exec: Convert security_bprm_set_creds into security_bprm_repopulate_creds
Rename bprm->cap_elevated to bprm->active_secureexec and initialize it in prepare_binprm instead of in cap_bprm_set_creds. Initializing bprm->active_secureexec in prepare_binprm allows multiple implementations of security_bprm_repopulate_creds to play nicely with each other. Rename security_bprm_set_creds to security_bprm_reopulate_creds to emphasize that this path recomputes part of bprm->cred. This recomputation avoids the time of check vs time of use problems that are inherent in unix #! interpreters. In short two renames and a move in the location of initializing bprm->active_secureexec. Link: https://lkml.kernel.org/r/87o8qkzrxp.fsf_-_@x220.int.ebiederm.org Acked-by: Linus Torvalds <torvalds@linux-foundation.org> Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
This commit is contained in:
Eric W. Biederman
parent
b8bff59926
commit
112b714759
@ -1366,7 +1366,7 @@ int begin_new_exec(struct linux_binprm * bprm)
|
|||||||
* the final state of setuid/setgid/fscaps can be merged into the
|
* the final state of setuid/setgid/fscaps can be merged into the
|
||||||
* secureexec flag.
|
* secureexec flag.
|
||||||
*/
|
*/
|
||||||
bprm->secureexec |= bprm->cap_elevated;
|
bprm->secureexec |= bprm->active_secureexec;
|
||||||
|
|
||||||
if (bprm->secureexec) {
|
if (bprm->secureexec) {
|
||||||
/* Make sure parent cannot signal privileged process. */
|
/* Make sure parent cannot signal privileged process. */
|
||||||
@ -1634,10 +1634,10 @@ int prepare_binprm(struct linux_binprm *bprm)
|
|||||||
int retval;
|
int retval;
|
||||||
loff_t pos = 0;
|
loff_t pos = 0;
|
||||||
|
|
||||||
|
/* Recompute parts of bprm->cred based on bprm->file */
|
||||||
|
bprm->active_secureexec = 0;
|
||||||
bprm_fill_uid(bprm);
|
bprm_fill_uid(bprm);
|
||||||
|
retval = security_bprm_repopulate_creds(bprm);
|
||||||
/* fill in binprm security blob */
|
|
||||||
retval = security_bprm_set_creds(bprm);
|
|
||||||
if (retval)
|
if (retval)
|
||||||
return retval;
|
return retval;
|
||||||
|
|
||||||
|
|||||||
@ -27,10 +27,10 @@ struct linux_binprm {
|
|||||||
unsigned long argmin; /* rlimit marker for copy_strings() */
|
unsigned long argmin; /* rlimit marker for copy_strings() */
|
||||||
unsigned int
|
unsigned int
|
||||||
/*
|
/*
|
||||||
* True if most recent call to cap_bprm_set_creds
|
* True if most recent call to security_bprm_set_creds
|
||||||
* resulted in elevated privileges.
|
* resulted in elevated privileges.
|
||||||
*/
|
*/
|
||||||
cap_elevated:1,
|
active_secureexec:1,
|
||||||
/*
|
/*
|
||||||
* Set by bprm_creds_for_exec hook to indicate a
|
* Set by bprm_creds_for_exec hook to indicate a
|
||||||
* privilege-gaining exec has happened. Used to set
|
* privilege-gaining exec has happened. Used to set
|
||||||
|
|||||||
@ -50,7 +50,7 @@ LSM_HOOK(int, 0, settime, const struct timespec64 *ts,
|
|||||||
const struct timezone *tz)
|
const struct timezone *tz)
|
||||||
LSM_HOOK(int, 0, vm_enough_memory, struct mm_struct *mm, long pages)
|
LSM_HOOK(int, 0, vm_enough_memory, struct mm_struct *mm, long pages)
|
||||||
LSM_HOOK(int, 0, bprm_creds_for_exec, struct linux_binprm *bprm)
|
LSM_HOOK(int, 0, bprm_creds_for_exec, struct linux_binprm *bprm)
|
||||||
LSM_HOOK(int, 0, bprm_set_creds, struct linux_binprm *bprm)
|
LSM_HOOK(int, 0, bprm_repopulate_creds, struct linux_binprm *bprm)
|
||||||
LSM_HOOK(int, 0, bprm_check_security, struct linux_binprm *bprm)
|
LSM_HOOK(int, 0, bprm_check_security, struct linux_binprm *bprm)
|
||||||
LSM_HOOK(void, LSM_RET_VOID, bprm_committing_creds, struct linux_binprm *bprm)
|
LSM_HOOK(void, LSM_RET_VOID, bprm_committing_creds, struct linux_binprm *bprm)
|
||||||
LSM_HOOK(void, LSM_RET_VOID, bprm_committed_creds, struct linux_binprm *bprm)
|
LSM_HOOK(void, LSM_RET_VOID, bprm_committed_creds, struct linux_binprm *bprm)
|
||||||
|
|||||||
@ -44,7 +44,7 @@
|
|||||||
* request libc enable secure mode.
