From patchwork Tue Jul 18 22:25:22 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 9850009 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id E79A060392 for ; Tue, 18 Jul 2017 22:29:48 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D212828433 for ; Tue, 18 Jul 2017 22:29:48 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id C6FA8285B7; Tue, 18 Jul 2017 22:29:48 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.3 required=2.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_HI, RCVD_IN_SORBS_SPAM, T_DKIM_INVALID autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 6C41028433 for ; Tue, 18 Jul 2017 22:29:48 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752679AbdGRW3d (ORCPT ); Tue, 18 Jul 2017 18:29:33 -0400 Received: from mail-pf0-f170.google.com ([209.85.192.170]:35077 "EHLO mail-pf0-f170.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752549AbdGRWZr (ORCPT ); Tue, 18 Jul 2017 18:25:47 -0400 Received: by mail-pf0-f170.google.com with SMTP id e199so17688959pfh.2 for ; Tue, 18 Jul 2017 15:25:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=aAOAB8376/LFnCTHf4KwvjZO7RiYD+xyu5Ab0NZvjwU=; b=RTs3YuhftyxWTtSXAkM5j7L7hWd6RDwHkiBZLaH9K5eVVAx3h2KTXsELYCt/Gm8TZz UoZaPvhEZpmGTbIdwahu39bjTzDoXWsAsXxgkjRkqqgMGSJdpEVpiaL6qaYGoQ23w1P6 ffLf9+TdmqjGPnKd7EsjaL2VLBNiGUdyOSt44= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=aAOAB8376/LFnCTHf4KwvjZO7RiYD+xyu5Ab0NZvjwU=; b=JebiUNja4/11x0WXlfzvcP3SmSwOpiluR47EEgKzosW+4ucO4LkHff9ZTs0a1Svn89 4bjvnKBuXIwor2I6Kq2LQHBq8eOFsmcB0Uq3uE/+xPxMGnPjy8MN4+IVDBL9khQ/Vdol EyJyW7w5rRkc5Ka7M151F3Jq0EfIBsEi6MOTNlq3RIWaghp3G4Pu2eLq4T5fXFQbzVKG 0AQ+OwRrqw4MXBLVlxIi8RW4EOzb0Be6EoW1Q/4dREGG16q0YD0zlckk7wBs1NJqaj7y AzK1XMG6HS212Z54V/rLzBUV0vz6uvd8vwglOn7ok8zK3TjLpb6kXREeWv51a12CoYK3 FD6g== X-Gm-Message-State: AIVw112I3g5dWfsTRmxIsRcEKRp7jcPXwcEmN/EvR9zXNG9LKTFGdVfT GV0XHOj/tNLfWBw3 X-Received: by 10.84.232.70 with SMTP id f6mr3998808pln.169.1500416746662; Tue, 18 Jul 2017 15:25:46 -0700 (PDT) Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133]) by smtp.gmail.com with ESMTPSA id e124sm6973813pfc.76.2017.07.18.15.25.43 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 18 Jul 2017 15:25:43 -0700 (PDT) From: Kees Cook To: Andrew Morton Cc: Kees Cook , David Howells , "Eric W. Biederman" , John Johansen , "Serge E. Hallyn" , Paul Moore , Stephen Smalley , Casey Schaufler , Tetsuo Handa , James Morris , Andy Lutomirski , Linus Torvalds , linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v3 01/15] binfmt: Introduce secureexec flag Date: Tue, 18 Jul 2017 15:25:22 -0700 Message-Id: <1500416736-49829-2-git-send-email-keescook@chromium.org> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1500416736-49829-1-git-send-email-keescook@chromium.org> References: <1500416736-49829-1-git-send-email-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP The bprm_secureexec hook can be moved earlier. Right now, it is called during create_elf_tables(), via load_binary(), via search_binary_handler(), via exec_binprm(). Nearly all (see exception below) state used by bprm_secureexec is created during the bprm_set_creds hook, called from prepare_binprm(). For all LSMs (except commoncaps described next), only the first execution of bprm_set_creds takes any effect (they all check bprm->cred_prepared which prepare_binprm() sets after the first call to the