From patchwork Tue Jul 18 22:25:29 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 9849995 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 01272600CC for ; Tue, 18 Jul 2017 22:29:12 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id DF49128433 for ; Tue, 18 Jul 2017 22:29:11 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id D3D9D285B7; Tue, 18 Jul 2017 22:29:11 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=2.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_HI,T_DKIM_INVALID autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 30C4F28433 for ; Tue, 18 Jul 2017 22:29:11 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752739AbdGRW22 (ORCPT ); Tue, 18 Jul 2017 18:28:28 -0400 Received: from mail-pg0-f42.google.com ([74.125.83.42]:34616 "EHLO mail-pg0-f42.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751995AbdGRWZv (ORCPT ); Tue, 18 Jul 2017 18:25:51 -0400 Received: by mail-pg0-f42.google.com with SMTP id 123so19970005pgj.1 for ; Tue, 18 Jul 2017 15:25:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=PooSpzRcJQW9qL7smggFx0GtyE/clYpXzSapVzyIOcI=; b=g4YE7iPW+xJQHuR3YjbxB9cLDYzbK6j7DEHExuznL5GIZLynPa1TI6zI6fHWJnt9mM vRnkocAS5wfM6LUIl7/ypaCf2KahDAUr7h/2CabBZn7NhJTAiFCUEqN1OxHkEjFv8UJV 8ElYHYFFMqRRXymPsnhtwNfsXS5rgxRPBlQ5k= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=PooSpzRcJQW9qL7smggFx0GtyE/clYpXzSapVzyIOcI=; b=pyIO1KQPSCRovIRXJEseXYs7wrq4ldufqeVo/3oOhdNGpqhQJq+Eh2n1PVFzQItD4B Onf3I6fkFhbrko/3oRaVpS4KCwtgf4lDz9mUYBKpQ10N9r8YG3haiD8nFmKj91vVg0vk 28q0QxmWuC5XWXOCfpp40W9+ese5Hnnc2fgllsFKYi2mGiV8Plx5x8Uu9ahiaB1uPTgZ jSnIkkOQmui7DyanN5cE+eg/UkinfQXc909cSGCPFnbm1nSU0qy2snhSAPRi9UdLeLYG Tw6YqEVE+ydArpYPJLm4QsL4CTrfgOg17/dDEZbOi2othC9RlwHBM9OyJP70dvw1qz6F yY7g== X-Gm-Message-State: AIVw111UX12/BFu6xyW71uzjDwLQBrX6/3RaMmVOwtMnvTAjUXN+fNh+ S9EfRWAfwfsejSW3 X-Received: by 10.84.191.165 with SMTP id a34mr3898145pld.243.1500416751412; Tue, 18 Jul 2017 15:25:51 -0700 (PDT) Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133]) by smtp.gmail.com with ESMTPSA id d24sm7220119pfk.43.2017.07.18.15.25.45 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 18 Jul 2017 15:25:47 -0700 (PDT) From: Kees Cook To: Andrew Morton Cc: Kees Cook , James Morris , "Eric W . Biederman" , David Howells , John Johansen , "Serge E. Hallyn" , Paul Moore , Stephen Smalley , Casey Schaufler , Tetsuo Handa , Andy Lutomirski , Linus Torvalds , linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v3 08/15] LSM: drop bprm_secureexec hook Date: Tue, 18 Jul 2017 15:25:29 -0700 Message-Id: <1500416736-49829-9-git-send-email-keescook@chromium.org> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1500416736-49829-1-git-send-email-keescook@chromium.org> References: <1500416736-49829-1-git-send-email-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP This removes the bprm_secureexec hook since the logic has been folded into the bprm_set_creds hook for all LSMs now. Cc: James Morris Cc: Eric W. Biederman Signed-off-by: Kees Cook Reviewed-by: John Johansen Acked-by: James Morris --- fs/binfmt_elf.c | 1 - fs/binfmt_elf_fdpic.c | 1 - include/linux/lsm_hooks.h | 14 +++++--------- include/linux/security.h | 7 ------- security/security.c | 5 ----- 5 files changed, 5 insertions(+), 23 deletions(-) diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index 991e4de3515f..7f6ec4dac13d 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -254,7 +254,6 @@ create_elf_tables(struct linux_binprm *bprm, struct elfhdr *exec, NEW_AUX_ENT(AT_EUID, from_kuid_munged(cred->user_ns, cred->euid)); NEW_AUX_ENT(AT_GID, from_kgid_munged(cred->user_ns, cred->gid)); NEW_AUX_ENT(AT_EGID, from_kgid_munged(cred->user_ns, cred->egid)); - bprm->secureexec |= security_bprm_secureexec(bprm); NEW_AUX_ENT(AT_SECURE, bprm->secureexec); NEW_AUX_ENT(AT_RANDOM, (elf_addr_t)(unsigned long)u_rand_bytes); #ifdef ELF_HWCAP2 diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c index c88b35d4a6b3..5aa9199dfb13 100644 --- a/fs/binfmt_elf_fdpic.c +++ b/fs/binfmt_elf_fdpic.c @@ -650,7 +650,6 @@ static int create_elf_fdpic_tables(struct linux_binprm *bprm, NEW_AUX_ENT(AT_EUID, (elf_addr_t) from_kuid_munged(cred->user_ns, cred->euid)); NEW_AUX_ENT(AT_GID, (elf_addr_t) from_kgid_munged(cred->user_ns, cred->gid)); NEW_AUX_ENT(AT_EGID, (elf_addr_t) from_kgid_munged(cred->user_ns, cred->egid)); - bprm->secureexec |= security_bprm_secureexec(bprm); NEW_AUX_ENT(AT_SECURE, bprm->secureexec); NEW_AUX_ENT(AT_EXECFN, bprm->exec); diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 080f34e66017..2ddc1c7e8923 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -40,7 +40,11 @@ * interpreters. The hook can tell whether it has already been called by * checking to see if @bprm->security is non-NULL. If so, then the hook * may decide either to retain the security information saved earlier or - * to replace it. + * to replace it. The hook must set @bprm->secureexec to 1 if a "secure + * exec" has happened as a result of this hook call. The flag is used to + * indicate the need for a sanitized execution environment, and is also + * passed in the ELF auxiliary table on the initial stack to indicate + * whether libc should enable secure mode. * @bprm contains the linux_binprm structure. * Return 0 if the hook is successful and permission is granted. * @bprm_check_security: @@ -68,12 +72,6 @@ * linux_binprm structure. This hook is a good place to perform state * changes on the process such as clearing out non-inheritable signal * state. This is called immediately after commit_creds(). - * @bprm_secureexec: - * Return a boolean value (0 or 1) indicating whether a "secure exec" - * is required. The flag is passed in the auxiliary table - * on the initial stack to the ELF interpreter to indicate whether libc - * should enable secure mode. - * @bprm contains the linux_binprm structure. * * Security hooks for filesystem operations. * @@ -1368,7 +1366,6 @@ union security_list_options { int (*bprm_set_creds)(struct linux_binprm *bprm); int (*bprm_check_security)(struct linux_binprm *bprm); - int (*bprm_secureexec)(struct linux_binprm *bprm); void (*bprm_committing_creds)(struct linux_binprm *bprm); void (*bprm_committed_creds)(struct linux_binprm *bprm); @@ -1680,7 +1677,6 @@ struct security_hook_heads { struct list_head vm_enough_memory; struct list_head bprm_set_creds; struct list_head bprm_check_security; - struct list_head bprm_secureexec; struct list_head bprm_committing_creds; struct list_head bprm_committed_creds; struct list_head sb_alloc_security; diff --git a/include/linux/security.h b/include/linux/security.h index af675b576645..133c41bb666d 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -80,7 +80,6 @@ extern int cap_capset(struct cred *new, const struct cred *old, const kernel_cap_t *inheritable, const kernel_cap_t *permitted); extern int cap_bprm_set_creds(struct linux_binprm *bprm); -extern int cap_bprm_secureexec(struct linux_binprm *bprm); extern int cap_inode_setxattr(struct dentry *dentry, const char *name, const void *value, size_t size, int flags); extern int cap_inode_removexattr(struct dentry *dentry, const char *name); @@ -223,7 +222,6 @@ int security_bprm_set_creds(struct linux_binprm *bprm); int security_bprm_check(struct linux_binprm *bprm); void security_bprm_committing_creds(struct linux_binprm *bprm); void security_bprm_committed_creds(struct linux_binprm *bprm); -int security_bprm_secureexec(struct linux_binprm *bprm); int security_sb_alloc(struct super_block *sb); void security_sb_free(struct super_block *sb); int security_sb_copy_data(char *orig, char *copy); @@ -515,11 +513,6 @@ static inline void security_bprm_committed_creds(struct linux_binprm *bprm) { } -static inline int security_bprm_secureexec(struct linux_binprm *bprm) -{ - return cap_bprm_secureexec(bprm); -} - static inline int security_sb_alloc(struct super_block *sb) { return 0; diff --git a/security/security.c b/security/security.c index b9fea3999cf8..750b83186869 100644 --- a/security/security.c +++ b/security/security.c @@ -311,11 +311,6 @@ void security_bprm_committed_creds(struct linux_binprm *bprm) call_void_hook(bprm_committed_creds, bprm); } -int security_bprm_secureexec(struct linux_binprm *bprm) -{ - return call_int_hook(bprm_secureexec, 0, bprm); -} - int security_sb_alloc(struct super_block *sb) { return call_int_hook(sb_alloc_security, 0, sb);