From: Ben Hutchings <ben@decadent.org.uk>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: akpm@linux-foundation.org, "Eric W. Biederman" <ebiederm@xmission.com>
Subject: [PATCH 3.16 17/19] vfs: Commit to never having exectuables on proc and sysfs.
Date: Sat, 01 Apr 2017 14:17:50 +0100 [thread overview]
Message-ID: <lsq.1491052670.720732719@decadent.org.uk> (raw)
In-Reply-To: <lsq.1491052670.319419763@decadent.org.uk>
3.16.43-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Eric W. Biederman" <ebiederm@xmission.com>
commit 22f6b4d34fcf039c63a94e7670e0da24f8575a5a upstream.
Today proc and sysfs do not contain any executable files. Several
applications today mount proc or sysfs without noexec and nosuid and
then depend on there being no exectuables files on proc or sysfs.
Having any executable files show on proc or sysfs would cause
a user space visible regression, and most likely security problems.
Therefore commit to never allowing executables on proc and sysfs by
adding a new flag to mark them as filesystems without executables and
enforce that flag.
Test the flag where MNT_NOEXEC is tested today, so that the only user
visible effect will be that exectuables will be treated as if the
execute bit is cleared.
The filesystems proc and sysfs do not currently incoporate any
executable files so this does not result in any user visible effects.
This makes it unnecessary to vet changes to proc and sysfs tightly for
adding exectuable files or changes to chattr that would modify
existing files, as no matter what the individual file say they will
not be treated as exectuable files by the vfs.
Not having to vet changes to closely is important as without this we
are only one proc_create call (or another goof up in the
implementation of notify_change) from having problematic executables
on proc. Those mistakes are all too easy to make and would create
a situation where there are security issues or the assumptions of
some program having to be broken (and cause userspace regressions).
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
[bwh: Backported to 3.16: we don't have super_block::s_iflags; use
file_system_type::fs_flags instead]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -98,6 +98,12 @@ static inline void put_binfmt(struct lin
module_put(fmt->module);
}
+bool path_noexec(const struct path *path)
+{
+ return (path->mnt->mnt_flags & MNT_NOEXEC) ||
+ (path->mnt->mnt_sb->s_type->fs_flags & FS_NOEXEC);
+}
+
#ifdef CONFIG_USELIB
/*
* Note that a shared library must be both readable and executable due to
@@ -132,7 +138,7 @@ SYSCALL_DEFINE1(uselib, const char __use
goto exit;
error = -EACCES;
- if (file->f_path.mnt->mnt_flags & MNT_NOEXEC)
+ if (path_noexec(&file->f_path))
goto exit;
fsnotify_open(file);
@@ -773,7 +779,7 @@ static struct file *do_open_exec(struct
if (!S_ISREG(file_inode(file)->i_mode))
goto exit;
- if (file->f_path.mnt->mnt_flags & MNT_NOEXEC)
+ if (path_noexec(&file->f_path))
goto exit;
fsnotify_open(file);
--- a/fs/open.c
+++ b/fs/open.c
@@ -359,7 +359,7 @@ retry:
* with the "noexec" flag.
