Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp471439ybi;
        Thu, 13 Jun 2019 20:40:14 -0700 (PDT)
X-Google-Smtp-Source: APXvYqxZF2BpJh7YzkEAviRPp943eesFyQ7u+UqJo9Xr0igz2p3aP/aFANfrF1jEpRLrcM0ZBw6E
X-Received: by 2002:a63:4104:: with SMTP id o4mr34707237pga.345.1560483614458;
        Thu, 13 Jun 2019 20:40:14 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1560483614; cv=none;
        d=google.com; s=arc-20160816;
        b=rLy7rbe5KyQ/5IBCTIYdPdMy8lYS7N2AMkWG91bNwmltQO3ZCYgkftyJs5Us11uyOH
         bWjLHRGlz1gjLKorLMx/jd53TkqmP1NM81Nus7xn+F81LNfmdMbX0ofDZFt498JCgpQo
         QIAes61C5AnQDfzxeqESqNLc0PIdzwP9tHrVo0EK8T6hPBkGxh4dNXLFv2ynxIa+tW7U
         0p9VOldfXMjRShRn02G/ZMkEjedjKusbFvaoZrgzVAGJ/MXfNJ7kASAsKc0Oz9E2R4CC
         6mSQfeflKYiXWErxBRwMQT/xelUL40gZ7yNQxy6OVXyTjSUvVfKARywhwwJ482+/X2sP
         Th/Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :message-id:in-reply-to:subject:cc:to:from:date;
        bh=7Dlwu8GAm9bBZxK/S6eJGy6rJE/WW5Sc0vJEWPWMBso=;
        b=qGvqogy+RLxrcNbbi7tFrd5xh6na7m4JysKJzhoK68d+Utf19X4mN9r4eeqI6IBIvo
         syBDMZk0zd4nBZp5qAy9XDsDewpVpRYQQdmRKou6Pf2paPvgN17ntDlNhz7gVuREZnMN
         00e2vR4ZhXny7AbMTOOMjKcoAY6+QeO7fb5eVh1CEUDKvecGy8xsZdbvO7xze6R1qQzX
         mSUQIoiAeQREDmZ5orOK5B5hGDjFB0LfcOS7ueyrxihnVD8/o3l9b9ZsZnpFW7rcJCyA
         tq6gpp+47QWNMaqESYcZMPgLPc3zYbjq01TE1rYsE07S2hrYEqHLxZPMxrpQ9O74rrxL
         XOAA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id v142si1357700pgb.459.2019.06.13.20.39.59;
        Thu, 13 Jun 2019 20:40:14 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1725819AbfFNDj4 (ORCPT <rfc822;krseo358@gmail.com> + 99 others);
        Thu, 13 Jun 2019 23:39:56 -0400
Received: from namei.org ([65.99.196.166]:39088 "EHLO namei.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1725616AbfFNDj4 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 13 Jun 2019 23:39:56 -0400
Received: from localhost (localhost [127.0.0.1])
        by namei.org (8.14.4/8.14.4) with ESMTP id x5E3cr1f007713;
        Fri, 14 Jun 2019 03:38:53 GMT
Date:   Fri, 14 Jun 2019 13:38:53 +1000 (AEST)
From:   James Morris <jmorris@namei.org>
To:     Igor Lubashev <ilubashe@akamai.com>
cc:     Serge Hallyn <serge@hallyn.com>,
        linux-security-module@vger.kernel.org,
        linux-kernel@vger.kernel.org, David Howells <dhowells@redhat.com>,
        Al Viro <viro@ftp.linux.org.uk>
Subject: Re: [RFC PATCH 0/1] security: add SECURE_KEEP_FSUID to preserve
 fsuid/fsgid across execve
In-Reply-To: <1560473087-27754-1-git-send-email-ilubashe@akamai.com>
Message-ID: <alpine.LRH.2.21.1906141338350.7150@namei.org>
References: <1560473087-27754-1-git-send-email-ilubashe@akamai.com>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

[Adding David and Al]


On Thu, 13 Jun 2019, Igor Lubashev wrote:

> I've posted this in March but received no response. Reposting.
> 
> This patch introduces SECURE_KEEP_FSUID to allow fsuid/fsgid to be
> preserved across execve. It is currently impossible to execve a
> program such that effective and filesystem uid differ.
> 
> The need for this functionality arose from a desire to allow certain
> non-privileged users to run perf. To do this, we install perf without
> set-uid-root and have a set-uid-root wrapper decide who is allowed to
> run perf (and with what arguments).
> 
> The wrapper must execve perf with real and effective root uid, because
> perf and KASLR require this. However, that presently resets fsuid to
> root, giving the user ability to read and overwrite any file owned by
> root (perf report -i, perf record -o). Also, perf record will create
> perf.data that cannot be deleted by the user.
> 
> We cannot reset /proc/sys/kernel/perf_event_paranoid to a permissive
> level, since we must be selective which users have the permissions.
> 
> Of course, we could fix our problem by a patch to perf to allow
> passing a username on the command line and having perf execute
> setfsuid before opening files. However, perf is not the only program
> that uses kernel features that require root uid/euid, so a general
> solution that does not involve updating all such programs seems
> warranted.
> 
> I will update man pages, if this patch is deemed a good idea.
> 
> Igor Lubashev (1):
>   security: add SECURE_KEEP_FSUID to preserve fsuid/fsgid across execve
> 
>  include/uapi/linux/securebits.h | 10 +++++++++-
>  security/commoncap.c            |  9 +++++++--
>  2 files changed, 16 insertions(+), 3 deletions(-)
> 
> 

-- 
James Morris
<jmorris@namei.org>