lists.openwall.net: Open Source and information security mailing list archives
Date: Thu, 6 Oct 2022 01:27:33 -0700 
From: Kees Cook <keescook@...omium.org>
To: Eric Biederman <ebiederm@...ssion.com>
Cc: Kees Cook <keescook@...omium.org>, Jorge Merlino <jorge.merlino@...onical.com>, Al Viro <viro@...iv.linux.org.uk>, "Christian Brauner (Microsoft)" <brauner@...nel.org>, Thomas Gleixner <tglx@...utronix.de>, Andy Lutomirski <luto@...nel.org>, Sebastian Andrzej Siewior <bigeasy@...utronix.de>, Andrew Morton <akpm@...ux-foundation.org>, John Johansen <john.johansen@...onical.com>, Paul Moore <paul@...l-moore.com>, James Morris <jmorris@...ei.org>, "Serge E. Hallyn" <serge@...lyn.com>, Stephen Smalley <stephen.smalley.work@...il.com>, Eric Paris <eparis@...isplace.org>, Richard Haines <richard_c_haines@...nternet.com>, Casey Schaufler <casey@...aufler-ca.com>, Xin Long <lucien.xin@...il.com>, "David S. Miller" <davem@...emloft.net>, Todd Kjos <tkjos@...gle.com>, Ondrej Mosnacek <omosnace@...hat.com>, Prashanth Prahlad <pprahlad@...hat.com>, Micah Morton <mortonm@...omium.org>, Fenghua Yu <fenghua.yu@...el.com>, Andrei Vagin <avagin@...il.com>, linux-kernel@...r.kernel.org, linux-mm@...ck.org, linux-fsdevel@...r.kernel.org, apparmor@...ts.ubuntu.com, linux-security-module@...r.kernel.org, selinux@...r.kernel.org, linux-hardening@...r.kernel.org
Subject: [PATCH 0/2] fs/exec: Explicitly unshare fs_struct on exec

Hi,

These changes seek to address an issue reported[1] by Jorge Merlino where high-thread-count processes would sometimes fail to setuid during a setuid execve(). It looks to me like the solution is to explicitly do an unshare_fs(), which should almost always be a no-op. Current testing seems to indicate that only the swapper->init exec triggers this condition (and I'm unclear on whether that's expected or undesirable).

This has only received very light testing so far, but I wanted to share it so other folks could look it over. Jorge, can you test with these patches? Your PoC triggered immediately for me on an unpatched kernel, and did not trigger on a patched one.
I added this patch on top of the series to see if the code ever fired:

diff --git a/kernel/fork.c b/kernel/fork.c index 53b7248f7a4b..3c197d9d8daa 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -3113,6 +3113,7 @@ int unshare_fs(void) if (error || !new_fs) return error; + pr_notice("UNSHARE of \"%s\" [%d]\n", current->comm, current->pid); unshare_fs_finalize(&new_fs); if (new_fs)

Thanks!

-Kees

[1] https://lore.kernel.org/lkml/20220910211215.140270-1-jorge.merlino@canonical.com/

Kees Cook (2):
  fs/exec: Explicitly unshare fs_struct on exec
  exec: Remove LSM_UNSAFE_SHARE

 fs/exec.c                  | 26 ++++------------
 fs/fs_struct.c             |  1 -
 include/linux/fdtable.h    |  1 +
 include/linux/fs_struct.h  |  1 -
 include/linux/security.h   |  5 ++-
 kernel/fork.c              | 62 ++++++++++++++++++++++++++------------
 security/apparmor/domain.c |  5 ---
 security/selinux/hooks.c   | 10 ------
 8 files changed, 51 insertions(+), 60 deletions(-)

-- 
2.34.1
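Review bot: the pr_notice() in the unshare_fs() hunk is a debugging aid that should not travel with the series: it sits correctly after the `if (error || !new_fs) return error;` early return, so it only logs when a private fs_struct was actually allocated, but it fires at notice level on every such unshare and records only `current->comm` and `current->pid`, which is not enough to answer the cover letter's own question of why only the swapper->init exec reaches this path. If it is kept for further testing, make it pr_debug() (or a ratelimited print) and add the caller context that would settle that question, e.g. `dump_stack()` or the current cred uids, and drop the hunk before the two real patches are merged.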