From patchwork Tue Aug 1 19:16:27 2017
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 9875347
From: Kees Cook
To: linux-kernel@vger.kernel.org
Cc: Kees Cook, Linus Torvalds, Andrew Morton, James Morris, "Serge E. Hallyn", Andy Lutomirski, "Eric W. Biederman", John Johansen, Paul Moore, Casey Schaufler, Stephen Smalley, Tetsuo Handa, David Howells, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v5 04/15] apparmor: Refactor to remove bprm_secureexec hook
Date: Tue, 1 Aug 2017 12:16:27 -0700
Message-Id: <1501614998-62619-5-git-send-email-keescook@chromium.org>
In-Reply-To: <1501614998-62619-1-git-send-email-keescook@chromium.org>

The AppArmor bprm_secureexec hook can be merged with the bprm_set_creds
hook since it's dealing with the same information, and all of the details
are finalized during the first call to the bprm_set_creds hook via
prepare_binprm() (subsequent calls due to binfmt_script, etc, are ignored
via bprm->called_set_creds).

Here, all the comments describe how secureexec is actually calculated
during bprm_set_creds, so this actually does it, drops the bprm flag that
was being used internally by AppArmor, and drops the bprm_secureexec hook.

Signed-off-by: Kees Cook
Acked-by: John Johansen
Reviewed-by: James Morris
Acked-by: Serge Hallyn
---
 security/apparmor/domain.c         | 19 +------------------
 security/apparmor/include/domain.h |  1 -
 security/apparmor/include/file.h   |  3 ---
 security/apparmor/lsm.c            |  1 -
 4 files changed, 1 insertion(+), 23 deletions(-)

diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c index 67ec52cfc523..17a601c67b62 100644 --- a/security/apparmor/domain.c +++ b/security/apparmor/domain.c 
@@ -807,7 +807,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm) aa_label_printk(new, GFP_ATOMIC); dbg_printk("\n"); } - bprm->unsafe |= AA_SECURE_X_NEEDED; + bprm->secureexec = 1; } if (label->proxy != new->proxy) { @@ -843,23 +843,6 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm) goto done; } -/** - * apparmor_bprm_secureexec - determine if secureexec is needed - * @bprm: binprm for exec (NOT NULL) - * - * Returns: %1 if secureexec is needed else %0 - */ -int apparmor_bprm_secureexec(struct linux_binprm *bprm) -{ - /* the decision to use secure exec is computed in set_creds - * and stored in bprm->unsafe. - */ - if (bprm->unsafe & AA_SECURE_X_NEEDED) - return 1; - - return 0; -} - /* * Functions for self directed profile change */ diff --git a/security/apparmor/include/domain.h b/security/apparmor/include/domain.h index bab5810b6e9a..24c5976d6143 100644 --- a/security/apparmor/include/domain.h +++ b/security/apparmor/include/domain.h @@ -30,7 +30,6 @@ struct aa_domain { #define AA_CHANGE_STACK 8 int apparmor_bprm_set_creds(struct linux_binprm *bprm); -int apparmor_bprm_secureexec(struct linux_binprm *bprm); void aa_free_domain_entries(struct aa_domain *domain); int aa_change_hat(const char *hats[], int count, u64 token, int flags); diff --git a/security/apparmor/include/file.h b/security/apparmor/include/file.h index 001e40073ff9..4c2c8ac8842f 100644 --- a/security/apparmor/include/file.h +++ b/security/apparmor/include/file.h @@ -101,9 +101,6 @@ static inline struct aa_label *aa_get_file_label(struct aa_file_ctx *ctx) #define AA_X_INHERIT 0x4000 #define AA_X_UNCONFINED 0x8000 -/* AA_SECURE_X_NEEDED - is passed in the bprm->unsafe field */ -#define AA_SECURE_X_NEEDED 0x8000 - /* need to make conditional which ones are being set */ struct path_cond { kuid_t uid; diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 867bcd154c7e..7a82c0f61452 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c 
@@ -694,7 +694,6 @@ static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(bprm_set_creds, apparmor_bprm_set_creds), LSM_HOOK_INIT(bprm_committing_creds, apparmor_bprm_committing_creds), LSM_HOOK_INIT(bprm_committed_creds, apparmor_bprm_committed_creds), - LSM_HOOK_INIT(bprm_secureexec, apparmor_bprm_secureexec), LSM_HOOK_INIT(task_setrlimit, apparmor_task_setrlimit), };
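Review bot: In the security/apparmor/domain.c hunk at @@ -807, the new `bprm->secureexec = 1;` has no comment saying that this assignment is now the final secureexec decision and that the field is only ever raised here, never cleared. The kernel-doc deleted with apparmor_bprm_secureexec() in the following hunk was the one place stating that "the decision to use secure exec is computed in set_creds". Consider a one-line comment above the assignment that carries this over and mentions the reliance on bprm->called_set_creds described in the commit message, since that guard does not appear in the changed lines.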
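Review bot: Removing AA_SECURE_X_NEEDED in the security/apparmor/include/file.h hunk needs a tree-wide check that no user of the macro remains outside the four files in the diffstat. The removed define was 0x8000, the same value as AA_X_UNCONFINED on the context line directly above it, and was kept apart only by being stored in bprm->unsafe, so any code that still tested that bit would have been easy to misread. A note in the changelog that the search came back empty would settle it.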
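Review bot: Dropping `LSM_HOOK_INIT(bprm_secureexec, apparmor_bprm_secureexec)` in the security/apparmor/lsm.c hunk leaves AppArmor's decision reachable only through bprm->secureexec, a field this patch writes but neither defines nor reads. The commit message should name the earlier patch in the series that adds the field and the place where exec consumes it, so that someone bisecting onto 04/15 can verify that AppArmor's secureexec request is still honoured at this point in the series.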