*/
res = -EACCES;
- if (path.mnt->mnt_flags & MNT_NOEXEC)
+ if (path_noexec(&path))
goto out_path_release;
}
--- a/fs/proc/root.c
+++ b/fs/proc/root.c
@@ -161,7 +161,7 @@ static struct file_system_type proc_fs_t
.name = "proc",
.mount = proc_mount,
.kill_sb = proc_kill_sb,
- .fs_flags = FS_USERNS_VISIBLE | FS_USERNS_MOUNT,
+ .fs_flags = FS_USERNS_VISIBLE | FS_USERNS_MOUNT | FS_NOEXEC,
};
void __init proc_root_init(void)
--- a/fs/sysfs/mount.c
+++ b/fs/sysfs/mount.c
@@ -40,6 +40,7 @@ static struct dentry *sysfs_mount(struct
SYSFS_MAGIC, &new_sb, ns);
if (IS_ERR(root) || !new_sb)
kobj_ns_drop(KOBJ_NS_TYPE_NET, ns);
+
return root;
}
@@ -55,7 +56,7 @@ static struct file_system_type sysfs_fs_
.name = "sysfs",
.mount = sysfs_mount,
.kill_sb = sysfs_kill_sb,
- .fs_flags = FS_USERNS_VISIBLE | FS_USERNS_MOUNT,
+ .fs_flags = FS_USERNS_VISIBLE | FS_USERNS_MOUNT | FS_NOEXEC,
};
int __init sysfs_init(void)
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -1767,6 +1767,7 @@ struct file_system_type {
#define FS_USERNS_MOUNT 8 /* Can be mounted by userns root */
#define FS_USERNS_DEV_MOUNT 16 /* A userns mount does not imply MNT_NODEV */
#define FS_USERNS_VISIBLE 32 /* FS must already be visible */
+#define FS_NOEXEC 64 /* Ignore executables on this fs */
#define FS_RENAME_DOES_D_MOVE 32768 /* FS will handle d_move() during rename() internally. */
struct dentry *(*mount) (struct file_system_type *, int,
const char *, void *);
@@ -2782,4 +2783,6 @@ static inline bool dir_relax(struct inod
return !IS_DEADDIR(inode);
}
+extern bool path_noexec(const struct path *path);
+
#endif /* _LINUX_FS_H */
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -1646,8 +1646,7 @@ static int prctl_set_mm_exe_file(struct
* overall picture.
*/
err = -EACCES;
- if (!S_ISREG(inode->i_mode) ||
- exe.file->f_path.mnt->mnt_flags & MNT_NOEXEC)
+ if (!S_ISREG(inode->i_mode) || path_noexec(&exe.file->f_path))
goto exit;
err = inode_permission(inode, MAY_EXEC);
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -1250,7 +1250,7 @@ unsigned long do_mmap_pgoff(struct file
* mounted, in which case we dont add PROT_EXEC.)
*/
if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
- if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
+ if (!(file && path_noexec(&file->f_path)))
prot |= PROT_EXEC;
if (!len)
@@ -1322,7 +1322,7 @@ unsigned long do_mmap_pgoff(struct file
case MAP_PRIVATE:
if (!(file->f_mode & FMODE_READ))
return -EACCES;
- if (file->f_path.mnt->mnt_flags & MNT_NOEXEC) {
+ if (path_noexec(&file->f_path)) {
if (vm_flags & VM_EXEC)
return -EPERM;
vm_flags &= ~VM_MAYEXEC;
--- a/mm/nommu.c
+++ b/mm/nommu.c
@@ -1043,7 +1043,7 @@ static int validate_mmap_request(struct
/* handle executable mappings and implied executable
* mappings */
- if (file->f_path.mnt->mnt_flags & MNT_NOEXEC) {
+ if (path_noexec(&file->f_path)) {
if (prot & PROT_EXEC)
return -EPERM;
} else if ((prot & PROT_READ) && !(prot & PROT_EXEC)) {
--- a/security/security.c
+++ b/security/security.c
@@ -728,7 +728,7 @@ static inline unsigned long mmap_prot(st
* ditto if it's not on noexec mount, except that on !MMU we need
* BDI_CAP_EXEC_MMAP (== VM_MAYEXEC) in this case
*/
- if (!(file->f_path.mnt->mnt_flags & MNT_NOEXEC)) {
+ if (!path_noexec(&file->f_path)) {
#ifndef CONFIG_MMU
unsigned long caps = 0;
struct address_space *mapping = file->f_mapping;
