From: Kees Cook <keescook@chromium.org>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Kees Cook <keescook@chromium.org>,
David Howells <dhowells@redhat.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
John Johansen <john.johansen@canonical.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
Paul Moore <paul@paul-moore.com>,
Stephen Smalley <sds@tycho.nsa.gov>,
Casey Schaufler <casey@schaufler-ca.com>,
Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
James Morris <james.l.morris@oracle.com>,
Andy Lutomirski <luto@kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
linux-fsdevel@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: [PATCH v4 04/15] apparmor: Refactor to remove bprm_secureexec hook
Date: Mon, 31 Jul 2017 16:51:22 -0700 [thread overview]
Message-ID: <1501545093-56634-5-git-send-email-keescook@chromium.org> (raw)
In-Reply-To: <1501545093-56634-1-git-send-email-keescook@chromium.org>
The AppArmor bprm_secureexec hook can be merged with the bprm_set_creds
hook since it's dealing with the same information, and all of the details
are finalized during the first call to the bprm_set_creds hook via
prepare_binprm() (subsequent calls due to binfmt_script, etc, are ignored
via bprm->called_set_creds).
Here, all the comments describe how secureexec is actually calculated
during bprm_set_creds, so this actually does it, drops the bprm flag that
was being used internally by AppArmor, and drops the bprm_secureexec hook.
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: John Johansen <john.johansen@canonical.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
---
security/apparmor/domain.c | 22 +---------------------
security/apparmor/include/domain.h | 1 -
security/apparmor/include/file.h | 3 ---
security/apparmor/lsm.c | 1 -
4 files changed, 1 insertion(+), 26 deletions(-)
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 878407e023e3..1a1b1ec89d9d 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -485,14 +485,11 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
*
* Cases 2 and 3 are marked as requiring secure exec
* (unless policy specified "unsafe exec")
- *
- * bprm->unsafe is used to cache the AA_X_UNSAFE permission
- * to avoid having to recompute in secureexec
*/
if (!(perms.xindex & AA_X_UNSAFE)) {
AA_DEBUG("scrubbing environment variables for %s profile=%s\n",
name, new_profile->base.hname);
- bprm->unsafe |= AA_SECURE_X_NEEDED;
+ bprm->secureexec = 1;
}
apply:
/* when transitioning profiles clear unsafe personality bits */
@@ -521,23 +518,6 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
}
/**
- * apparmor_bprm_secureexec - determine if secureexec is needed
- * @bprm: binprm for exec (NOT NULL)
- *
- * Returns: %1 if secureexec is needed else %0
- */
-int apparmor_bprm_secureexec(struct linux_binprm *bprm)
-{
- /* the decision to use secure exec is computed in set_creds
- * and stored in bprm->unsafe.
- */
- if (bprm->unsafe & AA_SECURE_X_NEEDED)
- return 1;
-
- return 0;
-}
-
-/**
* apparmor_bprm_committing_creds - do task cleanup on committing new creds
* @bprm: binprm for the exec (NOT NULL)
*/
diff --git a/security/apparmor/include/domain.h b/security/apparmor/include/domain.h
index 30544729878a..2495af293587 100644
--- a/security/apparmor/include/domain.h
+++ b/security/apparmor/include/domain.h
@@ -24,7 +24,6 @@ struct aa_domain {
};
int apparmor_bprm_set_creds(struct linux_binprm *bprm);
-int apparmor_bprm_secureexec(struct linux_binprm *bprm);
void apparmor_bprm_committing_creds(struct linux_binprm *bprm);
void apparmor_bprm_committed_creds(struct linux_binprm *bprm);
diff --git a/security/apparmor/include/file.h b/security/apparmor/include/file.h
index 38f821bf49b6..076ac4501d97 100644
--- a/security/apparmor/include/file.h
+++ b/security/apparmor/include/file.h
@@ -66,9 +66,6 @@ struct path;
#define AA_X_INHERIT 0x4000
#define AA_X_UNCONFINED 0x8000
-/* AA_SECURE_X_NEEDED - is passed in the bprm->unsafe field */
-#define AA_SECURE_X_NEEDED 0x8000
-
/* need to make conditional which ones are being set */
struct path_cond {
kuid_t uid;
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 8f3c0f7aca5a..291c7126350f 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -624,7 +624,6 @@ static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(bprm_set_creds, apparmor_bprm_set_creds),
LSM_HOOK_INIT(bprm_committing_creds, apparmor_bprm_committing_creds),
LSM_HOOK_INIT(bprm_committed_creds, apparmor_bprm_committed_creds),
- LSM_HOOK_INIT(bprm_secureexec, apparmor_bprm_secureexec),
LSM_HOOK_INIT(task_setrlimit, apparmor_task_setrlimit),
};
--
2.7.4
WARNING: multiple messages have this Message-ID (diff)
From: keescook@chromium.org (Kees Cook)
To: linux-security-module@vger.kernel.org
Subject: [PATCH v4 04/15] apparmor: Refactor to remove bprm_secureexec hook
Date: Mon, 31 Jul 2017 16:51:22 -0700 [thread overview]
Message-ID: <1501545093-56634-5-git-send-email-keescook@chromium.org> (raw)
In-Reply-To: <1501545093-56634-1-git-send-email-keescook@chromium.org>
The AppArmor bprm_secureexec hook can be merged with the bprm_set_creds
hook since it's dealing with the same information, and all of the details
are finalized during the first call to the bprm_set_creds hook via
prepare_binprm() (subsequent calls due to binfmt_script, etc, are ignored
via bprm->called_set_creds).
