From: "Andy Lutomirski" <luto@kernel.org>
To: "Jann Horn" <jannh@google.com>, "Christian Brauner" <brauner@kernel.org>
Cc: "Kees Cook" <keescook@chromium.org>,
"Eric W. Biederman" <ebiederm@xmission.com>,
"Jorge Merlino" <jorge.merlino@canonical.com>,
"Al Viro" <viro@zeniv.linux.org.uk>,
"Thomas Gleixner" <tglx@linutronix.de>,
"Sebastian Andrzej Siewior" <bigeasy@linutronix.de>,
"Andrew Morton" <akpm@linux-foundation.org>,
linux-mm@kvack.org, linux-fsdevel@vger.kernel.org,
"John Johansen" <john.johansen@canonical.com>,
"Paul Moore" <paul@paul-moore.com>,
"James Morris" <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
"Stephen Smalley" <stephen.smalley.work@gmail.com>,
"Eric Paris" <eparis@parisplace.org>,
"Richard Haines" <richard_c_haines@btinternet.com>,
"Casey Schaufler" <casey@schaufler-ca.com>,
"Xin Long" <lucien.xin@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
"Todd Kjos" <tkjos@google.com>,
"Ondrej Mosnacek" <omosnace@redhat.com>,
"Prashanth Prahlad" <pprahlad@redhat.com>,
"Micah Morton" <mortonm@chromium.org>,
"Fenghua Yu" <fenghua.yu@intel.com>,
"Andrei Vagin" <avagin@gmail.com>,
"Linux Kernel Mailing List" <linux-kernel@vger.kernel.org>,
apparmor@lists.ubuntu.com, linux-security-module@vger.kernel.org,
selinux@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH 1/2] fs/exec: Explicitly unshare fs_struct on exec
Date: Thu, 13 Oct 2022 20:18:04 -0700 [thread overview]
Message-ID: <2032f766-1704-486b-8f24-a670c0b3cb32@app.fastmail.com> (raw)
In-Reply-To: <CAG48ez0sEkmaez9tYqgMXrkREmXZgxC9fdQD3mzF9cGo_=Tfyg@mail.gmail.com>
On Thu, Oct 6, 2022, at 7:13 AM, Jann Horn wrote:
> On Thu, Oct 6, 2022 at 11:05 AM Christian Brauner <brauner@kernel.org> wrote:
>> On Thu, Oct 06, 2022 at 01:27:34AM -0700, Kees Cook wrote:
>> > The check_unsafe_exec() counting of n_fs would not add up under a heavily
>> > threaded process trying to perform a suid exec, causing the suid portion
>> > to fail. This counting error appears to be unneeded, but to catch any
>> > possible conditions, explicitly unshare fs_struct on exec, if it ends up
>>
>> Isn't this a potential uapi break? Afaict, before this change a call to
>> clone{3}(CLONE_FS) followed by an exec in the child would have the
>> parent and child share fs information. So if the child e.g., changes the
>> working directory post exec it would also affect the parent. But after
>> this change here this would no longer be true. So a child changing a
>> workding directoro would not affect the parent anymore. IOW, an exec is
>> accompanied by an unshare(CLONE_FS). Might still be worth trying ofc but
>> it seems like a non-trivial uapi change but there might be few users
>> that do clone{3}(CLONE_FS) followed by an exec.
>
> I believe the following code in Chromium explicitly relies on this
> behavior, but I'm not sure whether this code is in active use anymore:
>
> https://source.chromium.org/chromium/chromium/src/+/main:sandbox/linux/suid/sandbox.c;l=101?q=CLONE_FS&sq=&ss=chromium
Wait, this is absolutely nucking futs. On a very quick inspection, the sharable things like this are fs, files, sighand, and io. files and sighand get unshared, which makes sense. fs supposedly checks for extra refs and prevents gaining privilege. io is... ignored! At least it's not immediately obvious that io is a problem.
But seriously, this makes no sense at all. It should not be possible to exec a program and then, without ptrace, change its cwd out from under it. Do we really need to preserve this behavior?
--Andy
next prev parent reply other threads:[~2022-10-14 3:19 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-06 8:27 [PATCH 0/2] fs/exec: Explicitly unshare fs_struct on exec Kees Cook
2022-10-06 8:27 ` [PATCH 1/2] " Kees Cook
2022-10-06 9:05 ` Christian Brauner
2022-10-06 10:48 ` David Laight
2022-10-06 14:13 ` Jann Horn
2022-10-06 15:25 ` Kees Cook
2022-10-06 15:35 ` Jann Horn
2025-05-13 13:05 ` Mateusz Guzik
2025-05-13 15:29 ` Eric W. Biederman
2025-05-13 20:57 ` Kees Cook
2025-05-13 21:09 ` Jann Horn
2025-05-13 22:16 ` Eric W. Biederman
2025-05-14 0:03 ` Mateusz Guzik
2025-05-14 15:33 ` Eric W. Biederman
2025-05-14 15:42 ` Kees Cook
2025-05-15 16:48 ` Eric W. Biederman
2025-05-13 23:15 ` Kees Cook
2022-10-14 3:18 ` Andy Lutomirski [this message]
2022-10-14 3:54 ` Kees Cook
2022-10-14 15:35 ` Jann Horn
2022-10-18 7:09 ` Kees Cook
2022-10-18 11:19 ` Jann Horn
2022-10-14 22:03 ` David Laight
2022-11-28 17:49 ` Eric W. Biederman
2022-10-06 8:27 ` [PATCH 2/2] exec: Remove LSM_UNSAFE_SHARE Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2032f766-1704-486b-8f24-a670c0b3cb32@app.fastmail.com \
--to=luto@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=apparmor@lists.ubuntu.com \
--cc=avagin@gmail.com \
--cc=bigeasy@linutronix.de \
--cc=brauner@kernel.org \
--cc=casey@schaufler-ca.com \
--cc=davem@davemloft.net \
--cc=ebiederm@xmission.com \
--cc=eparis@parisplace.org \
--cc=fenghua.yu@intel.com \
--cc=jannh@google.com \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=jorge.merlino@canonical.com \
--cc=keescook@chromium.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lucien.xin@gmail.com \
--cc=mortonm@chromium.org \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=pprahlad@redhat.com \
--cc=richard_c_haines@btinternet.com \
--cc=selinux@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=stephen.smalley.work@gmail.com \
--cc=tglx@linutronix.de \
--cc=tkjos@google.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).