Re: [PATCH 14/27] LSM: Specify which LSM to display

[PATCH v5 00/27] LSM: Module stacking for AppArmor · Casey Schaufler <casey@schaufler-ca.com> · 2019-07-26
[PATCH 02/27] LSM: Infrastructure management of the key blob · Casey Schaufler <casey@schaufler-ca.com> · 2019-07-26
[PATCH 04/27] LSM: Use lsmblob in security_audit_rule_match · Casey Schaufler <casey@schaufler-ca.com> · 2019-07-26
[PATCH 03/27] LSM: Create and manage the lsmblob data structure. · Casey Schaufler <casey@schaufler-ca.com> · 2019-07-26
[PATCH 06/27] net: Prepare UDS for security module stacking · Casey Schaufler <casey@schaufler-ca.com> · 2019-07-26
[PATCH 08/27] LSM: Use lsmblob in security_secid_to_secctx · Casey Schaufler <casey@schaufler-ca.com> · 2019-07-26
[PATCH 05/27] LSM: Use lsmblob in security_kernel_act_as · Casey Schaufler <casey@schaufler-ca.com> · 2019-07-26
[PATCH 09/27] LSM: Use lsmblob in security_ipc_getsecid · Casey Schaufler <casey@schaufler-ca.com> · 2019-07-26
[PATCH 07/27] LSM: Use lsmblob in security_secctx_to_secid · Casey Schaufler <casey@schaufler-ca.com> · 2019-07-26
[PATCH 11/27] LSM: Use lsmblob in security_inode_getsecid · Casey Schaufler <casey@schaufler-ca.com> · 2019-07-26
[PATCH 10/27] LSM: Use lsmblob in security_task_getsecid · Casey Schaufler <casey@schaufler-ca.com> · 2019-07-26
[PATCH 14/27] LSM: Specify which LSM to display · Casey Schaufler <casey@schaufler-ca.com> · 2019-07-26
Re: [PATCH 14/27] LSM: Specify which LSM to display · Kees Cook <hidden> · 2019-07-29
[PATCH 12/27] LSM: Use lsmblob in security_cred_getsecid · Casey Schaufler <casey@schaufler-ca.com> · 2019-07-26
[PATCH 13/27] IMA: Change internal interfaces to use lsmblobs · Casey Schaufler <casey@schaufler-ca.com> · 2019-07-26
[PATCH 16/27] LSM: Use lsmcontext in security_secid_to_secctx · Casey Schaufler <casey@schaufler-ca.com> · 2019-07-26
[PATCH 15/27] LSM: Ensure the correct LSM context releaser · Casey Schaufler <casey@schaufler-ca.com> · 2019-07-26
[PATCH 17/27] LSM: Use lsmcontext in security_dentry_init_security · Casey Schaufler <casey@schaufler-ca.com> · 2019-07-26
[PATCH 18/27] LSM: Use lsmcontext in security_inode_getsecctx · Casey Schaufler <casey@schaufler-ca.com> · 2019-07-26
[PATCH 19/27] LSM: security_secid_to_secctx in netlink netfilter · Casey Schaufler <casey@schaufler-ca.com> · 2019-07-26
[PATCH 21/27] SELinux: Verify LSM display sanity in binder · Casey Schaufler <casey@schaufler-ca.com> · 2019-07-26
[PATCH 20/27] NET: Store LSM netlabel data in a lsmblob · Casey Schaufler <casey@schaufler-ca.com> · 2019-07-26
[PATCH 24/27] LSM: Provide an user space interface for the default display · Casey Schaufler <casey@schaufler-ca.com> · 2019-07-26
Re: [PATCH 24/27] LSM: Provide an user space interface for the default display · Kees Cook <hidden> · 2019-07-29
[PATCH 22/27] Audit: Add subj_LSM fields when necessary · Casey Schaufler <casey@schaufler-ca.com> · 2019-07-26
[PATCH 23/27] Audit: Include object data for all security modules · Casey Schaufler <casey@schaufler-ca.com> · 2019-07-26
[PATCH 25/27] NET: Add SO_PEERCONTEXT for multiple LSMs · Casey Schaufler <casey@schaufler-ca.com> · 2019-07-26
Re: [PATCH 25/27] NET: Add SO_PEERCONTEXT for multiple LSMs · Simon McVittie <hidden> · 2019-07-29
Re: [PATCH 25/27] NET: Add SO_PEERCONTEXT for multiple LSMs · Casey Schaufler <casey@schaufler-ca.com> · 2019-07-29
[PATCH 26/27] LSM: Add /proc attr entry for full LSM context · Casey Schaufler <casey@schaufler-ca.com> · 2019-07-26
Re: [PATCH 26/27] LSM: Add /proc attr entry for full LSM context · Kees Cook <hidden> · 2019-07-29
Re: [PATCH 26/27] LSM: Add /proc attr entry for full LSM context · Casey Schaufler <casey@schaufler-ca.com> · 2019-07-29
Re: [PATCH 26/27] LSM: Add /proc attr entry for full LSM context · Kees Cook <hidden> · 2019-07-29
[PATCH 27/27] AppArmor: Remove the exclusive flag · Casey Schaufler <casey@schaufler-ca.com> · 2019-07-26
[PATCH 01/27] LSM: Infrastructure management of the sock security · Casey Schaufler <casey@schaufler-ca.com> · 2019-07-26

From: Kees Cook <hidden>
Date: 2019-07-29 17:05:04
Also in: selinux

On Fri, Jul 26, 2019 at 04:39:10PM -0700, Casey Schaufler wrote:

quoted hunk ↗ jump to hunk

When a program is executed in a way that changes its privilege
the display is reset to the initial state to prevent unprivileged
programs from tricking it into setting an unexpected display.
[...]

diff --git a/security/security.c b/security/security.c
index 8927508b2142..4dd4ebeda18d 100644
--- a/security/security.c
+++ b/security/security.c

@@ -835,7 +857,18 @@ int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
 
 int security_bprm_set_creds(struct linux_binprm *bprm)
 {
-	return call_int_hook(bprm_set_creds, 0, bprm);
+	int *disp = current->security;
+	int rc;
+
+	rc = call_int_hook(bprm_set_creds, 0, bprm);
+
+	/*
+	 * Reset the "display" LSM if privilege has been elevated.
+	 */
+	if (bprm->cap_elevated && disp)
+		*disp = LSMBLOB_INVALID;
+
+	return rc;
 }

I think this is the wrong place to check this. This is called in
prepare_binprm(), which is very early in the execve() process. By my
reading this will change the forked process's display first before the
exec happens (which may potentially fail) -- this needs to be changing
the final state once exec is under way (past the "point of no return" in
flush_old_exec()).

Also, the consolidation of privilege information happens into
bprm->secureexec in setup_new_exec(), so I think you want to test
secureexec not just cap_elevated.

So the test/clear should likely happen in finalize_exec() since it's a
runtime state, not a memory layout-changing state (which would need to
happen earlier).

-- 
Kees Cook

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help