Received: by 2002:a25:868d:0:0:0:0:0 with SMTP id z13csp3714765ybk; Tue, 19 May 2020 11:12:06 -0700 (PDT) X-Google-Smtp-Source: ABdhPJz8+ePnelhMwcdOp83V+r/5IwvsS150FipDaYKsKN9qpo1p1QJjmlRMlGhdjRSsTrrqy+ZI X-Received: by 2002:a17:906:4eda:: with SMTP id i26mr473393ejv.228.1589911926668; Tue, 19 May 2020 11:12:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1589911926; cv=none; d=google.com; s=arc-20160816; b=PMKoWsIDTndSx4c9TmkN2BLwBUZSmZcso3vOuJ4E8ig47XlR2OiDcdyXdqfVVSNLrt VLDncHeAvXR3VHpa/BtbrKVI2euDdeTomVsb30B8a90X8fiBW5Sq9u+V0bLEDLOfc5wG DHUgaXdSymNcdSbZm6tiGFqvaVe/51R5BVklrSMbgGI8QGOcdtB+XrgXbl+8Jo1klMax tiIMfvrjvNxvqm8NAtQ3TjHGOG4jIla7YIj8Y5kmNKgk5h5CVLDe1Q3I/yrUfnLyVvPt CnPYmyZSpj7KRtMsyF/rHjQb4p0j5/WLdjEZ7kJz8vz1dP2rCg0qHoyH5qomXg+LAYXe 9tSg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=jDYo4m5PP7xufMNqX2IQkJ1zE2G71qHXVTGfdTFjKEY=; b=aBlP8m90iAWABx7xprll/W33PFMLVpmuZONPhRKBvG/z9tDDylzl/pcp5xoP+WhmJS earQCus2h3JgAt29OPbg8bZF3gsf1iJkB0UnyrHoXbJHE22XV+W4CNcoG+3PpVQWLMvW Imnl0gAymKcUJnsO/ht2uGp9kvZWJlxAqi+GdZSMMxvp2uBKQVm0LM5GoI61K1taayPE xeYaSCggE4I6+FN20U7NzwnPdA0oFpsvwvLds32+dvD9K8blUAqbTT5WOi7iuXMGt01U DgpllHHIXdZIkJvpA/B2583rWNcD4hTVwrYetCw/zv5+F4J3AyW+pt0bAJ6hfiX1IOOC YiEg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=G872pkcm; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id p19si315269ejj.538.2020.05.19.11.11.42; Tue, 19 May 2020 11:12:06 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=G872pkcm; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726447AbgESSKP (ORCPT + 99 others); Tue, 19 May 2020 14:10:15 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34800 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726059AbgESSKO (ORCPT ); Tue, 19 May 2020 14:10:14 -0400 Received: from mail-pl1-x642.google.com (mail-pl1-x642.google.com [IPv6:2607:f8b0:4864:20::642]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DBDD8C08C5C0 for ; Tue, 19 May 2020 11:10:14 -0700 (PDT) Received: by mail-pl1-x642.google.com with SMTP id a13so216907pls.8 for ; Tue, 19 May 2020 11:10:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=jDYo4m5PP7xufMNqX2IQkJ1zE2G71qHXVTGfdTFjKEY=; b=G872pkcm8w6Qv241zfp28F0Fi28C447LZGFxMoMou558duvg393y5a4Y+yvm4hpY23 /B3SoivGMflaBaRqQXD0/Tt4XmF8m6Ru1YrRQBVVftz1Vjj8MjKTaYP8ziUFmvhgimd5 q9FHPEqaNOcBWF2dh/VDjEYZ5KzcghWUGivs0= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=jDYo4m5PP7xufMNqX2IQkJ1zE2G71qHXVTGfdTFjKEY=; b=ZnFP0Rdh6p3UtZbJPWO/+4qlDOkD5KiBf/zUMkOs1CZQj91iQb7wZWX3KKwHxmMEPa lfDNkKPX8kIlZpSHlkDhVElwoWZ7rVhh95tnr/Xal7MGNQHctSPV2hFg4LXYButX4whk waPAphCky4udWf6UgK7OxrEdkJ7ouiLVWDVga3xFIBKjQR35wHeYEID3wMaAdugnDdFf dl8a18cHChu2E585TYje1lBYfcqd2e2vits4SvP0BnLyThDQF1jr788UhfpMG9zXrW6L N9512tMbMklvNAQNDLccdNnk0/6lxelCVgzSU2AlGop27xKkA6om3cI1SErm+vPBVzJj 3wOQ== X-Gm-Message-State: AOAM533/pDDu/JH16PJ42Zy3s0ae1sDV46OpaWpIRT2F541ersTrxIvg