From: Kees Cook <keescook@chromium.org> To: Andrew Morton <akpm@linux-foundation.org> Cc: Kees Cook <keescook@chromium.org>, David Howells <dhowells@redhat.com>, "Eric W. Biederman" <ebiederm@xmission.com>, John Johansen <john.johansen@canonical.com>, "Serge E. Hallyn" <serge@hallyn.com>, Paul Moore <paul@paul-moore.com>, Stephen Smalley <sds@tycho.nsa.gov>, Casey Schaufler <casey@schaufler-ca.com>, Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>, James Morris <james.l.morris@oracle.com>, Andy Lutomirski <luto@kernel.org>, Linus Torvalds <torvalds@linux-foundation.org>, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v4 03/15] binfmt: Introduce secureexec flag Date: Mon, 31 Jul 2017 16:51:21 -0700 [thread overview] Message-ID: <1501545093-56634-4-git-send-email-keescook@chromium.org> (raw) In-Reply-To: <1501545093-56634-1-git-send-email-keescook@chromium.org> The bprm_secureexec hook can be moved earlier. Right now, it is called during create_elf_tables(), via load_binary(), via search_binary_handler(), via exec_binprm(). Nearly all (see exception below) state used by bprm_secureexec is created during the bprm_set_creds hook, called from prepare_binprm(). For all LSMs (except commoncaps described next), only the first execution of bprm_set_creds takes any effect (they all check bprm->called_set_creds which prepare_binprm() sets after the first call to the bprm_set_creds hook). However, all these LSMs also only do anything with bprm_secureexec when they detected a secure state during their first run of bprm_set_creds. Therefore, it is functionally identical to move the detection into bprm_set_creds, since the results from secureexec here only need to be based on the first call to the LSM's bprm_set_creds hook. The single exception is that the commoncaps secureexec hook also examines euid/uid and egid/gid differences which are controlled by bprm_fill_uid(), via prepare_binprm(), which can be called multiple times (e.g. binfmt_script, binfmt_misc), and may clear the euid/egid for the final load (i.e. the script interpreter). However, while commoncaps specifically ignores bprm->cred_prepared, and runs its bprm_set_creds hook each time prepare_binprm() may get called, it needs to base the secureexec decision on the final call to bprm_set_creds. As a result, it will need special handling. To begin this refactoring, this adds the secureexec flag to the bprm struct, and calls the secureexec hook during setup_new_exec(). This is safe since all the cred work is finished (and past the point of no return). This explicit call will be removed in later patches once the hook has been removed. Cc: David Howells <dhowells@redhat.com> Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: John Johansen <john.johansen@canonical.com> Acked-by: Serge Hallyn <serge@hallyn.com> --- fs/binfmt_elf.c | 2 +- fs/binfmt_elf_fdpic.c | 2 +- fs/exec.c | 2 ++ include/linux/binfmts.h | 6 ++++++ 4 files changed, 10 insertions(+), 2 deletions(-) diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index 5075fd5c62c8..7f6ec4dac13d 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -254,7 +254,7 @@ create_elf_tables(struct linux_binprm *bprm, struct elfhdr *exec, NEW_AUX_ENT(AT_EUID, from_kuid_munged(cred->user_ns, cred->euid)); NEW_AUX_ENT(AT_GID, from_kgid_munged(cred->user_ns, cred->gid)); NEW_AUX_ENT(AT_EGID, from_kgid_munged(cred->user_ns, cred->egid)); - NEW_AUX_ENT(AT_SECURE, security_bprm_secureexec(bprm)); + NEW_AUX_ENT(AT_SECURE, bprm->secureexec); NEW_AUX_ENT(AT_RANDOM, (elf_addr_t)(unsigned