Date:   Thu,  6 Oct 2022 01:27:35 -0700
From:   Kees Cook <keescook@...omium.org>
To:     Eric Biederman <ebiederm@...ssion.com>
Cc:     Kees Cook <keescook@...omium.org>,
        Alexander Viro <viro@...iv.linux.org.uk>,
        John Johansen <john.johansen@...onical.com>,
        Paul Moore <paul@...l-moore.com>,
        James Morris <jmorris@...ei.org>,
        "Serge E. Hallyn" <serge@...lyn.com>,
        Stephen Smalley <stephen.smalley.work@...il.com>,
        Eric Paris <eparis@...isplace.org>,
        Richard Haines <richard_c_haines@...nternet.com>,
        Casey Schaufler <casey@...aufler-ca.com>,
        Xin Long <lucien.xin@...il.com>,
        "David S. Miller" <davem@...emloft.net>,
        Todd Kjos <tkjos@...gle.com>,
        Ondrej Mosnacek <omosnace@...hat.com>,
        linux-fsdevel@...r.kernel.org, linux-mm@...ck.org,
        apparmor@...ts.ubuntu.com, linux-security-module@...r.kernel.org,
        selinux@...r.kernel.org,
        Jorge Merlino <jorge.merlino@...onical.com>,
        "Christian Brauner (Microsoft)" <brauner@...nel.org>,
        Thomas Gleixner <tglx@...utronix.de>,
        Andy Lutomirski <luto@...nel.org>,
        Sebastian Andrzej Siewior <bigeasy@...utronix.de>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Prashanth Prahlad <pprahlad@...hat.com>,
        Micah Morton <mortonm@...omium.org>,
        Fenghua Yu <fenghua.yu@...el.com>,
        Andrei Vagin <avagin@...il.com>, linux-kernel@...r.kernel.org,
        linux-hardening@...r.kernel.org
Subject: [PATCH 2/2] exec: Remove LSM_UNSAFE_SHARE

With fs_struct explicitly unshared during exec, it is no longer possible
to have unexpected shared state, and LSM_UNSAFE_SHARE can be entirely
removed.

Cc: Alexander Viro <viro@...iv.linux.org.uk>
Cc: Eric Biederman <ebiederm@...ssion.com>
Cc: John Johansen <john.johansen@...onical.com>
Cc: Paul Moore <paul@...l-moore.com>
Cc: James Morris <jmorris@...ei.org>
Cc: "Serge E. Hallyn" <serge@...lyn.com>
Cc: Stephen Smalley <stephen.smalley.work@...il.com>
Cc: Eric Paris <eparis@...isplace.org>
Cc: Richard Haines <richard_c_haines@...nternet.com>
Cc: Casey Schaufler <casey@...aufler-ca.com>
Cc: Xin Long <lucien.xin@...il.com>
Cc: "David S. Miller" <davem@...emloft.net>
Cc: Todd Kjos <tkjos@...gle.com>
Cc: Ondrej Mosnacek <omosnace@...hat.com>
Cc: linux-fsdevel@...r.kernel.org
Cc: linux-mm@...ck.org
Cc: apparmor@...ts.ubuntu.com
Cc: linux-security-module@...r.kernel.org
Cc: selinux@...r.kernel.org
Signed-off-by: Kees Cook <keescook@...omium.org>
---
 fs/exec.c                  | 17 +----------------
 include/linux/security.h   |  5 ++---
 security/apparmor/domain.c |  5 -----
 security/selinux/hooks.c   | 10 ----------
 4 files changed, 3 insertions(+), 34 deletions(-)

diff --git a/fs/exec.c b/fs/exec.c
index 7d5f63f03c58..3cd058711098 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1563,8 +1563,7 @@ EXPORT_SYMBOL(bprm_change_interp);
  */
 static void check_unsafe_exec(struct linux_binprm *bprm)
 {
-	struct task_struct *p = current, *t;
-	unsigned n_fs;
+	struct task_struct *p = current;
 
 	if (p->ptrace)
 		bprm->unsafe |= LSM_UNSAFE_PTRACE;
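Review bot: with `t` and `n_fs` gone, the local `p` in check_unsafe_exec() appears to be read only by `if (p->ptrace)`, while the no_new_privs test in the next hunk already calls `task_no_new_privs(current)`. Consider dropping `p` and testing `current->ptrace` directly so the function refers to the task one way throughout.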
@@ -1575,20 +1574,6 @@ static void check_unsafe_exec(struct linux_binprm *bprm)
 	 */
 	if (task_no_new_privs(current))
 		bprm->unsafe |= LSM_UNSAFE_NO_NEW_PRIVS;
-
-	t = p;
-	n_fs = 1;
-	spin_lock(&p->fs->lock);
-	rcu_read_lock();
-	while_each_thread(p, t) {
-		if (t->fs == p->fs)
-			n_fs++;
-	}
-	rcu_read_unlock();
-
-	if (p->fs->users > n_fs)
-		bprm->unsafe |= LSM_UNSAFE_SHARE;
-	spin_unlock(&p->fs->lock);
 }
 
 static void bprm_fill_uid(struct linux_binprm *bprm, struct file *file)
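Review bot: the block removed from the end of check_unsafe_exec() was what compared `p->fs->users` with the per-thread count, so after this hunk nothing in the function notices an fs_struct shared with another process. That is only safe if the unshare the commit message refers to has already happened by the time this function runs. Suggest a short comment in the function saying that fs_struct is unshared earlier in exec, so the ordering dependency stays visible to anyone who later moves either piece.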
diff --git a/include/linux/security.h b/include/linux/security.h
index 1bc362cb413f..db508a8c3cc7 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -215,9 +215,8 @@ struct sched_param;
 struct request_sock;
 
 /* bprm->unsafe reasons */
-#define LSM_UNSAFE_SHARE	1
-#define LSM_UNSAFE_PTRACE	2
-#define LSM_UNSAFE_NO_NEW_PRIVS	4
+#define LSM_UNSAFE_PTRACE	BIT(0)
+#define LSM_UNSAFE_NO_NEW_PRIVS	BIT(1)
 
 #ifdef CONFIG_MMU
 extern int mmap_min_addr_handler(struct ctl_table *table, int write,
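Review bot: the switch to BIT() also renumbers the surviving flags, which the commit message does not mention: LSM_UNSAFE_PTRACE goes from 2 to 1 and LSM_UNSAFE_NO_NEW_PRIVS from 4 to 2. Anything that records or compares a raw `bprm->unsafe` value rather than using the macro names will read differently after this change. Either keep the old values (BIT(1) and BIT(2)) or state the renumbering in the changelog, and check that this header already pulls in the definition of BIT().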
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 91689d34d281..1b2c0bb4d9ae 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -924,11 +924,6 @@ int apparmor_bprm_creds_for_exec(struct linux_binprm *bprm)
 		goto audit;
 	}
 
-	if (bprm->unsafe & LSM_UNSAFE_SHARE) {
-		/* FIXME: currently don't mediate shared state */
-		;
-	}
-
 	if (bprm->unsafe & (LSM_UNSAFE_PTRACE)) {
 		/* TODO: test needs to be profile of label to new */
 		error = may_change_ptraced_domain(new, &info);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 79573504783b..3ec80cc8ad1c 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2349,16 +2349,6 @@ static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm)
 		if (rc)
 			return rc;
 
-		/* Check for shared state */
-		if (bprm->unsafe & LSM_UNSAFE_SHARE) {
-			rc = avc_has_perm(&selinux_state,
-					  old_tsec->sid, new_tsec->sid,
-					  SECCLASS_PROCESS, PROCESS__SHARE,
-					  NULL);
-			if (rc)
-				return -EPERM;
-		}
-
 		/* Make sure that anyone attempting to ptrace over a task that
 		 * changes its SID has the appropriate permit */
 		if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
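Review bot: dropping the `avc_has_perm(... SECCLASS_PROCESS, PROCESS__SHARE, ...)` call in selinux_bprm_creds_for_exec() is a policy-visible change, unlike the AppArmor hunk, where the removed block was an empty FIXME. A transition that used to fail with -EPERM when the old and new SIDs lacked the share permission will no longer be checked on this path. The commit message should say so explicitly for policy writers, and state whether PROCESS__SHARE still has other users or needs a follow-up to retire it.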
-- 
2.34.1
