of tests (specific
> to the LSMs) than what commit_creds() checks for. So, fix this test to
> use secureexec (the removed euid tests are redundant to the commoncap
> secureexec checks now).
>
> Cc: David Howells <dhowells@redhat.com>
> Signed-off-by: Kees Cook <keescook@chromium.org>
David (or anyone else), how does this (and the following undiscussed
patches) look? I only have a few unreviewed patches in this series,
and I'd like to get some more eyes on it.
Thanks!
-Kees
> ---
> fs/exec.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/exec.c b/fs/exec.c
> index f9480d3e0b82..5241c8f25f5d 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -1353,7 +1353,7 @@ void setup_new_exec(struct linux_binprm * bprm)
>
> current->sas_ss_sp = current->sas_ss_size = 0;
>
> - if (uid_eq(current_euid(), current_uid()) && gid_eq(current_egid(), current_gid()))
> + if (!bprm->secureexec)
> set_dumpable(current->mm, SUID_DUMP_USER);
> else
> set_dumpable(current->mm, suid_dumpable);
> --
> 2.7.4
>
--
Kees Cook
Pixel Security
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2017-07-26 3:59 UTC|newest]
Thread overview: 104+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-07-18 22:25 [PATCH v3 00/15] exec: Use sane stack rlimit under secureexec Kees Cook
2017-07-18 22:25 ` Kees Cook
2017-07-18 22:25 ` [PATCH v3 01/15] binfmt: Introduce secureexec flag Kees Cook
2017-07-18 22:25 ` Kees Cook
2017-07-19 0:05 ` John Johansen
2017-07-19 0:05 ` John Johansen
2017-07-19 1:01 ` Andy Lutomirski
2017-07-19 1:01 ` Andy Lutomirski
2017-07-18 22:25 ` [PATCH v3 02/15] exec: Rename bprm->cred_prepared to called_set_creds Kees Cook
2017-07-18 22:25 ` Kees Cook
2017-07-19 0:08 ` John Johansen
2017-07-19 0:08 ` John Johansen
2017-07-19 1:06 ` Andy Lutomirski
2017-07-19 1:06 ` Andy Lutomirski
2017-07-19 4:40 ` Kees Cook
2017-07-19 4:40 ` Kees Cook
2017-07-19 9:19 ` James Morris
2017-07-19 9:19 ` James Morris
2017-07-19 23:56 ` Paul Moore
2017-07-19 23:56 ` Paul Moore
2017-07-18 22:25 ` [PATCH v3 03/15] apparmor: Refactor to remove bprm_secureexec hook Kees Cook
2017-07-18 22:25 ` Kees Cook
2017-07-19 0:00 ` John Johansen
2017-07-19 0:00 ` John Johansen
2017-07-19 9:21 ` James Morris
2017-07-19 9:21 ` James Morris
2017-07-18 22:25 ` [PATCH v3 04/15] selinux: " Kees Cook
2017-07-18 22:25 ` Kees Cook
2017-07-20 0:03 ` Paul Moore
2017-07-20 0:03 ` Paul Moore
2017-07-20 0:19 ` Paul Moore
2017-07-20 0:19 ` Paul Moore
2017-07-20 1:37 ` Kees Cook
2017-07-20 1:37 ` Kees Cook
2017-07-20 13:42 ` Paul Moore
2017-07-20 13:42 ` Paul Moore
2017-07-20 17:06 ` Kees Cook
2017-07-20 17:06 ` Kees Cook
2017-07-20 20:42 ` Paul Moore
2017-07-20 20:42 ` Paul Moore
2017-07-21 15:40 ` Paul Moore
2017-07-21 15:40 ` Paul Moore
2017-07-21 17:37 ` Kees Cook
2017-07-21 17:37 ` Kees Cook
2017-07-21 19:16 ` Paul Moore
2017-07-21 19:16 ` Paul Moore
2017-07-18 22:25 ` [PATCH v3 05/15] smack: " Kees Cook
2017-07-18 22:25 ` Kees Cook
