lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAG48ez0aP8LaGppy6Yon7xcFbQa1=CM-HXSZChvXYV2VJZ8y7g@mail.gmail.com>
Date: Tue, 13 May 2025 23:09:48 +0200
From: Jann Horn <jannh@...gle.com>
To: Kees Cook <kees@...nel.org>
Cc: Mateusz Guzik <mjguzik@...il.com>, Kees Cook <keescook@...omium.org>, 
	Christian Brauner <brauner@...nel.org>, Eric Biederman <ebiederm@...ssion.com>, 
	Jorge Merlino <jorge.merlino@...onical.com>, Alexander Viro <viro@...iv.linux.org.uk>, 
	Thomas Gleixner <tglx@...utronix.de>, Andy Lutomirski <luto@...nel.org>, 
	Sebastian Andrzej Siewior <bigeasy@...utronix.de>, Andrew Morton <akpm@...ux-foundation.org>, linux-mm@...ck.org, 
	linux-fsdevel@...r.kernel.org, John Johansen <john.johansen@...onical.com>, 
	Paul Moore <paul@...l-moore.com>, James Morris <jmorris@...ei.org>, 
	"Serge E. Hallyn" <serge@...lyn.com>, Stephen Smalley <stephen.smalley.work@...il.com>, 
	Eric Paris <eparis@...isplace.org>, Richard Haines <richard_c_haines@...nternet.com>, 
	Casey Schaufler <casey@...aufler-ca.com>, Xin Long <lucien.xin@...il.com>, 
	"David S. Miller" <davem@...emloft.net>, Todd Kjos <tkjos@...gle.com>, 
	Ondrej Mosnacek <omosnace@...hat.com>, Prashanth Prahlad <pprahlad@...hat.com>, 
	Micah Morton <mortonm@...omium.org>, Fenghua Yu <fenghua.yu@...el.com>, 
	Andrei Vagin <avagin@...il.com>, linux-kernel@...r.kernel.org, apparmor@...ts.ubuntu.com, 
	linux-security-module@...r.kernel.org, selinux@...r.kernel.org, 
	linux-hardening@...r.kernel.org, oleg@...hat.com
Subject: Re: [PATCH 1/2] fs/exec: Explicitly unshare fs_struct on exec

On Tue, May 13, 2025 at 10:57 PM Kees Cook <kees@...nel.org> wrote:
> On May 13, 2025 6:05:45 AM PDT, Mateusz Guzik <mjguzik@...il.com> wrote:
> >Here is my proposal: *deny* exec of suid/sgid binaries if fs_struct is
> >shared. This will have to be checked for after the execing proc becomes
> >single-threaded ofc.
>
> Unfortunately the above Chrome helper is setuid and uses CLONE_FS.

Chrome first launches a setuid helper, and then the setuid helper does
CLONE_FS. Mateusz's proposal would not impact this usecase.

Mateusz is proposing to block the case where a process first does
CLONE_FS, and *then* one of the processes sharing the fs_struct does a
setuid execve(). Linux already downgrades such an execve() to be
non-setuid, which probably means anyone trying to do this will get
hard-to-understand problems. Mateusz' proposal would just turn this
hard-to-debug edgecase, which already doesn't really work, into a
clean error; I think that is a nice improvement even just from the
UAPI standpoint.

If this change makes it possible to clean up the kernel code a bit, even better.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