Received: by 2002:a25:868d:0:0:0:0:0 with SMTP id z13csp3758476ybk; Tue, 19 May 2020 12:14:09 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwOrvASC2zfAWcY3EPAeXynrYTz82SiVmwH0VRT/WHz0r91wYEFTYFR11fsL6Www/1FtQal X-Received: by 2002:a17:906:4356:: with SMTP id z22mr659608ejm.334.1589915649823; Tue, 19 May 2020 12:14:09 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1589915649; cv=none; d=google.com; s=arc-20160816; b=R3kNGE3PkotDbP1jbfBHCHYlX/KhfMP8gA5q8OBayziF1nrYEtseRPwok4WYso6+g9 Fea7h8+1QChCLtXvFt23lSmLKPeGFIHbKVdWIhUkmEb45GsVLKKuu/ivskEXo/enCSnj +RPn/wh6QxSl3H4ZWnk7+LJNUSN2ycQ74MALNDnwIUyYO5itfxwFgoONn3mMxAnNq7/h V7J00ttlwL/5csTtrbczRv25G2yO3+q29bXAExh+Ac1MH3RMgWnrYLQ29KLTOEBW9Tgd +Ogj476/+mGTdvHjZWpev0AdrBTgxUi7+wqx39h7vVt913+BXBUTI0h/hr8XarpnuhWx 9j+w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:subject:mime-version:user-agent :message-id:in-reply-to:date:references:cc:to:from; bh=pT/TGl5G/hxlus9y+dZcKs8gxteovb5+6snU1r3a9hM=; b=tfMypQoYMlDLAIvcUFJH9uAPupi5pahcUo6Kxzvy2wtO+ejz5t9TDnXYkqVgrZDdUy h6Q2F31zgLMBKir86khxr/QjIbn5a7rWSkIu0GojAqO5b9Tkn6yHHtIOyWv2YGrs9Kvf DSi/kLkL7QJdj9HqpKeMsFLtrggSRt4usT7yHYKhdGADlvd9tmJPujsa/Y3439w/x2Qw k4UHwTDt2SiTzK8K8oL5Q7wOkNpZT0amRLbqO5jwPiXX10/PHRYy6KtyjzXS+tyTr66A 9TaSebTALrrIOYYXLPFkQEZkhVhUypy+jG6ShahxfTaWY3SQW7Rk2ovtbegTsTv1IVZ0 8KAw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=xmission.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id w8si435486eji.455.2020.05.19.12.13.46; Tue, 19 May 2020 12:14:09 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=xmission.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726898AbgESTMX (ORCPT + 99 others); Tue, 19 May 2020 15:12:23 -0400 Received: from out03.mta.xmission.com ([166.70.13.233]:39744 "EHLO out03.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726290AbgESTMW (ORCPT ); Tue, 19 May 2020 15:12:22 -0400 Received: from in01.mta.xmission.com ([166.70.13.51]) by out03.mta.xmission.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1jb7ez-0008UU-9H; Tue, 19 May 2020 13:12:17 -0600 Received: from ip68-227-160-95.om.om.cox.net ([68.227.160.95] helo=x220.xmission.com) by in01.mta.xmission.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.87) (envelope-from ) id 1jb7ey-00014b-3r; Tue, 19 May 2020 13:12:16 -0600 From: ebiederm@xmission.com (Eric W. Biederman) To: Kees Cook Cc: linux-kernel@vger.kernel.org, Linus Torvalds , Oleg Nesterov , Jann Horn , Greg Ungerer , Rob Landley , Bernd Edlinger , linux-fsdevel@vger.kernel.org, Al Viro , Alexey Dobriyan , Andrew Morton , Casey Schaufler , linux-security-module@vger.kernel.org, James Morris , "Serge E. Hallyn" , Andy Lutomirski References: <87h7wujhmz.fsf@x220.int.ebiederm.org> <87sgga6ze4.fsf@x220.int.ebiederm.org> <87v9l4zyla.fsf_-_@x220.int.ebiederm.org> <877dx822er.fsf_-_@x220.int.ebiederm.org> <87imgszrwo.fsf_-_@x220.int.ebiederm.org> <202005191122.0A1FD07@keescook> Date: Tue, 19 May 2020 14:08:34 -0500 In-Reply-To: <202005191122.0A1FD07@keescook> (Kees Cook's message of "Tue, 19 May 2020 11:27:25 -0700") Message-ID: <87sgfvoi8d.fsf@x220.int.ebiederm.