On Fri, May 29, 2020 at 10:28:41PM -0500, Eric W. Biederman wrote:
The range-diff winds up being:
1: c9258ef4879b ! 1: a7868323c263 exec: Add a per bprm->file version of per_clear
@@ Commit message
History Tree: git://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
Fixes: 1bb0fa189c6a ("[PATCH] NX: clean up legacy binary support")
+ Reviewed-by: Kees Cook [off-list ref]
Signed-off-by: "Eric W. Biederman" [off-list ref]
## fs/exec.c ##
@@ include/linux/lsm_hooks.h
* transitions between security domains).
* The hook must set @bprm->active_secureexec to 1 if AT_SECURE should be set to
* request libc enable secure mode.
-+ * The hook must set @bprm->pf_per_clear to the personality flags that
-+ * should be cleared from current->personality.
++ * The hook must add to @bprm->pf_per_clear any personality flags that
++ * should be cleared from current->personality.
* @bprm contains the linux_binprm structure.
* Return 0 if the hook is successful and permission is granted.
* @bprm_check_security:
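Review bot: the reworded comment "The hook must add to @bprm->pf_per_clear any personality flags that should be cleared from current->personality" leaves the operation implicit; since the point of the wording change is that a hook contributes bits rather than owning the field, it is worth saying so directly, e.g. "The hook must OR into @bprm->pf_per_clear any personality flags that ...", so a hook author does not assign to the field and drop flags already recorded there by an earlier hook.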
2: e6f20c69b96e ! 2: 56305aa9b6fa exec: Compute file based creds only once
@@ Commit message
secureity attribute and derive capabilities from the fact the
user had uid 0 has been added.
+ Reviewed-by: Kees Cook [off-list ref]
Signed-off-by: "Eric W. Biederman" [off-list ref]
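Review bot: the commit message line "secureity attribute and derive capabilities from the fact the" has a typo; "secureity" should be "security". Since the message is being touched here anyway to add the Reviewed-by tag, fix it in the same respin.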
## fs/binfmt_misc.c ##
@@ include/linux/lsm_hooks.h
+ * between security domains).
+ * The hook must set @bprm->secureexec to 1 if AT_SECURE should be set to
* request libc enable secure mode.
-- * The hook must set @bprm->pf_per_clear to the personality flags that
-+ * The hook must set @bprm->per_clear to the personality flags that
- * should be cleared from current->personality.
+- * The hook must add to @bprm->pf_per_clear any personality flags that
++ * The hook must add to @bprm->per_clear any personality flags that
+ * should be cleared from current->personality.
* @bprm contains the linux_binprm structure.
* Return 0 if the hook is successful and permission is granted.
Awesome; thanks!
The cap_ambient_invariant_ok() test is needlessly repeated: it doesn't
examine securebits, and nonroot_raised_pE appears to have no
side-effects.
One of those can be dropped, yes?
That is what it looks like to me.
Okay, cool. I was worried I was missing something in the mess of tiny
helper calls. :)
I hope that when the dust clears the function can become a
straightforward implementation of the capability equations.
We will see.
Yeah, this looks better and better every day! I'm glad you're able to
dig through all of this.
--
Kees Cook