long)u_rand_bytes); #ifdef ELF_HWCAP2 NEW_AUX_ENT(AT_HWCAP2, ELF_HWCAP2); diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c index cf93a4fad012..5aa9199dfb13 100644 --- a/fs/binfmt_elf_fdpic.c +++ b/fs/binfmt_elf_fdpic.c @@ -650,7 +650,7 @@ static int create_elf_fdpic_tables(struct linux_binprm *bprm, NEW_AUX_ENT(AT_EUID, (elf_addr_t) from_kuid_munged(cred->user_ns, cred->euid)); NEW_AUX_ENT(AT_GID, (elf_addr_t) from_kgid_munged(cred->user_ns, cred->gid)); NEW_AUX_ENT(AT_EGID, (elf_addr_t) from_kgid_munged(cred->user_ns, cred->egid)); - NEW_AUX_ENT(AT_SECURE, security_bprm_secureexec(bprm)); + NEW_AUX_ENT(AT_SECURE, bprm->secureexec); NEW_AUX_ENT(AT_EXECFN, bprm->exec); #ifdef ARCH_DLINFO diff --git a/fs/exec.c b/fs/exec.c index 90bd5b85814f..77244367c773 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1322,6 +1322,8 @@ EXPORT_SYMBOL(would_dump); void setup_new_exec(struct linux_binprm * bprm) { + bprm->secureexec |= security_bprm_secureexec(bprm); + arch_pick_mmap_layout(current->mm); current->sas_ss_sp = current->sas_ss_size = 0; diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h index 3cd98e8bc9dc..6cfd36a27d4e 100644 --- a/include/linux/binfmts.h +++ b/include/linux/binfmts.h @@ -34,6 +34,12 @@ struct linux_binprm { cap_effective:1;/* true if has elevated effective capabilities, * false if not; except for init which inherits * its parent's caps anyway */ + /* + * Set by bprm_set_creds hook to indicate a privilege-gaining + * exec has happened. Used to sanitize execution environment + * and to set AT_SECURE auxv for glibc. + */ + secureexec:1; #ifdef __alpha__ unsigned int taso:1; #endif -- 2.7.4
WARNING: multiple messages have this Message-ID (diff)
From: keescook@chromium.org (Kees Cook) To: linux-security-module@vger.kernel.org Subject: [PATCH v4 03/15] binfmt: Introduce secureexec flag Date: Mon, 31 Jul 2017 16:51:21 -0700 [thread overview] Message-ID: <1501545093-56634-4-git-send-email-keescook@chromium.org> (raw) In-Reply-To: <1501545093-56634-1-git-send-email-keescook@chromium.org> The bprm_secureexec hook can be moved earlier. Right now, it is called during create_elf_tables(), via load_binary(), via search_binary_handler(), via exec_binprm(). Nearly all (see exception below) state used by bprm_secureexec is created during the bprm_set_creds hook, called from prepare_binprm(). For all LSMs (except commoncaps described next), only the first execution of bprm_set_creds takes any effect (they all check bprm->called_set_creds which prepare_binprm() sets after the first call to the bprm_set_creds hook). However, all these LSMs also only do anything with bprm_secureexec when they detected a secure state during their first run of bprm_set_creds. Therefore, it is functionally identical to move the detection into bprm_set_creds, since the results from secureexec here only need to be based on the first call to the LSM's bprm_set_creds hook. The single exception is that the commoncaps secureexec hook also examines euid/uid and egid/gid differences which are controlled by bprm_fill_uid(), via prepare_binprm(), which can be called multiple times (e.g. binfmt_script, binfmt_misc), and may clear the euid/egid for the final load (i.e. the script interpreter). However, while commoncaps specifically ignores bprm->cred_prepared, and runs its bprm_set_creds hook each time prepare_binprm() may get called, it needs to base