Here, all the comments describe how secureexec is actually calculated
during bprm_set_creds, so this actually does it, drops the bprm flag that
was being used internally by AppArmor, and drops the bprm_secureexec hook.
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: John Johansen <john.johansen@canonical.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
---
security/apparmor/domain.c | 22 +---------------------
security/apparmor/include/domain.h | 1 -
security/apparmor/include/file.h | 3 ---
security/apparmor/lsm.c | 1 -
4 files changed, 1 insertion(+), 26 deletions(-)
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 878407e023e3..1a1b1ec89d9d 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -485,14 +485,11 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
*
* Cases 2 and 3 are marked as requiring secure exec
* (unless policy specified "unsafe exec")
- *
- * bprm->unsafe is used to cache the AA_X_UNSAFE permission
- * to avoid having to recompute in secureexec
*/
if (!(perms.xindex & AA_X_UNSAFE)) {
AA_DEBUG("scrubbing environment variables for %s profile=%s\n",
name, new_profile->base.hname);
- bprm->unsafe |= AA_SECURE_X_NEEDED;
+ bprm->secureexec = 1;
}
apply:
/* when transitioning profiles clear unsafe personality bits */
@@ -521,23 +518,6 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
}
/**
- * apparmor_bprm_secureexec - determine if secureexec is needed
- * @bprm: binprm for exec (NOT NULL)
- *
- * Returns: %1 if secureexec is needed else %0
- */
-int apparmor_bprm_secureexec(struct linux_binprm *bprm)
-{
- /* the decision to use secure exec is computed in set_creds
- * and stored in bprm->unsafe.
- */
- if (bprm->unsafe & AA_SECURE_X_NEEDED)
- return 1;
-
- return 0;
-}
-
-/**
* apparmor_bprm_committing_creds - do task cleanup on committing new creds
* @bprm: binprm for the exec (NOT NULL)
*/
diff --git a/security/apparmor/include/domain.h b/security/apparmor/include/domain.h
index 30544729878a..2495af293587 100644
--- a/security/apparmor/include/domain.h
+++ b/security/apparmor/include/domain.h
@@ -24,7 +24,6 @@ struct aa_domain {
};
int apparmor_bprm_set_creds(struct linux_binprm *bprm);
-int apparmor_bprm_secureexec(struct linux_binprm *bprm);
void apparmor_bprm_committing_creds(struct linux_binprm *bprm);
void apparmor_bprm_committed_creds(struct linux_binprm *bprm);
diff --git a/security/apparmor/include/file.h b/security/apparmor/include/file.h
index 38f821bf49b6..076ac4501d97 100644
--- a/security/apparmor/include/file.h
+++ b/security/apparmor/include/file.h
@@ -66,9 +66,6 @@ struct path;
#define AA_X_INHERIT 0x4000
#define AA_X_UNCONFINED 0x8000
-/* AA_SECURE_X_NEEDED - is passed in the bprm->unsafe field */
-#define AA_SECURE_X_NEEDED 0x8000
-
/* need to make conditional which ones are being set */
struct path_cond {
kuid_t uid;
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 8f3c0f7aca5a..291c7126350f 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -624,7 +624,6 @@ static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(bprm_set_creds, apparmor_bprm_set_creds),
LSM_HOOK_INIT(bprm_committing_creds, apparmor_bprm_committing_creds),
LSM_HOOK_INIT(bprm_committed_creds, apparmor_bprm_committed_creds),
- LSM_HOOK_INIT(bprm_secureexec, apparmor_bprm_secureexec),
LSM_HOOK_INIT(task_setrlimit, apparmor_task_setrlimit),
};
--
2.7.4
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2017-07-31 23:55 UTC|newest]
Thread overview: 72+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-07-31 23:51 [PATCH v4 00/15] exec: Use sane stack rlimit under secureexec Kees Cook
