From patchwork Tue Jul 18 22:25:32 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Kees Cook <keescook@chromium.org>
X-Patchwork-Id: 9849971
Return-Path: <linux-security-module-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	EB5A5600CC
	for <patchwork-linux-security-module@patchwork.kernel.org>;
	Tue, 18 Jul 2017 22:28:20 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D544428433
	for <patchwork-linux-security-module@patchwork.kernel.org>;
	Tue, 18 Jul 2017 22:28:20 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id CA39A285B7; Tue, 18 Jul 2017 22:28:20 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.3 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_HI, RCVD_IN_SORBS_SPAM,
	T_DKIM_INVALID autolearn=unavailable version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5190A28433
	for <patchwork-linux-security-module@patchwork.kernel.org>;
	Tue, 18 Jul 2017 22:28:20 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752814AbdGRW10 (ORCPT
	<rfc822;patchwork-linux-security-module@patchwork.kernel.org>);
	Tue, 18 Jul 2017 18:27:26 -0400
Received: from mail-pf0-f170.google.com ([209.85.192.170]:33140 "EHLO
	mail-pf0-f170.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752626AbdGRWZx (ORCPT
	<rfc822;linux-security-module@vger.kernel.org>);
	Tue, 18 Jul 2017 18:25:53 -0400
Received: by mail-pf0-f170.google.com with SMTP id s70so8661472pfs.0
	for <linux-security-module@vger.kernel.org>;
	Tue, 18 Jul 2017 15:25:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=chromium.org; s=google;
	h=from:to:cc:subject:date:message-id:in-reply-to:references;
	bh=tsCHOMo/qVvrzfiqQ1/yWn/IH2uIszfYcfm8Bh+FIBw=;
	b=bwgqrDyMSygO4UgVHx6Sqsd0YJ1wj2oXiWi32LVfgcCnbDPCSEUqbcL4f086J0yw25
	9Hnt1PsgK1L2+ethoqUt6oPucDO4qs64NqxJEgvbE+jrzj6Io4qhwbAiefD7AdMrGn8I
	3T7Wm1PIGJ2AR9xMBgSITOoi+SM3ZNgS87qj4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references;
	bh=tsCHOMo/qVvrzfiqQ1/yWn/IH2uIszfYcfm8Bh+FIBw=;
	b=cS98JFxgJ4jYbtGNymXAcIk27nzJGDc9XpRICAtUOU+Y3hVR17wZuMjdzLaYDRmXKI
	THL1kKGOGKm8fNlE3zBDWZXztHqQc1SdxsS95Sq2WCNIqcu+pmwhYHpY4ody6CGd0SE2
	AwYnaj+dz4bnVwXhuOmq+FlQnSogypUZMbh9J3hjljT7nFjSGQvA+Oi0GmmA4PruxRuU
	1htAy8qfqbIafICEUwmRa/rkonIjeGi6ajuh+Gu9uI1iBH7W23Q/Pz+QwuS+rpoVWtt6
	TC8x6HHXituj/SiA8Dro6xhejRJM+hHQyq7jQQIYFn87XyOgVrTwhqu0tLVYM+JCQmM+
	k44A==
X-Gm-Message-State: AIVw112Z8qOPIWXPzm1qTqKpu+clg4WoLpekxT4Nr3UzDCvbCJZZkQfE
	XApIgWePMU7bBD4u
X-Received: by 10.98.58.210 with SMTP id v79mr4008477pfj.162.1500416752916;
	Tue, 18 Jul 2017 15:25:52 -0700 (PDT)
Received: from www.outflux.net
	(173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133])
	by smtp.gmail.com with ESMTPSA id
	w7sm7022764pfw.25.2017.07.18.15.25.46
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Tue, 18 Jul 2017 15:25:47 -0700 (PDT)
From: Kees Cook <keescook@chromium.org>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Kees Cook <keescook@chromium.org>, David Howells <dhowells@redhat.com>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	John Johansen <john.johansen@canonical.com>,
	"Serge E. Hallyn" <serge@hallyn.com>, Paul Moore <paul@paul-moore.com>,
	Stephen Smalley <sds@tycho.nsa.gov>,
	Casey Schaufler <casey@schaufler-ca.com>,
	Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
	James Morris <james.l.morris@oracle.com>,
	Andy Lutomirski <luto@kernel.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	linux-fsdevel@vger.kernel.org,
	linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v3 11/15] exec: Use secureexec for clearing pdeath_signal
Date: Tue, 18 Jul 2017 15:25:32 -0700
Message-Id: <1500416736-49829-12-git-send-email-keescook@chromium.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1500416736-49829-1-git-send-email-keescook@chromium.org>
References: <1500416736-49829-1-git-send-email-keescook@chromium.org>
Sender: owner-linux-security-module@vger.kernel.org
Precedence: bulk
List-ID: <linux-security-module.vger.kernel.org>
X-Virus-Scanned: ClamAV using ClamSMTP

Like dumpability, clearing pdeath_signal happens both in setup_new_exec()
and later in commit_creds(). The test in setup_new_exec() is different
from all other privilege comparisons, though: it is checking the new cred
(bprm) uid vs the old cred (current) euid. This appears to be a bug,
introduced by commit a6f76f23d297 ("CRED: Make execve() take advantage of
copy-on-write credentials"):

-       if (bprm->e_uid != current_euid() ||
-           bprm->e_gid != current_egid()) {
-               set_dumpable(current->mm, suid_dumpable);
+       /* install the new credentials */
+       if (bprm->cred->uid != current_euid() ||
+           bprm->cred->gid != current_egid()) {

It was bprm euid vs current euid (and egids), but the effective got
dropped. Nothing in the exec flow changes bprm->cred->uid (nor gid).
The call traces are:

	prepare_bprm_creds()
	    prepare_exec_creds()
	        prepare_creds()
	            memcpy(new_creds, old_creds, ...)
	            security_prepare_creds() (unimplemented by commoncap)
	...
	prepare_binprm()
	    bprm_fill_uid()
	        resets euid/egid to current euid/egid
	        sets euid/egid on bprm based on set*id file bits
	    security_bprm_set_creds()
		cap_bprm_set_creds()
		        handle all caps-based manipulations

so this test is effectively a test of current_uid() vs current_euid(),
which is wrong, just like the prior dumpability tests were wrong.

The commit log says "Clear pdeath_signal and set dumpable on
certain circumstances that may not be covered by commit_creds()." This
may be meaning the earlier old euid vs new euid (and egid) test that
got changed.

Luckily, as with dumpability, this is all masked by commit_creds()
which performs old/new euid and egid tests and clears pdeath_signal.

And again, like dumpability, we should include LSM secureexec logic for
pdeath_signal clearing. For example, Smack goes out of its way to clear
pdeath_signal when it finds a secureexec condition.

Cc: David Howells <dhowells@redhat.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
---
 fs/exec.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/fs/exec.c b/fs/exec.c
index 5241c8f25f5d..81793a193d92 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1368,8 +1368,7 @@ void setup_new_exec(struct linux_binprm * bprm)
 	 */
 	current->mm->task_size = TASK_SIZE;
 
-	if (!uid_eq(bprm->cred->uid, current_euid()) ||
-	    !gid_eq(bprm->cred->gid, current_egid())) {
+	if (bprm->secureexec) {
 		current->pdeath_signal = 0;
 	} else {
 		if (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)