Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 828f4257 authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'secureexec-v4.14-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux 

Pull secureexec update from Kees Cook:
 "This series has the ultimate goal of providing a sane stack rlimit
  when running set*id processes.

  To do this, the bprm_secureexec LSM hook is collapsed into the
  bprm_set_creds hook so the secureexec-ness of an exec can be
  determined early enough to make decisions about rlimits and the
  resulting memory layouts. Other logic acting on the secureexec-ness of
  an exec is similarly consolidated. Capabilities needed some special
  handling, but the refactoring removed other special handling, so that
  was a wash"

* tag 'secureexec-v4.14-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
  exec: Consolidate pdeath_signal clearing
  exec: Use sane stack rlimit under secureexec
  exec: Consolidate dumpability logic
  smack: Remove redundant pdeath_signal clearing
  exec: Use secureexec for clearing pdeath_signal
  exec: Use secureexec for setting dumpability
  LSM: drop bprm_secureexec hook
  commoncap: Move cap_elevated calculation into bprm_set_creds
  commoncap: Refactor to remove bprm_secureexec hook
  smack: Refactor to remove bprm_secureexec hook
  selinux: Refactor to remove bprm_secureexec hook
  apparmor: Refactor to remove bprm_secureexec hook
  binfmt: Introduce secureexec flag
  exec: Correct comments about "point of no return"
  exec: Rename bprm->cred_prepared to called_set_creds
parents 44ccba3f fe8993b3

fs/binfmt_elf.c

+1 −1
Original line number Diff line number Diff line
@@ -252,7 +252,7 @@ create_elf_tables(struct linux_binprm *bprm, struct elfhdr *exec, 
	NEW_AUX_ENT(AT_EUID, from_kuid_munged(cred->user_ns, cred->euid));

	NEW_AUX_ENT(AT_GID, from_kgid_munged(cred->user_ns, cred->gid));

	NEW_AUX_ENT(AT_EGID, from_kgid_munged(cred->user_ns, cred->egid));

 	NEW_AUX_ENT(AT_SECURE, security_bprm_secureexec(bprm));

	NEW_AUX_ENT(AT_SECURE, bprm->secureexec);

	NEW_AUX_ENT(AT_RANDOM, (elf_addr_t)(unsigned long)u_rand_bytes);

#ifdef ELF_HWCAP2

	NEW_AUX_ENT(AT_HWCAP2, ELF_HWCAP2);

fs/binfmt_elf_fdpic.c

+1 −1
Original line number Diff line number Diff line
@@ -650,7 +650,7 @@ static int create_elf_fdpic_tables(struct linux_binprm *bprm, 
	NEW_AUX_ENT(AT_EUID,	(elf_addr_t) from_kuid_munged(cred->user_ns, cred->euid));

	NEW_AUX_ENT(AT_GID,	(elf_addr_t) from_kgid_munged(cred->user_ns, cred->gid));

	NEW_AUX_ENT(AT_EGID,	(elf_addr_t) from_kgid_munged(cred->user_ns, cred->egid));

	NEW_AUX_ENT(AT_SECURE,	security_bprm_secureexec(bprm));

	NEW_AUX_ENT(AT_SECURE,	bprm->secureexec);

	NEW_AUX_ENT(AT_EXECFN,	bprm->exec);



#ifdef ARCH_DLINFO

fs/binfmt_flat.c

+1 −1
Original line number Diff line number Diff line
@@ -890,7 +890,7 @@ static int load_flat_shared_library(int id, struct lib_info *libs) 
	 * as we're past the point of no return and are dealing with shared

	 * libraries.

	 */

	bprm.cred_prepared = 1;

	bprm.called_set_creds = 1;



	res = prepare_binprm(&bprm);

fs/exec.c

+41 −15
Original line number Diff line number Diff line
@@ -1259,6 +1259,12 @@ void __set_task_comm(struct task_struct *tsk, const char *buf, bool exec) 
	perf_event_comm(tsk, exec);

}



/*

 * Calling this is the point of no return. None of the failures will be

 * seen by userspace since either the process is already taking a fatal

 * signal (via de_thread() or coredump), or will have SEGV raised

 * (after exec_mmap()) by search_binary_handlers (see below).

