linux-fsdevel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* Leaking path for search_binary_handler
@ 2018-09-25 17:27 Tong Zhang
  2018-09-26 12:59 ` Stephen Smalley
  0 siblings, 1 reply; 2+ messages in thread
From: Tong Zhang @ 2018-09-25 17:27 UTC (permalink / raw)
  To: viro; +Cc: linux-fsdevel, linux-kernel, linux-security-module, wenbo.s

Kernel Version: 4.18.5

Problem Description:

search_binary_handler() should be called after setting bprm using prepare_binprm(),
and in prepare_binprm(), there’s a LSM hook security_bprm_set_creds(), 
which can make a decision that binfmt cares.

We found a leaking path In fs/binfmt_misc.c:235, that don’t ask LSM’s decision.

- Tong

^ permalink raw reply	[flat|nested] 2+ messages in thread
* Re: Leaking path for search_binary_handler
  2018-09-25 17:27 Leaking path for search_binary_handler Tong Zhang
@ 2018-09-26 12:59 ` Stephen Smalley
  0 siblings, 0 replies; 2+ messages in thread
From: Stephen Smalley @ 2018-09-26 12:59 UTC (permalink / raw)
  To: Tong Zhang; +Cc: linux-fsdevel, linux-kernel, linux-security-module, wenbo.s

On 09/25/2018 01:27 PM, Tong Zhang wrote:
> Kernel Version: 4.18.5
> 
> Problem Description:
> 
> search_binary_handler() should be called after setting bprm using prepare_binprm(),
> and in prepare_binprm(), there’s a LSM hook security_bprm_set_creds(),
> which can make a decision that binfmt cares.
> 
> We found a leaking path In fs/binfmt_misc.c:235, that don’t ask LSM’s decision.

Do you mean the MISC_FMT_CREDENTIALS case? That looks intentional to me, 
as noted in the comment there, and as per 
Documentation/admin-guide/binfmt-misc.rst's discussion of the 
credentials flag.

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2018-09-26 12:59 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-09-25 17:27 Leaking path for search_binary_handler Tong Zhang
2018-09-26 12:59 ` Stephen Smalley

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).