From: John Johansen <john.johansen@canonical.com>
To: Kees Cook <keescook@chromium.org>,
Andrew Morton <akpm@linux-foundation.org>
Cc: David Howells <dhowells@redhat.com>,
Paul Moore <paul@paul-moore.com>,
Stephen Smalley <sds@tycho.nsa.gov>,
Casey Schaufler <casey@schaufler-ca.com>,
James Morris <james.l.morris@oracle.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
Andy Lutomirski <luto@kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
linux-fsdevel@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3 02/15] exec: Rename bprm->cred_prepared to called_set_creds
Date: Tue, 18 Jul 2017 17:08:08 -0700 [thread overview]
Message-ID: <e9f2a4b5-93f3-df86-71ab-7f54a4591ba3@canonical.com> (raw)
In-Reply-To: <1500416736-49829-3-git-send-email-keescook@chromium.org>
On 07/18/2017 03:25 PM, Kees Cook wrote:
> The cred_prepared bprm flag has a misleading name. It has nothing to do
> with the bprm_prepare_cred hook, and actually tracks if bprm_set_creds has
> been called. Rename this flag and improve its comment.
>
> Cc: David Howells <dhowells@redhat.com>
> Cc: John Johansen <john.johansen@canonical.com>
> Cc: Paul Moore <paul@paul-moore.com>
> Cc: Stephen Smalley <sds@tycho.nsa.gov>
> Cc: Casey Schaufler <casey@schaufler-ca.com>
> Cc: James Morris <james.l.morris@oracle.com>
> Signed-off-by: Kees Cook <keescook@chromium.org>
looks good
Acked-by: John Johansen <john.johansen@canonical.com>
> ---
> fs/binfmt_flat.c | 2 +-
> fs/exec.c | 2 +-
> include/linux/binfmts.h | 8 ++++++--
> security/apparmor/domain.c | 2 +-
> security/selinux/hooks.c | 2 +-
> security/smack/smack_lsm.c | 2 +-
> security/tomoyo/tomoyo.c | 2 +-
> 7 files changed, 12 insertions(+), 8 deletions(-)
>
> diff --git a/fs/binfmt_flat.c b/fs/binfmt_flat.c
> index 2edcefc0a294..a722530cc468 100644
> --- a/fs/binfmt_flat.c
> +++ b/fs/binfmt_flat.c
> @@ -885,7 +885,7 @@ static int load_flat_shared_library(int id, struct lib_info *libs)
> * as we're past the point of no return and are dealing with shared
> * libraries.
> */
> - bprm.cred_prepared = 1;
> + bprm.called_set_creds = 1;
>
> res = prepare_binprm(&bprm);
>
> diff --git a/fs/exec.c b/fs/exec.c
> index 904199086490..925c85a45d97 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -1547,7 +1547,7 @@ int prepare_binprm(struct linux_binprm *bprm)
> retval = security_bprm_set_creds(bprm);
> if (retval)
> return retval;
> - bprm->cred_prepared = 1;
> + bprm->called_set_creds = 1;
>
> memset(bprm->buf, 0, BINPRM_BUF_SIZE);
> return kernel_read(bprm->file, 0, bprm->buf, BINPRM_BUF_SIZE);
> diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h
> index 9508b5f83c7e..36be5a67517a 100644
> --- a/include/linux/binfmts.h
> +++ b/include/linux/binfmts.h
> @@ -25,8 +25,12 @@ struct linux_binprm {
> struct mm_struct *mm;
> unsigned long p; /* current top of mem */
> unsigned int
> - cred_prepared:1,/* true if creds already prepared (multiple
> - * preps happen for interpreters) */
> + /*
> + * True after the bprm_set_creds hook has been called once
> + * (multiple calls can be made via prepare_binprm() for
> + * binfmt_script/misc).