pNclLywAO6TPqIs5qk/W/4dE4w== X-Received: by 2002:a17:90a:6d90:: with SMTP id a16mr821079pjk.138.1589911814441; Tue, 19 May 2020 11:10:14 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id s13sm138380pfh.118.2020.05.19.11.10.13 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 19 May 2020 11:10:13 -0700 (PDT) Date: Tue, 19 May 2020 11:10:12 -0700 From: Kees Cook To: "Eric W. Biederman" Cc: linux-kernel@vger.kernel.org, Linus Torvalds , Oleg Nesterov , Jann Horn , Greg Ungerer , Rob Landley , Bernd Edlinger , linux-fsdevel@vger.kernel.org, Al Viro , Alexey Dobriyan , Andrew Morton , Casey Schaufler , linux-security-module@vger.kernel.org, James Morris , "Serge E. Hallyn" , Andy Lutomirski Subject: Re: [PATCH v2 2/8] exec: Factor security_bprm_creds_for_exec out of security_bprm_set_creds Message-ID: <202005191108.7A6E97831@keescook> References: <87h7wujhmz.fsf@x220.int.ebiederm.org> <87sgga6ze4.fsf@x220.int.ebiederm.org> <87v9l4zyla.fsf_-_@x220.int.ebiederm.org> <877dx822er.fsf_-_@x220.int.ebiederm.org> <87v9kszrzh.fsf_-_@x220.int.ebiederm.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <87v9kszrzh.fsf_-_@x220.int.ebiederm.org> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, May 18, 2020 at 07:30:10PM -0500, Eric W. Biederman wrote: > > Today security_bprm_set_creds has several implementations: > apparmor_bprm_set_creds, cap_bprm_set_creds, selinux_bprm_set_creds, > smack_bprm_set_creds, and tomoyo_bprm_set_creds. > > Except for cap_bprm_set_creds they all test bprm->called_set_creds and > return immediately if it is true. The function cap_bprm_set_creds > ignores bprm->calld_sed_creds entirely. > > Create a new LSM hook security_bprm_creds_for_exec that is called just > before prepare_binprm in __do_execve_file, resulting in a LSM hook > that is called exactly once for the entire of exec. Modify the bits > of security_bprm_set_creds that only want to be called once per exec > into security_bprm_creds_for_exec, leaving only cap_bprm_set_creds > behind. > > Remove bprm->called_set_creds all of it's former users have been moved > to security_bprm_creds_for_exec. > > Add or upate comments a appropriate to bring them up to date and > to reflect this change. Yup, awesome. One nit below. Reviewed-by: Kees Cook > [...] > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 0b4e32161b77..718345dd76bb 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > [...] > @@ -2297,8 +2297,6 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm) > > /* SELinux context only depends on initial program or script and not > * the script interpreter */ > - if (bprm->called_set_creds) > - return 0; > > old_tsec = selinux_cred(current_cred()); > new_tsec = selinux_cred(bprm->cred); As you've done in the other LSMs, I think this comment can be removed (or moved to the top of the function) too. -- Kees Cook