 */

int flush_old_exec(struct linux_binprm * bprm)

{

	int retval;
@@ -1286,7 +1292,13 @@ int flush_old_exec(struct linux_binprm * bprm) 
	if (retval)

		goto out;



	bprm->mm = NULL;		/* We're using it now */

	/*

	 * After clearing bprm->mm (to mark that current is using the

	 * prepared mm now), we have nothing left of the original

	 * process. If anything from here on returns an error, the check

	 * in search_binary_handler() will SEGV current.

	 */

	bprm->mm = NULL;



	set_fs(USER_DS);

	current->flags &= ~(PF_RANDOMIZE | PF_FORKNOEXEC | PF_KTHREAD |
@@ -1331,15 +1343,38 @@ EXPORT_SYMBOL(would_dump); 


void setup_new_exec(struct linux_binprm * bprm)

{

	/*

	 * Once here, prepare_binrpm() will not be called any more, so

	 * the final state of setuid/setgid/fscaps can be merged into the

	 * secureexec flag.

	 */

	bprm->secureexec |= bprm->cap_elevated;



	if (bprm->secureexec) {

		/* Make sure parent cannot signal privileged process. */

		current->pdeath_signal = 0;



		/*

		 * For secureexec, reset the stack limit to sane default to

		 * avoid bad behavior from the prior rlimits. This has to

		 * happen before arch_pick_mmap_layout(), which examines

		 * RLIMIT_STACK, but after the point of no return to avoid

		 * needing to clean up the change on failure.

		 */

		if (current->signal->rlim[RLIMIT_STACK].rlim_cur > _STK_LIM)

			current->signal->rlim[RLIMIT_STACK].rlim_cur = _STK_LIM;

	}



	arch_pick_mmap_layout(current->mm);



	/* This is the point of no return */

	current->sas_ss_sp = current->sas_ss_size = 0;



	if (uid_eq(current_euid(), current_uid()) && gid_eq(current_egid(), current_gid()))

		set_dumpable(current->mm, SUID_DUMP_USER);

	else

	/* Figure out dumpability. */

	if (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP ||

	    bprm->secureexec)

		set_dumpable(current->mm, suid_dumpable);

	else

		set_dumpable(current->mm, SUID_DUMP_USER);



	arch_setup_new_exec();

	perf_event_exec();
@@ -1351,15 +1386,6 @@ void setup_new_exec(struct linux_binprm * bprm) 
	 */

	current->mm->task_size = TASK_SIZE;



	/* install the new credentials */

	if (!uid_eq(bprm->cred->uid, current_euid()) ||

	    !gid_eq(bprm->cred->gid, current_egid())) {

		current->pdeath_signal = 0;

	} else {

		if (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)

			set_dumpable(current->mm, suid_dumpable);

	}



	/* An exec changes our domain. We are no longer part of the thread

	   group */

	current->self_exec_id++;
@@ -1548,7 +1574,7 @@ int prepare_binprm(struct linux_binprm *bprm) 
	retval = security_bprm_set_creds(bprm);

	if (retval)

		return retval;

	bprm->cred_prepared = 1;

	bprm->called_set_creds = 1;



	memset(bprm->buf, 0, BINPRM_BUF_SIZE);

	return kernel_read(bprm->file, 0, bprm->buf, BINPRM_BUF_SIZE);

include/linux/binfmts.h

+19 −5
Original line number Diff line number Diff line
@@ -25,11 +25,25 @@ struct linux_binprm { 
	struct mm_struct *mm;

	unsigned long p; /* current top of mem */

	unsigned int

		cred_prepared:1,/* true if creds already prepared (multiple

				 * preps happen for interpreters) */

		cap_effective:1;/* true if has elevated effective capabilities,

				 * false if not; except for init which inherits

				 * its parent's caps anyway */

		/*

		 * True after the bprm_set_creds hook has been called once

		 * (multiple calls can be made via prepare_binprm() for

		 * binfmt_script/misc).

		 */

		called_set_creds:1,

		/*

		 * True if most recent call to the commoncaps bprm_set_creds

		 * hook (due to multiple prepare_binprm() calls from the

		 * binfmt_script/misc handlers) resulted in elevated

		 * privileges.

		 */

		cap_elevated:1,

		/*

		 * Set by bprm_set_creds hook to indicate a privilege-gaining

		 * exec has happened. Used to sanitize execution environment

		 * and to set AT_SECURE auxv for glibc.

		 */

		secureexec:1;

#ifdef __alpha__

	unsigned int taso:1;

#endif