From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)
To: Linux Containers
<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>
Cc: "Linus Torvalds"
<torvalds-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>,
linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
"Linux API" <linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
"Andy Lutomirski" <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>,
"Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>,
"Richard Weinberger" <richard-/L3Ra7n9ekc@public.gmane.org>,
"Kenton Varda" <kenton-AuYgBwuPrUQTaNkGU808tA@public.gmane.org>,
"Michael Kerrisk-manpages"
<mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
"Stéphane Graber"
<stgraber-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>,
"Eric Windisch"
<ewindisch-FCduhRhOUaTQT0dZR+AlfA@public.gmane.org>,
"Greg Kroah-Hartman"
<gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org>,
"Tejun Heo" <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
"Seth Forshee"
<seth.forshee-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>,
"Omar Sandoval" <osandov-nWWhXC5lh1RBDgjK7y7TUQ@public.gmane.org>,
"Ivan Delalande" <colona-nzgTgzXrdUbQT0dZR+AlfA@public.gmane.org>,
"Al Viro"
<viro-3bDd1+5oDREiFSDQTTA3OLVCufUGDwFn@public.gmane.org>
Subject: [REVIEW][PATCH 0/2] noexec on proc and sysfs
Date: Fri, 10 Jul 2015 11:16:14 -0500 [thread overview]
Message-ID: <87mvz4yomp.fsf_-_@x220.int.ebiederm.org> (raw)
In-Reply-To: <20150704231118.GT17109-3bDd1+5oDREiFSDQTTA3OLVCufUGDwFn@public.gmane.org> (Al Viro's message of "Sun, 5 Jul 2015 00:11:18 +0100")
Given the code I have seen executables especially suid root executable
appearing on proc or sysfs will break userspace because there are
current applications that depend on nosuid and noexec on proc and sysfs
being meaningless.
This patchset addes a new flag SB_I_NOEXEC to enforce that restriction,
and to make it hard for a kernel developer to make the mistake of adding
executables to sysfs or proc.
The first patch has been updated since last time to a super block flags
instead of a file_system type flag based on Al's suggestion.
The code in fs_fully_visible to enforce nosuid and noexec when needed
has also been added.
At a practical level this code is a no-op on a slow path, to guard
against future mistakes and to make auditing the kernel for this class
of problem trivial.
git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace.git for-testing
Eric W. Biederman (2):
vfs: Commit to never having exectuables on proc and sysfs.
mnt: fs_fully_visible enforce noexec and nosuid if !SB_I_NOEXEC
fs/exec.c | 10 ++++++++--
fs/namespace.c | 33 +++++++++++++++++++++++++--------
fs/open.c | 2 +-
fs/proc/root.c | 2 ++
fs/sysfs/mount.c | 4 ++++
include/linux/fs.h | 3 +++
kernel/sys.c | 3 +--
mm/mmap.c | 4 ++--
mm/nommu.c | 2 +-
security/security.c | 2 +-
10 files changed, 48 insertions(+), 17 deletions(-)
next prev parent reply other threads:[~2015-07-10 16:16 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-06-26 20:50 [GIT PULL] User namespace related fixes for v4.2 Eric W. Biederman
2015-06-29 16:43 ` Linus Torvalds
[not found] ` <CA+55aFysKDXr2HEwNzm3z9QOw=E4ZeWcvYQ-xLhy5_k+rGbeRg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-06-29 21:13 ` Eric W. Biederman
2015-07-03 22:10 ` Linus Torvalds
[not found] ` <CA+55aFw-DK-xDC-3HYa=BMX8WNyQgT9O01tihrAS9+-7PPj_jA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-07-04 23:11 ` Al Viro
[not found] ` <20150704231118.GT17109-3bDd1+5oDREiFSDQTTA3OLVCufUGDwFn@public.gmane.org>
2015-07-10 16:16 ` [REVIEW][PATCH 0/2] noexec on proc and sysfs Eric W. Biederman
2015-07-10 16:16 ` Eric W. Biederman [this message]
2015-07-10 16:17 ` [REVIEW][PATCH 1/2] vfs: Commit to never having exectuables " Eric W. Biederman
[not found] ` <87h9pcyokc.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2015-07-10 18:24 ` Richard Weinberger
[not found] ` <55A00DE9.7060806-/L3Ra7n9ekc@public.gmane.org>
2015-07-10 19:30 ` Greg Kroah-Hartman
[not found] ` <20150710193052.GB19824-U8xfFu+wG4EAvxtiuMwx3w@public.gmane.org>
2015-07-10 19:38 ` Richard Weinberger
2015-07-10 19:38 ` Richard Weinberger
[not found] ` <55A01F4B.9010205-/L3Ra7n9ekc@public.gmane.org>
2015-07-10 20:00 ` Eric W. Biederman
2015-07-10 20:00 ` Eric W. Biederman
2015-07-10 19:30 ` Greg Kroah-Hartman
[not found] ` <87mvz4yomp.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2015-07-10 16:17 ` Eric W. Biederman
2015-07-10 16:18 ` [REVIEW][PATCH 2/2] mnt: fs_fully_visible enforce noexec and nosuid if !SB_I_NOEXEC Eric W. Biederman
[not found] ` <87pp4eqktr.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2015-07-03 22:10 ` [GIT PULL] User namespace related fixes for v4.2 Linus Torvalds
[not found] ` <87381eyz26.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2015-06-29 16:43 ` Linus Torvalds
2015-07-01 20:41 ` Eric W. Biederman
2015-07-06 20:47 ` Seth Forshee
2015-07-06 21:24 ` Eric W. Biederman
[not found] ` <E81DECCD-9B19-4D42-BE43-5987DE7B05DB-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2015-07-06 22:25 ` Seth Forshee
2015-07-06 22:25 ` Seth Forshee
2015-07-06 21:24 ` Eric W. Biederman
[not found] ` <878uazhapq.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2015-07-06 20:47 ` Seth Forshee
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87mvz4yomp.fsf_-_@x220.int.ebiederm.org \
--to=ebiederm-as9lmozglivwk0htik3j/w@public.gmane.org \
--cc=colona-nzgTgzXrdUbQT0dZR+AlfA@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=ewindisch-FCduhRhOUaTQT0dZR+AlfA@public.gmane.org \
--cc=gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org \
--cc=kenton-AuYgBwuPrUQTaNkGU808tA@public.gmane.org \
--cc=linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org \
--cc=mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
--cc=osandov-nWWhXC5lh1RBDgjK7y7TUQ@public.gmane.org \
--cc=richard-/L3Ra7n9ekc@public.gmane.org \
--cc=serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org \
--cc=seth.forshee-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org \
--cc=stgraber-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org \
--cc=tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
--cc=torvalds-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org \
--cc=viro-3bDd1+5oDREiFSDQTTA3OLVCufUGDwFn@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.