bprm_set_creds hook). However, all these LSMs also only do anything with bprm_secureexec when they detected a secure state during their first run of bprm_set_creds. Therefore, it is functionally identical to move the detection into bprm_set_creds, since the results from secureexec here only need to be based on the first call to the LSM's bprm_set_creds hook. The single exception is that the commoncaps secureexec hook also examines euid/uid and egid/gid differences which are controlled by bprm_fill_uid(), via prepare_binprm(), which can be called multiple times (e.g. binfmt_script, binfmt_misc), and may clear the euid/egid for the final load (i.e. the script interpreter). However, while commoncaps specifically ignores bprm->cred_prepared, and runs its bprm_set_creds hook each time prepare_binprm() may get called, it needs to base the secureexec decision on the final call to bprm_set_creds. As a result, it will need special handling. To begin this refactoring, this adds the secureexec flag to the bprm struct, which will eventually be used in place of the LSM hook. Cc: David Howells Signed-off-by: Kees Cook Reviewed-by: John Johansen --- fs/binfmt_elf.c | 3 ++- fs/binfmt_elf_fdpic.c | 3 ++- include/linux/binfmts.h | 8 +++++++- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index 5075fd5c62c8..991e4de3515f 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -254,7 +254,8 @@ create_elf_tables(struct linux_binprm *bprm, struct elfhdr *exec, NEW_AUX_ENT(AT_EUID, from_kuid_munged(cred->user_ns, cred->euid)); NEW_AUX_ENT(AT_GID, from_kgid_munged(cred->user_ns, cred->gid)); NEW_AUX_ENT(AT_EGID, from_kgid_munged(cred->user_ns, cred->egid)); - NEW_AUX_ENT(AT_SECURE, security_bprm_secureexec(bprm)); + bprm->secureexec |= security_bprm_secureexec(bprm); + NEW_AUX_ENT(AT_SECURE, bprm->secureexec); NEW_AUX_ENT(AT_RANDOM, (elf_addr_t)(unsigned long)u_rand_bytes); #ifdef ELF_HWCAP2 NEW_AUX_ENT(AT_HWCAP2, ELF_HWCAP2); diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c index cf93a4fad012..c88b35d4a6b3 100644 --- a/fs/binfmt_elf_fdpic.c +++ b/fs/binfmt_elf_fdpic.c @@ -650,7 +650,8 @@ static int create_elf_fdpic_tables(struct linux_binprm *bprm, NEW_AUX_ENT(AT_EUID, (elf_addr_t) from_kuid_munged(cred->user_ns, cred->euid)); NEW_AUX_ENT(AT_GID, (elf_addr_t) from_kgid_munged(cred->user_ns, cred->gid)); NEW_AUX_ENT(AT_EGID, (elf_addr_t) from_kgid_munged(cred->user_ns, cred->egid)); - NEW_AUX_ENT(AT_SECURE, security_bprm_secureexec(bprm)); + bprm->secureexec |= security_bprm_secureexec(bprm); + NEW_AUX_ENT(AT_SECURE, bprm->secureexec); NEW_AUX_ENT(AT_EXECFN, bprm->exec); #ifdef ARCH_DLINFO diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h index 05488da3aee9..9508b5f83c7e 100644 --- a/include/linux/binfmts.h +++ b/include/linux/binfmts.h @@ -27,9 +27,15 @@ struct linux_binprm { unsigned int cred_prepared:1,/* true if creds already prepared (multiple * preps happen for interpreters) */ - cap_effective:1;/* true if has elevated effective capabilities, + cap_effective:1,/* true if has elevated effective capabilities, * false if not; except for init which inherits * its parent's caps anyway */ + /* + * Set by bprm_set_creds hook to indicate a privilege-gaining + * exec has happened. Used to sanitize execution environment + * and to set AT_SECURE auxv for glibc. + */ + secureexec:1; #ifdef __alpha__ unsigned int taso:1; #endif