Subject: Re: [PATCH] exec: Weaken dumpability for secureexec
From: Laura Abbott
To: Kees Cook, Tom Horsley
Cc: "Serge E. Hallyn", Linus Torvalds, David Howells, James Morris, LKML
Date: Wed, 3 Jan 2018 09:34:08 -0800
References: <20180102232133.GA39880@beast> <20180103070444.GA6331@mail.hallyn.com> <20180103071158.204eeb41@tomh>
X-Mailing-List: linux-kernel@vger.kernel.org

On 01/03/2018 09:21 AM, Kees Cook wrote:
> On Wed, Jan 3, 2018 at 4:11 AM, Tom Horsley wrote:
>> On Wed, 3 Jan 2018 01:04:44 -0600
>> Serge E. Hallyn wrote:
>>
>>>> This weakens dumpability back to checking only for uid/gid changes in
>>>> current (which is useless), but userspace depends on dumpability not
>>>> being tied to secureexec.
>>>>
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1528633
>>>>
>>>> Reported-by: Tom Horsley
>>>
>>> Seems right, any chance we could get a tested-by: Tom? (Did we already
>>> get that?)
>>
>> I didn't test it myself, but all I'd do is run the test program
>> I've attached to the bugzilla above which is trivial compared
>> to learning how to patch and build kernels. So it would be
>> much simpler for someone with the kernel already built to
>> extract the tarball and type make :-).
>
> This is what I did to verify it. Thank you very much for the test case!
>
> -Kees
>

I ran the test case again and can confirm that it works. I didn't
get a chance to try the other test case I reported (coredumping
systemd units) but I pointed the reporter to the patch.

Thanks,
Laura