From patchwork Mon Jul 10 07:57:25 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 9832539 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 67BBD60318 for ; Mon, 10 Jul 2017 08:00:12 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5BF0926E3A for ; Mon, 10 Jul 2017 08:00:12 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 504EB2842E; Mon, 10 Jul 2017 08:00:12 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=2.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_HI,T_DKIM_INVALID autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id AEFC127861 for ; Mon, 10 Jul 2017 08:00:11 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753807AbdGJIAD (ORCPT ); Mon, 10 Jul 2017 04:00:03 -0400 Received: from mail-pf0-f177.google.com ([209.85.192.177]:35517 "EHLO mail-pf0-f177.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753557AbdGJH5m (ORCPT ); Mon, 10 Jul 2017 03:57:42 -0400 Received: by mail-pf0-f177.google.com with SMTP id c73so45965951pfk.2 for ; Mon, 10 Jul 2017 00:57:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=6ZH1HQ6WT81G5qxK5uh+XDzniZpEGHbBE+ouSTYPZQ8=; b=oXU4qlkOlEHJr5KDxeysIFc5bYKs9Rgd8kwEsoEosn3xObx0QwKk01isx1+mECH3zO nDDbXpx28UpQ/NaKkitbV75lzV5APIok0rbKJDkwbOy0v0/9TU3DXWGtFak1ucsnaZJl NmjBB2w0OP956XgygT9weW7OatVFztDfBeg8Q= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=6ZH1HQ6WT81G5qxK5uh+XDzniZpEGHbBE+ouSTYPZQ8=; b=I4m/OjxTf0NLDGsiNVUqogh5WiEgGX0JORICrV0Ghs40c/AMRoh1VIP739eZ02qE9B prKYCyxckjNFTZ6+Zo4Z0b2nLfZja2iRtRt8p3qibx5P0WD0e+WE5YR+7AcV8rFtCWfj H1jhcNf+RFso/vsR9s1n5cxDBLGJZU7a8K97a3DYKrTqIOCwsEyP04W0mubNHxQFFlfv xO5WM7th9Dvd1bf8Dzkuvs2OhNV3XqsiYkWVSL0SAv1oewahCpoFpPgwFPqrgwRTLVPc /inKfpffnK2eMClAhBFqFqiYdTQuPb9j7fd2Xqy0eLbN1SSc6sCfhW+k+9rVvHHB/WYT EbJw== X-Gm-Message-State: AIVw112NltkIq6JqjVmARXh0DXwoKV3eY/QejHy+oYDjvhEhsDGEEMzy 8wDI6o9LDijoXQEd X-Received: by 10.98.44.205 with SMTP id s196mr28941288pfs.168.1499673461951; Mon, 10 Jul 2017 00:57:41 -0700 (PDT) Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133]) by smtp.gmail.com with ESMTPSA id r9sm25932331pfi.114.2017.07.10.00.57.37 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 10 Jul 2017 00:57:37 -0700 (PDT) From: Kees Cook To: Linus Torvalds Cc: Kees Cook , Andy Lutomirski , David Howells , Serge Hallyn , John Johansen , Casey Schaufler , "Eric W. Biederman" , Alexander Viro , Michal Hocko , Ben Hutchings , Hugh Dickins , Oleg Nesterov , "Jason A. Donenfeld" , Rik van Riel , James Morris , Greg Ungerer , Ingo Molnar , Nicolas Pitre , Stephen Smalley , Paul Moore , Vivek Goyal , =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= , Tetsuo Handa , linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov Subject: [PATCH v2 2/8] exec: Move security_bprm_secureexec() earlier Date: Mon, 10 Jul 2017 00:57:25 -0700 Message-Id: <1499673451-66160-3-git-send-email-keescook@chromium.org> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1499673451-66160-1-git-send-email-keescook@chromium.org> References: <1499673451-66160-1-git-send-email-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP There are several places where exec needs to know if a privilege-gain has happened. These should be using the results of security_bprm_secureexec() but it is getting (needlessly) called very late. Instead, move this earlier in the exec code, to the start of the point of no return in setup_new_exec(). Here, the new creds have already been calculated (and stored in bprm->cred), which is normally what security_bprm_secureexec() wants to examine. Since it's moved earlier, LSMs hooking bprm_secureexec() need to be adjusted to use the creds in bprm: $ git grep LSM_HOOK_INIT.*bprm_secureexec apparmor/lsm.c: LSM_HOOK_INIT(bprm_secureexec, apparmor_bprm_secureexec), commoncap.c: LSM_HOOK_INIT(bprm_secureexec, cap_bprm_secureexec), selinux/hooks.c: LSM_HOOK_INIT(bprm_secureexec, selinux_bprm_secureexec), smack/smack_lsm.c: LSM_HOOK_INIT(bprm_secureexec, smack_bprm_secureexec), AppArmor does not access creds in apparmor_bprm_secureexec. Capabilities needed to be adjusted to use bprm creds. SELinux needed to be adjusted to use bprm creds for the security structure. Smack needed to be adjusted to use bprm creds for the security structure. The result of the bprm_secureexec() hook is saved in a new bprm field "secureexec" so it can be queried later (just AT_SECURE currently). Signed-off-by: Kees Cook --- fs/binfmt_elf.c | 2 +- fs/binfmt_elf_fdpic.c | 2 +- fs/exec.c | 5 +++++ include/linux/binfmts.h | 3 ++- include/linux/lsm_hooks.h | 3 ++- security/commoncap.c | 4 +--- security/selinux/hooks.c | 2 +- security/smack/smack_lsm.c | 2 +- 8 files changed, 14 insertions(+), 9 deletions(-) diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index 5075fd5c62c8..7f6ec4dac13d 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -254,7 +254,7 @@ create_elf_tables(struct linux_binprm *bprm, struct elfhdr *exec, NEW_AUX_ENT(AT_EUID, from_kuid_munged(cred->user_ns, cred->euid)); NEW_AUX_ENT(AT_GID, from_kgid_munged(cred->user_ns, cred->gid)); NEW_AUX_ENT(AT_EGID, from_kgid_munged(cred->user_ns, cred->egid)); - NEW_AUX_ENT(AT_SECURE, security_bprm_secureexec(bprm)); + NEW_AUX_ENT(AT_SECURE, bprm->secureexec); NEW_AUX_ENT(AT_RANDOM, (elf_addr_t)(unsigned long)u_rand_bytes); #ifdef ELF_HWCAP2 NEW_AUX_ENT(AT_HWCAP2, ELF_HWCAP2); diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c index cf93a4fad012..5aa9199dfb13 100644 --- a/fs/binfmt_elf_fdpic.c +++ b/fs/binfmt_elf_fdpic.c @@ -650,7 +650,7 @@ static int create_elf_fdpic_tables(struct linux_binprm *bprm, NEW_AUX_ENT(AT_EUID, (elf_addr_t) from_kuid_munged(cred->user_ns, cred->euid)); NEW_AUX_ENT(AT_GID, (elf_addr_t) from_kgid_munged(cred->user_ns, cred->gid)); NEW_AUX_ENT(AT_EGID, (elf_addr_t) from_kgid_munged(cred->user_ns, cred->egid)); - NEW_AUX_ENT(AT_SECURE, security_bprm_secureexec(bprm)); + NEW_AUX_ENT(AT_SECURE, bprm->secureexec); NEW_AUX_ENT(AT_EXECFN, bprm->exec); #ifdef ARCH_DLINFO diff --git a/fs/exec.c b/fs/exec.c index 7842ae661e34..b92e37fb53aa 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1337,6 +1337,11 @@ EXPORT_SYMBOL(would_dump); void setup_new_exec(struct linux_binprm * bprm) { + if (security_bprm_secureexec(bprm)) { + /* Record for AT_SECURE. */ + bprm->secureexec = 1; + } + arch_pick_mmap_layout(current->mm); current->sas_ss_sp = current->sas_ss_size = 0; diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h index 05488da3aee9..1afaa303cad0 100644 --- a/include/linux/binfmts.h +++ b/include/linux/binfmts.h @@ -27,9 +27,10 @@ struct linux_binprm { unsigned int cred_prepared:1,/* true if creds already prepared (multiple * preps happen for interpreters) */ - cap_effective:1;/* true if has elevated effective capabilities, + cap_effective:1,/* true if has elevated effective capabilities, * false if not; except for init which inherits * its parent's caps anyway */ + secureexec:1; /* true when gaining privileges */ #ifdef __alpha__ unsigned int taso:1; #endif diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 080f34e66017..d1bd24fb4a33 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -72,7 +72,8 @@ * Return a boolean value (0 or 1) indicating whether a "secure exec" * is required. The flag is passed in the auxiliary table * on the initial stack to the ELF interpreter to indicate whether libc - * should enable secure mode. + * should enable secure mode. Called before bprm_committing_creds(), + * so pending credentials are in @bprm->cred. * @bprm contains the linux_binprm structure. * * Security hooks for filesystem operations. diff --git a/security/commoncap.c b/security/commoncap.c index 7abebd782d5e..482d3aac2fc6 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -624,12 +624,10 @@ int cap_bprm_set_creds(struct linux_binprm *bprm) * Determine whether a secure execution is required, return 1 if it is, and 0 * if it is not. * - * The credentials have been committed by this point, and so are no longer - * available through @bprm->cred. */ int cap_bprm_secureexec(struct linux_binprm *bprm) { - const struct cred *cred = current_cred(); + const struct cred *cred = bprm->cred; kuid_t root_uid = make_kuid(cred->user_ns, 0); if (!uid_eq(cred->uid, root_uid)) { diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 819fd6858b49..9381c8474cf4 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2420,7 +2420,7 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm) static int selinux_bprm_secureexec(struct linux_binprm *bprm) { - const struct task_security_struct *tsec = current_security(); + const struct task_security_struct *tsec = bprm->cred->security; u32 sid, osid; int atsecure = 0; diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 658f5d8c7e76..13cf9e66d5fe 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -975,7 +975,7 @@ static void smack_bprm_committing_creds(struct linux_binprm *bprm) */ static int smack_bprm_secureexec(struct linux_binprm *bprm) { - struct task_smack *tsp = current_security(); + struct task_smack *tsp = bprm->cred->security; if (tsp->smk_task != tsp->smk_forked) return 1;