All of lore.kernel.org
 help / color / mirror / Atom feed
From: Kees Cook <keescook@chromium.org>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andy Lutomirski <luto@kernel.org>,
	Michal Hocko <mhocko@kernel.org>,
	Ben Hutchings <ben@decadent.org.uk>, Willy Tarreau <w@1wt.eu>,
	Hugh Dickins <hughd@google.com>, Oleg Nesterov <oleg@redhat.com>,
	"Jason A. Donenfeld" <Jason@zx2c4.com>,
	Rik van Riel <riel@redhat.com>,
	Larry Woodman <lwoodman@redhat.com>,
	"Kirill A. Shutemov" <kirill@shutemov.name>,
	Tony Luck <tony.luck@intel.com>,
	"James E.J. Bottomley" <jejb@parisc-linux.org>,
	Helge Diller <deller@gmx.de>,
	James Hogan <james.hogan@imgtec.com>,
	Laura Abbott <labbott@redhat.com>, Greg KH <greg@kroah.com>,
	"security@kernel.org" <security@kernel.org>,
	Qualys Security Advisory <qsa@qualys.com>,
	LKML <linux-kernel@vger.kernel.org>,
	Ximin Luo <infinity0@debian.org>
Subject: Re: [RFC][PATCH] exec: Use init rlimits for setuid exec
Date: Fri, 7 Jul 2017 11:27:58 -0700	[thread overview]
Message-ID: <CAGXu5jLdADJ8o_Ncc_TuP_r+KqG1VNGsoTkJTY5cP30Fs44WVg@mail.gmail.com> (raw)
In-Reply-To: <CA+55aFyuh30Lx1=LnQHrm7kecujUgh0K+WQtpLZE5g_7g4PMiw@mail.gmail.com>

On Fri, Jul 7, 2017 at 9:22 AM, Linus Torvalds
<torvalds@linux-foundation.org> wrote:
> On Thu, Jul 6, 2017 at 11:40 PM, Kees Cook <keescook@chromium.org> wrote:
> So I definitely like this approach, as long as we clarify that crazy
> security_bprm_secureexec() model. That code really is insane.

Yeah, it really seems like security_bprm_secureexec() should be
checking the bprm cred, though there are comments in the LSMs about
why this isn't done. I'll dig through the history there; it may be an
artifact of the old cred installation ordering...

It seems like an LSM would want to see "current creds" and "new creds"
as distinct things for comparing the results, but I'll check it out.

> In contrast, if the code just did:
>
>     if (security_bprm_secureexec(bprm)) {
>         if (current->signal->rlim[RLIMIT_STACK].rlim_cur > _STK_LIM)
>             current->signal->rlim[RLIMIT_STACK].rlim_cur = _STK_LIM;
>     }
>
> and leave the hard limit alone entirely. At least that doesn't let
> anybody escape the limits that the sysadmin has set.

Sounds good to me.

>
> Hmm? Yes, this allows people to try to attack suid binaries with a
> really small stack. But that's a pre-existing attack - do we have
> worries about it?

Agreed, I think that's out of scope for this.

-Kees

-- 
Kees Cook
Pixel Security

  reply	other threads:[~2017-07-07 18:28 UTC|newest]

Thread overview: 36+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-07-06  4:32 [RFC][PATCH] exec: Use init rlimits for setuid exec Kees Cook
2017-07-06  4:59 ` Andy Lutomirski
2017-07-06 12:45   ` Eric W. Biederman
2017-07-06 15:27     ` Andy Lutomirski
2017-07-06  5:47 ` Willy Tarreau
2017-07-06 12:38 ` Eric W. Biederman
2017-07-06 15:30   ` Andy Lutomirski
2017-07-06 16:34 ` Linus Torvalds
2017-07-06 16:50   ` Linus Torvalds
2017-07-06 17:29   ` Kees Cook
2017-07-06 17:52     ` Linus Torvalds
2017-07-06 19:12       ` Kees Cook
2017-07-07  4:48         ` Andy Lutomirski
2017-07-07  5:03           ` Linus Torvalds
2017-07-07  5:10           ` Kees Cook
2017-07-07  5:15             ` Kees Cook
2017-07-07  5:36               ` Andy Lutomirski
2017-07-07  5:45                 ` Kees Cook
2017-07-07  6:02                   ` Linus Torvalds
2017-07-07  6:10                     ` Kees Cook
2017-07-07 16:06                       ` Linus Torvalds
2017-07-07 18:28                         ` Kees Cook
2017-07-07 14:48                   ` Andy Lutomirski
2017-07-07  5:39               ` Linus Torvalds
2017-07-07  5:49                 ` Kees Cook
2017-07-07  6:40                   ` Kees Cook
2017-07-07 16:22                     ` Linus Torvalds
2017-07-07 18:27                       ` Kees Cook [this message]
2017-07-10  8:44         ` Michal Hocko
2017-07-10 16:12           ` Kees Cook
2017-07-10 16:18             ` Linus Torvalds
2017-07-10 16:52               ` Willy Tarreau
2017-07-10 16:27             ` Michal Hocko
2017-07-10 18:16               ` Michal Hocko
2017-07-10 18:29                 ` Rik van Riel
2017-07-12 23:50   ` Alan Cox

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAGXu5jLdADJ8o_Ncc_TuP_r+KqG1VNGsoTkJTY5cP30Fs44WVg@mail.gmail.com \
    --to=keescook@chromium.org \
    --cc=Jason@zx2c4.com \
    --cc=ben@decadent.org.uk \
    --cc=deller@gmx.de \
    --cc=greg@kroah.com \
    --cc=hughd@google.com \
    --cc=infinity0@debian.org \
    --cc=james.hogan@imgtec.com \
    --cc=jejb@parisc-linux.org \
    --cc=kirill@shutemov.name \
    --cc=labbott@redhat.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=luto@kernel.org \
    --cc=lwoodman@redhat.com \
    --cc=mhocko@kernel.org \
    --cc=oleg@redhat.com \
    --cc=qsa@qualys.com \
    --cc=riel@redhat.com \
    --cc=security@kernel.org \
    --cc=tony.luck@intel.com \
    --cc=torvalds@linux-foundation.org \
    --cc=w@1wt.eu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.