Re: [GIT PULL] execve updates for v6.13-rc1 (take 2)

linux-security-module.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: "Eric W. Biederman" <ebiederm@xmission.com>
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
	 Kees Cook <kees@kernel.org>,
	 linux-kernel@vger.kernel.org,
	 Christophe JAILLET <christophe.jaillet@wanadoo.fr>,
	 Nir Lichtman <nir@lichtman.org>,
	 Tycho Andersen <tandersen@netflix.com>,
	 Vegard Nossum <vegard.nossum@oracle.com>,
	 linux-security-module@vger.kernel.org,
	 Al Viro <viro@zeniv.linux.org.uk>
Subject: Re: [GIT PULL] execve updates for v6.13-rc1 (take 2)
Date: Fri, 29 Nov 2024 13:33:19 -0600	[thread overview]
Message-ID: <87mshhn8cg.fsf@email.froward.int.ebiederm.org> (raw)
In-Reply-To: <87h67qoeh5.fsf@email.froward.int.ebiederm.org> (Eric W. Biederman's message of "Thu, 28 Nov 2024 22:23:18 -0600")


Casey and the smack folks my apologies for copying you in.

I just read the code below a little more carefully and it is definitely
a systemd bug.

mac_smack_read_fd reads the xattr that smack will apply as a label if it
is present.  So there is no reason for systemd to apply the label
itself.  Worse smack_bprm_creds_for_exec applies checks before
applying the label (aka is the superblock trusted) that systemd doesn't.

Which means systemd might apply a label from a smack xattr when
smack wouldn't.

> static int setup_smack(
>                 const ExecParameters *params,
>                 const ExecContext *context,
>                 int executable_fd) {
>         int r;
>
>         assert(params);
>         assert(executable_fd >= 0);
>
>         if (context->smack_process_label) {
>                 r = mac_smack_apply_pid(0, context->smack_process_label);
>                 if (r < 0)
>                         return r;
>         } else if (params->fallback_smack_process_label) {
>                 _cleanup_free_ char *exec_label = NULL;
>
>                 r = mac_smack_read_fd(executable_fd, SMACK_ATTR_EXEC, &exec_label);
>                 if (r < 0 && !ERRNO_IS_XATTR_ABSENT(r))
>                         return r;
>
>                 r = mac_smack_apply_pid(0, exec_label ?: params->fallback_smack_process_label);
>                 if (r < 0)
>                         return r;
>         }
>
>         return 0;
> }


Which means the systemd code should really be:

> static int setup_smack(
>                 const ExecParameters *params,
>                 const ExecContext *context) {
>         int r;
>
>         assert(params);
>         if (context->smack_process_label) {
>                 r = mac_smack_apply_pid(0, context->smack_process_label);
>                 if (r < 0)
>                         return r;
>         } else if (params->fallback_smack_process_label) {
>                 r = mac_smack_apply_pid(0, params->fallback_smack_process_label);
>                 if (r < 0)
>                         return r;
>         }
>
>         return 0;
> }


At which point systemd has no need to open the executable file
descriptor and thus no need to play with fexecve.

Eric

     prev parent reply	other threads:[~2024-11-29 19:33 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <202411210651.CD8B5A3B98@keescook>
     [not found] ` <CAHk-=wjMagH_5-_8KhAOJ+YSjXUR5FELYxFgqtWBHOhKyUzGxA@mail.gmail.com>
     [not found]   ` <05F133C4-DB2D-4186-9243-E9E18FCBF745@kernel.org>
     [not found]     ` <CAHk-=wgEjs8bwSMSpoyFRiUT=_NEFzF8BXFEvYzVQCu8RD=WmA@mail.gmail.com>
     [not found]       ` <202411271645.04C3508@keescook>
     [not found]         ` <CAHk-=wi+_a9Y8DtEp2P9RnDCjn=gd4ym_5ddSTEAadAyzy1rkw@mail.gmail.com>
     [not found]           ` <20241128020558.GF3387508@ZenIV>
     [not found]             ` <CAHk-=whb+V5UC0kuJkBByeEkeRGyLhTupBvpF-z57Hvmn7kszA@mail.gmail.com>
     [not found]               ` <13223528-74FF-4B68-B0CF-25DCC995D0A0@kernel.org>
     [not found]                 ` <CAHk-=wgKgi5eqo6oW0bBS2-Cr+d4jraoKfVq6wbmdiWWsZbMLw@mail.gmail.com>
     [not found]                   ` <20241129033419.GI3387508@ZenIV>
2024-11-29  4:23                     ` [GIT PULL] execve updates for v6.13-rc1 (take 2) Eric W. Biederman
2024-11-29  4:48                       ` Al Viro
2024-11-29 17:00                       ` Casey Schaufler
2024-11-29 19:33                       ` Eric W. Biederman [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87mshhn8cg.fsf@email.froward.int.ebiederm.org \
    --to=ebiederm@xmission.com \
    --cc=casey@schaufler-ca.com \
    --cc=christophe.jaillet@wanadoo.fr \
    --cc=kees@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=nir@lichtman.org \
    --cc=tandersen@netflix.com \
    --cc=torvalds@linux-foundation.org \
    --cc=vegard.nossum@oracle.com \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).