From: ebiederm@xmission.com (Eric W. Biederman)
To: Kees Cook <keescook@chromium.org>
Cc: "Linus Torvalds" <torvalds@linux-foundation.org>,
"Andy Lutomirski" <luto@kernel.org>,
"David Howells" <dhowells@redhat.com>,
"Serge Hallyn" <serge@hallyn.com>,
"John Johansen" <john.johansen@canonical.com>,
"Casey Schaufler" <casey@schaufler-ca.com>,
"Alexander Viro" <viro@zeniv.linux.org.uk>,
"Michal Hocko" <mhocko@kernel.org>,
"Ben Hutchings" <ben@decadent.org.uk>,
"Hugh Dickins" <hughd@google.com>,
"Oleg Nesterov" <oleg@redhat.com>,
"Jason A. Donenfeld" <Jason@zx2c4.com>,
"Rik van Riel" <riel@redhat.com>,
"James Morris" <james.l.morris@oracle.com>,
"Greg Ungerer" <gerg@linux-m68k.org>,
"Ingo Molnar" <mingo@kernel.org>,
"Nicolas Pitre" <nicolas.pitre@linaro.org>,
"Stephen Smalley" <sds@tycho.nsa.gov>,
"Paul Moore" <paul@paul-moore.com>,
"Vivek Goyal" <vgoyal@redhat.com>,
"Mickaël Salaün" <mic@digikod.net>,
"Tetsuo Handa" <penguin-kernel@i-love.sakura.ne.jp>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
"<linux-security-module@vger.kernel.org>"
<linux-security-module@vger.kernel.org>,
"SE Linux" <selinux@tycho.nsa.gov>
Subject: Re: [PATCH v2 2/8] exec: Move security_bprm_secureexec() earlier
Date: Mon, 10 Jul 2017 12:18:48 -0500 [thread overview]
Message-ID: <87bmosmcqv.fsf@xmission.com> (raw)
In-Reply-To: <CAGXu5jLw6SsXM66x7ZHdj+Pb8Aepq7rHn1saNHRhq-wqk8p=4g@mail.gmail.com> (Kees Cook's message of "Mon, 10 Jul 2017 09:06:29 -0700")
Kees Cook <keescook@chromium.org> writes:
> On Mon, Jul 10, 2017 at 1:57 AM, Eric W. Biederman
> <ebiederm@xmission.com> wrote:
>> Kees Cook <keescook@chromium.org> writes:
>>
>>> There are several places where exec needs to know if a privilege-gain has
>>> happened. These should be using the results of security_bprm_secureexec()
>>> but it is getting (needlessly) called very late.
>>
>> It is hard to tell at a glance but I believe this introduces a
>> regression.
>>
>> cap_bprm_set_creds is currently called before cap_bprm_secureexec and
>> it has a number of cases such as no_new_privs and ptrace that can result
>> in some of the precomputed credential changes not happening.
>>
>> Without accounting for that I believe your cap_bprm_securexec now
>> returns a postive value too early.
>
> It's still before cap_bprm_secureexec. cap_brpm_set_creds() is in
> prepare_binprm(), which is well before exec_binprm() and it's eventual
> call to setup_new_exec().
Good point. I didn't double check and the set in the name had me
thinking it was setting the creds on current.
Is there any reason we need a second security hook? It feels like we
should be able to just fold the secureexec hook into the set_creds hook.
The two are so interrelated I fear that having them separate only
encourages them to diverge in trivial ways as it is easy to forget about
some detail or other.
Certainly having them called from different functions seems wrong. If
we know enough in prepare_binprm we know enough.
Eric
WARNING: multiple messages have this Message-ID (diff)
From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)
To: Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
Cc: "Nicolas Pitre"
<nicolas.pitre-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>,
"Jason A. Donenfeld"
<Jason-OnJsPKxuuEcAvxtiuMwx3w@public.gmane.org>,
"Andy Lutomirski" <luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
"Tetsuo Handa"
<penguin-kernel-1yMVhJb1mP/7nzcFbJAaVXf5DAMn2ifp@public.gmane.org>,
"Michal Hocko" <mhocko-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
"David Howells"
<dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
"SE Linux" <selinux-+05T5uksL2qpZYMLLGbcSA@public.gmane.org>,
"Ingo Molnar" <mingo-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
"Hugh Dickins" <hughd-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>,
"Greg Ungerer" <gerg-Td1EMuHUCqxL1ZNQvxDV9g@public.gmane.org>,
"Stephen Smalley" <sds-+05T5uksL2qpZYMLLGbcSA@public.gmane.org>,
"Vivek Goyal" <vgoyal-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
"Rik van Riel" <riel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
"linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
<linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
"Alexander Viro"
<viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org>,
"James Morris"
<james.l.morris-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>,
"Mickaël Salaün" <mic-WFhQfpSGs3bR7s880joybQ@public.gmane.org>,
"John Johansen"
<john.johansen-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>,
"Ben Hutchings" <ben-/+tVBieCtBitmTQ+vhA3Yw@public.gmane.org>,
"Oleg Nesterov" <oleg@r>
Subject: Re: [PATCH v2 2/8] exec: Move security_bprm_secureexec() earlier
Date: Mon, 10 Jul 2017 12:18:48 -0500 [thread overview]
Message-ID: <87bmosmcqv.fsf@xmission.com> (raw)
In-Reply-To: <CAGXu5jLw6SsXM66x7ZHdj+Pb8Aepq7rHn1saNHRhq-wqk8p=4g-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> (Kees Cook's message of "Mon, 10 Jul 2017 09:06:29 -0700")
Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> writes:
> On Mon, Jul 10, 2017 at 1:57 AM, Eric W. Biederman
> <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org> wrote:
>> Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> writes:
>>
>>> There are several places where exec needs to know if a privilege-gain has
>>> happened. These should be using the results of security_bprm_secureexec()
>>> but it is getting (needlessly) called very late.