|
* request libc enable secure mode.
|
||||||
* @bprm contains the linux_binprm structure.
|
* @bprm contains the linux_binprm structure.
|
||||||
* Return 0 if the hook is successful and permission is granted.
|
* Return 0 if the hook is successful and permission is granted.
|
||||||
* @bprm_set_creds:
|
* @bprm_repopulate_creds:
|
||||||
* Assuming that the relevant bits of @bprm->cred->security have been
|
* Assuming that the relevant bits of @bprm->cred->security have been
|
||||||
* previously set, examine @bprm->file and regenerate them. This is
|
* previously set, examine @bprm->file and regenerate them. This is
|
||||||
* so that the credentials derived from the interpreter the code is
|
* so that the credentials derived from the interpreter the code is
|
||||||
@ -53,7 +53,7 @@
|
|||||||
* reopen script, and may end up opening something completely different.
|
* reopen script, and may end up opening something completely different.
|
||||||
* This hook may also optionally check permissions (e.g. for
|
* This hook may also optionally check permissions (e.g. for
|
||||||
* transitions between security domains).
|
* transitions between security domains).
|
||||||
* The hook must set @bprm->cap_elevated to 1 if AT_SECURE should be set to
|
* The hook must set @bprm->active_secureexec to 1 if AT_SECURE should be set to
|
||||||
* request libc enable secure mode.
|
* request libc enable secure mode.
|
||||||
* @bprm contains the linux_binprm structure.
|
* @bprm contains the linux_binprm structure.
|
||||||
* Return 0 if the hook is successful and permission is granted.
|
* Return 0 if the hook is successful and permission is granted.
|
||||||
|
|||||||
@ -140,7 +140,7 @@ extern int cap_capset(struct cred *new, const struct cred *old,
|
|||||||
const kernel_cap_t *effective,
|
const kernel_cap_t *effective,
|
||||||
const kernel_cap_t *inheritable,
|
const kernel_cap_t *inheritable,
|
||||||
const kernel_cap_t *permitted);
|
const kernel_cap_t *permitted);
|
||||||
extern int cap_bprm_set_creds(struct linux_binprm *bprm);
|
extern int cap_bprm_repopulate_creds(struct linux_binprm *bprm);
|
||||||
extern int cap_inode_setxattr(struct dentry *dentry, const char *name,
|
extern int cap_inode_setxattr(struct dentry *dentry, const char *name,
|
||||||
const void *value, size_t size, int flags);
|
const void *value, size_t size, int flags);
|
||||||
extern int cap_inode_removexattr(struct dentry *dentry, const char *name);
|
extern int cap_inode_removexattr(struct dentry *dentry, const char *name);
|
||||||
@ -277,7 +277,7 @@ int security_syslog(int type);
|
|||||||
int security_settime64(const struct timespec64 *ts, const struct timezone *tz);
|
int security_settime64(const struct timespec64 *ts, const struct timezone *tz);
|
||||||
int security_vm_enough_memory_mm(struct mm_struct *mm, long pages);
|
int security_vm_enough_memory_mm(struct mm_struct *mm, long pages);
|
||||||
int security_bprm_creds_for_exec(struct linux_binprm *bprm);
|
int security_bprm_creds_for_exec(struct linux_binprm *bprm);
|
||||||
int security_bprm_set_creds(struct linux_binprm *bprm);
|
int security_bprm_repopulate_creds(struct linux_binprm *bprm);
|
||||||
int security_bprm_check(struct linux_binprm *bprm);
|
int security_bprm_check(struct linux_binprm *bprm);
|
||||||
void security_bprm_committing_creds(struct linux_binprm *bprm);
|
void security_bprm_committing_creds(struct linux_binprm *bprm);
|
||||||
void security_bprm_committed_creds(struct linux_binprm *bprm);
|
void security_bprm_committed_creds(struct linux_binprm *bprm);
|
||||||
@ -575,9 +575,9 @@ static inline int security_bprm_creds_for_exec(struct linux_binprm *bprm)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static inline int security_bprm_set_creds(struct linux_binprm *bprm)
|
static inline int security_bprm_repopulate_creds(struct linux_binprm *bprm)
|
||||||
{
|
{
|
||||||
return cap_bprm_set_creds(bprm);
|
return cap_bprm_repopulate_creds(bprm);
|
||||||
}
|
}
|
||||||
|
|
||||||
static inline int security_bprm_check(struct linux_binprm *bprm)
|
static inline int security_bprm_check(struct linux_binprm *bprm)
|
||||||
|
|||||||
@ -797,14 +797,14 @@ static inline bool nonroot_raised_pE(struct cred *new, const struct cred *old,
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* cap_bprm_set_creds - Set up the proposed credentials for execve().
