Commit 112b7147 authored by Eric W. Biederman's avatar Eric W. Biederman
Browse files

exec: Convert security_bprm_set_creds into security_bprm_repopulate_creds 

Rename bprm->cap_elevated to bprm->active_secureexec and initialize it
in prepare_binprm instead of in cap_bprm_set_creds.  Initializing
bprm->active_secureexec in prepare_binprm allows multiple
implementations of security_bprm_repopulate_creds to play nicely with
each other.

Rename security_bprm_set_creds to security_bprm_reopulate_creds to
emphasize that this path recomputes part of bprm->cred.  This
recomputation avoids the time of check vs time of use problems that
are inherent in unix #! interpreters.

In short two renames and a move in the location of initializing
bprm->active_secureexec.

Link: https://lkml.kernel.org/r/87o8qkzrxp.fsf_-_@x220.int.ebiederm.org


Acked-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
Reviewed-by: default avatarKees Cook <keescook@chromium.org>
Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
parent b8bff599

fs/exec.c

+4 −4
Original line number Diff line number Diff line
@@ -1366,7 +1366,7 @@ int begin_new_exec(struct linux_binprm * bprm) 
	 * the final state of setuid/setgid/fscaps can be merged into the

	 * secureexec flag.

	 */

	bprm->secureexec |= bprm->cap_elevated;

	bprm->secureexec |= bprm->active_secureexec;



	if (bprm->secureexec) {

		/* Make sure parent cannot signal privileged process. */
@@ -1634,10 +1634,10 @@ int prepare_binprm(struct linux_binprm *bprm) 
	int retval;

	loff_t pos = 0;



	/* Recompute parts of bprm->cred based on bprm->file */

	bprm->active_secureexec = 0;

	bprm_fill_uid(bprm);



	/* fill in binprm security blob */

	retval = security_bprm_set_creds(bprm);

	retval = security_bprm_repopulate_creds(bprm);

	if (retval)

		return retval;

include/linux/binfmts.h

+2 −2
Original line number Diff line number Diff line
@@ -27,10 +27,10 @@ struct linux_binprm { 
	unsigned long argmin; /* rlimit marker for copy_strings() */

	unsigned int

		/*

		 * True if most recent call to cap_bprm_set_creds

		 * True if most recent call to security_bprm_set_creds

		 * resulted in elevated privileges.

		 */

		cap_elevated:1,

		active_secureexec:1,

		/*

		 * Set by bprm_creds_for_exec hook to indicate a

		 * privilege-gaining exec has happened. Used to set

include/linux/lsm_hook_defs.h

+1 −1
Original line number Diff line number Diff line
@@ -50,7 +50,7 @@ LSM_HOOK(int, 0, settime, const struct timespec64 *ts, 
	 const struct timezone *tz)

LSM_HOOK(int, 0, vm_enough_memory, struct mm_struct *mm, long pages)

LSM_HOOK(int, 0, bprm_creds_for_exec, struct linux_binprm *bprm)

LSM_HOOK(int, 0, bprm_set_creds, struct linux_binprm *bprm)

LSM_HOOK(int, 0, bprm_repopulate_creds, struct linux_binprm *bprm)

LSM_HOOK(int, 0, bprm_check_security, struct linux_binprm *bprm)

LSM_HOOK(void, LSM_RET_VOID, bprm_committing_creds, struct linux_binprm *bprm)

LSM_HOOK(void, LSM_RET_VOID, bprm_committed_creds, struct linux_binprm *bprm)

include/linux/lsm_hooks.h

+2 −2
Original line number Diff line number Diff line
@@ -44,7 +44,7 @@ 
 *	request libc enable secure mode.

 *	@bprm contains the linux_binprm structure.

 *	Return 0 if the hook is successful and permission is granted.

 * @bprm_set_creds:

 * @bprm_repopulate_creds:

 *	Assuming that the relevant bits of @bprm->cred->security have been

 *	previously set, examine @bprm->file and regenerate them.  This is

 *	so that the credentials derived from the interpreter the code is
@@ -53,7 +53,7 @@ 
 *	reopen script, and may end up opening something completely different.

 *	This hook may also optionally check permissions (e.g. for

 *	transitions between security domains).

 *	The hook must set @bprm->cap_elevated to 1 if AT_SECURE should be set to

 *	The hook must set @bprm->active_secureexec to 1 if AT_SECURE should be set to

 *	request libc enable secure mode.

 *	@bprm contains the linux_binprm structure.

 *	Return 0 if the hook is successful and permission is granted.

include/linux/security.h

+4 −4
Original line number Diff line number Diff line
@@ -140,7 +140,7 @@ extern int cap_capset(struct cred *new, const struct cred *old, 
		      const kernel_cap_t *effective,

		      const kernel_cap_t *inheritable,

		      const kernel_cap_t *permitted);

extern int cap_bprm_set_creds(struct linux_binprm *bprm);

extern int cap_bprm_repopulate_creds(struct linux_binprm *bprm);

extern int cap_inode_setxattr(struct dentry *dentry, const char *name,

			      const void *value, size_t size, int flags);

extern int cap_inode_removexattr(struct dentry *dentry, const char *name);
@@ -277,7 +277,7 @@ int security_syslog(int type); 
int security_settime64(const struct timespec64 *ts, const struct timezone *tz);

int security_vm_enough_memory_mm(struct mm_struct *mm, long pages);

int security_bprm_creds_for_exec(struct linux_binprm *bprm);

int security_bprm_set_creds(struct linux_binprm *bprm);

int security_bprm_repopulate_creds(struct linux_binprm *bprm);

int security_bprm_check(struct linux_binprm *bprm);

void security_bprm_committing_creds(struct linux_binprm *bprm);

void security_bprm_committed_creds(struct linux_binprm *bprm);
@@ -575,9 +575,9 @@ static inline int security_bprm_creds_for_exec(struct linux_binprm *bprm) 
	return 0;

}



static inline int security_bprm_set_creds(struct linux_binprm *bprm)

static inline int security_bprm_repopulate_creds(struct linux_binprm *bprm)

{

	return cap_bprm_set_creds(bprm);

	return cap_bprm_repopulate_creds(bprm);

}



static inline int security_bprm_check(struct linux_binprm *bprm)

CRA Git | Maintained and supported by SUSTech CRA and CCSE