Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752587AbdGSBBs (ORCPT ); Tue, 18 Jul 2017 21:01:48 -0400 Received: from mail.kernel.org ([198.145.29.99]:59546 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752102AbdGSBBp (ORCPT ); Tue, 18 Jul 2017 21:01:45 -0400 DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 6875023693 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=kernel.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=luto@kernel.org MIME-Version: 1.0 In-Reply-To: <1500416736-49829-2-git-send-email-keescook@chromium.org> References: <1500416736-49829-1-git-send-email-keescook@chromium.org> <1500416736-49829-2-git-send-email-keescook@chromium.org> From: Andy Lutomirski Date: Tue, 18 Jul 2017 18:01:22 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH v3 01/15] binfmt: Introduce secureexec flag To: Kees Cook Cc: Andrew Morton , David Howells , "Eric W. Biederman" , John Johansen , "Serge E. Hallyn" , Paul Moore , Stephen Smalley , Casey Schaufler , Tetsuo Handa , James Morris , Andy Lutomirski , Linus Torvalds , Linux FS Devel , LSM List , "linux-kernel@vger.kernel.org" Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2232 Lines: 50 On Tue, Jul 18, 2017 at 3:25 PM, Kees Cook wrote: > To begin this refactoring, this adds the secureexec flag to the bprm > struct, which will eventually be used in place of the LSM hook. I'm very confused. See below. Maybe a later patch will unconfuse me. > > Cc: David Howells > Signed-off-by: Kees Cook > --- > fs/binfmt_elf.c | 3 ++- > fs/binfmt_elf_fdpic.c | 3 ++- > include/linux/binfmts.h | 8 +++++++- > 3 files changed, 11 insertions(+), 3 deletions(-) > > diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c > index 5075fd5c62c8..991e4de3515f 100644 > --- a/fs/binfmt_elf.c > +++ b/fs/binfmt_elf.c > @@ -254,7 +254,8 @@ create_elf_tables(struct linux_binprm *bprm, struct elfhdr *exec, > NEW_AUX_ENT(AT_EUID, from_kuid_munged(cred->user_ns, cred->euid)); > NEW_AUX_ENT(AT_GID, from_kgid_munged(cred->user_ns, cred->gid)); > NEW_AUX_ENT(AT_EGID, from_kgid_munged(cred->user_ns, cred->egid)); > - NEW_AUX_ENT(AT_SECURE, security_bprm_secureexec(bprm)); > + bprm->secureexec |= security_bprm_secureexec(bprm); > + NEW_AUX_ENT(AT_SECURE, bprm->secureexec); This is ->load_binary ... > diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h > index 05488da3aee9..9508b5f83c7e 100644 > --- a/include/linux/binfmts.h > +++ b/include/linux/binfmts.h > @@ -27,9 +27,15 @@ struct linux_binprm { > unsigned int > cred_prepared:1,/* true if creds already prepared (multiple > * preps happen for interpreters) */ > - cap_effective:1;/* true if has elevated effective capabilities, > + cap_effective:1,/* true if has elevated effective capabilities, > * false if not; except for init which inherits > * its parent's caps anyway */ > + /* > + * Set by bprm_set_creds hook to indicate a privilege-gaining > + * exec has happened. Used to sanitize execution environment > + * and to set AT_SECURE auxv for glibc. > + */ ... which is not bprm_set_creds(). What am I missing here?