2017-07-26 3:58 ` Kees Cook
2017-07-26 3:58 ` Kees Cook
2017-07-26 15:24 ` Casey Schaufler
2017-07-26 15:24 ` Casey Schaufler
2017-07-18 22:25 ` [PATCH v3 06/15] commoncap: " Kees Cook
2017-07-18 22:25 ` Kees Cook
2017-07-19 1:10 ` Andy Lutomirski
2017-07-19 1:10 ` Andy Lutomirski
2017-07-19 4:41 ` Kees Cook
2017-07-19 4:41 ` Kees Cook
2017-07-20 4:53 ` Andy Lutomirski
2017-07-20 4:53 ` Andy Lutomirski
2017-07-31 22:43 ` Kees Cook
2017-07-31 22:43 ` Kees Cook
2017-08-01 13:12 ` Andy Lutomirski
2017-08-01 13:12 ` Andy Lutomirski
2017-07-19 9:26 ` James Morris
2017-07-19 9:26 ` James Morris
2017-07-18 22:25 ` [PATCH v3 07/15] commoncap: Move cap_elevated calculation into bprm_set_creds Kees Cook
2017-07-18 22:25 ` Kees Cook
2017-07-19 1:52 ` Andy Lutomirski
2017-07-19 1:52 ` Andy Lutomirski
2017-07-19 9:28 ` James Morris
2017-07-19 9:28 ` James Morris
2017-07-18 22:25 ` [PATCH v3 08/15] LSM: drop bprm_secureexec hook Kees Cook
2017-07-18 22:25 ` Kees Cook
2017-07-19 0:02 ` John Johansen
2017-07-19 0:02 ` John Johansen
2017-07-19 9:29 ` James Morris
2017-07-19 9:29 ` James Morris
2017-07-18 22:25 ` [PATCH v3 09/15] exec: Correct comments about "point of no return" Kees Cook
2017-07-18 22:25 ` Kees Cook
2017-07-19 0:45 ` Eric W. Biederman
2017-07-19 0:45 ` Eric W. Biederman
2017-07-18 22:25 ` [PATCH v3 10/15] exec: Use secureexec for setting dumpability Kees Cook
2017-07-18 22:25 ` Kees Cook
2017-07-26 3:59 ` Kees Cook [this message]
2017-07-26 3:59 ` Kees Cook
2017-07-18 22:25 ` [PATCH v3 11/15] exec: Use secureexec for clearing pdeath_signal Kees Cook
2017-07-18 22:25 ` Kees Cook
2017-07-18 22:25 ` [PATCH v3 12/15] smack: Remove redundant pdeath_signal clearing Kees Cook
2017-07-18 22:25 ` Kees Cook
2017-07-18 22:25 ` [PATCH v3 13/15] exec: Consolidate dumpability logic Kees Cook
2017-07-18 22:25 ` Kees Cook
2017-07-18 22:25 ` [PATCH v3 14/15] exec: Use sane stack rlimit under secureexec Kees Cook
2017-07-18 22:25 ` Kees Cook
2017-07-19 9:42 ` James Morris
2017-07-19 9:42 ` James Morris
2017-07-18 22:25 ` [PATCH v3 15/15] exec: Consolidate pdeath_signal clearing Kees Cook
2017-07-18 22:25 ` Kees Cook
2017-07-18 23:03 ` [PATCH v3 00/15] exec: Use sane stack rlimit under secureexec Linus Torvalds
2017-07-18 23:03 ` Linus Torvalds
2017-07-19 3:22 ` Serge E. Hallyn
2017-07-19 3:22 ` Serge E. Hallyn
2017-07-19 5:23 ` Kees Cook
2017-07-19 5:23 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAGXu5jJe5PB8Cof4GomKa6HO28ioCDtGjhcSH6Ruy0RvAZ+R8A@mail.gmail.com \
--to=keescook@chromium.org \
--cc=akpm@linux-foundation.org \
--cc=casey@schaufler-ca.com \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=james.l.morris@oracle.com \
--cc=john.johansen@canonical.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@kernel.org \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=sds@tycho.nsa.gov \
--cc=serge@hallyn.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.