> + */
> + called_set_creds:1,
> cap_effective:1,/* true if has elevated effective capabilities,
> * false if not; except for init which inherits
> * its parent's caps anyway */
> diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
> index 001e133a3c8c..878407e023e3 100644
> --- a/security/apparmor/domain.c
> +++ b/security/apparmor/domain.c
> @@ -350,7 +350,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
> const char *name = NULL, *info = NULL;
> int error = 0;
>
> - if (bprm->cred_prepared)
> + if (bprm->called_set_creds)
> return 0;
>
> ctx = cred_ctx(bprm->cred);
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 819fd6858b49..0f1450a06b02 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -2327,7 +2327,7 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
>
> /* SELinux context only depends on initial program or script and not
> * the script interpreter */
> - if (bprm->cred_prepared)
> + if (bprm->called_set_creds)
> return 0;
>
> old_tsec = current_security();
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index 658f5d8c7e76..7d4b2e221124 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -917,7 +917,7 @@ static int smack_bprm_set_creds(struct linux_binprm *bprm)
> struct superblock_smack *sbsp;
> int rc;
>
> - if (bprm->cred_prepared)
> + if (bprm->called_set_creds)
> return 0;
>
> isp = inode->i_security;
> diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
> index 130b4fa4f65f..d25b705360e0 100644
> --- a/security/tomoyo/tomoyo.c
> +++ b/security/tomoyo/tomoyo.c
> @@ -76,7 +76,7 @@ static int tomoyo_bprm_set_creds(struct linux_binprm *bprm)
> * Do only if this function is called for the first time of an execve
> * operation.
> */
> - if (bprm->cred_prepared)
> + if (bprm->called_set_creds)
> return 0;
> #ifndef CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
> /*
>
WARNING: multiple messages have this Message-ID (diff)
From: john.johansen@canonical.com (John Johansen)
To: linux-security-module@vger.kernel.org
Subject: [PATCH v3 02/15] exec: Rename bprm->cred_prepared to called_set_creds
Date: Tue, 18 Jul 2017 17:08:08 -0700 [thread overview]
Message-ID: <e9f2a4b5-93f3-df86-71ab-7f54a4591ba3@canonical.com> (raw)
In-Reply-To: <1500416736-49829-3-git-send-email-keescook@chromium.org>
On 07/18/2017 03:25 PM, Kees Cook wrote:
> The cred_prepared bprm flag has a misleading name. It has nothing to do
> with the bprm_prepare_cred hook, and actually tracks if bprm_set_creds has
> been called. Rename this flag and improve its comment.
>
> Cc: David Howells <dhowells@redhat.com>
> Cc: John Johansen <john.johansen@canonical.com>
> Cc: Paul Moore <paul@paul-moore.com>
> Cc: Stephen Smalley <sds@tycho.nsa.gov>
> Cc: Casey Schaufler <casey@schaufler-ca.com>
> Cc: James Morris <james.l.morris@oracle.com>
> Signed-off-by: Kees Cook <keescook@chromium.org>
looks good
Acked-by: John Johansen <john.johansen@canonical.com>
> ---
> fs/binfmt_flat.c | 2 +-
> fs/exec.c | 2 +-
> include/linux/binfmts.h | 8 ++++++--
> security/apparmor/domain.c | 2 +-
> security/selinux/hooks.c | 2 +-
> security/smack/smack_lsm.c | 2 +-
> security/tomoyo/tomoyo.c | 2 +-
> 7 files changed, 12 insertions(+), 8 deletions(-)
>
> diff --git a/fs/binfmt_flat.c b/fs/binfmt_flat.c
> index 2edcefc0a294..a722530cc468 100644
> --- a/fs/binfmt_flat.c
> +++ b/fs/binfmt_flat.c
> @@ -885,7 +885,7 @@ static int load_flat_shared_library(int id, struct lib_info *libs)
> * as we're past the point of no return and are dealing with shared
> * libraries.
> */
> - bprm.cred_prepared = 1;
> + bprm.called_set_creds = 1;
>
> res = prepare_binprm(&bprm);
>
> diff --git a/fs/exec.c b/fs/exec.c
> index 904199086490..925c85a45d97 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -1547,7 +1547,7 @@ int prepare_binprm(struct linux_binprm *bprm)
> retval = security_bprm_set_creds(bprm);
> if (retval)
> return retval;
> - bprm->cred_prepared = 1;
> + bprm->called_set_creds = 1;
>
> memset(bprm->buf, 0, BINPRM_BUF_SIZE);
> return kernel_read(bprm->file, 0, bprm->buf, BINPRM_BUF_SIZE);
> diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h
> index 9508b5f83c7e..36be5a67517a 100644
> --- a/include/linux/binfmts.h
> +++ b/include/linux/binfmts.h
> @@ -25,8 +25,12 @@ struct linux_binprm {
> struct mm_struct *mm;
> unsigned long p; /* current top of mem */
> unsigned int
> - cred_prepared:1,/* true if creds already prepared (multiple
> - * preps happen for interpreters) */
> + /*
> + * True after the bprm_set_creds hook has been called once
> + * (multiple calls can be made via prepare_binprm() for
> + * binfmt_script/misc).
