From patchwork Mon Jul 31 23:51:28 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 9873397 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 5A99D6016C for ; Mon, 31 Jul 2017 23:55:32 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 4342E285ED for ; Mon, 31 Jul 2017 23:55:32 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 36BFB28604; Mon, 31 Jul 2017 23:55:32 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=2.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_HI,T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id BF0D8285ED for ; Mon, 31 Jul 2017 23:55:31 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751758AbdGaXyW (ORCPT ); Mon, 31 Jul 2017 19:54:22 -0400 Received: from mail-pg0-f44.google.com ([74.125.83.44]:37188 "EHLO mail-pg0-f44.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751799AbdGaXvw (ORCPT ); Mon, 31 Jul 2017 19:51:52 -0400 Received: by mail-pg0-f44.google.com with SMTP id y129so459341pgy.4 for ; Mon, 31 Jul 2017 16:51:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=LKIepbqrc4Q+xoCrdARuohDXRlRmIeXRcOGXfChIgQQ=; b=DfMejAQbiY/4NGpIvxGrk4hkuqzlPFvKlOluhw0kcK2yB141Lcvk4yLh91AdbJK8r0 HNgIlmve9xmnIDeUTX7O66Lt030kV0RcHSithnS0jfCjO+ZlULjvRFccyZJJu3fheyCN G2avrrXWj49mC8Pd+3hl/GH3F5vZ/+s8psatw= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=LKIepbqrc4Q+xoCrdARuohDXRlRmIeXRcOGXfChIgQQ=; b=rEm4je65n+I0aNT0QRSWFOVGGbfjtrXbhiVHgJrAll6xLOJLrWZvqm//J/F8wTMe/F KpHgVdcTqWh8KrS1mJRWkUxIbbswY/M238J9y+1Z1kPuWC/+Kabh/kYizDjHP7C0WwSs D9gOrlKlNkjM7Ad5Y2y6pJHS1vqYGXo9nYIlUfcNpR0xLeJIuzPD9bWkASV2q+aJAawe sO0UHX4KyblyPz38JQwMVm8MV7VRTOB58/eznjxeYsLh3y7HsT4NitpI5XLpSN1tchL0 3rjJpt4LXk0EhfhFTu9IgfTQSUOCYHaaFzK/uh9N7sL+jQQV+CGyQz3iiRxEbbsOP2sF vegw== X-Gm-Message-State: AIVw111L+q9NcvHT4J4li4vTPPX0Ciip5HRmiB1izSvbWNMd27kwgx9P 5NQrrPE+Q0qPm3xE X-Received: by 10.84.176.100 with SMTP id u91mr19751173plb.390.1501545111767; Mon, 31 Jul 2017 16:51:51 -0700 (PDT) Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133]) by smtp.gmail.com with ESMTPSA id v128sm47816429pgv.49.2017.07.31.16.51.46 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 31 Jul 2017 16:51:47 -0700 (PDT) From: Kees Cook To: Andrew Morton Cc: Kees Cook , David Howells , "Eric W. Biederman" , John Johansen , "Serge E. Hallyn" , Paul Moore , Stephen Smalley , Casey Schaufler , Tetsuo Handa , James Morris , Andy Lutomirski , Linus Torvalds , linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v4 10/15] exec: Use secureexec for setting dumpability Date: Mon, 31 Jul 2017 16:51:28 -0700 Message-Id: <1501545093-56634-11-git-send-email-keescook@chromium.org> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1501545093-56634-1-git-send-email-keescook@chromium.org> References: <1501545093-56634-1-git-send-email-keescook@chromium.org> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP The examination of "current" to decide dumpability is wrong. This was a check of and euid/uid (or egid/gid) mismatch in the existing process, not the newly created one. This appears to stretch back into even the "history.git" tree. Luckily, dumpability is later set in commit_creds(). In earlier kernel versions before creds existed, similar checks also existed late in the exec flow, covering up the mistake as far back as I could find. Note that because the commit_creds() check examines differences of euid, uid, egid, gid, and capabilities between the old and new creds, it would look like the setup_new_exec() dumpability test could be entirely removed. However, the secureexec test may cover a different set of tests (specific to the LSMs) than what commit_creds() checks for. So, fix this test to use secureexec (the removed euid tests are redundant to the commoncap secureexec checks now). Cc: David Howells Signed-off-by: Kees Cook Acked-by: Serge Hallyn Reviewed-by: James Morris --- fs/exec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/exec.c b/fs/exec.c index f0e8d25eba9f..f9997ea6414e 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1333,7 +1333,7 @@ void setup_new_exec(struct linux_binprm * bprm) current->sas_ss_sp = current->sas_ss_size = 0; - if (uid_eq(current_euid(), current_uid()) && gid_eq(current_egid(), current_gid())) + if (!bprm->secureexec) set_dumpable(current->mm, SUID_DUMP_USER); else set_dumpable(current->mm, suid_dumpable);