next prev parent reply other threads:[~2017-04-01 13:23 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-01 13:17 [PATCH 3.16 00/19] 3.16.43-rc1 review Ben Hutchings
2017-04-01 13:17 ` [PATCH 3.16 05/19] MIPS: save/disable MSA in lose_fpu Ben Hutchings
2017-04-01 13:17 ` [PATCH 3.16 14/19] MIPS: Zero variable read by get_user / __get_user in case of an error Ben Hutchings
2017-04-01 13:17 ` [PATCH 3.16 04/19] MIPS: preserve scalar FP CSR when switching vector context Ben Hutchings
2017-04-01 13:17 ` [PATCH 3.16 15/19] HID: hid-input: Add parentheses to quell gcc warning Ben Hutchings
2017-04-01 13:17 ` [PATCH 3.16 18/19] aio: mark AIO pseudo-fs noexec Ben Hutchings
2017-04-01 13:17 ` Ben Hutchings [this message]
2017-04-01 13:17 ` [PATCH 3.16 12/19] serial: samsung: Use %pa to print 'resource_size_t' type Ben Hutchings
2017-04-01 13:17 ` [PATCH 3.16 16/19] netlink: remove mmapped netlink support Ben Hutchings
2017-04-01 13:17 ` [PATCH 3.16 11/19] mmc: sunxi: avoid invalid pointer calculation Ben Hutchings
2017-04-01 18:45 ` David Lanzendörfer
2017-04-01 19:53 ` Ben Hutchings
2017-04-01 13:17 ` [PATCH 3.16 08/19] atm: iphase: fix misleading indention Ben Hutchings
2017-04-01 13:17 ` [PATCH 3.16 19/19] keys: Guard against null match function in keyring_search_aux() Ben Hutchings
2017-04-01 13:17 ` [PATCH 3.16 10/19] fs/nfs: fix new compiler warning about boolean in switch Ben Hutchings
2017-04-01 13:17 ` [PATCH 3.16 13/19] MIPS: ralink: Cosmetic change to prom_init() Ben Hutchings
2017-04-01 13:17 ` [PATCH 3.16 06/19] MIPS: init upper 64b of vector registers when MSA is first used Ben Hutchings
2017-04-01 13:17 ` [PATCH 3.16 02/19] blk: rq_data_dir() should not return a boolean Ben Hutchings
2017-04-01 13:17 ` [PATCH 3.16 09/19] crypto: improve gcc optimization flags for serpent and wp512 Ben Hutchings
2017-04-01 13:17 ` [PATCH 3.16 03/19] MIPS: save/restore MSACSR register on context switch Ben Hutchings
2017-04-01 13:17 ` [PATCH 3.16 01/19] fs: namespace: suppress 'may be used uninitialized' warnings Ben Hutchings
2017-04-01 13:17 ` [PATCH 3.16 07/19] MIPS: Fix build with binutils 2.24.51+ Ben Hutchings
2017-04-01 17:43 ` [PATCH 3.16 00/19] 3.16.43-rc1 review Guenter Roeck
2017-04-01 22:40 ` Ben Hutchings
2017-04-02 2:21 ` Guenter Roeck
2017-04-02 2:48 ` Ben Hutchings
2017-04-02 3:04 ` [PATCH 3.16 00/26] 3.16.43-rc2 review Ben Hutchings
2017-04-02 3:04 ` [PATCH 3.16 22/26] MIPS: traps: Fix inline asm ctc1 missing .set hardfloat Ben Hutchings
2017-04-02 3:04 ` [PATCH 3.16 23/26] MIPS: Push .set mips64r* into the functions needing it Ben Hutchings
2017-04-02 3:04 ` [PATCH 3.16 24/26] MIPS: assume at as source/dest of MSA copy/insert instructions Ben Hutchings
2017-04-02 3:04 ` [PATCH 3.16 20/26] MIPS: allow msa.h to be included in assembly files Ben Hutchings
2017-04-02 3:04 ` [PATCH 3.16 26/26] MIPS: wrap cfcmsa & ctcmsa accesses for toolchains with MSA support Ben Hutchings
2017-04-02 3:04 ` [PATCH 3.16 21/26] MIPS: mipsregs.h: Add write_32bit_cp1_register() Ben Hutchings
2017-04-02 3:04 ` [PATCH 3.16 25/26] MIPS: remove MSA macro recursion Ben Hutchings
2017-04-02 3:15 ` [PATCH 3.16 00/26] 3.16.43-rc2 review Ben Hutchings
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=lsq.1491052670.720732719@decadent.org.uk \
--to=ben@decadent.org.uk \
--cc=akpm@linux-foundation.org \
--cc=ebiederm@xmission.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.