2017-07-31 23:51 ` Kees Cook
2017-07-31 23:51 ` [PATCH v4 01/15] exec: Rename bprm->cred_prepared to called_set_creds Kees Cook
2017-07-31 23:51 ` Kees Cook
2017-07-31 23:51 ` [PATCH v4 02/15] exec: Correct comments about "point of no return" Kees Cook
2017-07-31 23:51 ` Kees Cook
2017-07-31 23:51 ` [PATCH v4 03/15] binfmt: Introduce secureexec flag Kees Cook
2017-07-31 23:51 ` Kees Cook
2017-08-01 0:23 ` Kees Cook
2017-08-01 0:23 ` Kees Cook
2017-08-01 0:44 ` James Morris
2017-08-01 0:44 ` James Morris
2017-07-31 23:51 ` Kees Cook [this message]
2017-07-31 23:51 ` [PATCH v4 04/15] apparmor: Refactor to remove bprm_secureexec hook Kees Cook
2017-07-31 23:51 ` [PATCH v4 05/15] selinux: " Kees Cook
2017-07-31 23:51 ` Kees Cook
2017-08-01 0:45 ` James Morris
2017-08-01 0:45 ` James Morris
2017-08-01 13:24 ` Andy Lutomirski
2017-08-01 13:24 ` Andy Lutomirski
2017-07-31 23:51 ` [PATCH v4 06/15] smack: " Kees Cook
2017-07-31 23:51 ` Kees Cook
2017-08-01 0:46 ` James Morris
2017-08-01 0:46 ` James Morris
2017-08-01 15:24 ` Casey Schaufler
2017-08-01 15:24 ` Casey Schaufler
2017-07-31 23:51 ` [PATCH v4 07/15] commoncap: " Kees Cook
2017-07-31 23:51 ` Kees Cook
2017-07-31 23:51 ` [PATCH v4 08/15] commoncap: Move cap_elevated calculation into bprm_set_creds Kees Cook
2017-07-31 23:51 ` Kees Cook
2017-08-01 13:46 ` Andy Lutomirski
2017-08-01 13:46 ` Andy Lutomirski
2017-07-31 23:51 ` [PATCH v4 09/15] LSM: drop bprm_secureexec hook Kees Cook
2017-07-31 23:51 ` Kees Cook
2017-07-31 23:51 ` [PATCH v4 10/15] exec: Use secureexec for setting dumpability Kees Cook
2017-07-31 23:51 ` Kees Cook
2017-08-01 0:48 ` James Morris
2017-08-01 0:48 ` James Morris
2017-07-31 23:51 ` [PATCH v4 11/15] exec: Use secureexec for clearing pdeath_signal Kees Cook
2017-07-31 23:51 ` Kees Cook
2017-08-01 0:50 ` James Morris
2017-08-01 0:50 ` James Morris
2017-07-31 23:51 ` [PATCH v4 12/15] smack: Remove redundant pdeath_signal clearing Kees Cook
2017-07-31 23:51 ` Kees Cook
2017-08-01 0:50 ` James Morris
2017-08-01 0:50 ` James Morris
2017-08-01 15:24 ` Casey Schaufler
2017-08-01 15:24 ` Casey Schaufler
2017-07-31 23:51 ` [PATCH v4 13/15] exec: Consolidate dumpability logic Kees Cook
2017-07-31 23:51 ` Kees Cook
2017-07-31 23:51 ` [PATCH v4 14/15] exec: Use sane stack rlimit under secureexec Kees Cook
2017-07-31 23:51 ` Kees Cook
2017-07-31 23:51 ` [PATCH v4 15/15] exec: Consolidate pdeath_signal clearing Kees Cook
2017-07-31 23:51 ` Kees Cook
2017-08-01 0:52 ` James Morris
2017-08-01 0:52 ` James Morris
2017-08-01 0:34 ` [PATCH v4 00/15] exec: Use sane stack rlimit under secureexec Kees Cook
2017-08-01 0:34 ` Kees Cook
2017-08-01 0:54 ` James Morris
2017-08-01 0:54 ` James Morris
2017-08-01 3:03 ` Kees Cook
2017-08-01 3:03 ` Kees Cook
2017-08-01 5:11 ` Linus Torvalds
2017-08-01 5:11 ` Linus Torvalds
2017-08-01 5:14 ` Linus Torvalds
2017-08-01 5:14 ` Linus Torvalds
2017-08-01 15:04 ` Kees Cook
2017-08-01 15:04 ` Kees Cook
2017-08-01 20:19 ` Linus Torvalds
2017-08-01 20:19 ` Linus Torvalds
2017-08-01 21:04 ` Kees Cook
2017-08-01 21:04 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1501545093-56634-5-git-send-email-keescook@chromium.org \
--to=keescook@chromium.org \
--cc=akpm@linux-foundation.org \
--cc=casey@schaufler-ca.com \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=james.l.morris@oracle.com \
--cc=john.johansen@canonical.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@kernel.org \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=sds@tycho.nsa.gov \
--cc=serge@hallyn.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.