|
* cap_bprm_repopulate_creds - Set up the proposed credentials for execve().
|
||||||
* @bprm: The execution parameters, including the proposed creds
|
* @bprm: The execution parameters, including the proposed creds
|
||||||
*
|
*
|
||||||
* Set up the proposed credentials for a new execution context being
|
* Set up the proposed credentials for a new execution context being
|
||||||
* constructed by execve(). The proposed creds in @bprm->cred is altered,
|
* constructed by execve(). The proposed creds in @bprm->cred is altered,
|
||||||
* which won't take effect immediately. Returns 0 if successful, -ve on error.
|
* which won't take effect immediately. Returns 0 if successful, -ve on error.
|
||||||
*/
|
*/
|
||||||
int cap_bprm_set_creds(struct linux_binprm *bprm)
|
int cap_bprm_repopulate_creds(struct linux_binprm *bprm)
|
||||||
{
|
{
|
||||||
const struct cred *old = current_cred();
|
const struct cred *old = current_cred();
|
||||||
struct cred *new = bprm->cred;
|
struct cred *new = bprm->cred;
|
||||||
@ -884,12 +884,11 @@ int cap_bprm_set_creds(struct linux_binprm *bprm)
|
|||||||
return -EPERM;
|
return -EPERM;
|
||||||
|
|
||||||
/* Check for privilege-elevated exec. */
|
/* Check for privilege-elevated exec. */
|
||||||
bprm->cap_elevated = 0;
|
|
||||||
if (is_setid ||
|
if (is_setid ||
|
||||||
(!__is_real(root_uid, new) &&
|
(!__is_real(root_uid, new) &&
|
||||||
(effective ||
|
(effective ||
|
||||||
__cap_grew(permitted, ambient, new))))
|
__cap_grew(permitted, ambient, new))))
|
||||||
bprm->cap_elevated = 1;
|
bprm->active_secureexec = 1;
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
@ -1346,7 +1345,7 @@ static struct security_hook_list capability_hooks[] __lsm_ro_after_init = {
|
|||||||
LSM_HOOK_INIT(ptrace_traceme, cap_ptrace_traceme),
|
LSM_HOOK_INIT(ptrace_traceme, cap_ptrace_traceme),
|
||||||
LSM_HOOK_INIT(capget, cap_capget),
|
LSM_HOOK_INIT(capget, cap_capget),
|
||||||
LSM_HOOK_INIT(capset, cap_capset),
|
LSM_HOOK_INIT(capset, cap_capset),
|
||||||
LSM_HOOK_INIT(bprm_set_creds, cap_bprm_set_creds),
|
LSM_HOOK_INIT(bprm_repopulate_creds, cap_bprm_repopulate_creds),
|
||||||
LSM_HOOK_INIT(inode_need_killpriv, cap_inode_need_killpriv),
|
LSM_HOOK_INIT(inode_need_killpriv, cap_inode_need_killpriv),
|
||||||
LSM_HOOK_INIT(inode_killpriv, cap_inode_killpriv),
|
LSM_HOOK_INIT(inode_killpriv, cap_inode_killpriv),
|
||||||
LSM_HOOK_INIT(inode_getsecurity, cap_inode_getsecurity),
|
LSM_HOOK_INIT(inode_getsecurity, cap_inode_getsecurity),
|
||||||
|
|||||||
@ -828,9 +828,9 @@ int security_bprm_creds_for_exec(struct linux_binprm *bprm)
|
|||||||
return call_int_hook(bprm_creds_for_exec, 0, bprm);
|
return call_int_hook(bprm_creds_for_exec, 0, bprm);
|
||||||
}
|
}
|
||||||
|
|
||||||
int security_bprm_set_creds(struct linux_binprm *bprm)
|
int security_bprm_repopulate_creds(struct linux_binprm *bprm)
|
||||||
{
|
{
|
||||||
return call_int_hook(bprm_set_creds, 0, bprm);
|
return call_int_hook(bprm_repopulate_creds, 0, bprm);
|
||||||
}
|
}
|
||||||
|
|
||||||
int security_bprm_check(struct linux_binprm *bprm)
|
int security_bprm_check(struct linux_binprm *bprm)
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user