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-SPF: eid=1jb7ey-00014b-3r;;;mid=<87sgfvoi8d.fsf@x220.int.ebiederm.org>;;;hst=in01.mta.xmission.com;;;ip=68.227.160.95;;;frm=ebiederm@xmission.com;;;spf=neutral X-XM-AID: U2FsdGVkX1/kgQUwX+CSXDS53ITr/pklJfenYpzNP1g= X-SA-Exim-Connect-IP: 68.227.160.95 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on sa06.xmission.com X-Spam-Level: X-Spam-Status: No, score=0.5 required=8.0 tests=ALL_TRUSTED,BAYES_50, DCC_CHECK_NEGATIVE,T_TM2_M_HEADER_IN_MSG,T_TooManySym_01,XMSubLong autolearn=disabled version=3.4.2 X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.4998] * 0.7 XMSubLong Long Subject * 0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available. * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa06 0; Body=1 Fuz1=1 Fuz2=1] * 0.0 T_TooManySym_01 4+ unique symbols in subject X-Spam-DCC: ; sa06 0; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: ;Kees Cook X-Spam-Relay-Country: X-Spam-Timing: total 406 ms - load_scoreonly_sql: 0.05 (0.0%), signal_user_changed: 11 (2.7%), b_tie_ro: 10 (2.4%), parse: 0.95 (0.2%), extract_message_metadata: 11 (2.7%), get_uri_detail_list: 1.30 (0.3%), tests_pri_-1000: 6 (1.4%), tests_pri_-950: 1.30 (0.3%), tests_pri_-900: 1.06 (0.3%), tests_pri_-90: 139 (34.2%), check_bayes: 129 (31.7%), b_tokenize: 7 (1.8%), b_tok_get_all: 8 (2.0%), b_comp_prob: 2.5 (0.6%), b_tok_touch_all: 107 (26.3%), b_finish: 0.99 (0.2%), tests_pri_0: 225 (55.3%), check_dkim_signature: 0.52 (0.1%), check_dkim_adsp: 2.2 (0.5%), poll_dns_idle: 0.62 (0.2%), tests_pri_10: 2.1 (0.5%), tests_pri_500: 6 (1.5%), rewrite_mail: 0.00 (0.0%) Subject: Re: [PATCH v2 4/8] exec: Allow load_misc_binary to call prepare_binfmt unconditionally X-Spam-Flag: No X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600) X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Kees Cook writes: > On Mon, May 18, 2020 at 07:31:51PM -0500, Eric W. Biederman wrote: >> >> Add a flag preserve_creds that binfmt_misc can set to prevent >> credentials from being updated. This allows binfmt_misc to always >> call prepare_binfmt. Allowing the credential computation logic to be > > typo: prepare_binprm() Thank you. >> consolidated. >> >> Not replacing the credentials with the interpreters credentials is >> safe because because an open file descriptor to the executable is >> passed to the interpreter. As the interpreter does not need to >> reopen the executable it is guaranteed to see the same file that >> exec sees. > > Yup, looks good. Note below on comment. > > Reviewed-by: Kees Cook > >> [...] >> diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h >> index 8605ab4a0f89..dbb5614d62a2 100644 >> --- a/include/linux/binfmts.h >> +++ b/include/linux/binfmts.h >> @@ -26,6 +26,8 @@ struct linux_binprm { >> unsigned long p; /* current top of mem */ >> unsigned long argmin; /* rlimit marker for copy_strings() */ >> unsigned int >> + /* It is safe to use the creds of a script (see binfmt_misc) */ >> + preserve_creds:1, > > How about: > > /* > * A binfmt handler will set this to True before calling > * prepare_binprm() if it is safe to reuse the previous > * credentials, based on bprm->file (see binfmt_misc). > */ I think that is more words saying less. While I agree it might be better. I don't see what your comment adds to the understanding. What do you see my comment not saying that is important? Eric