From patchwork Tue Jul 18 22:25:31 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Kees Cook <keescook@chromium.org>
X-Patchwork-Id: 9849927
Return-Path: <linux-security-module-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	B6D9A600CC
	for <patchwork-linux-security-module@patchwork.kernel.org>;
	Tue, 18 Jul 2017 22:26:14 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A0AAE28433
	for <patchwork-linux-security-module@patchwork.kernel.org>;
	Tue, 18 Jul 2017 22:26:14 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 951C7285B7; Tue, 18 Jul 2017 22:26:14 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.8 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_HI,T_DKIM_INVALID autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 45B2228433
	for <patchwork-linux-security-module@patchwork.kernel.org>;
	Tue, 18 Jul 2017 22:26:14 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752648AbdGRWZ6 (ORCPT
	<rfc822;patchwork-linux-security-module@patchwork.kernel.org>);
	Tue, 18 Jul 2017 18:25:58 -0400
Received: from mail-pg0-f52.google.com ([74.125.83.52]:34611 "EHLO
	mail-pg0-f52.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752379AbdGRWZv (ORCPT
	<rfc822;linux-security-module@vger.kernel.org>);
	Tue, 18 Jul 2017 18:25:51 -0400
Received: by mail-pg0-f52.google.com with SMTP id 123so19969805pgj.1
	for <linux-security-module@vger.kernel.org>;
	Tue, 18 Jul 2017 15:25:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=chromium.org; s=google;
	h=from:to:cc:subject:date:message-id:in-reply-to:references;
	bh=7wuiZt3eETHZ7KpcppzkWolgICsVjWb7hU+GYvEV9OQ=;
	b=lqzTAQEr5uwrYNKnCiWFUYFScZiHOVweb1F2i34pzMVXE0O8zruCcpfzDuLekiY5Vc
	DSgm5A43mSCmAn2KfTL3MVYqyb0Eb8BW5q3VeIDX9SnSBZiEGpQrCEfbWzpaZS5/H/T4
	Dxc0o+PtKCsZ/MFl5Qe8kV4d+QtXuSWbERmOk=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references;
	bh=7wuiZt3eETHZ7KpcppzkWolgICsVjWb7hU+GYvEV9OQ=;
	b=JMRFFYduoBeDzsY2C7+oOCmJXhCaiDCYtu90T2BGZjK7W3vc6Tf9NB12TM0INJt62V
	M7s01D60CGOWLKxBdiDqWWr+Dl+dpUhyeGlQ48i23hzA06UanXCUfasjImG/nPXM4W0K
	aoTc5NgDJWIUGXSKJOOoGHnxIOVBIN0/w6n2Z8dunlfV9L9WVcNGAW2IJ0/pkgWONiFh
	BNWi1xatyMBZNNwxcmoLL2fdUO8gNAIYNKjRmLEl/g1akVk4RbYDs3aQWUKE7rhSkElk
	gjGGujRftUzvX25fYvNBg+FUxAQfOth+AVgKM/mTEBEGsZ5Pu5YJgLYRrfG0TlehXr0l
	AYQA==
X-Gm-Message-State: AIVw112kof28EZbnbn9ysUEKRIytmHPuZBiasjM1LRwtzyT14tPl9ICE
	BuwviwKS+aqVsX/J
X-Received: by 10.98.63.83 with SMTP id m80mr3857852pfa.161.1500416750619;
	Tue, 18 Jul 2017 15:25:50 -0700 (PDT)
Received: from www.outflux.net
	(173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133])
	by smtp.gmail.com with ESMTPSA id
	e11sm5338392pgn.23.2017.07.18.15.25.46
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Tue, 18 Jul 2017 15:25:47 -0700 (PDT)
From: Kees Cook <keescook@chromium.org>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Kees Cook <keescook@chromium.org>, David Howells <dhowells@redhat.com>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	John Johansen <john.johansen@canonical.com>,
	"Serge E. Hallyn" <serge@hallyn.com>, Paul Moore <paul@paul-moore.com>,
	Stephen Smalley <sds@tycho.nsa.gov>,
	Casey Schaufler <casey@schaufler-ca.com>,
	Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
	James Morris <james.l.morris@oracle.com>,
	Andy Lutomirski <luto@kernel.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	linux-fsdevel@vger.kernel.org,
	linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v3 10/15] exec: Use secureexec for setting dumpability
Date: Tue, 18 Jul 2017 15:25:31 -0700
Message-Id: <1500416736-49829-11-git-send-email-keescook@chromium.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1500416736-49829-1-git-send-email-keescook@chromium.org>
References: <1500416736-49829-1-git-send-email-keescook@chromium.org>
Sender: owner-linux-security-module@vger.kernel.org
Precedence: bulk
List-ID: <linux-security-module.vger.kernel.org>
X-Virus-Scanned: ClamAV using ClamSMTP

The examination of "current" to decide dumpability is wrong. This was a
check of and euid/uid (or egid/gid) mismatch in the existing process,
not the newly created one. This appears to stretch back into even the
"history.git" tree. Luckily, dumpability is later set in commit_creds().
In earlier kernel versions before creds existed, similar checks also
existed late in the exec flow, covering up the mistake as far back as I
could find.

Note that because the commit_creds() check examines differences of euid,
uid, egid, gid, and capabilities between the old and new creds, it would
look like the setup_new_exec() dumpability test could be entirely removed.
However, the secureexec test may cover a different set of tests (specific
to the LSMs) than what commit_creds() checks for. So, fix this test to
use secureexec (the removed euid tests are redundant to the commoncap
secureexec checks now).

Cc: David Howells <dhowells@redhat.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
---
 fs/exec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/exec.c b/fs/exec.c
index f9480d3e0b82..5241c8f25f5d 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1353,7 +1353,7 @@ void setup_new_exec(struct linux_binprm * bprm)
 
 	current->sas_ss_sp = current->sas_ss_size = 0;
 
-	if (uid_eq(current_euid(), current_uid()) && gid_eq(current_egid(), current_gid()))
+	if (!bprm->secureexec)
 		set_dumpable(current->mm, SUID_DUMP_USER);
 	else
 		set_dumpable(current->mm, suid_dumpable);