Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751637AbdGZD7T (ORCPT ); Tue, 25 Jul 2017 23:59:19 -0400 Received: from mail-io0-f175.google.com ([209.85.223.175]:37575 "EHLO mail-io0-f175.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751421AbdGZD7R (ORCPT ); Tue, 25 Jul 2017 23:59:17 -0400 MIME-Version: 1.0 In-Reply-To: <1500416736-49829-11-git-send-email-keescook@chromium.org> References: <1500416736-49829-1-git-send-email-keescook@chromium.org> <1500416736-49829-11-git-send-email-keescook@chromium.org> From: Kees Cook Date: Tue, 25 Jul 2017 20:59:15 -0700 X-Google-Sender-Auth: bY4pE7CYrcZYknKJOiselekPOfE Message-ID: Subject: Re: [PATCH v3 10/15] exec: Use secureexec for setting dumpability To: Andrew Morton Cc: Kees Cook , David Howells , "Eric W. Biederman" , John Johansen , "Serge E. Hallyn" , Paul Moore , Stephen Smalley , Casey Schaufler , Tetsuo Handa , James Morris , Andy Lutomirski , Linus Torvalds , "linux-fsdevel@vger.kernel.org" , linux-security-module , LKML Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1929 Lines: 54 On Tue, Jul 18, 2017 at 3:25 PM, Kees Cook wrote: > The examination of "current" to decide dumpability is wrong. This was a > check of and euid/uid (or egid/gid) mismatch in the existing process, > not the newly created one. This appears to stretch back into even the > "history.git" tree. Luckily, dumpability is later set in commit_creds(). > In earlier kernel versions before creds existed, similar checks also > existed late in the exec flow, covering up the mistake as far back as I > could find. > > Note that because the commit_creds() check examines differences of euid, > uid, egid, gid, and capabilities between the old and new creds, it would > look like the setup_new_exec() dumpability test could be entirely removed. > However, the secureexec test may cover a different set of tests (specific > to the LSMs) than what commit_creds() checks for. So, fix this test to > use secureexec (the removed euid tests are redundant to the commoncap > secureexec checks now). > > Cc: David Howells > Signed-off-by: Kees Cook David (or anyone else), how does this (and the following undiscussed patches) look? I only have a few unreviewed patches in this series, and I'd like to get some more eyes on it. Thanks! -Kees > --- > fs/exec.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/fs/exec.c b/fs/exec.c > index f9480d3e0b82..5241c8f25f5d 100644 > --- a/fs/exec.c > +++ b/fs/exec.c > @@ -1353,7 +1353,7 @@ void setup_new_exec(struct linux_binprm * bprm) > > current->sas_ss_sp = current->sas_ss_size = 0; > > - if (uid_eq(current_euid(), current_uid()) && gid_eq(current_egid(), current_gid())) > + if (!bprm->secureexec) > set_dumpable(current->mm, SUID_DUMP_USER); > else > set_dumpable(current->mm, suid_dumpable); > -- > 2.7.4 > -- Kees Cook Pixel Security