From: Max Kellermann <max.kellermann@ionos.com>
To: "Andrew G. Morgan" <morgan@kernel.org>
Cc: "Serge E. Hallyn" <serge@hallyn.com>,
Andy Lutomirski <luto@kernel.org>,
paul@paul-moore.com, jmorris@namei.org, kees@kernel.org,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] security/commoncap: don't assume "setid" if all ids are identical
Date: Wed, 7 May 2025 08:33:25 +0200 [thread overview]
Message-ID: <CAKPOu+_=ocLeEqcaSMjb5qqrvi6KAu3GYJa19Fqz_dm3a5F77w@mail.gmail.com> (raw)
In-Reply-To: <CACmP8U+aLY7wmEqdb=a_tpDCY5LaPGb46DU+jSD3bCXX=JUAuA@mail.gmail.com>
On Wed, May 7, 2025 at 5:16 AM Andrew G. Morgan <morgan@kernel.org> wrote:
> If a setuid program execs itself, does the presence of this code undo
> any protection the kernel afforded it on its first invocation?
What protection do you mean, and what behavior do you expect when
setid execs itself? I see this affects:
1. reset effective ids to real ids (only affects NO_NEW_PRIVS)
2. new cap_permitted cannot be higher than old cap_permitted
3. clear cap_ambient
4. clear pdeath_signal (in begin_new_exec)
5. reset stack limits (in begin_new_exec)
About these (from my very limited knowledge of this part of the kernel):
1. is my primary goal, and really no new privs gained by allowing the
process to keep existing ids
2. only ever changes anything if new cap_permitted is higher, but if
that's the case, the is_setid check is irrelevant because __cap_gained
is true, therefore no change with my patch
3. as I already described, the kernel is wrong (or the documentation
is wrong), and my patch adjusts kernel to behave as documented
4. I don't see how this is dangerous for anything regarding re-exec;
if pdeath_signal wasn't reset on the first exec, it's safe to keep it
after the re-exec, too
5. same as 4, I think
Did I miss anything?
> FWIW I ran the libcap quicktest.sh script against your change and it
> doesn't break any capability thing I test for when making libcap
> releases.
Thanks for taking the time to run these tests. I'm glad the existing
tests didn't find any obvious bugs. If we identify an actual problem
with my patch, let's write a new test that fails with my patch!
> That being said, in general this whole zoo of *[ug]id values
> and their subtle behavior is not casually obvious. I'd recommend using
> a userspace workaround for your use case, and not changing the legacy
> behavior of the kernel.
What userspace workaround would be possible? The only thing that comes
to my mind is to apply NO_NEW_PRIVS in the child process after exec -
but that's too late, because arbitrary untrusted code has already been
executed at this point. This means I lose NO_NEW_PRIVS completely,
because the attacker can simply skip the call.
Max
next prev parent reply other threads:[~2025-05-07 6:33 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-06 8:26 [PATCH] security/commoncap: don't assume "setid" if all ids are identical Max Kellermann
2025-03-07 10:32 ` kernel test robot
2025-03-09 15:19 ` Serge E. Hallyn
2025-04-28 11:43 ` Max Kellermann
2025-05-06 13:21 ` Serge E. Hallyn
2025-05-06 14:51 ` Max Kellermann
2025-05-07 3:16 ` Andrew G. Morgan
2025-05-07 6:33 ` Max Kellermann [this message]
2025-05-08 3:32 ` Andrew G. Morgan
2025-05-08 6:38 ` Max Kellermann
2025-05-08 8:37 ` Max Kellermann
2025-05-09 17:50 ` Max Kellermann
2025-05-08 22:12 ` sergeh
2025-05-09 6:15 ` Max Kellermann
2025-05-09 14:44 ` Eric W. Biederman
2025-05-09 16:53 ` Max Kellermann
2025-05-09 20:17 ` Serge E. Hallyn
2025-05-09 18:41 ` [PATCH] Documentation/no_new_privs.rst: document dropping effective ids Max Kellermann
2025-05-15 16:24 ` [PATCH] exec: Correct the permission check for unsafe exec Eric W. Biederman
2025-05-15 22:09 ` Kees Cook
2025-05-16 15:26 ` Eric W. Biederman
2025-05-16 18:06 ` Jann Horn
2025-05-16 18:08 ` Jann Horn
2025-05-16 21:46 ` sergeh
2025-05-20 22:38 ` Jann Horn
2025-05-20 22:43 ` Kees Cook
2025-05-16 23:29 ` Eric W. Biederman
2025-05-20 20:20 ` Kees Cook
2025-05-20 22:13 ` [PATCH v2] " Eric W. Biederman
2025-05-20 22:35 ` Kees Cook
2025-05-20 23:53 ` Jann Horn
2025-05-21 15:27 ` Eric W. Biederman
2025-05-21 15:36 ` Jann Horn
2025-06-11 0:18 ` Paul Moore
2025-06-11 14:23 ` Max Kellermann
2025-06-13 15:07 ` Eric W. Biederman
2025-06-12 21:26 ` Serge E. Hallyn
2025-06-13 1:48 ` Kees Cook
2025-06-13 15:28 ` Paul Moore
2025-06-16 19:57 ` Kees Cook
2025-06-16 20:16 ` Paul Moore
2025-05-16 21:48 ` [PATCH] " sergeh
2025-05-16 21:49 ` sergeh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAKPOu+_=ocLeEqcaSMjb5qqrvi6KAu3GYJa19Fqz_dm3a5F77w@mail.gmail.com' \
--to=max.kellermann@ionos.com \
--cc=jmorris@namei.org \
--cc=kees@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@kernel.org \
--cc=morgan@kernel.org \
--cc=paul@paul-moore.com \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).