the secureexec decision on the final call to bprm_set_creds. As a result, it will need special handling. To begin this refactoring, this adds the secureexec flag to the bprm struct, and calls the secureexec hook during setup_new_exec(). This is safe since all the cred work is finished (and past the point of no return). This explicit call will be removed in later patches once the hook has been removed. Cc: David Howells <dhowells@redhat.com> Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: John Johansen <john.johansen@canonical.com> Acked-by: Serge Hallyn <serge@hallyn.com> --- fs/binfmt_elf.c | 2 +- fs/binfmt_elf_fdpic.c | 2 +- fs/exec.c | 2 ++ include/linux/binfmts.h | 6 ++++++ 4 files changed, 10 insertions(+), 2 deletions(-) diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index 5075fd5c62c8..7f6ec4dac13d 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -254,7 +254,7 @@ create_elf_tables(struct linux_binprm *bprm, struct elfhdr *exec, NEW_AUX_ENT(AT_EUID, from_kuid_munged(cred->user_ns, cred->euid)); NEW_AUX_ENT(AT_GID, from_kgid_munged(cred->user_ns, cred->gid)); NEW_AUX_ENT(AT_EGID, from_kgid_munged(cred->user_ns, cred->egid)); - NEW_AUX_ENT(AT_SECURE, security_bprm_secureexec(bprm)); + NEW_AUX_ENT(AT_SECURE, bprm->secureexec); NEW_AUX_ENT(AT_RANDOM, (elf_addr_t)(unsigned long)u_rand_bytes); #ifdef ELF_HWCAP2 NEW_AUX_ENT(AT_HWCAP2, ELF_HWCAP2); diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c index cf93a4fad012..5aa9199dfb13 100644 --- a/fs/binfmt_elf_fdpic.c +++ b/fs/binfmt_elf_fdpic.c @@ -650,7 +650,7 @@ static int create_elf_fdpic_tables(struct linux_binprm *bprm, NEW_AUX_ENT(AT_EUID, (elf_addr_t) from_kuid_munged(cred->user_ns, cred->euid)); NEW_AUX_ENT(AT_GID, (elf_addr_t) from_kgid_munged(cred->user_ns, cred->gid)); NEW_AUX_ENT(AT_EGID, (elf_addr_t) from_kgid_munged(cred->user_ns, cred->egid)); - NEW_AUX_ENT(AT_SECURE, security_bprm_secureexec(bprm)); + NEW_AUX_ENT(AT_SECURE, bprm->secureexec); NEW_AUX_ENT(AT_EXECFN, bprm->exec); #ifdef ARCH_DLINFO diff --git a/fs/exec.c b/fs/exec.c index 90bd5b85814f..77244367c773 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1322,6 +1322,8 @@ EXPORT_SYMBOL(would_dump); void setup_new_exec(struct linux_binprm * bprm) { + bprm->secureexec |= security_bprm_secureexec(bprm); + arch_pick_mmap_layout(current->mm); current->sas_ss_sp = current->sas_ss_size = 0; diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h index 3cd98e8bc9dc..6cfd36a27d4e 100644 --- a/include/linux/binfmts.h +++ b/include/linux/binfmts.h @@ -34,6 +34,12 @@ struct linux_binprm { cap_effective:1;/* true if has elevated effective capabilities, * false if not; except for init which inherits * its parent's caps anyway */ + /* + * Set by bprm_set_creds hook to indicate a privilege-gaining + * exec has happened. Used to sanitize execution environment + * and to set AT_SECURE auxv for glibc. + */ + secureexec:1; #ifdef __alpha__ unsigned int taso:1; #endif -- 2.7.4 -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2017-07-31 23:56 UTC|newest] Thread overview: 72+ messages / expand[flat|nested] mbox.gz Atom feed top 2017-07-31 23:51 [PATCH v4 00/15] exec: Use sane stack rlimit under secureexec Kees Cook 2017-07-31 23:51 ` Kees Cook 2017-07-31 23:51 ` [PATCH v4 01/15] exec: Rename bprm->cred_prepared to called_set_creds Kees Cook 2017-07-31 23:51 ` Kees Cook 2017-07-31 23:51 ` [PATCH v4 02/15] exec: Correct comments about "point of no return" Kees Cook 2017-07-31 