>>
>> It is hard to tell at a glance but I believe this introduces a
>> regression.
>>
>> cap_bprm_set_creds is currently called before cap_bprm_secureexec and
>> it has a number of cases such as no_new_privs and ptrace that can result
>> in some of the precomputed credential changes not happening.
>>
>> Without accounting for that I believe your cap_bprm_securexec now
>> returns a postive value too early.
>
> It's still before cap_bprm_secureexec. cap_brpm_set_creds() is in
> prepare_binprm(), which is well before exec_binprm() and it's eventual
> call to setup_new_exec().
Good point. I didn't double check and the set in the name had me
thinking it was setting the creds on current.
Is there any reason we need a second security hook? It feels like we
should be able to just fold the secureexec hook into the set_creds hook.
The two are so interrelated I fear that having them separate only
encourages them to diverge in trivial ways as it is easy to forget about
some detail or other.
Certainly having them called from different functions seems wrong. If
we know enough in prepare_binprm we know enough.
Eric
next prev parent reply other threads:[~2017-07-10 17:18 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-07-10 7:57 [PATCH v2 0/8] exec: Use sane stack rlimit under secureexec Kees Cook
2017-07-10 7:57 ` Kees Cook
2017-07-10 7:57 ` [PATCH v2 1/8] exec: Correct comments about "point of no return" Kees Cook
2017-07-10 7:57 ` Kees Cook
2017-07-10 8:46 ` Eric W. Biederman
2017-07-10 8:46 ` Eric W. Biederman
2017-07-10 16:04 ` Kees Cook
2017-07-10 16:04 ` Kees Cook
2017-07-10 17:07 ` Eric W. Biederman
2017-07-10 17:07 ` Eric W. Biederman
2017-07-18 6:39 ` Kees Cook
2017-07-18 6:39 ` Kees Cook
2017-07-18 13:12 ` Eric W. Biederman
2017-07-18 13:12 ` Eric W. Biederman
2017-07-18 13:42 ` Kees Cook
2017-07-18 13:42 ` Kees Cook
2017-07-10 7:57 ` [PATCH v2 2/8] exec: Move security_bprm_secureexec() earlier Kees Cook
2017-07-10 7:57 ` Kees Cook
2017-07-10 8:57 ` Eric W. Biederman
2017-07-10 8:57 ` Eric W. Biederman
2017-07-10 16:06 ` Kees Cook
2017-07-10 16:06 ` Kees Cook
2017-07-10 17:18 ` Eric W. Biederman [this message]
2017-07-10 17:18 ` Eric W. Biederman
2017-07-11 2:07 ` Kees Cook
2017-07-11 2:07 ` Kees Cook
2017-07-18 6:45 ` Kees Cook
2017-07-18 6:45 ` Kees Cook
2017-07-10 7:57 ` [PATCH v2 3/8] exec: Use secureexec for setting dumpability Kees Cook
2017-07-10 7:57 ` Kees Cook
2017-07-10 7:57 ` [PATCH v2 4/8] exec: Use secureexec for clearing pdeath_signal Kees Cook
2017-07-10 7:57 ` Kees Cook
2017-07-10 7:57 ` [PATCH v2 5/8] smack: Remove redundant pdeath_signal clearing Kees Cook
2017-07-10 7:57 ` Kees Cook
2017-07-10 7:57 ` [PATCH v2 6/8] exec: Consolidate dumpability logic Kees Cook
2017-07-10 7:57 ` Kees Cook
2017-07-10 7:57 ` [PATCH v2 7/8] exec: Consolidate pdeath_signal clearing Kees Cook
2017-07-10 7:57 ` Kees Cook
2017-07-10 7:57 ` [PATCH v2 8/8] exec: Use sane stack rlimit under secureexec Kees Cook
2017-07-10 7:57 ` Kees Cook
2017-07-10 14:08 ` Ben Hutchings
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87bmosmcqv.fsf@xmission.com \
--to=ebiederm@xmission.com \
--cc=Jason@zx2c4.com \
--cc=ben@decadent.org.uk \
--cc=casey@schaufler-ca.com \
--cc=dhowells@redhat.com \
--cc=gerg@linux-m68k.org \
--cc=hughd@google.com \
--cc=james.l.morris@oracle.com \
--cc=john.johansen@canonical.com \
--cc=keescook@chromium.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mhocko@kernel.org \
--cc=mic@digikod.net \
--cc=mingo@kernel.org \
--cc=nicolas.pitre@linaro.org \
--cc=oleg@redhat.com \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=riel@redhat.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=serge@hallyn.com \
--cc=torvalds@linux-foundation.org \
--cc=vgoyal@redhat.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.