> + */
> + called_set_creds:1,
> cap_effective:1,/* true if has elevated effective capabilities,
> * false if not; except for init which inherits
> * its parent's caps anyway */
> diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
> index 001e133a3c8c..878407e023e3 100644
> --- a/security/apparmor/domain.c
> +++ b/security/apparmor/domain.c
> @@ -350,7 +350,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
> const char *name = NULL, *info = NULL;
> int error = 0;
>
> - if (bprm->cred_prepared)
> + if (bprm->called_set_creds)
> return 0;
>
> ctx = cred_ctx(bprm->cred);
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 819fd6858b49..0f1450a06b02 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -2327,7 +2327,7 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
>
> /* SELinux context only depends on initial program or script and not
> * the script interpreter */
> - if (bprm->cred_prepared)
> + if (bprm->called_set_creds)
> return 0;
>
> old_tsec = current_security();
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index 658f5d8c7e76..7d4b2e221124 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -917,7 +917,7 @@ static int smack_bprm_set_creds(struct linux_binprm *bprm)
> struct superblock_smack *sbsp;
> int rc;
>
> - if (bprm->cred_prepared)
> + if (bprm->called_set_creds)
> return 0;
>
> isp = inode->i_security;
> diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
> index 130b4fa4f65f..d25b705360e0 100644
> --- a/security/tomoyo/tomoyo.c
> +++ b/security/tomoyo/tomoyo.c
> @@ -76,7 +76,7 @@ static int tomoyo_bprm_set_creds(struct linux_binprm *bprm)
> * Do only if this function is called for the first time of an execve
> * operation.
> */
> - if (bprm->cred_prepared)
> + if (bprm->called_set_creds)
> return 0;
> #ifndef CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
> /*
>
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2017-07-19 0:08 UTC|newest]
Thread overview: 104+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-07-18 22:25 [PATCH v3 00/15] exec: Use sane stack rlimit under secureexec Kees Cook
2017-07-18 22:25 ` Kees Cook
2017-07-18 22:25 ` [PATCH v3 01/15] binfmt: Introduce secureexec flag Kees Cook
2017-07-18 22:25 ` Kees Cook
2017-07-19 0:05 ` John Johansen
2017-07-19 0:05 ` John Johansen
2017-07-19 1:01 ` Andy Lutomirski
2017-07-19 1:01 ` Andy Lutomirski
2017-07-18 22:25 ` [PATCH v3 02/15] exec: Rename bprm->cred_prepared to called_set_creds Kees Cook
2017-07-18 22:25 ` Kees Cook
2017-07-19 0:08 ` John Johansen [this message]
2017-07-19 0:08 ` John Johansen
2017-07-19 1:06 ` Andy Lutomirski
2017-07-19 1:06 ` Andy Lutomirski
2017-07-19 4:40 ` Kees Cook
2017-07-19 4:40 ` Kees Cook
2017-07-19 9:19 ` James Morris
2017-07-19 9:19 ` James Morris
2017-07-19 23:56 ` Paul Moore
2017-07-19 23:56 ` Paul Moore
2017-07-18 22:25 ` [PATCH v3 03/15] apparmor: Refactor to remove bprm_secureexec hook Kees Cook
2017-07-18 22:25 ` Kees Cook
2017-07-19 0:00 ` John Johansen
2017-07-19 0:00 ` John Johansen
2017-07-19 9:21 ` James Morris
2017-07-19 9:21 ` James Morris
2017-07-18 22:25 ` [PATCH v3 04/15] selinux: " Kees Cook
2017-07-18 22:25 ` Kees Cook
2017-07-20 0:03 ` Paul Moore
2017-07-20 0:03 ` Paul Moore
2017-07-20 0:19 ` Paul Moore
2017-07-20 0:19 ` Paul Moore
2017-07-20 1:37 ` Kees Cook
2017-07-20 1:37 ` Kees Cook
2017-07-20 13:42 ` Paul Moore
