Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751674AbeACHG0 (ORCPT <rfc822;ralf@linux-mips.org> + 1 other);
        Wed, 3 Jan 2018 02:06:26 -0500
Received: from h2.hallyn.com ([78.46.35.8]:53052 "EHLO h2.hallyn.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1751599AbeACHGY (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 3 Jan 2018 02:06:24 -0500
Date: Wed, 3 Jan 2018 01:06:22 -0600
From: "Serge E. Hallyn" <serge@hallyn.com>
To: Kees Cook <keescook@chromium.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
        Tom Horsley <horsley1953@gmail.com>,
        Laura Abbott <labbott@redhat.com>,
        David Howells <dhowells@redhat.com>,
        Serge Hallyn <serge@hallyn.com>,
        James Morris <james.l.morris@oracle.com>,
        linux-kernel@vger.kernel.org
Subject: Re: [PATCH] exec: Weaken dumpability for secureexec
Message-ID: <20180103070622.GA6950@mail.hallyn.com>
References: <20180102232133.GA39880@beast>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20180102232133.GA39880@beast>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>

On Tue, Jan 02, 2018 at 03:21:33PM -0800, Kees Cook wrote:
> This is a logical revert of:
> 
>     commit e37fdb785a5f ("exec: Use secureexec for setting dumpability")
> 
> This weakens dumpability back to checking only for uid/gid changes in
> current (which is useless), but userspace depends on dumpability not
> being tied to secureexec.
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1528633
> 
> Reported-by: Tom Horsley <horsley1953@gmail.com>
> Fixes: e37fdb785a5f ("exec: Use secureexec for setting dumpability")
> Cc: stable@vger.kernel.org
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
>  fs/exec.c | 9 +++++++--
>  1 file changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/exec.c b/fs/exec.c
> index 5688b5e1b937..7eb8d21bcab9 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -1349,9 +1349,14 @@ void setup_new_exec(struct linux_binprm * bprm)
>  
>  	current->sas_ss_sp = current->sas_ss_size = 0;
>  
> -	/* Figure out dumpability. */
> +	/*
> +	 * Figure out dumpability. Note that this checking only of current
> +	 * is wrong, but userspace depends on it. This should be testing
> +	 * bprm->secureexec instead.
> +	 */
>  	if (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP ||
> -	    bprm->secureexec)
> +	    !(uid_eq(current_euid(), current_uid()) &&
> +	      gid_eq(current_egid(), current_gid())))

So what about the pdeath_signal?  Is that going to be another subtle
time-bomb?

>  		set_dumpable(current->mm, suid_dumpable);
>  	else
>  		set_dumpable(current->mm, SUID_DUMP_USER);
> -- 
> 2.7.4
> 
> 
> -- 
> Kees Cook
> Pixel Security