From patchwork Mon Jul 10 07:57:26 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 9832493 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 0EE8160363 for ; Mon, 10 Jul 2017 07:57:44 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 05BBB26E3A for ; Mon, 10 Jul 2017 07:57:44 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id EE7CC28426; Mon, 10 Jul 2017 07:57:43 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=2.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_HI,T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 6180426E3A for ; Mon, 10 Jul 2017 07:57:43 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753561AbdGJH5l (ORCPT ); Mon, 10 Jul 2017 03:57:41 -0400 Received: from mail-pf0-f174.google.com ([209.85.192.174]:33868 "EHLO mail-pf0-f174.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752454AbdGJH5k (ORCPT ); Mon, 10 Jul 2017 03:57:40 -0400 Received: by mail-pf0-f174.google.com with SMTP id q85so45941227pfq.1 for ; Mon, 10 Jul 2017 00:57:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=Jm2gkoaeyLh04Q8mnRdfAj1Ss5ccZkgFxSNZunWpHlU=; b=ScqRgguFLG46EBOH3cVgd6W93gFKginC8D6ijHYXqKEFt77GJJ4A+8uVVCdyYhvnc4 IqhnBZQDCBxt/MiSZlufF0t5nIq+uoMncvY4MKv45Fvf7dzStoES06INwBmnrJeo+E+c CWvUCfIIwEIj4FO8sew/4AadvdqZb5MbmPFUw= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=Jm2gkoaeyLh04Q8mnRdfAj1Ss5ccZkgFxSNZunWpHlU=; b=FxY4/lJDU9OT317imDqO0c7LXJJAjqnGfllyQKXUZy0jtSww4fGfG0aXU4ctBA1N/9 D6obsrAX+CrM2+rX+yBPf89K1MvShFzvJsD1BXMOa87Ng3FDGOE8pRwIB5I/Do7fjAMz QkpWrTrN147bvoNWHHzxTFLFtBtbAKAgQDCoNXV41sWAb1jWDYbgkOPnsiM3doNqBISu EtCGt5GLp0oPLVM3bAoGQ1WkvvW5mvGqJ3zkDIehIuirkX5oioOtQjOxfR0cJTwoNF5l W3F06h7wBXPrw7dLGu7/W3Blz6WxfNsJOTe19MDmkXw3Go0uC1Oq303pTf12ChjS0hAI HZPw== X-Gm-Message-State: AIVw11385yO3wxNd1PC6PZPc1LKLw18t6A1pCCyIveV2IaHYV3zA4guv UN8lyxc0nGNhn8o6 X-Received: by 10.99.2.81 with SMTP id 78mr13360332pgc.33.1499673459259; Mon, 10 Jul 2017 00:57:39 -0700 (PDT) Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133]) by smtp.gmail.com with ESMTPSA id r62sm21028589pfb.39.2017.07.10.00.57.37 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 10 Jul 2017 00:57:37 -0700 (PDT) From: Kees Cook To: Linus Torvalds Cc: Kees Cook , Andy Lutomirski , David Howells , Serge Hallyn , John Johansen , Casey Schaufler , "Eric W. Biederman" , Alexander Viro , Michal Hocko , Ben Hutchings , Hugh Dickins , Oleg Nesterov , "Jason A. Donenfeld" , Rik van Riel , James Morris , Greg Ungerer , Ingo Molnar , Nicolas Pitre , Stephen Smalley , Paul Moore , Vivek Goyal , =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= , Tetsuo Handa , linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov Subject: [PATCH v2 3/8] exec: Use secureexec for setting dumpability Date: Mon, 10 Jul 2017 00:57:26 -0700 Message-Id: <1499673451-66160-4-git-send-email-keescook@chromium.org> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1499673451-66160-1-git-send-email-keescook@chromium.org> References: <1499673451-66160-1-git-send-email-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP The examination of "current" to decide dumpability is wrong. This was a check of and euid/uid (or egid/gid) mismatch in the existing process, not the newly created one. This appears to stretch back into even the "history.git" tree. Luckily, dumpability is later set in commit_creds(). In earlier kernel versions before creds existed, similar checks also existed late in the exec flow, covering up the mistake as far back as I could find. The commit_creds() check examines differences of euid, uid, egid, gid, and capabilities between the old and new creds. It would look like the setup_new_exec() dumpability test could be entirely removed, but strictly speaking, the secureexec test covers a different set of tests than what commit_creds() checks for. So, fix this test to use secureexec, which includes the same logical check (euid != uid || egid != gid), but checks bprm->cred, not current->cred. One would wonder if we need a security_commit_creds() LSM hook and to move the existing checks in commit_creds() into commoncaps.c, which would allow expanding the logic to all LSMs. Currently this doesn't seem needed, though. Signed-off-by: Kees Cook --- fs/exec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/exec.c b/fs/exec.c index b92e37fb53aa..3e519d4f0bd3 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1346,7 +1346,7 @@ void setup_new_exec(struct linux_binprm * bprm) current->sas_ss_sp = current->sas_ss_size = 0; - if (uid_eq(current_euid(), current_uid()) && gid_eq(current_egid(), current_gid())) + if (!bprm->secureexec) set_dumpable(current->mm, SUID_DUMP_USER); else set_dumpable(current->mm, suid_dumpable);