2017-07-20 13:42 ` Paul Moore
2017-07-20 17:06 ` Kees Cook
2017-07-20 17:06 ` Kees Cook
2017-07-20 20:42 ` Paul Moore
2017-07-20 20:42 ` Paul Moore
2017-07-21 15:40 ` Paul Moore
2017-07-21 15:40 ` Paul Moore
2017-07-21 17:37 ` Kees Cook
2017-07-21 17:37 ` Kees Cook
2017-07-21 19:16 ` Paul Moore
2017-07-21 19:16 ` Paul Moore
2017-07-18 22:25 ` [PATCH v3 05/15] smack: " Kees Cook
2017-07-18 22:25 ` Kees Cook
2017-07-26 3:58 ` Kees Cook
2017-07-26 3:58 ` Kees Cook
2017-07-26 15:24 ` Casey Schaufler
2017-07-26 15:24 ` Casey Schaufler
2017-07-18 22:25 ` [PATCH v3 06/15] commoncap: " Kees Cook
2017-07-18 22:25 ` Kees Cook
2017-07-19 1:10 ` Andy Lutomirski
2017-07-19 1:10 ` Andy Lutomirski
2017-07-19 4:41 ` Kees Cook
2017-07-19 4:41 ` Kees Cook
2017-07-20 4:53 ` Andy Lutomirski
2017-07-20 4:53 ` Andy Lutomirski
2017-07-31 22:43 ` Kees Cook
2017-07-31 22:43 ` Kees Cook
2017-08-01 13:12 ` Andy Lutomirski
2017-08-01 13:12 ` Andy Lutomirski
2017-07-19 9:26 ` James Morris
2017-07-19 9:26 ` James Morris
2017-07-18 22:25 ` [PATCH v3 07/15] commoncap: Move cap_elevated calculation into bprm_set_creds Kees Cook
2017-07-18 22:25 ` Kees Cook
2017-07-19 1:52 ` Andy Lutomirski
2017-07-19 1:52 ` Andy Lutomirski
2017-07-19 9:28 ` James Morris
2017-07-19 9:28 ` James Morris
2017-07-18 22:25 ` [PATCH v3 08/15] LSM: drop bprm_secureexec hook Kees Cook
2017-07-18 22:25 ` Kees Cook
2017-07-19 0:02 ` John Johansen
2017-07-19 0:02 ` John Johansen
2017-07-19 9:29 ` James Morris
2017-07-19 9:29 ` James Morris
2017-07-18 22:25 ` [PATCH v3 09/15] exec: Correct comments about "point of no return" Kees Cook
2017-07-18 22:25 ` Kees Cook
2017-07-19 0:45 ` Eric W. Biederman
2017-07-19 0:45 ` Eric W. Biederman
2017-07-18 22:25 ` [PATCH v3 10/15] exec: Use secureexec for setting dumpability Kees Cook
2017-07-18 22:25 ` Kees Cook
2017-07-26 3:59 ` Kees Cook
2017-07-26 3:59 ` Kees Cook
2017-07-18 22:25 ` [PATCH v3 11/15] exec: Use secureexec for clearing pdeath_signal Kees Cook
2017-07-18 22:25 ` Kees Cook
2017-07-18 22:25 ` [PATCH v3 12/15] smack: Remove redundant pdeath_signal clearing Kees Cook
2017-07-18 22:25 ` Kees Cook
2017-07-18 22:25 ` [PATCH v3 13/15] exec: Consolidate dumpability logic Kees Cook
2017-07-18 22:25 ` Kees Cook
2017-07-18 22:25 ` [PATCH v3 14/15] exec: Use sane stack rlimit under secureexec Kees Cook
2017-07-18 22:25 ` Kees Cook
2017-07-19 9:42 ` James Morris
2017-07-19 9:42 ` James Morris
2017-07-18 22:25 ` [PATCH v3 15/15] exec: Consolidate pdeath_signal clearing Kees Cook
2017-07-18 22:25 ` Kees Cook
2017-07-18 23:03 ` [PATCH v3 00/15] exec: Use sane stack rlimit under secureexec Linus Torvalds
2017-07-18 23:03 ` Linus Torvalds
2017-07-19 3:22 ` Serge E. Hallyn
2017-07-19 3:22 ` Serge E. Hallyn
2017-07-19 5:23 ` Kees Cook
2017-07-19 5:23 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e9f2a4b5-93f3-df86-71ab-7f54a4591ba3@canonical.com \
--to=john.johansen@canonical.com \
--cc=akpm@linux-foundation.org \
--cc=casey@schaufler-ca.com \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=james.l.morris@oracle.com \
--cc=keescook@chromium.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@kernel.org \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@I-love.SAKURA.ne.jp \
--cc=sds@tycho.nsa.gov \
--cc=serge@hallyn.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.