23:51 ` Kees Cook 2017-07-31 23:51 ` Kees Cook [this message] 2017-07-31 23:51 ` [PATCH v4 03/15] binfmt: Introduce secureexec flag Kees Cook 2017-08-01 0:23 ` Kees Cook 2017-08-01 0:23 ` Kees Cook 2017-08-01 0:44 ` James Morris 2017-08-01 0:44 ` James Morris 2017-07-31 23:51 ` [PATCH v4 04/15] apparmor: Refactor to remove bprm_secureexec hook Kees Cook 2017-07-31 23:51 ` Kees Cook 2017-07-31 23:51 ` [PATCH v4 05/15] selinux: " Kees Cook 2017-07-31 23:51 ` Kees Cook 2017-08-01 0:45 ` James Morris 2017-08-01 0:45 ` James Morris 2017-08-01 13:24 ` Andy Lutomirski 2017-08-01 13:24 ` Andy Lutomirski 2017-07-31 23:51 ` [PATCH v4 06/15] smack: " Kees Cook 2017-07-31 23:51 ` Kees Cook 2017-08-01 0:46 ` James Morris 2017-08-01 0:46 ` James Morris 2017-08-01 15:24 ` Casey Schaufler 2017-08-01 15:24 ` Casey Schaufler 2017-07-31 23:51 ` [PATCH v4 07/15] commoncap: " Kees Cook 2017-07-31 23:51 ` Kees Cook 2017-07-31 23:51 ` [PATCH v4 08/15] commoncap: Move cap_elevated calculation into bprm_set_creds Kees Cook 2017-07-31 23:51 ` Kees Cook 2017-08-01 13:46 ` Andy Lutomirski 2017-08-01 13:46 ` Andy Lutomirski 2017-07-31 23:51 ` [PATCH v4 09/15] LSM: drop bprm_secureexec hook Kees Cook 2017-07-31 23:51 ` Kees Cook 2017-07-31 23:51 ` [PATCH v4 10/15] exec: Use secureexec for setting dumpability Kees Cook 2017-07-31 23:51 ` Kees Cook 2017-08-01 0:48 ` James Morris 2017-08-01 0:48 ` James Morris 2017-07-31 23:51 ` [PATCH v4 11/15] exec: Use secureexec for clearing pdeath_signal Kees Cook 2017-07-31 23:51 ` Kees Cook 2017-08-01 0:50 ` James Morris 2017-08-01 0:50 ` James Morris 2017-07-31 23:51 ` [PATCH v4 12/15] smack: Remove redundant pdeath_signal clearing Kees Cook 2017-07-31 23:51 ` Kees Cook 2017-08-01 0:50 ` James Morris 2017-08-01 0:50 ` James Morris 2017-08-01 15:24 ` Casey Schaufler 2017-08-01 15:24 ` Casey Schaufler 2017-07-31 23:51 ` [PATCH v4 13/15] exec: Consolidate dumpability logic Kees Cook 2017-07-31 23:51 ` Kees Cook 2017-07-31 23:51 ` [PATCH v4 14/15] exec: Use sane stack rlimit under secureexec Kees Cook 2017-07-31 23:51 ` Kees Cook 2017-07-31 23:51 ` [PATCH v4 15/15] exec: Consolidate pdeath_signal clearing Kees Cook 2017-07-31 23:51 ` Kees Cook 2017-08-01 0:52 ` James Morris 2017-08-01 0:52 ` James Morris 2017-08-01 0:34 ` [PATCH v4 00/15] exec: Use sane stack rlimit under secureexec Kees Cook 2017-08-01 0:34 ` Kees Cook 2017-08-01 0:54 ` James Morris 2017-08-01 0:54 ` James Morris 2017-08-01 3:03 ` Kees Cook 2017-08-01 3:03 ` Kees Cook 2017-08-01 5:11 ` Linus Torvalds 2017-08-01 5:11 ` Linus Torvalds 2017-08-01 5:14 ` Linus Torvalds 2017-08-01 5:14 ` Linus Torvalds 2017-08-01 15:04 ` Kees Cook 2017-08-01 15:04 ` Kees Cook 2017-08-01 20:19 ` Linus Torvalds 2017-08-01 20:19 ` Linus Torvalds 2017-08-01 21:04 ` Kees Cook 2017-08-01 21:04 ` Kees Cook
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=1501545093-56634-4-git-send-email-keescook@chromium.org \ --to=keescook@chromium.org \ --cc=akpm@linux-foundation.org \ --cc=casey@schaufler-ca.com \ --cc=dhowells@redhat.com \ --cc=ebiederm@xmission.com \ --cc=james.l.morris@oracle.com \ --cc=john.johansen@canonical.com \ --cc=linux-fsdevel@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-security-module@vger.kernel.org \ --cc=luto@kernel.org \ --cc=paul@paul-moore.com \ --cc=penguin-kernel@i-love.sakura.ne.jp \ --cc=sds@tycho.nsa.gov \ --cc=serge@hallyn.com \ --cc=torvalds@linux-foundation.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.