Date: Wed, 9 Nov 2016 10:02:38 +0300
From: Cyrill Gorcunov
To: Josh Triplett
Cc: Andrew Morton, Kees Cook, Johannes Weiner, Arnd Bergmann, Ingo Molnar, Andy Lutomirski, Petr Mladek, Thomas Garnier, Ard Biesheuvel, Nicolas Pitre, Zefan Li, Li Bin, "Eric W. Biederman", Dmitry Vyukov, Ralf Baechle, Alex Thorlton, Michal Hocko, Mateusz Guzik, John Stultz, Al Viro, Zach Brown, Anna Schumaker, Dave Hansen, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org
Subject: Re: [PATCH 1/2] kernel: Move prctl and helpers from kernel/sys.c to new kernel/prctl.c
Message-ID: <20161109070238.GA1870@uranus.lan>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Nov 08, 2016 at 04:18:13PM -0800, Josh Triplett wrote:
> This prepares for making prctl optional. > > Signed-off-by: Josh Triplett > + ... > +static int prctl_set_mm_exe_file(struct mm_struct *mm, unsigned int fd) > +{ > + struct fd exe; > + struct file *old_exe, *exe_file; > + struct inode *inode; > + int err; > + > + exe = fdget(fd); > + if (!exe.file) > + return -EBADF; > + > + inode = file_inode(exe.file); > + > + /* > + * Because the original mm->exe_file points to executable file, make > + * sure that this one is executable as well, to avoid breaking an > + * overall picture.
> + */ > + err = -EACCES; > + if (!S_ISREG(inode->i_mode) || path_noexec(&exe.file->f_path)) > + goto exit; > + > + err = inode_permission(inode, MAY_EXEC); > + if (err) > + goto exit; > + > + /* > + * Forbid mm->exe_file change if old file still mapped. > + */ > + exe_file = get_mm_exe_file(mm); > + err = -EBUSY; > + if (exe_file) { > + struct vm_area_struct *vma; > + > + down_read(&mm->mmap_sem); > + for (vma = mm->mmap; vma; vma = vma->vm_next) { > + if (!vma->vm_file) > + continue; > + if (path_equal(&vma->vm_file->f_path, > + &exe_file->f_path)) > + goto exit_err; > + } > + > + up_read(&mm->mmap_sem); > + fput(exe_file); > + } > + > + /* > + * The symlink can be changed only once, just to disallow arbitrary > + * transitions malicious software might bring in. This means one > + * could make a snapshot over all processes running and monitor > + * /proc/pid/exe changes to notice unusual activity if needed. > + */ > + err = -EPERM; > + if (test_and_set_bit(MMF_EXE_FILE_CHANGED, &mm->flags)) > + goto exit;

IIRC this snippet has been dropped in linux-next tree. Stas CC'ed.

The rest looks cool for me. Thanks!

Reviewed-by: Cyrill Gorcunov
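
Review bot: the `test_and_set_bit(MMF_EXE_FILE_CHANGED, &mm->flags)` check at the end of the quoted `prctl_set_mm_exe_file()` is the block the reply says has been dropped in linux-next, so a move out of kernel/sys.c taken from an older base would carry it into the new kernel/prctl.c again. Rebase the move onto a tree that already has that removal so the patch stays a pure relocation, and state in the commit message that no functional change is intended. Separately, the `goto exit_err` inside the VMA loop leaves with `mm->mmap_sem` held for read and a reference on `exe_file`; the label lies outside the quoted lines, so confirm in the moved code that it still performs the `up_read()` and `fput(exe_file)` that the fall-through path does.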